Bug 1296266 - Land NSS_3_27_BETA2, r=me
authorFranziskus Kiefer <franziskuskiefer@gmail.com>
Tue, 30 Aug 2016 07:58:30 +0200
changeset 311743 4044c6fd7e48eb90df1e117eca1b30a963d78740
parent 311742 ac421daef9ff2cbbcd95d9ec2ddae2435a178063
child 311744 8b245d867368e3cd52086e9aac4e4577176d9bdd
push id81203
push userfranziskuskiefer@gmail.com
push dateTue, 30 Aug 2016 06:51:26 +0000
treeherdermozilla-inbound@4044c6fd7e48 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersme
bugs1296266
milestone51.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1296266 - Land NSS_3_27_BETA2, r=me
security/nss/TAG-INFO
security/nss/automation/taskcluster/scripts/run_clang_format.sh
security/nss/cmd/certutil/certutil.c
security/nss/cmd/signtool/javascript.c
security/nss/coreconf/coreconf.dep
security/nss/external_tests/ssl_gtest/libssl_internals.c
security/nss/external_tests/ssl_gtest/libssl_internals.h
security/nss/external_tests/ssl_gtest/ssl_ciphersuite_unittest.cc
security/nss/external_tests/ssl_gtest/ssl_drop_unittest.cc
security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
security/nss/external_tests/ssl_gtest/tls_agent.cc
security/nss/external_tests/ssl_gtest/tls_agent.h
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ckfw/builtins/nssckbi.h
security/nss/lib/freebl/aeskeywrap.c
security/nss/lib/freebl/alg2268.c
security/nss/lib/freebl/alghmac.c
security/nss/lib/freebl/alghmac.h
security/nss/lib/freebl/arcfive.c
security/nss/lib/freebl/arcfour.c
security/nss/lib/freebl/blapi.h
security/nss/lib/freebl/blapii.h
security/nss/lib/freebl/blapit.h
security/nss/lib/freebl/blname.c
security/nss/lib/freebl/camellia.c
security/nss/lib/freebl/camellia.h
security/nss/lib/freebl/chacha20.c
security/nss/lib/freebl/chacha20_vec.c
security/nss/lib/freebl/ctr.c
security/nss/lib/freebl/ctr.h
security/nss/lib/freebl/cts.c
security/nss/lib/freebl/cts.h
security/nss/lib/freebl/des.c
security/nss/lib/freebl/des.h
security/nss/lib/freebl/desblapi.c
security/nss/lib/freebl/dh.c
security/nss/lib/freebl/drbg.c
security/nss/lib/freebl/dsa.c
security/nss/lib/freebl/ec.c
security/nss/lib/freebl/ec.h
security/nss/lib/freebl/ecdecode.c
security/nss/lib/freebl/ecl/ec2.h
security/nss/lib/freebl/ecl/ec2_163.c
security/nss/lib/freebl/ecl/ec2_193.c
security/nss/lib/freebl/ecl/ec2_233.c
security/nss/lib/freebl/ecl/ec2_aff.c
security/nss/lib/freebl/ecl/ec2_mont.c
security/nss/lib/freebl/ecl/ec2_proj.c
security/nss/lib/freebl/ecl/ec_naf.c
security/nss/lib/freebl/ecl/ecl-curve.h
security/nss/lib/freebl/ecl/ecl-exp.h
security/nss/lib/freebl/ecl/ecl-priv.h
security/nss/lib/freebl/ecl/ecl.c
security/nss/lib/freebl/ecl/ecl.h
security/nss/lib/freebl/ecl/ecl_curve.c
security/nss/lib/freebl/ecl/ecl_gf.c
security/nss/lib/freebl/ecl/ecl_mult.c
security/nss/lib/freebl/ecl/ecp.h
security/nss/lib/freebl/ecl/ecp_192.c
security/nss/lib/freebl/ecl/ecp_224.c
security/nss/lib/freebl/ecl/ecp_256.c
security/nss/lib/freebl/ecl/ecp_256_32.c
security/nss/lib/freebl/ecl/ecp_384.c
security/nss/lib/freebl/ecl/ecp_521.c
security/nss/lib/freebl/ecl/ecp_aff.c
security/nss/lib/freebl/ecl/ecp_fp.c
security/nss/lib/freebl/ecl/ecp_fp.h
security/nss/lib/freebl/ecl/ecp_fp160.c
security/nss/lib/freebl/ecl/ecp_fp192.c
security/nss/lib/freebl/ecl/ecp_fp224.c
security/nss/lib/freebl/ecl/ecp_fpinc.c
security/nss/lib/freebl/ecl/ecp_jac.c
security/nss/lib/freebl/ecl/ecp_jm.c
security/nss/lib/freebl/ecl/ecp_mont.c
security/nss/lib/freebl/ecl/tests/ec2_test.c
security/nss/lib/freebl/ecl/tests/ec_naft.c
security/nss/lib/freebl/ecl/tests/ecp_fpt.c
security/nss/lib/freebl/ecl/tests/ecp_test.c
security/nss/lib/freebl/fipsfreebl.c
security/nss/lib/freebl/gcm.c
security/nss/lib/freebl/gcm.h
security/nss/lib/freebl/genload.c
security/nss/lib/freebl/hmacct.c
security/nss/lib/freebl/intel-aes.h
security/nss/lib/freebl/intel-gcm-wrap.c
security/nss/lib/freebl/intel-gcm.h
security/nss/lib/freebl/jpake.c
security/nss/lib/freebl/ldvector.c
security/nss/lib/freebl/loader.c
security/nss/lib/freebl/loader.h
security/nss/lib/freebl/lowhash_vector.c
security/nss/lib/freebl/md2.c
security/nss/lib/freebl/md5.c
security/nss/lib/freebl/mknewpc2.c
security/nss/lib/freebl/mksp.c
security/nss/lib/freebl/mpi/logtab.h
security/nss/lib/freebl/mpi/mdxptest.c
security/nss/lib/freebl/mpi/montmulf.c
security/nss/lib/freebl/mpi/montmulf.h
security/nss/lib/freebl/mpi/mp_comba.c
security/nss/lib/freebl/mpi/mp_gf2m-priv.h
security/nss/lib/freebl/mpi/mp_gf2m.c
security/nss/lib/freebl/mpi/mp_gf2m.h
security/nss/lib/freebl/mpi/mpcpucache.c
security/nss/lib/freebl/mpi/mpi-config.h
security/nss/lib/freebl/mpi/mpi-priv.h
security/nss/lib/freebl/mpi/mpi-test.c
security/nss/lib/freebl/mpi/mpi.c
security/nss/lib/freebl/mpi/mpi.h
security/nss/lib/freebl/mpi/mpi_amd64.c
security/nss/lib/freebl/mpi/mpi_arm.c
security/nss/lib/freebl/mpi/mpi_hp.c
security/nss/lib/freebl/mpi/mpi_sparc.c
security/nss/lib/freebl/mpi/mpi_x86_asm.c
security/nss/lib/freebl/mpi/mplogic.c
security/nss/lib/freebl/mpi/mplogic.h
security/nss/lib/freebl/mpi/mpmontg.c
security/nss/lib/freebl/mpi/mpprime.c
security/nss/lib/freebl/mpi/mpprime.h
security/nss/lib/freebl/mpi/mpv_sparc.c
security/nss/lib/freebl/mpi/mpvalpha.c
security/nss/lib/freebl/mpi/mulsqr.c
security/nss/lib/freebl/mpi/primes.c
security/nss/lib/freebl/mpi/test-info.c
security/nss/lib/freebl/mpi/tests/mptest-1.c
security/nss/lib/freebl/mpi/tests/mptest-2.c
security/nss/lib/freebl/mpi/tests/mptest-3.c
security/nss/lib/freebl/mpi/tests/mptest-3a.c
security/nss/lib/freebl/mpi/tests/mptest-4.c
security/nss/lib/freebl/mpi/tests/mptest-4a.c
security/nss/lib/freebl/mpi/tests/mptest-4b.c
security/nss/lib/freebl/mpi/tests/mptest-5.c
security/nss/lib/freebl/mpi/tests/mptest-5a.c
security/nss/lib/freebl/mpi/tests/mptest-6.c
security/nss/lib/freebl/mpi/tests/mptest-7.c
security/nss/lib/freebl/mpi/tests/mptest-8.c
security/nss/lib/freebl/mpi/tests/mptest-9.c
security/nss/lib/freebl/mpi/tests/mptest-b.c
security/nss/lib/freebl/mpi/utils/basecvt.c
security/nss/lib/freebl/mpi/utils/bbs_rand.c
security/nss/lib/freebl/mpi/utils/bbs_rand.h
security/nss/lib/freebl/mpi/utils/bbsrand.c
security/nss/lib/freebl/mpi/utils/dec2hex.c
security/nss/lib/freebl/mpi/utils/exptmod.c
security/nss/lib/freebl/mpi/utils/fact.c
security/nss/lib/freebl/mpi/utils/gcd.c
security/nss/lib/freebl/mpi/utils/hex2dec.c
security/nss/lib/freebl/mpi/utils/identest.c
security/nss/lib/freebl/mpi/utils/invmod.c
security/nss/lib/freebl/mpi/utils/isprime.c
security/nss/lib/freebl/mpi/utils/lap.c
security/nss/lib/freebl/mpi/utils/makeprime.c
security/nss/lib/freebl/mpi/utils/metime.c
security/nss/lib/freebl/mpi/utils/pi.c
security/nss/lib/freebl/mpi/utils/primegen.c
security/nss/lib/freebl/mpi/utils/prng.c
security/nss/lib/freebl/mpi/utils/sieve.c
security/nss/lib/freebl/mpi/vis_proto.h
security/nss/lib/freebl/nsslowhash.c
security/nss/lib/freebl/nsslowhash.h
security/nss/lib/freebl/os2_rand.c
security/nss/lib/freebl/poly1305-donna-x64-sse2-incremental-source.c
security/nss/lib/freebl/poly1305.c
security/nss/lib/freebl/pqg.c
security/nss/lib/freebl/pqg.h
security/nss/lib/freebl/rawhash.c
security/nss/lib/freebl/rijndael.c
security/nss/lib/freebl/rijndael.h
security/nss/lib/freebl/rijndael_tables.c
security/nss/lib/freebl/rsa.c
security/nss/lib/freebl/rsapkcs.c
security/nss/lib/freebl/secmpi.h
security/nss/lib/freebl/secrng.h
security/nss/lib/freebl/seed.c
security/nss/lib/freebl/seed.h
security/nss/lib/freebl/sha256.h
security/nss/lib/freebl/sha512.c
security/nss/lib/freebl/sha_fast.c
security/nss/lib/freebl/sha_fast.h
security/nss/lib/freebl/shsign.h
security/nss/lib/freebl/shvfy.c
security/nss/lib/freebl/stubs.c
security/nss/lib/freebl/stubs.h
security/nss/lib/freebl/sysrand.c
security/nss/lib/freebl/tlsprfalg.c
security/nss/lib/freebl/unix_rand.c
security/nss/lib/freebl/win_rand.c
security/nss/lib/ssl/SSLerrs.h
security/nss/lib/ssl/dtlscon.c
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3gthr.c
security/nss/lib/ssl/sslerr.h
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/tls13con.c
security/nss/tests/ssl/ssl.sh
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_27_BETA1
+NSS_3_27_BETA2
--- a/security/nss/automation/taskcluster/scripts/run_clang_format.sh
+++ b/security/nss/automation/taskcluster/scripts/run_clang_format.sh
@@ -28,16 +28,17 @@ else
          "$top/lib/base" \
          "$top/lib/certdb" \
          "$top/lib/certhigh" \
          "$top/lib/ckfw" \
          "$top/lib/crmf" \
          "$top/lib/cryptohi" \
          "$top/lib/dbm" \
          "$top/lib/dev" \
+         "$top/lib/freebl" \
          "$top/lib/softoken" \
          "$top/lib/ssl" \
          "$top/external_tests/common" \
          "$top/external_tests/der_gtest" \
          "$top/external_tests/pk11_gtest" \
          "$top/external_tests/ssl_gtest" \
          "$top/external_tests/util_gtest" \
     )
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -208,22 +208,28 @@ CertReq(SECKEYPrivateKey *privk, SECKEYP
         return SECFailure;
     }
 
     /* Change cert type to RSA-PSS, if desired. */
     if (pssCertificate) {
         spki->algorithm.parameters.data = NULL;
         rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
                                    SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0);
+        if (rv != SECSuccess) {
+            PORT_FreeArena(arena, PR_FALSE);
+            SECU_PrintError(progName, "unable to set algorithm ID");
+            return SECFailure;
+        }
     }
 
     /* Generate certificate request */
     cr = CERT_CreateCertificateRequest(subject, spki, NULL);
     SECKEY_DestroySubjectPublicKeyInfo(spki);
     if (!cr) {
+        PORT_FreeArena(arena, PR_FALSE);
         SECU_PrintError(progName, "unable to make certificate request");
         return SECFailure;
     }
 
     extHandle = CERT_StartCertificateRequestAttributes(cr);
     if (extHandle == NULL) {
         PORT_FreeArena(arena, PR_FALSE);
         CERT_DestroyCertificateRequest(cr);
--- a/security/nss/cmd/signtool/javascript.c
+++ b/security/nss/cmd/signtool/javascript.c
@@ -1644,16 +1644,25 @@ loser:
     if (archiveDir) {
         PR_Free(archiveDir);
         archiveDir = NULL;
     }
     if (firstArchiveDir) {
         PR_Free(firstArchiveDir);
         firstArchiveDir = NULL;
     }
+    if (entityListTail) {
+        PR_Free(entityListTail);
+    }
+    if (curitem) {
+        PR_Free(curitem);
+    }
+    if (basedir) {
+        PR_Free(basedir);
+    }
     return retval;
 }
 
 /**********************************************************************
  *
  * e n s u r e E x i s t s
  *
  * Check for existence of indicated directory.  If it doesn't exist,
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/external_tests/ssl_gtest/libssl_internals.c
+++ b/security/nss/external_tests/ssl_gtest/libssl_internals.c
@@ -1,9 +1,9 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* This file contains functions for frobbing the internals of libssl */
 #include "libssl_internals.h"
 
@@ -217,8 +217,69 @@ PRBool SSLInt_SendAlert(PRFileDesc *fd, 
     return PR_FALSE;
   }
 
   SECStatus rv = SSL3_SendAlert(ss, level, type);
   if (rv != SECSuccess) return PR_FALSE;
 
   return PR_TRUE;
 }
+
+SECStatus SSLInt_AdvanceReadSeqNum(PRFileDesc *fd, PRUint64 to) {
+  PRUint64 epoch;
+  sslSocket *ss;
+  ssl3CipherSpec *spec;
+
+  ss = ssl_FindSocket(fd);
+  if (!ss) {
+    return SECFailure;
+  }
+  if (to >= (1ULL << 48)) {
+    return SECFailure;
+  }
+  ssl_GetSpecWriteLock(ss);
+  spec = ss->ssl3.crSpec;
+  epoch = spec->read_seq_num >> 48;
+  spec->read_seq_num = (epoch << 48) | to;
+
+  /* For DTLS, we need to fix the record sequence number.  For this, we can just
+   * scrub the entire structure on the assumption that the new sequence number
+   * is far enough past the last received sequence number. */
+  if (to <= spec->recvdRecords.right + DTLS_RECVD_RECORDS_WINDOW) {
+    return SECFailure;
+  }
+  dtls_RecordSetRecvd(&spec->recvdRecords, to);
+
+  ssl_ReleaseSpecWriteLock(ss);
+  return SECSuccess;
+}
+
+SECStatus SSLInt_AdvanceWriteSeqNum(PRFileDesc *fd, PRUint64 to) {
+  PRUint64 epoch;
+  sslSocket *ss;
+
+  ss = ssl_FindSocket(fd);
+  if (!ss) {
+    return SECFailure;
+  }
+  if (to >= (1ULL << 48)) {
+    return SECFailure;
+  }
+  ssl_GetSpecWriteLock(ss);
+  epoch = ss->ssl3.cwSpec->write_seq_num >> 48;
+  ss->ssl3.cwSpec->write_seq_num = (epoch << 48) | to;
+  ssl_ReleaseSpecWriteLock(ss);
+  return SECSuccess;
+}
+
+SECStatus SSLInt_AdvanceWriteSeqByAWindow(PRFileDesc *fd, PRInt32 extra) {
+  sslSocket *ss;
+  sslSequenceNumber to;
+
+  ss = ssl_FindSocket(fd);
+  if (!ss) {
+    return SECFailure;
+  }
+  ssl_GetSpecReadLock(ss);
+  to = ss->ssl3.cwSpec->write_seq_num + DTLS_RECVD_RECORDS_WINDOW + extra;
+  ssl_ReleaseSpecReadLock(ss);
+  return SSLInt_AdvanceWriteSeqNum(fd, to & RECORD_SEQ_MAX);
+}
--- a/security/nss/external_tests/ssl_gtest/libssl_internals.h
+++ b/security/nss/external_tests/ssl_gtest/libssl_internals.h
@@ -28,10 +28,13 @@ PRInt32 SSLInt_CountTls13CipherSpecs(PRF
 void SSLInt_ForceTimerExpiry(PRFileDesc *fd);
 SECStatus SSLInt_SetMTU(PRFileDesc *fd, PRUint16 mtu);
 PRBool SSLInt_CheckSecretsDestroyed(PRFileDesc *fd);
 PRBool SSLInt_DamageHsTrafficSecret(PRFileDesc *fd);
 PRBool SSLInt_DamageEarlyTrafficSecret(PRFileDesc *fd);
 SECStatus SSLInt_Set0RttAlpn(PRFileDesc *fd, PRUint8 *data, unsigned int len);
 PRBool SSLInt_HasCertWithAuthType(PRFileDesc *fd, SSLAuthType authType);
 PRBool SSLInt_SendAlert(PRFileDesc *fd, uint8_t level, uint8_t type);
+SECStatus SSLInt_AdvanceWriteSeqNum(PRFileDesc *fd, PRUint64 to);
+SECStatus SSLInt_AdvanceReadSeqNum(PRFileDesc *fd, PRUint64 to);
+SECStatus SSLInt_AdvanceWriteSeqByAWindow(PRFileDesc *fd, PRInt32 extra);
 
 #endif  // ndef libssl_internals_h_
--- a/security/nss/external_tests/ssl_gtest/ssl_ciphersuite_unittest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_ciphersuite_unittest.cc
@@ -6,40 +6,51 @@
 
 #include "ssl.h"
 #include <functional>
 #include <memory>
 #include "secerr.h"
 #include "sslerr.h"
 #include "sslproto.h"
 
+extern "C" {
+// This is not something that should make you happy.
+#include "libssl_internals.h"
+}
+
 #include "gtest_utils.h"
 #include "tls_connect.h"
+#include "tls_parser.h"
 
 namespace nss_test {
 
 // mode, version, cipher suite
 typedef std::tuple<std::string, uint16_t, uint16_t> CipherSuiteProfile;
 
 class TlsCipherSuiteTestBase : public TlsConnectTestBase {
  public:
   TlsCipherSuiteTestBase(std::string mode, uint16_t version,
                          uint16_t cipher_suite)
       : TlsConnectTestBase(TlsConnectTestBase::ToMode(mode), version),
-        cipher_suite_(cipher_suite) {}
+        cipher_suite_(cipher_suite),
+        csinfo_({0}) {
+    SECStatus rv =
+        SSL_GetCipherSuiteInfo(cipher_suite_, &csinfo_, sizeof(csinfo_));
+    EXPECT_EQ(SECSuccess, rv);
+    if (rv == SECSuccess) {
+      std::cerr << "Cipher suite: " << csinfo_.cipherSuiteName << std::endl;
+    }
+  }
 
  protected:
   uint16_t cipher_suite_;
+  SSLCipherSuiteInfo csinfo_;
 
   void SetupCertificate() {
-    SSLCipherSuiteInfo csinfo;
-    EXPECT_EQ(SECSuccess,
-              SSL_GetCipherSuiteInfo(cipher_suite_, &csinfo, sizeof(csinfo)));
-    std::cerr << "Cipher suite: " << csinfo.cipherSuiteName << std::endl;
-    switch (csinfo.authType) {
+    switch (csinfo_.authType) {
       case ssl_auth_rsa_sign:
         Reset(TlsAgent::kServerRsaSign);
         break;
       case ssl_auth_rsa_decrypt:
         Reset(TlsAgent::kServerRsaDecrypt);
         break;
       case ssl_auth_ecdsa:
         Reset(TlsAgent::kServerEcdsa256);
@@ -96,72 +107,62 @@ class TlsResumptionTest
     : public TlsCipherSuiteTestBase,
       public ::testing::WithParamInterface<CipherSuiteProfile> {
  public:
   TlsResumptionTest()
       : TlsCipherSuiteTestBase(std::get<0>(GetParam()), std::get<1>(GetParam()),
                                std::get<2>(GetParam())) {}
 
   bool SkipIfCipherSuiteIsDSA() {
-    SSLCipherSuiteInfo csinfo;
-    SECStatus rv =
-        SSL_GetCipherSuiteInfo(cipher_suite_, &csinfo, sizeof(csinfo));
-    if (rv != SECSuccess) {
-      EXPECT_TRUE(false) << "Can't get cipher suite info";
-      return false;
-    }
-    bool isDSA = csinfo.authType == ssl_auth_dsa;
+    bool isDSA = csinfo_.authType == ssl_auth_dsa;
     if (isDSA) {
-      std::cerr << "Skipping DSA suite: " << csinfo.cipherSuiteName
+      std::cerr << "Skipping DSA suite: " << csinfo_.cipherSuiteName
                 << std::endl;
     }
     return isDSA;
   }
 
   void EnablePskCipherSuite() {
-    SSLCipherSuiteInfo targetInfo;
-    ASSERT_EQ(SECSuccess, SSL_GetCipherSuiteInfo(cipher_suite_, &targetInfo,
-                                                 sizeof(targetInfo)));
     SSLKEAType targetKea;
-    switch (targetInfo.keaType) {
+    switch (csinfo_.keaType) {
       case ssl_kea_ecdh:
         targetKea = ssl_kea_ecdh_psk;
         break;
       case ssl_kea_dh:
         targetKea = ssl_kea_dh_psk;
         break;
       default:
         EXPECT_TRUE(false) << "Unsupported KEA type for "
-                           << targetInfo.cipherSuiteName;
+                           << csinfo_.cipherSuiteName;
         return;
     }
 
     size_t count = SSL_GetNumImplementedCiphers();
     const uint16_t *ciphers = SSL_GetImplementedCiphers();
     bool found = false;
     for (size_t i = 0; i < count; ++i) {
       SSLCipherSuiteInfo candidateInfo;
       ASSERT_EQ(SECSuccess, SSL_GetCipherSuiteInfo(ciphers[i], &candidateInfo,
                                                    sizeof(candidateInfo)));
       if (candidateInfo.authType == ssl_auth_psk &&
           candidateInfo.keaType == targetKea &&
-          candidateInfo.symCipher == targetInfo.symCipher &&
-          candidateInfo.macAlgorithm == targetInfo.macAlgorithm) {
+          candidateInfo.symCipher == csinfo_.symCipher &&
+          candidateInfo.macAlgorithm == csinfo_.macAlgorithm) {
         // We aren't able to check that the PRF hash is the same.  This is OK
         // because there are (currently) no suites that have different PRF
         // hashes but also use the same symmetric cipher.
         EXPECT_EQ(SECSuccess,
                   SSL_CipherPrefSet(client_->ssl_fd(), ciphers[i], PR_TRUE));
         EXPECT_EQ(SECSuccess,
                   SSL_CipherPrefSet(server_->ssl_fd(), ciphers[i], PR_TRUE));
         found = true;
       }
     }
     EXPECT_TRUE(found) << "Can't find matching PSK cipher for "
-                       << targetInfo.cipherSuiteName;
+                       << csinfo_.cipherSuiteName;
   }
 };
 
 TEST_P(TlsResumptionTest, ResumeCipherSuite) {
   if (SkipIfCipherSuiteIsDSA()) {
     return;  // Tickets don't work with DSA (bug 1174677).
   }
 
@@ -182,30 +183,131 @@ TEST_P(TlsResumptionTest, ResumeCipherSu
   if (version_ == SSL_LIBRARY_VERSION_TLS_1_3) {
     EnablePskCipherSuite();
   }
 
   ExpectResumption(RESUME_TICKET);
   ConnectAndCheckCipherSuite();
 }
 
+class TlsCipherLimitTest
+    : public TlsCipherSuiteTestBase,
+      public ::testing::WithParamInterface<CipherSuiteProfile> {
+ public:
+  TlsCipherLimitTest()
+      : TlsCipherSuiteTestBase(std::get<0>(GetParam()), std::get<1>(GetParam()),
+                               std::get<2>(GetParam())) {}
+
+ protected:
+  // Get the expected limit on the number of records that can be sent for the
+  // cipher suite.
+  uint64_t record_limit() const {
+    switch (csinfo_.symCipher) {
+      case ssl_calg_rc4:
+      case ssl_calg_3des:
+        return 1ULL << 20;
+      case ssl_calg_aes:
+      case ssl_calg_aes_gcm:
+        return 0x5aULL << 28;
+      case ssl_calg_null:
+      case ssl_calg_chacha20:
+        return (1ULL << 48) - 1;
+      case ssl_calg_rc2:
+      case ssl_calg_des:
+      case ssl_calg_idea:
+      case ssl_calg_fortezza:
+      case ssl_calg_camellia:
+      case ssl_calg_seed:
+        break;
+    }
+    EXPECT_TRUE(false) << "No limit for " << csinfo_.cipherSuiteName;
+    return 1ULL < 48;
+  }
+
+  uint64_t last_safe_write() const {
+    uint64_t limit = record_limit() - 1;
+    if (version_ < SSL_LIBRARY_VERSION_TLS_1_1 &&
+        (csinfo_.symCipher == ssl_calg_3des ||
+         csinfo_.symCipher == ssl_calg_aes)) {
+      // 1/n-1 record splitting needs space for two records.
+      limit--;
+    }
+    return limit;
+  }
+};
+
+// This only works for stream ciphers because we modify the sequence number -
+// which is included explicitly in the DTLS record header - and that trips a
+// different error code.  Note that the message that the client sends would not
+// decrypt (the nonce/IV wouldn't match), but the record limit is hit before
+// attempting to decrypt a record.
+TEST_P(TlsCipherLimitTest, ReadLimit) {
+  SetupCertificate();
+  EnableSingleCipher();
+  ConnectAndCheckCipherSuite();
+  EXPECT_EQ(SECSuccess,
+            SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), last_safe_write()));
+  EXPECT_EQ(SECSuccess,
+            SSLInt_AdvanceReadSeqNum(server_->ssl_fd(), last_safe_write()));
+
+  client_->SendData(10, 10);
+  server_->ReadBytes();  // This should be OK.
+
+  // The payload needs to be big enough to pass for encrypted.  In the extreme
+  // case (TLS 1.3), this means 1 for payload, 1 for content type and 16 for
+  // authentication tag.
+  static const uint8_t payload[18] = {6};
+  DataBuffer record;
+  uint64_t epoch = 0;
+  if (mode_ == DGRAM) {
+    epoch++;
+    if (version_ == SSL_LIBRARY_VERSION_TLS_1_3) {
+      epoch++;
+    }
+  }
+  TlsAgentTestBase::MakeRecord(mode_, kTlsApplicationDataType, version_,
+                               payload, sizeof(payload), &record,
+                               (epoch << 48) | record_limit());
+  server_->adapter()->PacketReceived(record);
+  server_->ExpectReadWriteError();
+  server_->ReadBytes();
+  EXPECT_EQ(SSL_ERROR_TOO_MANY_RECORDS, server_->error_code());
+}
+
+TEST_P(TlsCipherLimitTest, WriteLimit) {
+  SetupCertificate();
+  EnableSingleCipher();
+  ConnectAndCheckCipherSuite();
+  EXPECT_EQ(SECSuccess,
+            SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), last_safe_write()));
+  client_->SendData(10, 10);
+  client_->ExpectReadWriteError();
+  client_->SendData(10, 10);
+  EXPECT_EQ(SSL_ERROR_TOO_MANY_RECORDS, client_->error_code());
+}
+
 // This awful macro makes the test instantiations easier to read.
 #define INSTANTIATE_CIPHER_TEST_P(name, modes, versions, ...)      \
   static const uint16_t k##name##CiphersArr[] = {__VA_ARGS__};     \
   static const ::testing::internal::ParamGenerator<uint16_t>       \
       k##name##Ciphers = ::testing::ValuesIn(k##name##CiphersArr); \
   INSTANTIATE_TEST_CASE_P(                                         \
       CipherSuite##name, TlsCipherSuiteTest,                       \
       ::testing::Combine(TlsConnectTestBase::kTlsModes##modes,     \
                          TlsConnectTestBase::kTls##versions,       \
                          k##name##Ciphers));                       \
   INSTANTIATE_TEST_CASE_P(                                         \
       Resume##name, TlsResumptionTest,                             \
       ::testing::Combine(TlsConnectTestBase::kTlsModes##modes,     \
                          TlsConnectTestBase::kTls##versions,       \
+                         k##name##Ciphers));                       \
+  INSTANTIATE_TEST_CASE_P(                                         \
+      Limit##name, TlsCipherLimitTest,                             \
+      ::testing::Combine(TlsConnectTestBase::kTlsModes##modes,     \
+                         TlsConnectTestBase::kTls##versions,       \
                          k##name##Ciphers))
 
 INSTANTIATE_CIPHER_TEST_P(RC4, Stream, V10ToV12, TLS_RSA_WITH_RC4_128_SHA,
                           TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
                           TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
                           TLS_ECDH_RSA_WITH_RC4_128_SHA,
                           TLS_ECDHE_RSA_WITH_RC4_128_SHA);
 INSTANTIATE_CIPHER_TEST_P(AEAD12, All, V12, TLS_RSA_WITH_AES_128_GCM_SHA256,
--- a/security/nss/external_tests/ssl_gtest/ssl_drop_unittest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_drop_unittest.cc
@@ -2,16 +2,21 @@
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "ssl.h"
 #include "secerr.h"
 
+extern "C" {
+// This is not something that should make you happy.
+#include "libssl_internals.h"
+}
+
 #include "gtest_utils.h"
 #include "scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
@@ -74,9 +79,54 @@ TEST_P(TlsConnectDatagram, DropClientSec
 }
 
 // This drops the server's second flight three times.
 TEST_P(TlsConnectDatagram, DropServerSecondFlightThrice) {
   server_->SetPacketFilter(new SelectiveDropFilter(0xe));
   Connect();
 }
 
+// This simulates a huge number of drops on one side.
+TEST_P(TlsConnectDatagram, MissLotsOfPackets) {
+  uint16_t cipher = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
+  uint64_t limit = (1ULL << 48) - 1;
+  if (version_ < SSL_LIBRARY_VERSION_TLS_1_2) {
+    cipher = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;
+    limit = 0x5aULL << 28;
+  }
+  EnsureTlsSetup();
+  server_->EnableSingleCipher(cipher);
+  Connect();
+
+  // Note that the limit for ChaCha is 2^48-1.
+  EXPECT_EQ(SECSuccess,
+            SSLInt_AdvanceWriteSeqNum(client_->ssl_fd(), limit - 10));
+  SendReceive();
+}
+
+class TlsConnectDatagram12Plus : public TlsConnectDatagram {
+ public:
+  TlsConnectDatagram12Plus() : TlsConnectDatagram() {}
+};
+
+// This simulates missing a window's worth of packets.
+TEST_P(TlsConnectDatagram12Plus, MissAWindow) {
+  EnsureTlsSetup();
+  server_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
+  Connect();
+
+  EXPECT_EQ(SECSuccess, SSLInt_AdvanceWriteSeqByAWindow(client_->ssl_fd(), 0));
+  SendReceive();
+}
+
+TEST_P(TlsConnectDatagram12Plus, MissAWindowAndOne) {
+  EnsureTlsSetup();
+  server_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256);
+  Connect();
+
+  EXPECT_EQ(SECSuccess, SSLInt_AdvanceWriteSeqByAWindow(client_->ssl_fd(), 1));
+  SendReceive();
+}
+
+INSTANTIATE_TEST_CASE_P(Datagram12Plus, TlsConnectDatagram12Plus,
+                        TlsConnectTestBase::kTlsV12Plus);
+
 }  // namespace nss_test
--- a/security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
@@ -90,22 +90,21 @@ TEST_P(TlsConnectGeneric, ConnectSendRec
 // The next two tests takes advantage of the fact that we
 // automatically read the first 1024 bytes, so if
 // we provide 1200 bytes, they overrun the read buffer
 // provided by the calling test.
 
 // DTLS should return an error.
 TEST_P(TlsConnectDatagram, ShortRead) {
   Connect();
-  client_->SetExpectedReadError(true);
+  client_->ExpectReadWriteError();
   server_->SendData(1200, 1200);
   client_->WaitForErrorCode(SSL_ERROR_RX_SHORT_DTLS_READ, 2000);
 
   // Now send and receive another packet.
-  client_->SetExpectedReadError(false);
   server_->ResetSentBytes();  // Reset the counter.
   SendReceive();
 }
 
 // TLS should get the write in two chunks.
 TEST_P(TlsConnectStream, ShortRead) {
   // This test behaves oddly with TLS 1.0 because of 1/n+1 splitting,
   // so skip in that case.
@@ -178,25 +177,25 @@ TEST_P(TlsConnectStreamPre13, ServerFini
   client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
   EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
 }
 
 TEST_P(TlsConnectTls13, UnknownAlert) {
   Connect();
   SSLInt_SendAlert(server_->ssl_fd(), kTlsAlertWarning,
                    0xff);  // Unknown value.
-  client_->SetExpectedReadError(true);
+  client_->ExpectReadWriteError();
   client_->WaitForErrorCode(SSL_ERROR_RX_UNKNOWN_ALERT, 2000);
 }
 
 TEST_P(TlsConnectTls13, AlertWrongLevel) {
   Connect();
   SSLInt_SendAlert(server_->ssl_fd(), kTlsAlertWarning,
                    kTlsAlertUnexpectedMessage);
-  client_->SetExpectedReadError(true);
+  client_->ExpectReadWriteError();
   client_->WaitForErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT, 2000);
 }
 
 INSTANTIATE_TEST_CASE_P(GenericStream, TlsConnectGeneric,
                         ::testing::Combine(TlsConnectTestBase::kTlsModesStream,
                                            TlsConnectTestBase::kTlsVAll));
 INSTANTIATE_TEST_CASE_P(
     GenericDatagram, TlsConnectGeneric,
--- a/security/nss/external_tests/ssl_gtest/tls_agent.cc
+++ b/security/nss/external_tests/ssl_gtest/tls_agent.cc
@@ -58,17 +58,17 @@ TlsAgent::TlsAgent(const std::string& na
       expect_client_auth_(false),
       can_falsestart_hook_called_(false),
       sni_hook_called_(false),
       auth_certificate_hook_called_(false),
       handshake_callback_called_(false),
       error_code_(0),
       send_ctr_(0),
       recv_ctr_(0),
-      expected_read_error_(false),
+      expect_readwrite_error_(false),
       handshake_callback_(),
       auth_certificate_callback_(),
       sni_callback_() {
   memset(&info_, 0, sizeof(info_));
   memset(&csinfo_, 0, sizeof(csinfo_));
   SECStatus rv = SSL_VersionRangeGetDefault(
       mode_ == STREAM ? ssl_variant_stream : ssl_variant_datagram, &vrange_);
   EXPECT_EQ(SECSuccess, rv);
@@ -335,17 +335,17 @@ void TlsAgent::GetVersionRange(uint16_t*
 }
 
 void TlsAgent::SetExpectedVersion(uint16_t version) {
   expected_version_ = version;
 }
 
 void TlsAgent::SetServerKeyBits(uint16_t bits) { server_key_bits_ = bits; }
 
-void TlsAgent::SetExpectedReadError(bool err) { expected_read_error_ = err; }
+void TlsAgent::ExpectReadWriteError() { expect_readwrite_error_ = true; }
 
 void TlsAgent::SetSignatureAlgorithms(const SSLSignatureAndHashAlg* algorithms,
                                       size_t count) {
   EXPECT_TRUE(EnsureTlsSetup());
   EXPECT_LE(count, SSL_SignatureMaxCount());
   EXPECT_EQ(SECSuccess, SSL_SignaturePrefSet(ssl_fd_, algorithms,
                                              static_cast<unsigned int>(count)));
   EXPECT_EQ(SECFailure, SSL_SignaturePrefSet(ssl_fd_, algorithms, 0))
@@ -482,26 +482,26 @@ void TlsAgent::CheckSrtp() const {
   uint16_t actual;
   EXPECT_EQ(SECSuccess, SSL_GetSRTPCipher(ssl_fd_, &actual));
   EXPECT_EQ(SRTP_AES128_CM_HMAC_SHA1_80, actual);
 }
 
 void TlsAgent::CheckErrorCode(int32_t expected) const {
   EXPECT_EQ(STATE_ERROR, state_);
   EXPECT_EQ(expected, error_code_)
-      << "Got error code " << PORT_ErrorToString(error_code_) << " expecting "
-      << PORT_ErrorToString(expected) << std::endl;
+      << "Got error code " << PORT_ErrorToName(error_code_) << " expecting "
+      << PORT_ErrorToName(expected) << std::endl;
 }
 
 void TlsAgent::WaitForErrorCode(int32_t expected, uint32_t delay) const {
   ASSERT_EQ(0, error_code_);
   WAIT_(error_code_ != 0, delay);
-  EXPECT_EQ(expected, error_code_) << "Got error code " << error_code_
-                                   << " expecting "
-                                   << PORT_ErrorToString(expected) << std::endl;
+  EXPECT_EQ(expected, error_code_)
+      << "Got error code " << PORT_ErrorToName(error_code_) << " expecting "
+      << PORT_ErrorToName(expected) << std::endl;
 }
 
 void TlsAgent::CheckPreliminaryInfo() {
   SSLPreliminaryChannelInfo info;
   EXPECT_EQ(SECSuccess,
             SSL_GetPreliminaryChannelInfo(ssl_fd_, &info, sizeof(info)));
   EXPECT_EQ(sizeof(info), info.length);
   EXPECT_TRUE(info.valuesSet & ssl_preinfo_version);
@@ -682,59 +682,68 @@ void TlsAgent::StartRenegotiate() {
   EXPECT_EQ(SECSuccess, rv);
 }
 
 void TlsAgent::SendDirect(const DataBuffer& buf) {
   LOG("Send Direct " << buf);
   adapter_->peer()->PacketReceived(buf);
 }
 
+static bool ErrorIsNonFatal(PRErrorCode code) {
+  return code == PR_WOULD_BLOCK_ERROR || code == SSL_ERROR_RX_SHORT_DTLS_READ;
+}
+
 void TlsAgent::SendData(size_t bytes, size_t blocksize) {
   uint8_t block[4096];
 
   ASSERT_LT(blocksize, sizeof(block));
 
   while (bytes) {
     size_t tosend = std::min(blocksize, bytes);
 
     for (size_t i = 0; i < tosend; ++i) {
       block[i] = 0xff & send_ctr_;
       ++send_ctr_;
     }
 
     LOGV("Writing " << tosend << " bytes");
     int32_t rv = PR_Write(ssl_fd_, block, tosend);
-    ASSERT_EQ(tosend, static_cast<size_t>(rv));
+    if (expect_readwrite_error_) {
+      EXPECT_GT(0, rv);
+      EXPECT_NE(PR_WOULD_BLOCK_ERROR, error_code_);
+      error_code_ = PR_GetError();
+      expect_readwrite_error_ = false;
+    } else {
+      ASSERT_EQ(tosend, static_cast<size_t>(rv));
+    }
 
     bytes -= tosend;
   }
 }
 
-static bool ErrorIsNonFatal(PRErrorCode code) {
-  return code == PR_WOULD_BLOCK_ERROR || code == SSL_ERROR_RX_SHORT_DTLS_READ;
-}
-
 void TlsAgent::ReadBytes() {
   uint8_t block[1024];
 
   int32_t rv = PR_Read(ssl_fd_, block, sizeof(block));
   LOGV("ReadBytes " << rv);
   int32_t err;
 
   if (rv >= 0) {
     size_t count = static_cast<size_t>(rv);
     for (size_t i = 0; i < count; ++i) {
       ASSERT_EQ(recv_ctr_ & 0xff, block[i]);
       recv_ctr_++;
     }
   } else {
     err = PR_GetError();
-    LOG("Read error " << err << ": " << PORT_ErrorToString(err));
-    if (err != PR_WOULD_BLOCK_ERROR && expected_read_error_) {
+    LOG("Read error " << PORT_ErrorToName(err) << ": "
+                      << PORT_ErrorToString(err));
+    if (err != PR_WOULD_BLOCK_ERROR && expect_readwrite_error_) {
       error_code_ = err;
+      expect_readwrite_error_ = false;
     }
   }
 
   // If closed, then don't bother waiting around.
   if (rv > 0 || (rv < 0 && ErrorIsNonFatal(err))) {
     LOGV("Re-arming");
     Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
                              &TlsAgent::ReadableCallback);
@@ -799,42 +808,46 @@ void TlsAgentTestBase::ProcessMessage(co
 
   ASSERT_EQ(expected_state, agent_->state());
 
   if (expected_state == TlsAgent::STATE_ERROR) {
     ASSERT_EQ(error_code, agent_->error_code());
   }
 }
 
-void TlsAgentTestBase::MakeRecord(uint8_t type, uint16_t version,
+void TlsAgentTestBase::MakeRecord(Mode mode, uint8_t type, uint16_t version,
                                   const uint8_t* buf, size_t len,
-                                  DataBuffer* out, uint32_t seq_num) {
+                                  DataBuffer* out, uint64_t seq_num) {
   size_t index = 0;
   index = out->Write(index, type, 1);
-  ;  // Content Type
   index = out->Write(
-      index, mode_ == STREAM ? version : TlsVersionToDtlsVersion(version),
-      2);  // Version
-  if (mode_ == DGRAM) {
-    index = out->Write(index, 0U, 4);
-    index = out->Write(index, seq_num, 4);
+      index, mode == STREAM ? version : TlsVersionToDtlsVersion(version), 2);
+  if (mode == DGRAM) {
+    index = out->Write(index, seq_num >> 32, 4);
+    index = out->Write(index, seq_num & PR_UINT32_MAX, 4);
   }
-  index = out->Write(index, len, 2);  // Length
+  index = out->Write(index, len, 2);
   out->Write(index, buf, len);
 }
 
+void TlsAgentTestBase::MakeRecord(uint8_t type, uint16_t version,
+                                  const uint8_t* buf, size_t len,
+                                  DataBuffer* out, uint64_t seq_num) {
+  MakeRecord(mode_, type, version, buf, len, out, seq_num);
+}
+
 void TlsAgentTestBase::MakeHandshakeMessage(uint8_t hs_type,
                                             const uint8_t* data, size_t hs_len,
-                                            DataBuffer* out, uint32_t seq_num) {
+                                            DataBuffer* out, uint64_t seq_num) {
   return MakeHandshakeMessageFragment(hs_type, data, hs_len, out, seq_num, 0,
                                       0);
 }
 void TlsAgentTestBase::MakeHandshakeMessageFragment(
     uint8_t hs_type, const uint8_t* data, size_t hs_len, DataBuffer* out,
-    uint32_t seq_num, uint32_t fragment_offset, uint32_t fragment_length) {
+    uint64_t seq_num, uint32_t fragment_offset, uint32_t fragment_length) {
   size_t index = 0;
   if (!fragment_length) fragment_length = hs_len;
   index = out->Write(index, hs_type, 1);  // Handshake record type.
   index = out->Write(index, hs_len, 3);   // Handshake length
   if (mode_ == DGRAM) {
     index = out->Write(index, seq_num, 2);
     index = out->Write(index, fragment_offset, 3);
     index = out->Write(index, fragment_length, 3);
--- a/security/nss/external_tests/ssl_gtest/tls_agent.h
+++ b/security/nss/external_tests/ssl_gtest/tls_agent.h
@@ -111,17 +111,17 @@ class TlsAgent : public PollTarget {
   void SetSessionCacheEnabled(bool en);
   void Set0RttEnabled(bool en);
   void SetVersionRange(uint16_t minver, uint16_t maxver);
   void GetVersionRange(uint16_t* minver, uint16_t* maxver);
   void CheckPreliminaryInfo();
   void ResetPreliminaryInfo();
   void SetExpectedVersion(uint16_t version);
   void SetServerKeyBits(uint16_t bits);
-  void SetExpectedReadError(bool err);
+  void ExpectReadWriteError();
   void EnableFalseStart();
   void ExpectResumption();
   void SetSignatureAlgorithms(const SSLSignatureAndHashAlg* algorithms,
                               size_t count);
   void EnableAlpn(const uint8_t* val, size_t len);
   void CheckAlpn(SSLNextProtoState expected_state,
                  const std::string& expected = "") const;
   void EnableSrtp();
@@ -186,17 +186,17 @@ class TlsAgent : public PollTarget {
   }
 
   std::vector<uint8_t> session_id() const {
     return std::vector<uint8_t>(info_.sessionID,
                                 info_.sessionID + info_.sessionIDLength);
   }
 
   size_t received_bytes() const { return recv_ctr_; }
-  int32_t error_code() const { return error_code_; }
+  PRErrorCode error_code() const { return error_code_; }
 
   bool can_falsestart_hook_called() const {
     return can_falsestart_hook_called_;
   }
 
   void SetHandshakeCallback(HandshakeCallbackFunction handshake_callback) {
     handshake_callback_ = handshake_callback;
   }
@@ -326,20 +326,20 @@ class TlsAgent : public PollTarget {
   bool expect_client_auth_;
   bool can_falsestart_hook_called_;
   bool sni_hook_called_;
   bool auth_certificate_hook_called_;
   bool handshake_callback_called_;
   SSLChannelInfo info_;
   SSLCipherSuiteInfo csinfo_;
   SSLVersionRange vrange_;
-  int32_t error_code_;
+  PRErrorCode error_code_;
   size_t send_ctr_;
   size_t recv_ctr_;
-  bool expected_read_error_;
+  bool expect_readwrite_error_;
   HandshakeCallbackFunction handshake_callback_;
   AuthCertificateCallbackFunction auth_certificate_callback_;
   SniCallbackFunction sni_callback_;
 };
 
 class TlsAgentTestBase : public ::testing::Test {
  public:
   static ::testing::internal::ParamGenerator<std::string> kTlsRolesAll;
@@ -351,25 +351,28 @@ class TlsAgentTestBase : public ::testin
       PR_Close(fd_);
     }
   }
 
   void SetUp();
   void TearDown();
 
   void MakeRecord(uint8_t type, uint16_t version, const uint8_t* buf,
-                  size_t len, DataBuffer* out, uint32_t seq_num = 0);
+                  size_t len, DataBuffer* out, uint64_t seq_num = 0);
+  static void MakeRecord(Mode mode, uint8_t type, uint16_t version,
+                         const uint8_t* buf, size_t len, DataBuffer* out,
+                         uint64_t seq_num = 0);
   void MakeHandshakeMessage(uint8_t hs_type, const uint8_t* data, size_t hs_len,
-                            DataBuffer* out, uint32_t seq_num = 0);
+                            DataBuffer* out, uint64_t seq_num = 0);
   void MakeHandshakeMessageFragment(uint8_t hs_type, const uint8_t* data,
                                     size_t hs_len, DataBuffer* out,
-                                    uint32_t seq_num, uint32_t fragment_offset,
+                                    uint64_t seq_num, uint32_t fragment_offset,
                                     uint32_t fragment_length);
-  void MakeTrivialHandshakeRecord(uint8_t hs_type, size_t hs_len,
-                                  DataBuffer* out);
+  static void MakeTrivialHandshakeRecord(uint8_t hs_type, size_t hs_len,
+                                         DataBuffer* out);
   static inline TlsAgent::Role ToRole(const std::string& str) {
     return str == "CLIENT" ? TlsAgent::CLIENT : TlsAgent::SERVER;
   }
 
   static inline Mode ToMode(const std::string& str) {
     return str == "TLS" ? STREAM : DGRAM;
   }
 
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -64,139 +64,16 @@
 #
 BEGINDATA
 CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "Mozilla Builtin Roots"
 
-#
-# Certificate "Equifax Secure CA"
-#
-# Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
-# Serial Number: 903804111 (0x35def4cf)
-# Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
-# Not Valid Before: Sat Aug 22 16:41:51 1998
-# Not Valid After : Wed Aug 22 16:41:51 2018
-# Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
-# Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
-\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
-\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
-\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
-\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
-\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
-\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\065\336\364\317
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\040\060\202\002\211\240\003\002\001\002\002\004\065
-\336\364\317\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\116\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\020\060\016\006\003\125\004\012\023\007\105\161\165\151
-\146\141\170\061\055\060\053\006\003\125\004\013\023\044\105\161
-\165\151\146\141\170\040\123\145\143\165\162\145\040\103\145\162
-\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
-\164\171\060\036\027\015\071\070\060\070\062\062\061\066\064\061
-\065\061\132\027\015\061\070\060\070\062\062\061\066\064\061\065
-\061\132\060\116\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\020\060\016\006\003\125\004\012\023\007\105\161\165\151
-\146\141\170\061\055\060\053\006\003\125\004\013\023\044\105\161
-\165\151\146\141\170\040\123\145\143\165\162\145\040\103\145\162
-\164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
-\164\171\060\201\237\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\301
-\135\261\130\147\010\142\356\240\232\055\037\010\155\221\024\150
-\230\012\036\376\332\004\157\023\204\142\041\303\321\174\316\237
-\005\340\270\001\360\116\064\354\342\212\225\004\144\254\361\153
-\123\137\005\263\313\147\200\277\102\002\216\376\335\001\011\354
-\341\000\024\117\374\373\360\014\335\103\272\133\053\341\037\200
-\160\231\025\127\223\026\361\017\227\152\267\302\150\043\034\314
-\115\131\060\254\121\036\073\257\053\326\356\143\105\173\305\331
-\137\120\322\343\120\017\072\210\347\277\024\375\340\307\271\002
-\003\001\000\001\243\202\001\011\060\202\001\005\060\160\006\003
-\125\035\037\004\151\060\147\060\145\240\143\240\141\244\137\060
-\135\061\013\060\011\006\003\125\004\006\023\002\125\123\061\020
-\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141\170
-\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151\146
-\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151\146
-\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061
-\015\060\013\006\003\125\004\003\023\004\103\122\114\061\060\032
-\006\003\125\035\020\004\023\060\021\201\017\062\060\061\070\060
-\070\062\062\061\066\064\061\065\061\132\060\013\006\003\125\035
-\017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030
-\060\026\200\024\110\346\150\371\053\322\262\225\327\107\330\043
-\040\020\117\063\230\220\237\324\060\035\006\003\125\035\016\004
-\026\004\024\110\346\150\371\053\322\262\225\327\107\330\043\040
-\020\117\063\230\220\237\324\060\014\006\003\125\035\023\004\005
-\060\003\001\001\377\060\032\006\011\052\206\110\206\366\175\007
-\101\000\004\015\060\013\033\005\126\063\056\060\143\003\002\006
-\300\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
-\003\201\201\000\130\316\051\352\374\367\336\265\316\002\271\027
-\265\205\321\271\343\340\225\314\045\061\015\000\246\222\156\177
-\266\222\143\236\120\225\321\232\157\344\021\336\143\205\156\230
-\356\250\377\132\310\323\125\262\146\161\127\336\300\041\353\075
-\052\247\043\111\001\004\206\102\173\374\356\177\242\026\122\265
-\147\147\323\100\333\073\046\130\262\050\167\075\256\024\167\141
-\326\372\052\146\047\240\015\372\247\163\134\352\160\361\224\041
-\145\104\137\372\374\357\051\150\251\242\207\171\357\171\357\117
-\254\007\167\070
-END
-
-# Trust for Certificate "Equifax Secure CA"
-# Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
-# Serial Number: 903804111 (0x35def4cf)
-# Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
-# Not Valid Before: Sat Aug 22 16:41:51 1998
-# Not Valid After : Wed Aug 22 16:41:51 2018
-# Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
-# Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\322\062\011\255\043\323\024\043\041\164\344\015\177\235\142\023
-\227\206\143\072
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\147\313\235\300\023\044\212\202\233\262\027\036\321\033\354\324
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
-\170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
-\146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
-\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\065\336\364\317
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
 # Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements."
 # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Serial Number: 1407252 (0x157914)
 # Subject: CN=*.pb.com,OU=Meters,O=Pitney Bowes,L=Danbury,ST=Connecticut,C=US
 # Not Valid Before: Mon Feb 01 14:54:04 2010
 # Not Valid After : Tue Sep 30 00:00:00 2014
 # Fingerprint (MD5): 8F:46:BE:99:47:6F:93:DC:5C:01:54:50:D0:4A:BD:AC
 # Fingerprint (SHA1): 30:F1:82:CA:1A:5E:4E:4F:F3:6E:D0:E6:38:18:B8:B9:41:CB:5F:8C
@@ -216,279 +93,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\003\025\171\024
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Verisign Class 3 Public Primary Certification Authority"
-#
-# Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
-# Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
-# Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
-# Not Valid Before: Mon Jan 29 00:00:00 1996
-# Not Valid After : Tue Aug 01 23:59:59 2028
-# Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
-# Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314
-\272\277
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\074\060\202\001\245\002\020\160\272\344\035\020\331
-\051\064\266\070\312\173\003\314\272\277\060\015\006\011\052\206
-\110\206\367\015\001\001\002\005\000\060\137\061\013\060\011\006
-\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004
-\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143
-\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141\163
-\163\040\063\040\120\165\142\154\151\143\040\120\162\151\155\141
-\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157\156
-\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071\066
-\060\061\062\071\060\060\060\060\060\060\132\027\015\062\070\060
-\070\060\061\062\063\065\071\065\071\132\060\137\061\013\060\011
-\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
-\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
-\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141
-\163\163\040\063\040\120\165\142\154\151\143\040\120\162\151\155
-\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
-\000\060\201\211\002\201\201\000\311\134\131\236\362\033\212\001
-\024\264\020\337\004\100\333\343\127\257\152\105\100\217\204\014
-\013\321\063\331\331\021\317\356\002\130\037\045\367\052\250\104
-\005\252\354\003\037\170\177\236\223\271\232\000\252\043\175\326
-\254\205\242\143\105\307\162\047\314\364\114\306\165\161\322\071
-\357\117\102\360\165\337\012\220\306\216\040\157\230\017\370\254
-\043\137\160\051\066\244\311\206\347\261\232\040\313\123\245\205
-\347\075\276\175\232\376\044\105\063\334\166\025\355\017\242\161
-\144\114\145\056\201\150\105\247\002\003\001\000\001\060\015\006
-\011\052\206\110\206\367\015\001\001\002\005\000\003\201\201\000
-\273\114\022\053\317\054\046\000\117\024\023\335\246\373\374\012
-\021\204\214\363\050\034\147\222\057\174\266\305\372\337\360\350
-\225\274\035\217\154\054\250\121\314\163\330\244\300\123\360\116
-\326\046\300\166\001\127\201\222\136\041\361\321\261\377\347\320
-\041\130\315\151\027\343\104\034\234\031\104\071\211\134\334\234
-\000\017\126\215\002\231\355\242\220\105\114\344\273\020\244\075
-\360\062\003\016\361\316\370\350\311\121\214\346\142\237\346\237
-\300\175\267\162\234\311\066\072\153\237\116\250\377\144\015\144
-END
-
-# Trust for Certificate "Verisign Class 3 Public Primary Certification Authority"
-# Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
-# Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
-# Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
-# Not Valid Before: Mon Jan 29 00:00:00 1996
-# Not Valid After : Tue Aug 01 23:59:59 2028
-# Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
-# Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\164\054\061\222\346\007\344\044\353\105\111\124\053\341\273\305
-\076\141\164\342
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\020\374\143\135\366\046\076\015\363\045\276\137\171\315\147\147
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\063\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314
-\272\277
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Verisign Class 2 Public Primary Certification Authority - G2"
-#
-# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
-# Serial Number:00:b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
-# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
-# Not Valid Before: Mon May 18 00:00:00 1998
-# Not Valid After : Tue Aug 01 23:59:59 2028
-# Fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
-# Fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 2 Public Primary Certification Authority - G2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160
-\154\212\257
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\003\060\202\002\154\002\021\000\271\057\140\314\210
-\237\241\172\106\011\270\133\160\154\212\257\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\060\201\301\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003
-\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111
-\156\143\056\061\074\060\072\006\003\125\004\013\023\063\103\154
-\141\163\163\040\062\040\120\165\142\154\151\143\040\120\162\151
-\155\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107
-\062\061\072\060\070\006\003\125\004\013\023\061\050\143\051\040
-\061\071\071\070\040\126\145\162\151\123\151\147\156\054\040\111
-\156\143\056\040\055\040\106\157\162\040\141\165\164\150\157\162
-\151\172\145\144\040\165\163\145\040\157\156\154\171\061\037\060
-\035\006\003\125\004\013\023\026\126\145\162\151\123\151\147\156
-\040\124\162\165\163\164\040\116\145\164\167\157\162\153\060\036
-\027\015\071\070\060\065\061\070\060\060\060\060\060\060\132\027
-\015\062\070\060\070\060\061\062\063\065\071\065\071\132\060\201
-\301\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027
-\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147
-\156\054\040\111\156\143\056\061\074\060\072\006\003\125\004\013
-\023\063\103\154\141\163\163\040\062\040\120\165\142\154\151\143
-\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146\151
-\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
-\040\055\040\107\062\061\072\060\070\006\003\125\004\013\023\061
-\050\143\051\040\061\071\071\070\040\126\145\162\151\123\151\147
-\156\054\040\111\156\143\056\040\055\040\106\157\162\040\141\165
-\164\150\157\162\151\172\145\144\040\165\163\145\040\157\156\154
-\171\061\037\060\035\006\003\125\004\013\023\026\126\145\162\151
-\123\151\147\156\040\124\162\165\163\164\040\116\145\164\167\157
-\162\153\060\201\237\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\247
-\210\001\041\164\054\347\032\003\360\230\341\227\074\017\041\010
-\361\234\333\227\351\232\374\302\004\006\023\276\137\122\310\314
-\036\054\022\126\054\270\001\151\054\314\231\037\255\260\226\256
-\171\004\362\023\071\301\173\230\272\010\054\350\302\204\023\054
-\252\151\351\011\364\307\251\002\244\102\302\043\117\112\330\360
-\016\242\373\061\154\311\346\157\231\047\007\365\346\364\114\170
-\236\155\353\106\206\372\271\206\311\124\362\262\304\257\324\106
-\034\132\311\025\060\377\015\154\365\055\016\155\316\177\167\002
-\003\001\000\001\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\003\201\201\000\162\056\371\177\321\361\161\373\304
-\236\366\305\136\121\212\100\230\270\150\370\233\034\203\330\342
-\235\275\377\355\241\346\146\352\057\011\364\312\327\352\245\053
-\225\366\044\140\206\115\104\056\203\245\304\055\240\323\256\170
-\151\157\162\332\154\256\010\360\143\222\067\346\273\304\060\027
-\255\167\314\111\065\252\317\330\217\321\276\267\030\226\107\163
-\152\124\042\064\144\055\266\026\233\131\133\264\121\131\072\263
-\013\024\364\022\337\147\240\364\255\062\144\136\261\106\162\047
-\214\022\173\305\104\264\256
-END
-
-# Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G2"
-# Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
-# Serial Number:00:b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
-# Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
-# Not Valid Before: Mon May 18 00:00:00 1998
-# Not Valid After : Tue Aug 01 23:59:59 2028
-# Fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
-# Fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 2 Public Primary Certification Authority - G2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\263\352\304\107\166\311\310\034\352\362\235\225\266\314\240\010
-\033\147\354\235
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\055\273\345\045\323\321\145\202\072\267\016\372\346\353\342\341
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\301\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\061\074\060\072\006\003\125
-\004\013\023\063\103\154\141\163\163\040\062\040\120\165\142\154
-\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\055\040\107\062\061\072\060\070\006\003\125\004\013
-\023\061\050\143\051\040\061\071\071\070\040\126\145\162\151\123
-\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162\040
-\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
-\156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
-\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-\167\157\162\153
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160
-\154\212\257
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "GlobalSign Root CA"
 #
 # Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
 # Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94
 # Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
 # Not Valid Before: Tue Sep 01 12:00:00 1998
 # Not Valid After : Fri Jan 28 12:00:00 2028
 # Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A
@@ -1637,249 +1251,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\002\000\000\271
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Equifax Secure Global eBusiness CA"
-#
-# Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
-# Not Valid Before: Mon Jun 21 04:00:00 1999
-# Not Valid After : Sun Jun 21 04:00:00 2020
-# Fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
-# Fingerprint (SHA1): 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure Global eBusiness CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060
-\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040
-\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102
-\165\163\151\156\145\163\163\040\103\101\055\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060
-\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040
-\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102
-\165\163\151\156\145\163\163\040\103\101\055\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\220\060\202\001\371\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034
-\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141\170
-\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060\053
-\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040\123
-\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102\165
-\163\151\156\145\163\163\040\103\101\055\061\060\036\027\015\071
-\071\060\066\062\061\060\064\060\060\060\060\132\027\015\062\060
-\060\066\062\061\060\064\060\060\060\060\132\060\132\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\034\060\032\006\003
-\125\004\012\023\023\105\161\165\151\146\141\170\040\123\145\143
-\165\162\145\040\111\156\143\056\061\055\060\053\006\003\125\004
-\003\023\044\105\161\165\151\146\141\170\040\123\145\143\165\162
-\145\040\107\154\157\142\141\154\040\145\102\165\163\151\156\145
-\163\163\040\103\101\055\061\060\201\237\060\015\006\011\052\206
-\110\206\367\015\001\001\001\005\000\003\201\215\000\060\201\211
-\002\201\201\000\272\347\027\220\002\145\261\064\125\074\111\302
-\121\325\337\247\321\067\217\321\347\201\163\101\122\140\233\235
-\241\027\046\170\255\307\261\350\046\224\062\265\336\063\215\072
-\057\333\362\232\172\132\163\230\243\134\351\373\212\163\033\134
-\347\303\277\200\154\315\251\364\326\053\300\367\371\231\252\143
-\242\261\107\002\017\324\344\121\072\022\074\154\212\132\124\204
-\160\333\301\305\220\317\162\105\313\250\131\300\315\063\235\077
-\243\226\353\205\063\041\034\076\036\076\140\156\166\234\147\205
-\305\310\303\141\002\003\001\000\001\243\146\060\144\060\021\006
-\011\140\206\110\001\206\370\102\001\001\004\004\003\002\000\007
-\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
-\377\060\037\006\003\125\035\043\004\030\060\026\200\024\276\250
-\240\164\162\120\153\104\267\311\043\330\373\250\377\263\127\153
-\150\154\060\035\006\003\125\035\016\004\026\004\024\276\250\240
-\164\162\120\153\104\267\311\043\330\373\250\377\263\127\153\150
-\154\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000
-\003\201\201\000\060\342\001\121\252\307\352\137\332\271\320\145
-\017\060\326\076\332\015\024\111\156\221\223\047\024\061\357\304
-\367\055\105\370\354\307\277\242\101\015\043\264\222\371\031\000
-\147\275\001\257\315\340\161\374\132\317\144\304\340\226\230\320
-\243\100\342\001\212\357\047\007\361\145\001\212\104\055\006\145
-\165\122\300\206\020\040\041\137\154\153\017\154\256\011\034\257
-\362\242\030\064\304\165\244\163\034\361\215\334\357\255\371\263
-\166\264\222\277\334\225\020\036\276\313\310\073\132\204\140\031
-\126\224\251\125
-END
-
-# Trust for Certificate "Equifax Secure Global eBusiness CA"
-# Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
-# Not Valid Before: Mon Jun 21 04:00:00 1999
-# Not Valid After : Sun Jun 21 04:00:00 2020
-# Fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
-# Fingerprint (SHA1): 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure Global eBusiness CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\176\170\112\020\034\202\145\314\055\341\361\155\107\264\100\312
-\331\012\031\105
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\217\135\167\006\047\304\230\074\133\223\170\347\327\175\233\314
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\040\111\156\143\056\061\055\060
-\053\006\003\125\004\003\023\044\105\161\165\151\146\141\170\040
-\123\145\143\165\162\145\040\107\154\157\142\141\154\040\145\102
-\165\163\151\156\145\163\163\040\103\101\055\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Equifax Secure eBusiness CA 1"
-#
-# Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
-# Serial Number: 4 (0x4)
-# Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
-# Not Valid Before: Mon Jun 21 04:00:00 1999
-# Not Valid After : Sun Jun 21 04:00:00 2020
-# Fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
-# Fingerprint (SHA1): DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure eBusiness CA 1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060
-\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040
-\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163
-\040\103\101\055\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060
-\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040
-\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163
-\040\103\101\055\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\004
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\202\060\202\001\353\240\003\002\001\002\002\001\004
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034
-\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141\170
-\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060\044
-\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040\123
-\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163\040
-\103\101\055\061\060\036\027\015\071\071\060\066\062\061\060\064
-\060\060\060\060\132\027\015\062\060\060\066\062\061\060\064\060
-\060\060\060\132\060\123\061\013\060\011\006\003\125\004\006\023
-\002\125\123\061\034\060\032\006\003\125\004\012\023\023\105\161
-\165\151\146\141\170\040\123\145\143\165\162\145\040\111\156\143
-\056\061\046\060\044\006\003\125\004\003\023\035\105\161\165\151
-\146\141\170\040\123\145\143\165\162\145\040\145\102\165\163\151
-\156\145\163\163\040\103\101\055\061\060\201\237\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
-\201\211\002\201\201\000\316\057\031\274\027\267\167\336\223\251
-\137\132\015\027\117\064\032\014\230\364\042\331\131\324\304\150
-\106\360\264\065\305\205\003\040\306\257\105\245\041\121\105\101
-\353\026\130\066\062\157\342\120\142\144\371\375\121\234\252\044
-\331\364\235\203\052\207\012\041\323\022\070\064\154\215\000\156
-\132\240\331\102\356\032\041\225\371\122\114\125\132\305\017\070
-\117\106\372\155\370\056\065\326\035\174\353\342\360\260\165\200
-\310\251\023\254\276\210\357\072\156\253\137\052\070\142\002\260
-\022\173\376\217\246\003\002\003\001\000\001\243\146\060\144\060
-\021\006\011\140\206\110\001\206\370\102\001\001\004\004\003\002
-\000\007\060\017\006\003\125\035\023\001\001\377\004\005\060\003
-\001\001\377\060\037\006\003\125\035\043\004\030\060\026\200\024
-\112\170\062\122\021\333\131\026\066\136\337\301\024\066\100\152
-\107\174\114\241\060\035\006\003\125\035\016\004\026\004\024\112
-\170\062\122\021\333\131\026\066\136\337\301\024\066\100\152\107
-\174\114\241\060\015\006\011\052\206\110\206\367\015\001\001\004
-\005\000\003\201\201\000\165\133\250\233\003\021\346\351\126\114
-\315\371\251\114\300\015\232\363\314\145\151\346\045\166\314\131
-\267\326\124\303\035\315\231\254\031\335\264\205\325\340\075\374
-\142\040\247\204\113\130\145\361\342\371\225\041\077\365\324\176
-\130\036\107\207\124\076\130\241\265\265\370\052\357\161\347\274
-\303\366\261\111\106\342\327\240\153\345\126\172\232\047\230\174
-\106\142\024\347\311\374\156\003\022\171\200\070\035\110\202\215
-\374\027\376\052\226\053\265\142\246\246\075\275\177\222\131\315
-\132\052\202\262\067\171
-END
-
-# Trust for Certificate "Equifax Secure eBusiness CA 1"
-# Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
-# Serial Number: 4 (0x4)
-# Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
-# Not Valid Before: Mon Jun 21 04:00:00 1999
-# Not Valid After : Sun Jun 21 04:00:00 2020
-# Fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
-# Fingerprint (SHA1): DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Equifax Secure eBusiness CA 1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\332\100\030\213\221\211\243\355\356\256\332\227\376\057\235\365
-\267\321\212\101
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\144\234\357\056\104\374\306\217\122\007\320\121\163\217\313\075
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\123\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\105\161\165\151\146\141
-\170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060
-\044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040
-\123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163
-\040\103\101\055\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\004
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "AddTrust Low-Value Services Root"
 #
 # Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Serial Number: 1 (0x1)
 # Subject: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Not Valid Before: Tue May 30 10:38:31 2000
 # Not Valid After : Sat May 30 10:38:31 2020
 # Fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
@@ -9824,183 +9205,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \337\232
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "S-TRUST Authentication and Encryption Root CA 2005 PN"
-#
-# Issuer: CN=S-TRUST Authentication and Encryption Root CA 2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
-# Serial Number:37:19:18:e6:53:54:7c:1a:b5:b8:cb:59:5a:db:35:b7
-# Subject: CN=S-TRUST Authentication and Encryption Root CA 2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
-# Not Valid Before: Wed Jun 22 00:00:00 2005
-# Not Valid After : Fri Jun 21 23:59:59 2030
-# Fingerprint (MD5): 04:4B:FD:C9:6C:DA:2A:32:85:7C:59:84:61:46:8A:64
-# Fingerprint (SHA1): BE:B5:A9:95:74:6B:9E:DF:73:8B:56:E6:DF:43:7A:77:BE:10:6B:81
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "S-TRUST Authentication and Encryption Root CA 2005 PN"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\256\061\013\060\011\006\003\125\004\006\023\002\104\105
-\061\040\060\036\006\003\125\004\010\023\027\102\141\144\145\156
-\055\127\165\145\162\164\164\145\155\142\145\162\147\040\050\102
-\127\051\061\022\060\020\006\003\125\004\007\023\011\123\164\165
-\164\164\147\141\162\164\061\051\060\047\006\003\125\004\012\023
-\040\104\145\165\164\163\143\150\145\162\040\123\160\141\162\153
-\141\163\163\145\156\040\126\145\162\154\141\147\040\107\155\142
-\110\061\076\060\074\006\003\125\004\003\023\065\123\055\124\122
-\125\123\124\040\101\165\164\150\145\156\164\151\143\141\164\151
-\157\156\040\141\156\144\040\105\156\143\162\171\160\164\151\157
-\156\040\122\157\157\164\040\103\101\040\062\060\060\065\072\120
-\116
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\256\061\013\060\011\006\003\125\004\006\023\002\104\105
-\061\040\060\036\006\003\125\004\010\023\027\102\141\144\145\156
-\055\127\165\145\162\164\164\145\155\142\145\162\147\040\050\102
-\127\051\061\022\060\020\006\003\125\004\007\023\011\123\164\165
-\164\164\147\141\162\164\061\051\060\047\006\003\125\004\012\023
-\040\104\145\165\164\163\143\150\145\162\040\123\160\141\162\153
-\141\163\163\145\156\040\126\145\162\154\141\147\040\107\155\142
-\110\061\076\060\074\006\003\125\004\003\023\065\123\055\124\122
-\125\123\124\040\101\165\164\150\145\156\164\151\143\141\164\151
-\157\156\040\141\156\144\040\105\156\143\162\171\160\164\151\157
-\156\040\122\157\157\164\040\103\101\040\062\060\060\065\072\120
-\116
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\067\031\030\346\123\124\174\032\265\270\313\131\132\333
-\065\267
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\173\060\202\003\143\240\003\002\001\002\002\020\067
-\031\030\346\123\124\174\032\265\270\313\131\132\333\065\267\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
-\256\061\013\060\011\006\003\125\004\006\023\002\104\105\061\040
-\060\036\006\003\125\004\010\023\027\102\141\144\145\156\055\127
-\165\145\162\164\164\145\155\142\145\162\147\040\050\102\127\051
-\061\022\060\020\006\003\125\004\007\023\011\123\164\165\164\164
-\147\141\162\164\061\051\060\047\006\003\125\004\012\023\040\104
-\145\165\164\163\143\150\145\162\040\123\160\141\162\153\141\163
-\163\145\156\040\126\145\162\154\141\147\040\107\155\142\110\061
-\076\060\074\006\003\125\004\003\023\065\123\055\124\122\125\123
-\124\040\101\165\164\150\145\156\164\151\143\141\164\151\157\156
-\040\141\156\144\040\105\156\143\162\171\160\164\151\157\156\040
-\122\157\157\164\040\103\101\040\062\060\060\065\072\120\116\060
-\036\027\015\060\065\060\066\062\062\060\060\060\060\060\060\132
-\027\015\063\060\060\066\062\061\062\063\065\071\065\071\132\060
-\201\256\061\013\060\011\006\003\125\004\006\023\002\104\105\061
-\040\060\036\006\003\125\004\010\023\027\102\141\144\145\156\055
-\127\165\145\162\164\164\145\155\142\145\162\147\040\050\102\127
-\051\061\022\060\020\006\003\125\004\007\023\011\123\164\165\164
-\164\147\141\162\164\061\051\060\047\006\003\125\004\012\023\040
-\104\145\165\164\163\143\150\145\162\040\123\160\141\162\153\141
-\163\163\145\156\040\126\145\162\154\141\147\040\107\155\142\110
-\061\076\060\074\006\003\125\004\003\023\065\123\055\124\122\125
-\123\124\040\101\165\164\150\145\156\164\151\143\141\164\151\157
-\156\040\141\156\144\040\105\156\143\162\171\160\164\151\157\156
-\040\122\157\157\164\040\103\101\040\062\060\060\065\072\120\116
-\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001
-\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001
-\000\331\265\112\301\323\063\352\323\106\263\321\342\114\322\365
-\266\203\320\157\325\030\351\223\257\047\216\023\315\265\045\066
-\120\064\022\144\051\241\125\341\072\140\223\236\050\311\343\363
-\233\341\004\260\043\277\225\212\216\133\033\101\177\132\303\350
-\115\114\325\044\026\076\207\110\324\047\256\346\367\123\035\273
-\014\000\357\076\141\161\255\277\072\172\130\037\224\075\134\201
-\325\325\157\337\270\233\322\365\345\313\203\162\222\302\123\262
-\202\002\353\255\255\137\026\055\222\123\166\361\211\266\054\365
-\301\057\340\247\112\157\240\060\152\062\353\232\164\003\150\170
-\023\235\312\057\233\013\035\276\317\165\015\046\227\233\307\365
-\136\012\237\170\337\263\274\354\232\272\357\125\217\033\232\246
-\007\143\051\027\131\142\011\052\171\007\167\245\340\321\027\151
-\351\133\335\366\220\253\342\230\012\000\321\045\155\236\327\205
-\207\057\222\361\321\166\203\117\013\072\131\067\050\057\063\247
-\027\120\326\040\013\012\364\046\371\237\070\347\055\244\270\233
-\211\215\255\255\311\152\175\211\027\273\366\177\200\203\172\346
-\355\002\003\001\000\001\243\201\222\060\201\217\060\022\006\003
-\125\035\023\001\001\377\004\010\060\006\001\001\377\002\001\000
-\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006
-\060\051\006\003\125\035\021\004\042\060\040\244\036\060\034\061
-\032\060\030\006\003\125\004\003\023\021\123\124\122\157\156\154
-\151\156\145\061\055\062\060\064\070\055\065\060\035\006\003\125
-\035\016\004\026\004\024\017\312\036\134\171\340\242\363\051\266
-\322\205\263\013\112\265\145\354\153\122\060\037\006\003\125\035
-\043\004\030\060\026\200\024\017\312\036\134\171\340\242\363\051
-\266\322\205\263\013\112\265\145\354\153\122\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000\257
-\001\360\355\031\074\050\350\115\134\273\245\143\034\210\063\003
-\247\000\207\244\037\040\253\326\034\343\006\037\227\176\124\275
-\267\321\262\311\325\332\200\354\027\327\212\365\173\302\000\366
-\351\021\157\204\240\132\045\061\342\211\371\244\000\077\061\150
-\056\325\075\350\156\346\325\035\074\077\262\275\237\167\353\235
-\323\214\272\300\327\266\115\354\123\234\017\004\156\352\065\147
-\127\343\012\145\173\220\072\341\117\076\303\000\222\172\273\005
-\211\163\214\313\246\115\300\373\366\002\326\260\007\243\003\302
-\047\100\237\014\344\205\202\055\257\232\102\035\320\307\215\370
-\100\356\235\006\127\034\331\242\330\200\024\376\341\143\055\062
-\207\325\224\122\226\072\106\306\161\226\075\367\230\016\262\221
-\252\217\332\364\116\044\000\071\125\350\255\027\271\323\064\053
-\112\251\100\314\027\052\125\145\101\164\102\176\365\300\257\310
-\223\255\362\030\133\075\211\014\333\107\071\044\370\340\114\362
-\037\260\075\012\312\005\116\211\041\032\343\052\231\254\374\177
-\241\361\017\033\037\075\236\004\203\335\226\331\035\072\224
-END
-
-# Trust for Certificate "S-TRUST Authentication and Encryption Root CA 2005 PN"
-# Issuer: CN=S-TRUST Authentication and Encryption Root CA 2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
-# Serial Number:37:19:18:e6:53:54:7c:1a:b5:b8:cb:59:5a:db:35:b7
-# Subject: CN=S-TRUST Authentication and Encryption Root CA 2005:PN,O=Deutscher Sparkassen Verlag GmbH,L=Stuttgart,ST=Baden-Wuerttemberg (BW),C=DE
-# Not Valid Before: Wed Jun 22 00:00:00 2005
-# Not Valid After : Fri Jun 21 23:59:59 2030
-# Fingerprint (MD5): 04:4B:FD:C9:6C:DA:2A:32:85:7C:59:84:61:46:8A:64
-# Fingerprint (SHA1): BE:B5:A9:95:74:6B:9E:DF:73:8B:56:E6:DF:43:7A:77:BE:10:6B:81
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "S-TRUST Authentication and Encryption Root CA 2005 PN"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\276\265\251\225\164\153\236\337\163\213\126\346\337\103\172\167
-\276\020\153\201
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\004\113\375\311\154\332\052\062\205\174\131\204\141\106\212\144
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\256\061\013\060\011\006\003\125\004\006\023\002\104\105
-\061\040\060\036\006\003\125\004\010\023\027\102\141\144\145\156
-\055\127\165\145\162\164\164\145\155\142\145\162\147\040\050\102
-\127\051\061\022\060\020\006\003\125\004\007\023\011\123\164\165
-\164\164\147\141\162\164\061\051\060\047\006\003\125\004\012\023
-\040\104\145\165\164\163\143\150\145\162\040\123\160\141\162\153
-\141\163\163\145\156\040\126\145\162\154\141\147\040\107\155\142
-\110\061\076\060\074\006\003\125\004\003\023\065\123\055\124\122
-\125\123\124\040\101\165\164\150\145\156\164\151\143\141\164\151
-\157\156\040\141\156\144\040\105\156\143\162\171\160\164\151\157
-\156\040\122\157\157\164\040\103\101\040\062\060\060\065\072\120
-\116
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\067\031\030\346\123\124\174\032\265\270\313\131\132\333
-\065\267
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Microsec e-Szigno Root CA"
 #
 # Issuer: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
 # Serial Number:00:cc:b8:e7:bf:4e:29:1a:fd:a2:dc:66:a5:1c:2c:0f:11
 # Subject: CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
 # Not Valid Before: Wed Apr 06 12:28:44 2005
 # Not Valid After : Thu Apr 06 12:28:44 2017
 # Fingerprint (MD5): F0:96:B6:2F:C5:10:D5:67:8E:83:25:32:E8:5E:2E:E5
@@ -11685,195 +10899,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "EBG Elektronik Sertifika Hizmet Saglayicisi"
-#
-# Issuer: C=TR,O=EBG Bili..im Teknolojileri ve Hizmetleri A....,CN=EBG Elektronik Sertifika Hizmet Sa..lay..c..s..
-# Serial Number:4c:af:73:42:1c:8e:74:02
-# Subject: C=TR,O=EBG Bili..im Teknolojileri ve Hizmetleri A....,CN=EBG Elektronik Sertifika Hizmet Sa..lay..c..s..
-# Not Valid Before: Thu Aug 17 00:21:09 2006
-# Not Valid After : Sun Aug 14 00:31:09 2016
-# Fingerprint (MD5): 2C:20:26:9D:CB:1A:4A:00:85:B5:B7:5A:AE:C2:01:37
-# Fingerprint (SHA1): 8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "EBG Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xc4\xb1\x63\xc4\xb1s\xc4\xb1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\200\061\070\060\066\006\003\125\004\003\014\057\105\102
-\107\040\105\154\145\153\164\162\157\156\151\153\040\123\145\162
-\164\151\146\151\153\141\040\110\151\172\155\145\164\040\123\141
-\304\237\154\141\171\304\261\143\304\261\163\304\261\061\067\060
-\065\006\003\125\004\012\014\056\105\102\107\040\102\151\154\151
-\305\237\151\155\040\124\145\153\156\157\154\157\152\151\154\145
-\162\151\040\166\145\040\110\151\172\155\145\164\154\145\162\151
-\040\101\056\305\236\056\061\013\060\011\006\003\125\004\006\023
-\002\124\122
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\200\061\070\060\066\006\003\125\004\003\014\057\105\102
-\107\040\105\154\145\153\164\162\157\156\151\153\040\123\145\162
-\164\151\146\151\153\141\040\110\151\172\155\145\164\040\123\141
-\304\237\154\141\171\304\261\143\304\261\163\304\261\061\067\060
-\065\006\003\125\004\012\014\056\105\102\107\040\102\151\154\151
-\305\237\151\155\040\124\145\153\156\157\154\157\152\151\154\145
-\162\151\040\166\145\040\110\151\172\155\145\164\154\145\162\151
-\040\101\056\305\236\056\061\013\060\011\006\003\125\004\006\023
-\002\124\122
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\010\114\257\163\102\034\216\164\002
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\347\060\202\003\317\240\003\002\001\002\002\010\114
-\257\163\102\034\216\164\002\060\015\006\011\052\206\110\206\367
-\015\001\001\005\005\000\060\201\200\061\070\060\066\006\003\125
-\004\003\014\057\105\102\107\040\105\154\145\153\164\162\157\156
-\151\153\040\123\145\162\164\151\146\151\153\141\040\110\151\172
-\155\145\164\040\123\141\304\237\154\141\171\304\261\143\304\261
-\163\304\261\061\067\060\065\006\003\125\004\012\014\056\105\102
-\107\040\102\151\154\151\305\237\151\155\040\124\145\153\156\157
-\154\157\152\151\154\145\162\151\040\166\145\040\110\151\172\155
-\145\164\154\145\162\151\040\101\056\305\236\056\061\013\060\011
-\006\003\125\004\006\023\002\124\122\060\036\027\015\060\066\060
-\070\061\067\060\060\062\061\060\071\132\027\015\061\066\060\070
-\061\064\060\060\063\061\060\071\132\060\201\200\061\070\060\066
-\006\003\125\004\003\014\057\105\102\107\040\105\154\145\153\164
-\162\157\156\151\153\040\123\145\162\164\151\146\151\153\141\040
-\110\151\172\155\145\164\040\123\141\304\237\154\141\171\304\261
-\143\304\261\163\304\261\061\067\060\065\006\003\125\004\012\014
-\056\105\102\107\040\102\151\154\151\305\237\151\155\040\124\145
-\153\156\157\154\157\152\151\154\145\162\151\040\166\145\040\110
-\151\172\155\145\164\154\145\162\151\040\101\056\305\236\056\061
-\013\060\011\006\003\125\004\006\023\002\124\122\060\202\002\042
-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
-\202\002\017\000\060\202\002\012\002\202\002\001\000\356\240\204
-\141\320\072\152\146\020\062\330\061\070\177\247\247\345\375\241
-\341\373\227\167\270\161\226\350\023\226\106\203\117\266\362\137
-\162\126\156\023\140\245\001\221\342\133\305\315\127\037\167\143
-\121\377\057\075\333\271\077\252\251\065\347\171\320\365\320\044
-\266\041\352\353\043\224\376\051\277\373\211\221\014\144\232\005
-\112\053\314\014\356\361\075\233\202\151\244\114\370\232\157\347
-\042\332\020\272\137\222\374\030\047\012\250\252\104\372\056\054
-\264\373\106\232\010\003\203\162\253\210\344\152\162\311\345\145
-\037\156\052\017\235\263\350\073\344\014\156\172\332\127\375\327
-\353\171\213\136\040\006\323\166\013\154\002\225\243\226\344\313
-\166\121\321\050\235\241\032\374\104\242\115\314\172\166\250\015
-\075\277\027\117\042\210\120\375\256\266\354\220\120\112\133\237
-\225\101\252\312\017\262\112\376\200\231\116\243\106\025\253\370
-\163\102\152\302\146\166\261\012\046\025\335\223\222\354\333\251
-\137\124\042\122\221\160\135\023\352\110\354\156\003\154\331\335
-\154\374\353\015\003\377\246\203\022\233\361\251\223\017\305\046
-\114\061\262\143\231\141\162\347\052\144\231\322\270\351\165\342
-\174\251\251\232\032\252\303\126\333\020\232\074\203\122\266\173
-\226\267\254\207\167\250\271\362\147\013\224\103\263\257\076\163
-\372\102\066\261\045\305\012\061\046\067\126\147\272\243\013\175
-\326\367\211\315\147\241\267\072\036\146\117\366\240\125\024\045
-\114\054\063\015\246\101\214\275\004\061\152\020\162\012\235\016
-\056\166\275\136\363\121\211\213\250\077\125\163\277\333\072\306
-\044\005\226\222\110\252\113\215\052\003\345\127\221\020\364\152
-\050\025\156\107\167\204\134\121\164\237\031\351\346\036\143\026
-\071\343\021\025\343\130\032\104\275\313\304\154\146\327\204\006
-\337\060\364\067\242\103\042\171\322\020\154\337\273\346\023\021
-\374\235\204\012\023\173\360\073\320\374\243\012\327\211\352\226
-\176\215\110\205\036\144\137\333\124\242\254\325\172\002\171\153
-\322\212\360\147\332\145\162\015\024\160\344\351\216\170\217\062
-\164\174\127\362\326\326\364\066\211\033\370\051\154\213\271\366
-\227\321\244\056\252\276\013\031\302\105\351\160\135\002\003\000
-\235\331\243\143\060\141\060\017\006\003\125\035\023\001\001\377
-\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001\001
-\377\004\004\003\002\001\006\060\035\006\003\125\035\016\004\026
-\004\024\347\316\306\117\374\026\147\226\372\112\243\007\301\004
-\247\313\152\336\332\107\060\037\006\003\125\035\043\004\030\060
-\026\200\024\347\316\306\117\374\026\147\226\372\112\243\007\301
-\004\247\313\152\336\332\107\060\015\006\011\052\206\110\206\367
-\015\001\001\005\005\000\003\202\002\001\000\233\230\232\135\276
-\363\050\043\166\306\154\367\177\346\100\236\300\066\334\225\015
-\035\255\025\305\066\330\325\071\357\362\036\042\136\263\202\264
-\135\273\114\032\312\222\015\337\107\044\036\263\044\332\221\210
-\351\203\160\335\223\327\351\272\263\337\026\132\076\336\340\310
-\373\323\375\154\051\370\025\106\240\150\046\314\223\122\256\202
-\001\223\220\312\167\312\115\111\357\342\132\331\052\275\060\316
-\114\262\201\266\060\316\131\117\332\131\035\152\172\244\105\260
-\202\046\201\206\166\365\365\020\000\270\356\263\011\350\117\207
-\002\007\256\044\134\360\137\254\012\060\314\212\100\240\163\004
-\301\373\211\044\366\232\034\134\267\074\012\147\066\005\010\061
-\263\257\330\001\150\052\340\170\217\164\336\270\121\244\214\154
-\040\075\242\373\263\324\011\375\173\302\200\252\223\154\051\230
-\041\250\273\026\363\251\022\137\164\265\207\230\362\225\046\337
-\064\357\212\123\221\210\135\032\224\243\077\174\042\370\327\210
-\272\246\214\226\250\075\122\064\142\237\000\036\124\125\102\147
-\306\115\106\217\273\024\105\075\012\226\026\216\020\241\227\231
-\325\323\060\205\314\336\264\162\267\274\212\074\030\051\150\375
-\334\161\007\356\044\071\152\372\355\245\254\070\057\371\036\020
-\016\006\161\032\020\114\376\165\176\377\036\127\071\102\312\327
-\341\025\241\126\125\131\033\321\243\257\021\330\116\303\245\053
-\357\220\277\300\354\202\023\133\215\326\162\054\223\116\217\152
-\051\337\205\074\323\015\340\242\030\022\314\125\057\107\267\247
-\233\002\376\101\366\210\114\155\332\251\001\107\203\144\047\142
-\020\202\326\022\173\136\003\037\064\251\311\221\376\257\135\155
-\206\047\267\043\252\165\030\312\040\347\260\017\327\211\016\246
-\147\042\143\364\203\101\053\006\113\273\130\325\321\327\267\271
-\020\143\330\211\112\264\252\335\026\143\365\156\276\140\241\370
-\355\350\326\220\117\032\306\305\240\051\323\247\041\250\365\132
-\074\367\307\111\242\041\232\112\225\122\040\226\162\232\146\313
-\367\322\206\103\174\042\276\226\371\275\001\250\107\335\345\073
-\100\371\165\053\233\053\106\144\206\215\036\364\217\373\007\167
-\320\352\111\242\034\215\122\024\246\012\223
-END
-
-# Trust for Certificate "EBG Elektronik Sertifika Hizmet Saglayicisi"
-# Issuer: C=TR,O=EBG Bili..im Teknolojileri ve Hizmetleri A....,CN=EBG Elektronik Sertifika Hizmet Sa..lay..c..s..
-# Serial Number:4c:af:73:42:1c:8e:74:02
-# Subject: C=TR,O=EBG Bili..im Teknolojileri ve Hizmetleri A....,CN=EBG Elektronik Sertifika Hizmet Sa..lay..c..s..
-# Not Valid Before: Thu Aug 17 00:21:09 2006
-# Not Valid After : Sun Aug 14 00:31:09 2016
-# Fingerprint (MD5): 2C:20:26:9D:CB:1A:4A:00:85:B5:B7:5A:AE:C2:01:37
-# Fingerprint (SHA1): 8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "EBG Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xc4\xb1\x63\xc4\xb1s\xc4\xb1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\214\226\272\353\335\053\007\007\110\356\060\062\146\240\363\230
-\156\174\256\130
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\054\040\046\235\313\032\112\000\205\265\267\132\256\302\001\067
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\200\061\070\060\066\006\003\125\004\003\014\057\105\102
-\107\040\105\154\145\153\164\162\157\156\151\153\040\123\145\162
-\164\151\146\151\153\141\040\110\151\172\155\145\164\040\123\141
-\304\237\154\141\171\304\261\143\304\261\163\304\261\061\067\060
-\065\006\003\125\004\012\014\056\105\102\107\040\102\151\154\151
-\305\237\151\155\040\124\145\153\156\157\154\157\152\151\154\145
-\162\151\040\166\145\040\110\151\172\155\145\164\154\145\162\151
-\040\101\056\305\236\056\061\013\060\011\006\003\125\004\006\023
-\002\124\122
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\010\114\257\163\102\034\216\164\002
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "certSIGN ROOT CA"
 #
 # Issuer: OU=certSIGN ROOT CA,O=certSIGN,C=RO
 # Serial Number:20:06:05:16:70:02
 # Subject: OU=certSIGN ROOT CA,O=certSIGN,C=RO
 # Not Valid Before: Tue Jul 04 17:20:04 2006
 # Not Valid After : Fri Jul 04 17:20:04 2031
 # Fingerprint (MD5): 18:98:C0:D6:E9:3A:FC:F9:B0:F5:0C:F7:4B:01:44:17
@@ -13465,170 +12500,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\000\230\226\214
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Juur-SK"
-#
-# Issuer: CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,E=pki@sk.ee
-# Serial Number: 999181308 (0x3b8e4bfc)
-# Subject: CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,E=pki@sk.ee
-# Not Valid Before: Thu Aug 30 14:23:01 2001
-# Not Valid After : Fri Aug 26 14:23:01 2016
-# Fingerprint (MD5): AA:8E:5D:D9:F8:DB:0A:58:B7:8D:26:87:6C:82:35:55
-# Fingerprint (SHA1): 40:9D:4B:D9:17:B5:5C:27:B6:9B:64:CB:98:22:44:0D:CD:09:B8:89
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Juur-SK"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\135\061\030\060\026\006\011\052\206\110\206\367\015\001\011
-\001\026\011\160\153\151\100\163\153\056\145\145\061\013\060\011
-\006\003\125\004\006\023\002\105\105\061\042\060\040\006\003\125
-\004\012\023\031\101\123\040\123\145\162\164\151\146\151\164\163
-\145\145\162\151\155\151\163\153\145\163\153\165\163\061\020\060
-\016\006\003\125\004\003\023\007\112\165\165\162\055\123\113
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\135\061\030\060\026\006\011\052\206\110\206\367\015\001\011
-\001\026\011\160\153\151\100\163\153\056\145\145\061\013\060\011
-\006\003\125\004\006\023\002\105\105\061\042\060\040\006\003\125
-\004\012\023\031\101\123\040\123\145\162\164\151\146\151\164\163
-\145\145\162\151\155\151\163\153\145\163\153\165\163\061\020\060
-\016\006\003\125\004\003\023\007\112\165\165\162\055\123\113
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\073\216\113\374
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\346\060\202\003\316\240\003\002\001\002\002\004\073
-\216\113\374\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\135\061\030\060\026\006\011\052\206\110\206\367\015
-\001\011\001\026\011\160\153\151\100\163\153\056\145\145\061\013
-\060\011\006\003\125\004\006\023\002\105\105\061\042\060\040\006
-\003\125\004\012\023\031\101\123\040\123\145\162\164\151\146\151
-\164\163\145\145\162\151\155\151\163\153\145\163\153\165\163\061
-\020\060\016\006\003\125\004\003\023\007\112\165\165\162\055\123
-\113\060\036\027\015\060\061\060\070\063\060\061\064\062\063\060
-\061\132\027\015\061\066\060\070\062\066\061\064\062\063\060\061
-\132\060\135\061\030\060\026\006\011\052\206\110\206\367\015\001
-\011\001\026\011\160\153\151\100\163\153\056\145\145\061\013\060
-\011\006\003\125\004\006\023\002\105\105\061\042\060\040\006\003
-\125\004\012\023\031\101\123\040\123\145\162\164\151\146\151\164
-\163\145\145\162\151\155\151\163\153\145\163\153\165\163\061\020
-\060\016\006\003\125\004\003\023\007\112\165\165\162\055\123\113
-\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001
-\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001
-\000\201\161\066\076\063\007\326\343\060\215\023\176\167\062\106
-\313\317\031\262\140\061\106\227\206\364\230\106\244\302\145\105
-\317\323\100\174\343\132\042\250\020\170\063\314\210\261\323\201
-\112\366\142\027\173\137\115\012\056\320\317\213\043\356\117\002
-\116\273\353\016\312\275\030\143\350\200\034\215\341\034\215\075
-\340\377\133\137\352\144\345\227\350\077\231\177\014\012\011\063
-\000\032\123\247\041\341\070\113\326\203\033\255\257\144\302\371
-\034\172\214\146\110\115\146\037\030\012\342\076\273\037\007\145
-\223\205\271\032\260\271\304\373\015\021\366\365\326\371\033\307
-\054\053\267\030\121\376\340\173\366\250\110\257\154\073\117\057
-\357\370\321\107\036\046\127\360\121\035\063\226\377\357\131\075
-\332\115\321\025\064\307\352\077\026\110\173\221\034\200\103\017
-\075\270\005\076\321\263\225\315\330\312\017\302\103\147\333\267
-\223\340\042\202\056\276\365\150\050\203\271\301\073\151\173\040
-\332\116\234\155\341\272\315\217\172\154\260\011\042\327\213\013
-\333\034\325\132\046\133\015\300\352\345\140\320\237\376\065\337
-\077\002\003\001\000\001\243\202\001\254\060\202\001\250\060\017
-\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
-\202\001\026\006\003\125\035\040\004\202\001\015\060\202\001\011
-\060\202\001\005\006\012\053\006\001\004\001\316\037\001\001\001
-\060\201\366\060\201\320\006\010\053\006\001\005\005\007\002\002
-\060\201\303\036\201\300\000\123\000\145\000\145\000\040\000\163
-\000\145\000\162\000\164\000\151\000\146\000\151\000\153\000\141
-\000\141\000\164\000\040\000\157\000\156\000\040\000\166\000\344
-\000\154\000\152\000\141\000\163\000\164\000\141\000\164\000\165
-\000\144\000\040\000\101\000\123\000\055\000\151\000\163\000\040
-\000\123\000\145\000\162\000\164\000\151\000\146\000\151\000\164
-\000\163\000\145\000\145\000\162\000\151\000\155\000\151\000\163
-\000\153\000\145\000\163\000\153\000\165\000\163\000\040\000\141
-\000\154\000\141\000\155\000\055\000\123\000\113\000\040\000\163
-\000\145\000\162\000\164\000\151\000\146\000\151\000\153\000\141
-\000\141\000\164\000\151\000\144\000\145\000\040\000\153\000\151
-\000\156\000\156\000\151\000\164\000\141\000\155\000\151\000\163
-\000\145\000\153\000\163\060\041\006\010\053\006\001\005\005\007
-\002\001\026\025\150\164\164\160\072\057\057\167\167\167\056\163
-\153\056\145\145\057\143\160\163\057\060\053\006\003\125\035\037
-\004\044\060\042\060\040\240\036\240\034\206\032\150\164\164\160
-\072\057\057\167\167\167\056\163\153\056\145\145\057\152\165\165
-\162\057\143\162\154\057\060\035\006\003\125\035\016\004\026\004
-\024\004\252\172\107\243\344\211\257\032\317\012\100\247\030\077
-\157\357\351\175\276\060\037\006\003\125\035\043\004\030\060\026
-\200\024\004\252\172\107\243\344\211\257\032\317\012\100\247\030
-\077\157\357\351\175\276\060\016\006\003\125\035\017\001\001\377
-\004\004\003\002\001\346\060\015\006\011\052\206\110\206\367\015
-\001\001\005\005\000\003\202\001\001\000\173\301\030\224\123\242
-\011\363\376\046\147\232\120\344\303\005\057\053\065\170\221\114
-\174\250\021\021\171\114\111\131\254\310\367\205\145\134\106\273
-\073\020\240\002\257\315\117\265\314\066\052\354\135\376\357\240
-\221\311\266\223\157\174\200\124\354\307\010\160\015\216\373\202
-\354\052\140\170\151\066\066\321\305\234\213\151\265\100\310\224
-\145\167\362\127\041\146\073\316\205\100\266\063\143\032\277\171
-\036\374\134\035\323\035\223\033\213\014\135\205\275\231\060\062
-\030\011\221\122\351\174\241\272\377\144\222\232\354\376\065\356
-\214\057\256\374\040\206\354\112\336\033\170\062\067\246\201\322
-\235\257\132\022\026\312\231\133\374\157\155\016\305\240\036\206
-\311\221\320\134\230\202\137\143\014\212\132\253\330\225\246\314
-\313\212\326\277\144\113\216\312\212\262\260\351\041\062\236\252
-\250\205\230\064\201\071\041\073\250\072\122\062\075\366\153\067
-\206\006\132\025\230\334\360\021\146\376\064\040\267\003\364\101
-\020\175\071\204\171\226\162\143\266\226\002\345\153\271\255\031
-\115\273\306\104\333\066\313\052\234\216
-END
-
-# Trust for Certificate "Juur-SK"
-# Issuer: CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,E=pki@sk.ee
-# Serial Number: 999181308 (0x3b8e4bfc)
-# Subject: CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,E=pki@sk.ee
-# Not Valid Before: Thu Aug 30 14:23:01 2001
-# Not Valid After : Fri Aug 26 14:23:01 2016
-# Fingerprint (MD5): AA:8E:5D:D9:F8:DB:0A:58:B7:8D:26:87:6C:82:35:55
-# Fingerprint (SHA1): 40:9D:4B:D9:17:B5:5C:27:B6:9B:64:CB:98:22:44:0D:CD:09:B8:89
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Juur-SK"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\100\235\113\331\027\265\134\047\266\233\144\313\230\042\104\015
-\315\011\270\211
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\252\216\135\331\370\333\012\130\267\215\046\207\154\202\065\125
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\135\061\030\060\026\006\011\052\206\110\206\367\015\001\011
-\001\026\011\160\153\151\100\163\153\056\145\145\061\013\060\011
-\006\003\125\004\006\023\002\105\105\061\042\060\040\006\003\125
-\004\012\023\031\101\123\040\123\145\162\164\151\146\151\164\163
-\145\145\162\151\155\151\163\153\145\163\153\165\163\061\020\060
-\016\006\003\125\004\003\023\007\112\165\165\162\055\123\113
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\073\216\113\374
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Hongkong Post Root CA 1"
 #
 # Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
 # Serial Number: 1000 (0x3e8)
 # Subject: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
 # Not Valid Before: Thu May 15 05:13:14 2003
 # Not Valid After : Mon May 15 04:52:29 2023
 # Fingerprint (MD5): A8:0D:6F:39:78:B9:43:6D:77:42:6D:98:5A:CC:23:CA
@@ -14039,132 +12920,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 
 #
-# Certificate "Verisign Class 1 Public Primary Certification Authority"
-#
-# Issuer: OU=Class 1 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
-# Serial Number:3f:69:1e:81:9c:f0:9a:4a:f3:73:ff:b9:48:a2:e4:dd
-# Subject: OU=Class 1 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
-# Not Valid Before: Mon Jan 29 00:00:00 1996
-# Not Valid After : Wed Aug 02 23:59:59 2028
-# Fingerprint (MD5): 86:AC:DE:2B:C5:6D:C3:D9:8C:28:88:D3:8D:16:13:1E
-# Fingerprint (SHA1): CE:6A:64:A3:09:E4:2F:BB:D9:85:1C:45:3E:64:09:EA:E8:7D:60:F1
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\077\151\036\201\234\360\232\112\363\163\377\271\110\242
-\344\335
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\074\060\202\001\245\002\020\077\151\036\201\234\360
-\232\112\363\163\377\271\110\242\344\335\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\060\137\061\013\060\011\006
-\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125\004
-\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156\143
-\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141\163
-\163\040\061\040\120\165\142\154\151\143\040\120\162\151\155\141
-\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157\156
-\040\101\165\164\150\157\162\151\164\171\060\036\027\015\071\066
-\060\061\062\071\060\060\060\060\060\060\132\027\015\062\070\060
-\070\060\062\062\063\065\071\065\071\132\060\137\061\013\060\011
-\006\003\125\004\006\023\002\125\123\061\027\060\025\006\003\125
-\004\012\023\016\126\145\162\151\123\151\147\156\054\040\111\156
-\143\056\061\067\060\065\006\003\125\004\013\023\056\103\154\141
-\163\163\040\061\040\120\165\142\154\151\143\040\120\162\151\155
-\141\162\171\040\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\101\165\164\150\157\162\151\164\171\060\201\237\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\201\215
-\000\060\201\211\002\201\201\000\345\031\277\155\243\126\141\055
-\231\110\161\366\147\336\271\215\353\267\236\206\200\012\221\016
-\372\070\045\257\106\210\202\345\163\250\240\233\044\135\015\037
-\314\145\156\014\260\320\126\204\030\207\232\006\233\020\241\163
-\337\264\130\071\153\156\301\366\025\325\250\250\077\252\022\006
-\215\061\254\177\260\064\327\217\064\147\210\011\315\024\021\342
-\116\105\126\151\037\170\002\200\332\334\107\221\051\273\066\311
-\143\134\305\340\327\055\207\173\241\267\062\260\173\060\272\052
-\057\061\252\356\243\147\332\333\002\003\001\000\001\060\015\006
-\011\052\206\110\206\367\015\001\001\005\005\000\003\201\201\000
-\130\025\051\071\074\167\243\332\134\045\003\174\140\372\356\011
-\231\074\047\020\160\310\014\011\346\263\207\317\012\342\030\226
-\065\142\314\277\233\047\171\211\137\311\304\011\364\316\265\035
-\337\052\275\345\333\206\234\150\045\345\060\174\266\211\025\376
-\147\321\255\341\120\254\074\174\142\113\217\272\204\327\022\025
-\033\037\312\135\017\301\122\224\052\021\231\332\173\317\014\066
-\023\325\065\334\020\031\131\352\224\301\000\277\165\217\331\372
-\375\166\004\333\142\273\220\152\003\331\106\065\331\370\174\133
-END
-
-# Trust for Certificate "Verisign Class 1 Public Primary Certification Authority"
-# Issuer: OU=Class 1 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
-# Serial Number:3f:69:1e:81:9c:f0:9a:4a:f3:73:ff:b9:48:a2:e4:dd
-# Subject: OU=Class 1 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
-# Not Valid Before: Mon Jan 29 00:00:00 1996
-# Not Valid After : Wed Aug 02 23:59:59 2028
-# Fingerprint (MD5): 86:AC:DE:2B:C5:6D:C3:D9:8C:28:88:D3:8D:16:13:1E
-# Fingerprint (SHA1): CE:6A:64:A3:09:E4:2F:BB:D9:85:1C:45:3E:64:09:EA:E8:7D:60:F1
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Verisign Class 1 Public Primary Certification Authority"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\316\152\144\243\011\344\057\273\331\205\034\105\076\144\011\352
-\350\175\140\361
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\206\254\336\053\305\155\303\331\214\050\210\323\215\026\023\036
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\137\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151
-\147\156\054\040\111\156\143\056\061\067\060\065\006\003\125\004
-\013\023\056\103\154\141\163\163\040\061\040\120\165\142\154\151
-\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151\146
-\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
-\171
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\077\151\036\201\234\360\232\112\363\163\377\271\110\242
-\344\335
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Microsec e-Szigno Root CA 2009"
 #
 # Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
 # Serial Number:00:c2:7e:43:04:4e:47:3f:19
 # Subject: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
 # Not Valid Before: Tue Jun 16 11:30:18 2009
 # Not Valid After : Sun Dec 30 11:30:18 2029
 # Fingerprint (MD5): F8:49:F4:03:BC:44:2D:83:BE:48:69:7D:29:64:FC:B1
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -40,18 +40,18 @@
  *     ...
  *   - NSS 3.29 branch: 250-255
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 9
-#define NSS_BUILTINS_LIBRARY_VERSION "2.9"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 10
+#define NSS_BUILTINS_LIBRARY_VERSION "2.10"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/freebl/aeskeywrap.c
+++ b/security/nss/lib/freebl/aeskeywrap.c
@@ -10,125 +10,125 @@
 #endif
 
 #include "prcpucfg.h"
 #if defined(IS_LITTLE_ENDIAN) || defined(SHA_NO_LONG_LONG)
 #define BIG_ENDIAN_WITH_64_BIT_REGISTERS 0
 #else
 #define BIG_ENDIAN_WITH_64_BIT_REGISTERS 1
 #endif
-#include "prtypes.h"	/* for PRUintXX */
-#include "secport.h"	/* for PORT_XXX */
+#include "prtypes.h" /* for PRUintXX */
+#include "secport.h" /* for PORT_XXX */
 #include "secerr.h"
-#include "blapi.h"	/* for AES_ functions */
+#include "blapi.h" /* for AES_ functions */
 #include "rijndael.h"
 
 struct AESKeyWrapContextStr {
-     unsigned char iv[AES_KEY_WRAP_IV_BYTES];
-     AESContext    aescx;
+    unsigned char iv[AES_KEY_WRAP_IV_BYTES];
+    AESContext aescx;
 };
 
 /******************************************/
 /*
 ** AES key wrap algorithm, RFC 3394
 */
 
-AESKeyWrapContext * 
+AESKeyWrapContext *
 AESKeyWrap_AllocateContext(void)
 {
-    AESKeyWrapContext * cx = PORT_New(AESKeyWrapContext);
+    AESKeyWrapContext *cx = PORT_New(AESKeyWrapContext);
     return cx;
 }
 
-SECStatus  
-AESKeyWrap_InitContext(AESKeyWrapContext *cx, 
-		       const unsigned char *key, 
-		       unsigned int keylen,
-		       const unsigned char *iv, 
-		       int x1,
-		       unsigned int encrypt,
-		       unsigned int x2)
+SECStatus
+AESKeyWrap_InitContext(AESKeyWrapContext *cx,
+                       const unsigned char *key,
+                       unsigned int keylen,
+                       const unsigned char *iv,
+                       int x1,
+                       unsigned int encrypt,
+                       unsigned int x2)
 {
     SECStatus rv = SECFailure;
     if (!cx) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-    	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
     if (iv) {
-    	memcpy(cx->iv, iv, sizeof cx->iv);
+        memcpy(cx->iv, iv, sizeof cx->iv);
     } else {
-	memset(cx->iv, 0xA6, sizeof cx->iv);
+        memset(cx->iv, 0xA6, sizeof cx->iv);
     }
-    rv = AES_InitContext(&cx->aescx, key, keylen, NULL, NSS_AES, encrypt, 
-                                  AES_BLOCK_SIZE);
+    rv = AES_InitContext(&cx->aescx, key, keylen, NULL, NSS_AES, encrypt,
+                         AES_BLOCK_SIZE);
     return rv;
 }
 
 /*
 ** Create a new AES context suitable for AES encryption/decryption.
-** 	"key" raw key data
-** 	"keylen" the number of bytes of key data (16, 24, or 32)
+**  "key" raw key data
+**  "keylen" the number of bytes of key data (16, 24, or 32)
 */
 extern AESKeyWrapContext *
-AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv, 
+AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv,
                          int encrypt, unsigned int keylen)
 {
     SECStatus rv;
-    AESKeyWrapContext * cx = AESKeyWrap_AllocateContext();
-    if (!cx) 
-    	return NULL;	/* error is already set */
+    AESKeyWrapContext *cx = AESKeyWrap_AllocateContext();
+    if (!cx)
+        return NULL; /* error is already set */
     rv = AESKeyWrap_InitContext(cx, key, keylen, iv, 0, encrypt, 0);
     if (rv != SECSuccess) {
         PORT_Free(cx);
-	cx = NULL; 	/* error should already be set */
+        cx = NULL; /* error should already be set */
     }
     return cx;
 }
 
 /*
 ** Destroy a AES KeyWrap context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+**  "cx" the context
+**  "freeit" if PR_TRUE then free the object as well as its sub-objects
 */
-extern void 
+extern void
 AESKeyWrap_DestroyContext(AESKeyWrapContext *cx, PRBool freeit)
 {
     if (cx) {
-	AES_DestroyContext(&cx->aescx, PR_FALSE);
-/*	memset(cx, 0, sizeof *cx); */
-	if (freeit)
-	    PORT_Free(cx);
+        AES_DestroyContext(&cx->aescx, PR_FALSE);
+        /*  memset(cx, 0, sizeof *cx); */
+        if (freeit)
+            PORT_Free(cx);
     }
 }
 
 #if !BIG_ENDIAN_WITH_64_BIT_REGISTERS
 
 /* The AES Key Wrap algorithm has 64-bit values that are ALWAYS big-endian
 ** (Most significant byte first) in memory.  The only ALU operations done
 ** on them are increment, decrement, and XOR.  So, on little-endian CPUs,
 ** and on CPUs that lack 64-bit registers, these big-endian 64-bit operations
 ** are simulated in the following code.  This is thought to be faster and
 ** simpler than trying to convert the data to little-endian and back.
 */
 
 /* A and T point to two 64-bit values stored most signficant byte first
 ** (big endian).  This function increments the 64-bit value T, and then
 ** XORs it with A, changing A.
-*/ 
+*/
 static void
 increment_and_xor(unsigned char *A, unsigned char *T)
 {
     if (!++T[7])
         if (!++T[6])
-	    if (!++T[5])
-		if (!++T[4])
-		    if (!++T[3])
-			if (!++T[2])
-			    if (!++T[1])
-				 ++T[0];
+            if (!++T[5])
+                if (!++T[4])
+                    if (!++T[3])
+                        if (!++T[2])
+                            if (!++T[1])
+                                ++T[0];
 
     A[0] ^= T[0];
     A[1] ^= T[1];
     A[2] ^= T[2];
     A[3] ^= T[3];
     A[4] ^= T[4];
     A[5] ^= T[5];
     A[6] ^= T[6];
@@ -137,247 +137,253 @@ increment_and_xor(unsigned char *A, unsi
 
 /* A and T point to two 64-bit values stored most signficant byte first
 ** (big endian).  This function XORs T with A, giving a new A, then
 ** decrements the 64-bit value T.
 */
 static void
 xor_and_decrement(PRUint64 *A, PRUint64 *T)
 {
-    unsigned char* TP = (unsigned char*)T;
+    unsigned char *TP = (unsigned char *)T;
     const PRUint64 mask = 0xFF;
     *A = ((*A & mask << 56) ^ (*T & mask << 56)) |
          ((*A & mask << 48) ^ (*T & mask << 48)) |
          ((*A & mask << 40) ^ (*T & mask << 40)) |
          ((*A & mask << 32) ^ (*T & mask << 32)) |
          ((*A & mask << 24) ^ (*T & mask << 23)) |
          ((*A & mask << 16) ^ (*T & mask << 16)) |
          ((*A & mask << 8) ^ (*T & mask << 8)) |
          ((*A & mask) ^ (*T & mask));
 
     if (!TP[7]--)
         if (!TP[6]--)
-	    if (!TP[5]--)
-		if (!TP[4]--)
-		    if (!TP[3]--)
-			if (!TP[2]--)
-			    if (!TP[1]--)
-				 TP[0]--;
-
+            if (!TP[5]--)
+                if (!TP[4]--)
+                    if (!TP[3]--)
+                        if (!TP[2]--)
+                            if (!TP[1]--)
+                                TP[0]--;
 }
 
 /* Given an unsigned long t (in host byte order), store this value as a
 ** 64-bit big-endian value (MSB first) in *pt.
 */
 static void
 set_t(unsigned char *pt, unsigned long t)
 {
-    pt[7] = (unsigned char)t; t >>= 8;
-    pt[6] = (unsigned char)t; t >>= 8;
-    pt[5] = (unsigned char)t; t >>= 8;
-    pt[4] = (unsigned char)t; t >>= 8;
-    pt[3] = (unsigned char)t; t >>= 8;
-    pt[2] = (unsigned char)t; t >>= 8;
-    pt[1] = (unsigned char)t; t >>= 8;
+    pt[7] = (unsigned char)t;
+    t >>= 8;
+    pt[6] = (unsigned char)t;
+    t >>= 8;
+    pt[5] = (unsigned char)t;
+    t >>= 8;
+    pt[4] = (unsigned char)t;
+    t >>= 8;
+    pt[3] = (unsigned char)t;
+    t >>= 8;
+    pt[2] = (unsigned char)t;
+    t >>= 8;
+    pt[1] = (unsigned char)t;
+    t >>= 8;
     pt[0] = (unsigned char)t;
 }
 
 #endif
 
 /*
 ** Perform AES key wrap.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the encrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 */
-extern SECStatus 
+extern SECStatus
 AESKeyWrap_Encrypt(AESKeyWrapContext *cx, unsigned char *output,
-            unsigned int *pOutputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen)
+                   unsigned int *pOutputLen, unsigned int maxOutputLen,
+                   const unsigned char *input, unsigned int inputLen)
 {
-    PRUint64 *     R          = NULL;
-    unsigned int   nBlocks;
-    unsigned int   i, j;
-    unsigned int   aesLen     = AES_BLOCK_SIZE;
-    unsigned int   outLen     = inputLen + AES_KEY_WRAP_BLOCK_SIZE;
-    SECStatus      s          = SECFailure;
+    PRUint64 *R = NULL;
+    unsigned int nBlocks;
+    unsigned int i, j;
+    unsigned int aesLen = AES_BLOCK_SIZE;
+    unsigned int outLen = inputLen + AES_KEY_WRAP_BLOCK_SIZE;
+    SECStatus s = SECFailure;
     /* These PRUint64s are ALWAYS big endian, regardless of CPU orientation. */
-    PRUint64       t;
-    PRUint64       B[2];
+    PRUint64 t;
+    PRUint64 B[2];
 
 #define A B[0]
 
     /* Check args */
     if (!inputLen || 0 != inputLen % AES_KEY_WRAP_BLOCK_SIZE) {
-	PORT_SetError(SEC_ERROR_INPUT_LEN);
-	return s;
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return s;
     }
 #ifdef maybe
-    if (!output && pOutputLen) {	/* caller is asking for output size */
-    	*pOutputLen = outLen;
-	return SECSuccess;
+    if (!output && pOutputLen) { /* caller is asking for output size */
+        *pOutputLen = outLen;
+        return SECSuccess;
     }
 #endif
     if (maxOutputLen < outLen) {
-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	return s;
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return s;
     }
     if (cx == NULL || output == NULL || input == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return s;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return s;
     }
     nBlocks = inputLen / AES_KEY_WRAP_BLOCK_SIZE;
     R = PORT_NewArray(PRUint64, nBlocks + 1);
     if (!R)
-    	return s;	/* error is already set. */
-    /* 
+        return s; /* error is already set. */
+    /*
     ** 1) Initialize variables.
     */
     memcpy(&A, cx->iv, AES_KEY_WRAP_IV_BYTES);
     memcpy(&R[1], input, inputLen);
 #if BIG_ENDIAN_WITH_64_BIT_REGISTERS
     t = 0;
 #else
     memset(&t, 0, sizeof t);
 #endif
-    /* 
+    /*
     ** 2) Calculate intermediate values.
     */
     for (j = 0; j < 6; ++j) {
-    	for (i = 1; i <= nBlocks; ++i) {
-	    B[1] = R[i];
-	    s = AES_Encrypt(&cx->aescx, (unsigned char *)B, &aesLen, 
-	                    sizeof B,  (unsigned char *)B, sizeof B);
-	    if (s != SECSuccess) 
-	        break;
-	    R[i] = B[1];
-	    /* here, increment t and XOR A with t (in big endian order); */
+        for (i = 1; i <= nBlocks; ++i) {
+            B[1] = R[i];
+            s = AES_Encrypt(&cx->aescx, (unsigned char *)B, &aesLen,
+                            sizeof B, (unsigned char *)B, sizeof B);
+            if (s != SECSuccess)
+                break;
+            R[i] = B[1];
+/* here, increment t and XOR A with t (in big endian order); */
 #if BIG_ENDIAN_WITH_64_BIT_REGISTERS
-   	    A ^= ++t; 
+            A ^= ++t;
 #else
-	    increment_and_xor((unsigned char *)&A, (unsigned char *)&t);
+            increment_and_xor((unsigned char *)&A, (unsigned char *)&t);
 #endif
-	}
+        }
     }
-    /* 
+    /*
     ** 3) Output the results.
     */
     if (s == SECSuccess) {
-    	R[0] =  A;
-	memcpy(output, &R[0], outLen);
-	if (pOutputLen)
-	    *pOutputLen = outLen;
+        R[0] = A;
+        memcpy(output, &R[0], outLen);
+        if (pOutputLen)
+            *pOutputLen = outLen;
     } else if (pOutputLen) {
-    	*pOutputLen = 0;
+        *pOutputLen = 0;
     }
     PORT_ZFree(R, outLen);
     return s;
 }
 #undef A
 
 /*
 ** Perform AES key unwrap.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the decrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 */
-extern SECStatus 
+extern SECStatus
 AESKeyWrap_Decrypt(AESKeyWrapContext *cx, unsigned char *output,
-            unsigned int *pOutputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen)
+                   unsigned int *pOutputLen, unsigned int maxOutputLen,
+                   const unsigned char *input, unsigned int inputLen)
 {
-    PRUint64 *     R          = NULL;
-    unsigned int   nBlocks;
-    unsigned int   i, j;
-    unsigned int   aesLen     = AES_BLOCK_SIZE;
-    unsigned int   outLen;
-    SECStatus      s          = SECFailure;
+    PRUint64 *R = NULL;
+    unsigned int nBlocks;
+    unsigned int i, j;
+    unsigned int aesLen = AES_BLOCK_SIZE;
+    unsigned int outLen;
+    SECStatus s = SECFailure;
     /* These PRUint64s are ALWAYS big endian, regardless of CPU orientation. */
-    PRUint64       t;
-    PRUint64       B[2];
+    PRUint64 t;
+    PRUint64 B[2];
 
     /* Check args */
     if (inputLen < 3 * AES_KEY_WRAP_BLOCK_SIZE ||
         0 != inputLen % AES_KEY_WRAP_BLOCK_SIZE) {
-	PORT_SetError(SEC_ERROR_INPUT_LEN);
-	return s;
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return s;
     }
     outLen = inputLen - AES_KEY_WRAP_BLOCK_SIZE;
 #ifdef maybe
-    if (!output && pOutputLen) {	/* caller is asking for output size */
-    	*pOutputLen = outLen;
-	return SECSuccess;
+    if (!output && pOutputLen) { /* caller is asking for output size */
+        *pOutputLen = outLen;
+        return SECSuccess;
     }
 #endif
     if (maxOutputLen < outLen) {
-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	return s;
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return s;
     }
     if (cx == NULL || output == NULL || input == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return s;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return s;
     }
     nBlocks = inputLen / AES_KEY_WRAP_BLOCK_SIZE;
     R = PORT_NewArray(PRUint64, nBlocks);
     if (!R)
-    	return s;	/* error is already set. */
+        return s; /* error is already set. */
     nBlocks--;
     /*
     ** 1) Initialize variables.
     */
     memcpy(&R[0], input, inputLen);
     B[0] = R[0];
 #if BIG_ENDIAN_WITH_64_BIT_REGISTERS
     t = 6UL * nBlocks;
 #else
     set_t((unsigned char *)&t, 6UL * nBlocks);
 #endif
     /*
     ** 2) Calculate intermediate values.
     */
     for (j = 0; j < 6; ++j) {
-    	for (i = nBlocks; i; --i) {
-	    /* here, XOR A with t (in big endian order) and decrement t; */
+        for (i = nBlocks; i; --i) {
+/* here, XOR A with t (in big endian order) and decrement t; */
 #if BIG_ENDIAN_WITH_64_BIT_REGISTERS
-   	    B[0] ^= t--;
+            B[0] ^= t--;
 #else
-	    xor_and_decrement(&B[0], &t);
+            xor_and_decrement(&B[0], &t);
 #endif
-	    B[1] = R[i];
-	    s = AES_Decrypt(&cx->aescx, (unsigned char *)B, &aesLen,
-	                    sizeof B,  (unsigned char *)B, sizeof B);
-	    if (s != SECSuccess)
-	        break;
-	    R[i] = B[1];
-	}
+            B[1] = R[i];
+            s = AES_Decrypt(&cx->aescx, (unsigned char *)B, &aesLen,
+                            sizeof B, (unsigned char *)B, sizeof B);
+            if (s != SECSuccess)
+                break;
+            R[i] = B[1];
+        }
     }
     /*
     ** 3) Output the results.
     */
     if (s == SECSuccess) {
-	int bad = memcmp(&B[0], cx->iv, AES_KEY_WRAP_IV_BYTES);
-	if (!bad) {
-	    memcpy(output, &R[1], outLen);
-	    if (pOutputLen)
-		*pOutputLen = outLen;
-	} else {
-	    s = SECFailure;
-	    PORT_SetError(SEC_ERROR_BAD_DATA);
-	    if (pOutputLen)
-		*pOutputLen = 0;
-    	}
+        int bad = memcmp(&B[0], cx->iv, AES_KEY_WRAP_IV_BYTES);
+        if (!bad) {
+            memcpy(output, &R[1], outLen);
+            if (pOutputLen)
+                *pOutputLen = outLen;
+        } else {
+            s = SECFailure;
+            PORT_SetError(SEC_ERROR_BAD_DATA);
+            if (pOutputLen)
+                *pOutputLen = 0;
+        }
     } else if (pOutputLen) {
-    	*pOutputLen = 0;
+        *pOutputLen = 0;
     }
     PORT_ZFree(R, inputLen);
     return s;
 }
 #undef A
--- a/security/nss/lib/freebl/alg2268.c
+++ b/security/nss/lib/freebl/alg2268.c
@@ -7,233 +7,252 @@
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "blapi.h"
 #include "secerr.h"
 #ifdef XP_UNIX_XXX
-#include <stddef.h>	/* for ptrdiff_t */
+#include <stddef.h> /* for ptrdiff_t */
 #endif
 
 /*
 ** RC2 symmetric block cypher
 */
 
-typedef SECStatus (rc2Func)(RC2Context *cx, unsigned char *output,
-		           const unsigned char *input, unsigned int inputLen);
+typedef SECStatus(rc2Func)(RC2Context *cx, unsigned char *output,
+                           const unsigned char *input, unsigned int inputLen);
 
 /* forward declarations */
 static rc2Func rc2_EncryptECB;
 static rc2Func rc2_DecryptECB;
 static rc2Func rc2_EncryptCBC;
 static rc2Func rc2_DecryptCBC;
 
 typedef union {
-    PRUint32	l[2];
-    PRUint16	s[4];
-    PRUint8	b[8];
+    PRUint32 l[2];
+    PRUint16 s[4];
+    PRUint8 b[8];
 } RC2Block;
 
 struct RC2ContextStr {
     union {
-    	PRUint8  Kb[128];
-	PRUint16 Kw[64];
+        PRUint8 Kb[128];
+        PRUint16 Kw[64];
     } u;
-    RC2Block     iv;
-    rc2Func      *enc;
-    rc2Func      *dec;
+    RC2Block iv;
+    rc2Func *enc;
+    rc2Func *dec;
 };
 
 #define B u.Kb
 #define K u.Kw
 #define BYTESWAP(x) ((x) << 8 | (x) >> 8)
-#define SWAPK(i)  cx->K[i] = (tmpS = cx->K[i], BYTESWAP(tmpS))
+#define SWAPK(i) cx->K[i] = (tmpS = cx->K[i], BYTESWAP(tmpS))
 #define RC2_BLOCK_SIZE 8
 
-#define LOAD_HARD(R) \
+#define LOAD_HARD(R)                           \
     R[0] = (PRUint16)input[1] << 8 | input[0]; \
     R[1] = (PRUint16)input[3] << 8 | input[2]; \
     R[2] = (PRUint16)input[5] << 8 | input[4]; \
     R[3] = (PRUint16)input[7] << 8 | input[6];
-#define LOAD_EASY(R) \
+#define LOAD_EASY(R)               \
     R[0] = ((PRUint16 *)input)[0]; \
     R[1] = ((PRUint16 *)input)[1]; \
     R[2] = ((PRUint16 *)input)[2]; \
     R[3] = ((PRUint16 *)input)[3];
-#define STORE_HARD(R) \
-    output[0] =  (PRUint8)(R[0]);   output[1] = (PRUint8)(R[0] >> 8); \
-    output[2] =  (PRUint8)(R[1]);   output[3] = (PRUint8)(R[1] >> 8); \
-    output[4] =  (PRUint8)(R[2]);   output[5] = (PRUint8)(R[2] >> 8); \
-    output[6] =  (PRUint8)(R[3]);   output[7] = (PRUint8)(R[3] >> 8);
-#define STORE_EASY(R) \
-    ((PRUint16 *)output)[0] =  R[0]; \
-    ((PRUint16 *)output)[1] =  R[1]; \
-    ((PRUint16 *)output)[2] =  R[2]; \
-    ((PRUint16 *)output)[3] =  R[3];   
+#define STORE_HARD(R)                 \
+    output[0] = (PRUint8)(R[0]);      \
+    output[1] = (PRUint8)(R[0] >> 8); \
+    output[2] = (PRUint8)(R[1]);      \
+    output[3] = (PRUint8)(R[1] >> 8); \
+    output[4] = (PRUint8)(R[2]);      \
+    output[5] = (PRUint8)(R[2] >> 8); \
+    output[6] = (PRUint8)(R[3]);      \
+    output[7] = (PRUint8)(R[3] >> 8);
+#define STORE_EASY(R)               \
+    ((PRUint16 *)output)[0] = R[0]; \
+    ((PRUint16 *)output)[1] = R[1]; \
+    ((PRUint16 *)output)[2] = R[2]; \
+    ((PRUint16 *)output)[3] = R[3];
 
-#if defined (NSS_X86_OR_X64)
-#define LOAD(R)  LOAD_EASY(R)
+#if defined(NSS_X86_OR_X64)
+#define LOAD(R) LOAD_EASY(R)
 #define STORE(R) STORE_EASY(R)
 #elif !defined(IS_LITTLE_ENDIAN)
-#define LOAD(R)  LOAD_HARD(R)
+#define LOAD(R) LOAD_HARD(R)
 #define STORE(R) STORE_HARD(R)
 #else
-#define LOAD(R) if ((ptrdiff_t)input & 1) { LOAD_HARD(R) } else { LOAD_EASY(R) }
-#define STORE(R) if ((ptrdiff_t)input & 1) { STORE_HARD(R) } else { STORE_EASY(R) }
+#define LOAD(R)                 \
+    if ((ptrdiff_t)input & 1) { \
+        LOAD_HARD(R)            \
+    } else {                    \
+        LOAD_EASY(R)            \
+    }
+#define STORE(R)                \
+    if ((ptrdiff_t)input & 1) { \
+        STORE_HARD(R)           \
+    } else {                    \
+        STORE_EASY(R)           \
+    }
 #endif
 
 static const PRUint8 S[256] = {
-0331,0170,0371,0304,0031,0335,0265,0355,0050,0351,0375,0171,0112,0240,0330,0235,
-0306,0176,0067,0203,0053,0166,0123,0216,0142,0114,0144,0210,0104,0213,0373,0242,
-0027,0232,0131,0365,0207,0263,0117,0023,0141,0105,0155,0215,0011,0201,0175,0062,
-0275,0217,0100,0353,0206,0267,0173,0013,0360,0225,0041,0042,0134,0153,0116,0202,
-0124,0326,0145,0223,0316,0140,0262,0034,0163,0126,0300,0024,0247,0214,0361,0334,
-0022,0165,0312,0037,0073,0276,0344,0321,0102,0075,0324,0060,0243,0074,0266,0046,
-0157,0277,0016,0332,0106,0151,0007,0127,0047,0362,0035,0233,0274,0224,0103,0003,
-0370,0021,0307,0366,0220,0357,0076,0347,0006,0303,0325,0057,0310,0146,0036,0327,
-0010,0350,0352,0336,0200,0122,0356,0367,0204,0252,0162,0254,0065,0115,0152,0052,
-0226,0032,0322,0161,0132,0025,0111,0164,0113,0237,0320,0136,0004,0030,0244,0354,
-0302,0340,0101,0156,0017,0121,0313,0314,0044,0221,0257,0120,0241,0364,0160,0071,
-0231,0174,0072,0205,0043,0270,0264,0172,0374,0002,0066,0133,0045,0125,0227,0061,
-0055,0135,0372,0230,0343,0212,0222,0256,0005,0337,0051,0020,0147,0154,0272,0311,
-0323,0000,0346,0317,0341,0236,0250,0054,0143,0026,0001,0077,0130,0342,0211,0251,
-0015,0070,0064,0033,0253,0063,0377,0260,0273,0110,0014,0137,0271,0261,0315,0056,
-0305,0363,0333,0107,0345,0245,0234,0167,0012,0246,0040,0150,0376,0177,0301,0255
+    0331, 0170, 0371, 0304, 0031, 0335, 0265, 0355, 0050, 0351, 0375, 0171, 0112, 0240, 0330, 0235,
+    0306, 0176, 0067, 0203, 0053, 0166, 0123, 0216, 0142, 0114, 0144, 0210, 0104, 0213, 0373, 0242,
+    0027, 0232, 0131, 0365, 0207, 0263, 0117, 0023, 0141, 0105, 0155, 0215, 0011, 0201, 0175, 0062,
+    0275, 0217, 0100, 0353, 0206, 0267, 0173, 0013, 0360, 0225, 0041, 0042, 0134, 0153, 0116, 0202,
+    0124, 0326, 0145, 0223, 0316, 0140, 0262, 0034, 0163, 0126, 0300, 0024, 0247, 0214, 0361, 0334,
+    0022, 0165, 0312, 0037, 0073, 0276, 0344, 0321, 0102, 0075, 0324, 0060, 0243, 0074, 0266, 0046,
+    0157, 0277, 0016, 0332, 0106, 0151, 0007, 0127, 0047, 0362, 0035, 0233, 0274, 0224, 0103, 0003,
+    0370, 0021, 0307, 0366, 0220, 0357, 0076, 0347, 0006, 0303, 0325, 0057, 0310, 0146, 0036, 0327,
+    0010, 0350, 0352, 0336, 0200, 0122, 0356, 0367, 0204, 0252, 0162, 0254, 0065, 0115, 0152, 0052,
+    0226, 0032, 0322, 0161, 0132, 0025, 0111, 0164, 0113, 0237, 0320, 0136, 0004, 0030, 0244, 0354,
+    0302, 0340, 0101, 0156, 0017, 0121, 0313, 0314, 0044, 0221, 0257, 0120, 0241, 0364, 0160, 0071,
+    0231, 0174, 0072, 0205, 0043, 0270, 0264, 0172, 0374, 0002, 0066, 0133, 0045, 0125, 0227, 0061,
+    0055, 0135, 0372, 0230, 0343, 0212, 0222, 0256, 0005, 0337, 0051, 0020, 0147, 0154, 0272, 0311,
+    0323, 0000, 0346, 0317, 0341, 0236, 0250, 0054, 0143, 0026, 0001, 0077, 0130, 0342, 0211, 0251,
+    0015, 0070, 0064, 0033, 0253, 0063, 0377, 0260, 0273, 0110, 0014, 0137, 0271, 0261, 0315, 0056,
+    0305, 0363, 0333, 0107, 0345, 0245, 0234, 0167, 0012, 0246, 0040, 0150, 0376, 0177, 0301, 0255
 };
 
-RC2Context * RC2_AllocateContext(void)
+RC2Context *
+RC2_AllocateContext(void)
 {
     return PORT_ZNew(RC2Context);
 }
-SECStatus   
+SECStatus
 RC2_InitContext(RC2Context *cx, const unsigned char *key, unsigned int len,
-	        const unsigned char *input, int mode, unsigned int efLen8, 
-		unsigned int unused)
+                const unsigned char *input, int mode, unsigned int efLen8,
+                unsigned int unused)
 {
-    PRUint8    *L,*L2;
-    int         i;
+    PRUint8 *L, *L2;
+    int i;
 #if !defined(IS_LITTLE_ENDIAN)
-    PRUint16    tmpS;
+    PRUint16 tmpS;
 #endif
-    PRUint8     tmpB;
+    PRUint8 tmpB;
 
-    if (!key || !cx || !len || len > (sizeof cx->B) || 
-	efLen8 > (sizeof cx->B)) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-    	return SECFailure;
+    if (!key || !cx || !len || len > (sizeof cx->B) ||
+        efLen8 > (sizeof cx->B)) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
     if (mode == NSS_RC2) {
-    	/* groovy */
+        /* groovy */
     } else if (mode == NSS_RC2_CBC) {
-    	if (!input) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
+        if (!input) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return SECFailure;
+        }
     } else {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     if (mode == NSS_RC2_CBC) {
-    	cx->enc = & rc2_EncryptCBC;
-	cx->dec = & rc2_DecryptCBC;
-	LOAD(cx->iv.s);
+        cx->enc = &rc2_EncryptCBC;
+        cx->dec = &rc2_DecryptCBC;
+        LOAD(cx->iv.s);
     } else {
-    	cx->enc = & rc2_EncryptECB;
-	cx->dec = & rc2_DecryptECB;
+        cx->enc = &rc2_EncryptECB;
+        cx->dec = &rc2_DecryptECB;
     }
 
     /* Step 0. Copy key into table. */
     memcpy(cx->B, key, len);
 
     /* Step 1. Compute all values to the right of the key. */
     L2 = cx->B;
     L = L2 + len;
     tmpB = L[-1];
     for (i = (sizeof cx->B) - len; i > 0; --i) {
-	*L++ = tmpB = S[ (PRUint8)(tmpB + *L2++) ];
+        *L++ = tmpB = S[(PRUint8)(tmpB + *L2++)];
     }
 
     /* step 2. Adjust left most byte of effective key. */
     i = (sizeof cx->B) - efLen8;
     L = cx->B + i;
-    *L = tmpB = S[*L];				/* mask is always 0xff */
+    *L = tmpB = S[*L]; /* mask is always 0xff */
 
     /* step 3. Recompute all values to the left of effective key. */
     L2 = --L + efLen8;
-    while(L >= cx->B) {
-	*L-- = tmpB = S[ tmpB ^ *L2-- ];
+    while (L >= cx->B) {
+        *L-- = tmpB = S[tmpB ^ *L2--];
     }
 
 #if !defined(IS_LITTLE_ENDIAN)
     for (i = 63; i >= 0; --i) {
-        SWAPK(i);		/* candidate for unrolling */
+        SWAPK(i); /* candidate for unrolling */
     }
 #endif
     return SECSuccess;
 }
 
 /*
 ** Create a new RC2 context suitable for RC2 encryption/decryption.
-** 	"key" raw key data
-** 	"len" the number of bytes of key data
-** 	"iv" is the CBC initialization vector (if mode is NSS_RC2_CBC)
-** 	"mode" one of NSS_RC2 or NSS_RC2_CBC
-**	"effectiveKeyLen" in bytes, not bits.
+**  "key" raw key data
+**  "len" the number of bytes of key data
+**  "iv" is the CBC initialization vector (if mode is NSS_RC2_CBC)
+**  "mode" one of NSS_RC2 or NSS_RC2_CBC
+**  "effectiveKeyLen" in bytes, not bits.
 **
 ** When mode is set to NSS_RC2_CBC the RC2 cipher is run in "cipher block
 ** chaining" mode.
 */
 RC2Context *
 RC2_CreateContext(const unsigned char *key, unsigned int len,
-		  const unsigned char *iv, int mode, unsigned efLen8)
+                  const unsigned char *iv, int mode, unsigned efLen8)
 {
     RC2Context *cx = PORT_ZNew(RC2Context);
     if (cx) {
-	SECStatus rv = RC2_InitContext(cx, key, len, iv, mode, efLen8, 0);
-	if (rv != SECSuccess) {
-	    RC2_DestroyContext(cx, PR_TRUE);
-	    cx = NULL;
-	}
+        SECStatus rv = RC2_InitContext(cx, key, len, iv, mode, efLen8, 0);
+        if (rv != SECSuccess) {
+            RC2_DestroyContext(cx, PR_TRUE);
+            cx = NULL;
+        }
     }
     return cx;
 }
 
 /*
 ** Destroy an RC2 encryption/decryption context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+**  "cx" the context
+**  "freeit" if PR_TRUE then free the object as well as its sub-objects
 */
-void 
+void
 RC2_DestroyContext(RC2Context *cx, PRBool freeit)
 {
     if (cx) {
-	memset(cx, 0, sizeof *cx);
-	if (freeit) {
-	    PORT_Free(cx);
-	}
+        memset(cx, 0, sizeof *cx);
+        if (freeit) {
+            PORT_Free(cx);
+        }
     }
 }
 
-#define ROL(x,k) (x << k | x >> (16-k))
-#define MIX(j) \
-    R0 = R0 + cx->K[ 4*j+0] + (R3 & R2) + (~R3 & R1);  R0 = ROL(R0,1);\
-    R1 = R1 + cx->K[ 4*j+1] + (R0 & R3) + (~R0 & R2);  R1 = ROL(R1,2);\
-    R2 = R2 + cx->K[ 4*j+2] + (R1 & R0) + (~R1 & R3);  R2 = ROL(R2,3);\
-    R3 = R3 + cx->K[ 4*j+3] + (R2 & R1) + (~R2 & R0);  R3 = ROL(R3,5)
-#define MASH \
-    R0 = R0 + cx->K[R3 & 63];\
-    R1 = R1 + cx->K[R0 & 63];\
-    R2 = R2 + cx->K[R1 & 63];\
+#define ROL(x, k) (x << k | x >> (16 - k))
+#define MIX(j)                                           \
+    R0 = R0 + cx->K[4 * j + 0] + (R3 & R2) + (~R3 & R1); \
+    R0 = ROL(R0, 1);                                     \
+    R1 = R1 + cx->K[4 * j + 1] + (R0 & R3) + (~R0 & R2); \
+    R1 = ROL(R1, 2);                                     \
+    R2 = R2 + cx->K[4 * j + 2] + (R1 & R0) + (~R1 & R3); \
+    R2 = ROL(R2, 3);                                     \
+    R3 = R3 + cx->K[4 * j + 3] + (R2 & R1) + (~R2 & R0); \
+    R3 = ROL(R3, 5)
+#define MASH                  \
+    R0 = R0 + cx->K[R3 & 63]; \
+    R1 = R1 + cx->K[R0 & 63]; \
+    R2 = R2 + cx->K[R1 & 63]; \
     R3 = R3 + cx->K[R2 & 63]
 
 /* Encrypt one block */
-static void 
+static void
 rc2_Encrypt1Block(RC2Context *cx, RC2Block *output, RC2Block *input)
 {
     register PRUint16 R0, R1, R2, R3;
 
     /* step 1. Initialize input. */
     R0 = input->s[0];
     R1 = input->s[1];
     R2 = input->s[2];
@@ -274,30 +293,34 @@ rc2_Encrypt1Block(RC2Context *cx, RC2Blo
 
     /* output results */
     output->s[0] = R0;
     output->s[1] = R1;
     output->s[2] = R2;
     output->s[3] = R3;
 }
 
-#define ROR(x,k) (x >> k | x << (16-k))
-#define R_MIX(j) \
-    R3 = ROR(R3,5); R3 = R3 - cx->K[ 4*j+3] - (R2 & R1) - (~R2 & R0);  \
-    R2 = ROR(R2,3); R2 = R2 - cx->K[ 4*j+2] - (R1 & R0) - (~R1 & R3);  \
-    R1 = ROR(R1,2); R1 = R1 - cx->K[ 4*j+1] - (R0 & R3) - (~R0 & R2);  \
-    R0 = ROR(R0,1); R0 = R0 - cx->K[ 4*j+0] - (R3 & R2) - (~R3 & R1)
-#define R_MASH \
-    R3 = R3 - cx->K[R2 & 63];\
-    R2 = R2 - cx->K[R1 & 63];\
-    R1 = R1 - cx->K[R0 & 63];\
+#define ROR(x, k) (x >> k | x << (16 - k))
+#define R_MIX(j)                                         \
+    R3 = ROR(R3, 5);                                     \
+    R3 = R3 - cx->K[4 * j + 3] - (R2 & R1) - (~R2 & R0); \
+    R2 = ROR(R2, 3);                                     \
+    R2 = R2 - cx->K[4 * j + 2] - (R1 & R0) - (~R1 & R3); \
+    R1 = ROR(R1, 2);                                     \
+    R1 = R1 - cx->K[4 * j + 1] - (R0 & R3) - (~R0 & R2); \
+    R0 = ROR(R0, 1);                                     \
+    R0 = R0 - cx->K[4 * j + 0] - (R3 & R2) - (~R3 & R1)
+#define R_MASH                \
+    R3 = R3 - cx->K[R2 & 63]; \
+    R2 = R2 - cx->K[R1 & 63]; \
+    R1 = R1 - cx->K[R0 & 63]; \
     R0 = R0 - cx->K[R3 & 63]
 
 /* Encrypt one block */
-static void 
+static void
 rc2_Decrypt1Block(RC2Context *cx, RC2Block *output, RC2Block *input)
 {
     register PRUint16 R0, R1, R2, R3;
 
     /* step 1. Initialize input. */
     R0 = input->s[0];
     R1 = input->s[1];
     R2 = input->s[2];
@@ -337,149 +360,149 @@ rc2_Decrypt1Block(RC2Context *cx, RC2Blo
     output->s[0] = R0;
     output->s[1] = R1;
     output->s[2] = R2;
     output->s[3] = R3;
 }
 
 static SECStatus
 rc2_EncryptECB(RC2Context *cx, unsigned char *output,
-	       const unsigned char *input, unsigned int inputLen)
+               const unsigned char *input, unsigned int inputLen)
 {
-    RC2Block  iBlock;
+    RC2Block iBlock;
 
     while (inputLen > 0) {
-    	LOAD(iBlock.s)
-	rc2_Encrypt1Block(cx, &iBlock, &iBlock);
-	STORE(iBlock.s)
-	output   += RC2_BLOCK_SIZE;
-	input    += RC2_BLOCK_SIZE;
-	inputLen -= RC2_BLOCK_SIZE;
+        LOAD(iBlock.s)
+        rc2_Encrypt1Block(cx, &iBlock, &iBlock);
+        STORE(iBlock.s)
+        output += RC2_BLOCK_SIZE;
+        input += RC2_BLOCK_SIZE;
+        inputLen -= RC2_BLOCK_SIZE;
     }
     return SECSuccess;
 }
 
 static SECStatus
 rc2_DecryptECB(RC2Context *cx, unsigned char *output,
-	       const unsigned char *input, unsigned int inputLen)
+               const unsigned char *input, unsigned int inputLen)
 {
-    RC2Block  iBlock;
+    RC2Block iBlock;
 
     while (inputLen > 0) {
-    	LOAD(iBlock.s)
-	rc2_Decrypt1Block(cx, &iBlock, &iBlock);
-	STORE(iBlock.s)
-	output   += RC2_BLOCK_SIZE;
-	input    += RC2_BLOCK_SIZE;
-	inputLen -= RC2_BLOCK_SIZE;
+        LOAD(iBlock.s)
+        rc2_Decrypt1Block(cx, &iBlock, &iBlock);
+        STORE(iBlock.s)
+        output += RC2_BLOCK_SIZE;
+        input += RC2_BLOCK_SIZE;
+        inputLen -= RC2_BLOCK_SIZE;
     }
     return SECSuccess;
 }
 
 static SECStatus
 rc2_EncryptCBC(RC2Context *cx, unsigned char *output,
-	       const unsigned char *input, unsigned int inputLen)
+               const unsigned char *input, unsigned int inputLen)
 {
-    RC2Block  iBlock;
+    RC2Block iBlock;
 
     while (inputLen > 0) {
 
-	LOAD(iBlock.s)
-	iBlock.l[0] ^= cx->iv.l[0];
-	iBlock.l[1] ^= cx->iv.l[1];
-	rc2_Encrypt1Block(cx, &iBlock, &iBlock);
-	cx->iv = iBlock;
-	STORE(iBlock.s)
-	output   += RC2_BLOCK_SIZE;
-	input    += RC2_BLOCK_SIZE;
-	inputLen -= RC2_BLOCK_SIZE;
+        LOAD(iBlock.s)
+        iBlock.l[0] ^= cx->iv.l[0];
+        iBlock.l[1] ^= cx->iv.l[1];
+        rc2_Encrypt1Block(cx, &iBlock, &iBlock);
+        cx->iv = iBlock;
+        STORE(iBlock.s)
+        output += RC2_BLOCK_SIZE;
+        input += RC2_BLOCK_SIZE;
+        inputLen -= RC2_BLOCK_SIZE;
     }
     return SECSuccess;
 }
 
 static SECStatus
 rc2_DecryptCBC(RC2Context *cx, unsigned char *output,
-	       const unsigned char *input, unsigned int inputLen)
+               const unsigned char *input, unsigned int inputLen)
 {
-    RC2Block  iBlock;
-    RC2Block  oBlock;
+    RC2Block iBlock;
+    RC2Block oBlock;
 
     while (inputLen > 0) {
-	LOAD(iBlock.s)
-	rc2_Decrypt1Block(cx, &oBlock, &iBlock);
-	oBlock.l[0] ^= cx->iv.l[0];
-	oBlock.l[1] ^= cx->iv.l[1];
-	cx->iv = iBlock;
-	STORE(oBlock.s)
-	output   += RC2_BLOCK_SIZE;
-	input    += RC2_BLOCK_SIZE;
-	inputLen -= RC2_BLOCK_SIZE;
+        LOAD(iBlock.s)
+        rc2_Decrypt1Block(cx, &oBlock, &iBlock);
+        oBlock.l[0] ^= cx->iv.l[0];
+        oBlock.l[1] ^= cx->iv.l[1];
+        cx->iv = iBlock;
+        STORE(oBlock.s)
+        output += RC2_BLOCK_SIZE;
+        input += RC2_BLOCK_SIZE;
+        inputLen -= RC2_BLOCK_SIZE;
     }
     return SECSuccess;
 }
 
-
 /*
 ** Perform RC2 encryption.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the encrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 */
-SECStatus RC2_Encrypt(RC2Context *cx, unsigned char *output,
-		      unsigned int *outputLen, unsigned int maxOutputLen,
-		      const unsigned char *input, unsigned int inputLen)
+SECStatus
+RC2_Encrypt(RC2Context *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
 {
     SECStatus rv = SECSuccess;
     if (inputLen) {
-	if (inputLen % RC2_BLOCK_SIZE) {
-	    PORT_SetError(SEC_ERROR_INPUT_LEN);
-	    return SECFailure;
-	}
-	if (maxOutputLen < inputLen) {
-	    PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	    return SECFailure;
-	}
-	rv = (*cx->enc)(cx, output, input, inputLen);
+        if (inputLen % RC2_BLOCK_SIZE) {
+            PORT_SetError(SEC_ERROR_INPUT_LEN);
+            return SECFailure;
+        }
+        if (maxOutputLen < inputLen) {
+            PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+            return SECFailure;
+        }
+        rv = (*cx->enc)(cx, output, input, inputLen);
     }
     if (rv == SECSuccess) {
-    	*outputLen = inputLen;
+        *outputLen = inputLen;
     }
     return rv;
 }
 
 /*
 ** Perform RC2 decryption.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the decrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 */
-SECStatus RC2_Decrypt(RC2Context *cx, unsigned char *output,
-		      unsigned int *outputLen, unsigned int maxOutputLen,
-		      const unsigned char *input, unsigned int inputLen)
+SECStatus
+RC2_Decrypt(RC2Context *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
 {
     SECStatus rv = SECSuccess;
     if (inputLen) {
-	if (inputLen % RC2_BLOCK_SIZE) {
-	    PORT_SetError(SEC_ERROR_INPUT_LEN);
-	    return SECFailure;
-	}
-	if (maxOutputLen < inputLen) {
-	    PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	    return SECFailure;
-	}
-	rv = (*cx->dec)(cx, output, input, inputLen);
+        if (inputLen % RC2_BLOCK_SIZE) {
+            PORT_SetError(SEC_ERROR_INPUT_LEN);
+            return SECFailure;
+        }
+        if (maxOutputLen < inputLen) {
+            PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+            return SECFailure;
+        }
+        rv = (*cx->dec)(cx, output, input, inputLen);
     }
     if (rv == SECSuccess) {
-	*outputLen = inputLen;
+        *outputLen = inputLen;
     }
     return rv;
 }
-
--- a/security/nss/lib/freebl/alghmac.c
+++ b/security/nss/lib/freebl/alghmac.c
@@ -12,102 +12,102 @@
 #include "alghmac.h"
 #include "secerr.h"
 
 #define HMAC_PAD_SIZE HASH_BLOCK_LENGTH_MAX
 
 struct HMACContextStr {
     void *hash;
     const SECHashObject *hashobj;
-    PRBool        wasAllocated;
+    PRBool wasAllocated;
     unsigned char ipad[HMAC_PAD_SIZE];
     unsigned char opad[HMAC_PAD_SIZE];
 };
 
 void
 HMAC_Destroy(HMACContext *cx, PRBool freeit)
 {
     if (cx == NULL)
-	return;
+        return;
 
     PORT_Assert(!freeit == !cx->wasAllocated);
     if (cx->hash != NULL) {
-	cx->hashobj->destroy(cx->hash, PR_TRUE);
-	PORT_Memset(cx, 0, sizeof *cx);
+        cx->hashobj->destroy(cx->hash, PR_TRUE);
+        PORT_Memset(cx, 0, sizeof *cx);
     }
     if (freeit)
-	PORT_Free(cx);
+        PORT_Free(cx);
 }
 
 SECStatus
-HMAC_Init( HMACContext * cx, const SECHashObject *hash_obj, 
-	   const unsigned char *secret, unsigned int secret_len, PRBool isFIPS)
+HMAC_Init(HMACContext *cx, const SECHashObject *hash_obj,
+          const unsigned char *secret, unsigned int secret_len, PRBool isFIPS)
 {
     unsigned int i;
     unsigned char hashed_secret[HASH_LENGTH_MAX];
 
     /* required by FIPS 198 Section 3 */
-    if (isFIPS && secret_len < hash_obj->length/2) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+    if (isFIPS && secret_len < hash_obj->length / 2) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
     if (cx == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
     cx->wasAllocated = PR_FALSE;
     cx->hashobj = hash_obj;
     cx->hash = cx->hashobj->create();
     if (cx->hash == NULL)
-	goto loser;
+        goto loser;
 
     if (secret_len > cx->hashobj->blocklength) {
-	cx->hashobj->begin( cx->hash);
-	cx->hashobj->update(cx->hash, secret, secret_len);
-	PORT_Assert(cx->hashobj->length <= sizeof hashed_secret);
-	cx->hashobj->end(   cx->hash, hashed_secret, &secret_len, 
-	                 sizeof hashed_secret);
-	if (secret_len != cx->hashobj->length) {
-	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	    goto loser;
-	}
-	secret = (const unsigned char *)&hashed_secret[0];
+        cx->hashobj->begin(cx->hash);
+        cx->hashobj->update(cx->hash, secret, secret_len);
+        PORT_Assert(cx->hashobj->length <= sizeof hashed_secret);
+        cx->hashobj->end(cx->hash, hashed_secret, &secret_len,
+                         sizeof hashed_secret);
+        if (secret_len != cx->hashobj->length) {
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            goto loser;
+        }
+        secret = (const unsigned char *)&hashed_secret[0];
     }
 
     PORT_Memset(cx->ipad, 0x36, cx->hashobj->blocklength);
     PORT_Memset(cx->opad, 0x5c, cx->hashobj->blocklength);
 
     /* fold secret into padding */
     for (i = 0; i < secret_len; i++) {
-	cx->ipad[i] ^= secret[i];
-	cx->opad[i] ^= secret[i];
+        cx->ipad[i] ^= secret[i];
+        cx->opad[i] ^= secret[i];
     }
     PORT_Memset(hashed_secret, 0, sizeof hashed_secret);
     return SECSuccess;
 
 loser:
     PORT_Memset(hashed_secret, 0, sizeof hashed_secret);
     if (cx->hash != NULL)
-	cx->hashobj->destroy(cx->hash, PR_TRUE);
+        cx->hashobj->destroy(cx->hash, PR_TRUE);
     return SECFailure;
 }
 
 HMACContext *
-HMAC_Create(const SECHashObject *hash_obj, const unsigned char *secret, 
+HMAC_Create(const SECHashObject *hash_obj, const unsigned char *secret,
             unsigned int secret_len, PRBool isFIPS)
 {
     SECStatus rv;
-    HMACContext * cx = PORT_ZNew(HMACContext);
+    HMACContext *cx = PORT_ZNew(HMACContext);
     if (cx == NULL)
-	return NULL;
+        return NULL;
     rv = HMAC_Init(cx, hash_obj, secret, secret_len, isFIPS);
     cx->wasAllocated = PR_TRUE;
     if (rv != SECSuccess) {
-	PORT_Free(cx); /* contains no secret info */
-	cx = NULL;
+        PORT_Free(cx); /* contains no secret info */
+        cx = NULL;
     }
     return cx;
 }
 
 void
 HMAC_Begin(HMACContext *cx)
 {
     /* start inner hash */
@@ -118,48 +118,48 @@ HMAC_Begin(HMACContext *cx)
 void
 HMAC_Update(HMACContext *cx, const unsigned char *data, unsigned int data_len)
 {
     cx->hashobj->update(cx->hash, data, data_len);
 }
 
 SECStatus
 HMAC_Finish(HMACContext *cx, unsigned char *result, unsigned int *result_len,
-	    unsigned int max_result_len)
+            unsigned int max_result_len)
 {
     if (max_result_len < cx->hashobj->length) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     cx->hashobj->end(cx->hash, result, result_len, max_result_len);
     if (*result_len != cx->hashobj->length)
-	return SECFailure;
+        return SECFailure;
 
     cx->hashobj->begin(cx->hash);
     cx->hashobj->update(cx->hash, cx->opad, cx->hashobj->blocklength);
     cx->hashobj->update(cx->hash, result, *result_len);
     cx->hashobj->end(cx->hash, result, result_len, max_result_len);
     return SECSuccess;
 }
 
 HMACContext *
 HMAC_Clone(HMACContext *cx)
 {
     HMACContext *newcx;
 
-    newcx = (HMACContext*)PORT_ZAlloc(sizeof(HMACContext));
+    newcx = (HMACContext *)PORT_ZAlloc(sizeof(HMACContext));
     if (newcx == NULL)
-	goto loser;
+        goto loser;
 
     newcx->wasAllocated = PR_TRUE;
     newcx->hashobj = cx->hashobj;
     newcx->hash = cx->hashobj->clone(cx->hash);
     if (newcx->hash == NULL)
-	goto loser;
+        goto loser;
     PORT_Memcpy(newcx->ipad, cx->ipad, cx->hashobj->blocklength);
     PORT_Memcpy(newcx->opad, cx->opad, cx->hashobj->blocklength);
     return newcx;
 
 loser:
     HMAC_Destroy(newcx, PR_TRUE);
     return NULL;
 }
--- a/security/nss/lib/freebl/alghmac.h
+++ b/security/nss/lib/freebl/alghmac.h
@@ -10,55 +10,55 @@ typedef struct HMACContextStr HMACContex
 SEC_BEGIN_PROTOS
 
 /* destroy HMAC context */
 extern void
 HMAC_Destroy(HMACContext *cx, PRBool freeit);
 
 /* create HMAC context
  *  hash_obj    hash object from SECRawHashObjects[]
- *  secret	the secret with which the HMAC is performed.
- *  secret_len	the length of the secret.
- *  isFIPS	true if conforming to FIPS 198.
+ *  secret      the secret with which the HMAC is performed.
+ *  secret_len  the length of the secret.
+ *  isFIPS      true if conforming to FIPS 198.
  *
  * NULL is returned if an error occurs.
  */
 extern HMACContext *
-HMAC_Create(const SECHashObject *hash_obj, const unsigned char *secret, 
-	    unsigned int secret_len, PRBool isFIPS);
+HMAC_Create(const SECHashObject *hash_obj, const unsigned char *secret,
+            unsigned int secret_len, PRBool isFIPS);
 
 /* like HMAC_Create, except caller allocates HMACContext. */
 SECStatus
-HMAC_Init(HMACContext *cx, const SECHashObject *hash_obj, 
-	  const unsigned char *secret, unsigned int secret_len, PRBool isFIPS);
+HMAC_Init(HMACContext *cx, const SECHashObject *hash_obj,
+          const unsigned char *secret, unsigned int secret_len, PRBool isFIPS);
 
 /* reset HMAC for a fresh round */
 extern void
 HMAC_Begin(HMACContext *cx);
 
-/* update HMAC 
- *  cx		HMAC Context
- *  data	the data to perform HMAC on
- *  data_len	the length of the data to process
+/* update HMAC
+ *  cx          HMAC Context
+ *  data        the data to perform HMAC on
+ *  data_len    the length of the data to process
  */
-extern void 
+extern void
 HMAC_Update(HMACContext *cx, const unsigned char *data, unsigned int data_len);
 
 /* Finish HMAC -- place the results within result
- *  cx		HMAC context
- *  result	buffer for resulting hmac'd data
- *  result_len	where the resultant hmac length is stored
+ *  cx          HMAC context
+ *  result      buffer for resulting hmac'd data
+ *  result_len  where the resultant hmac length is stored
  *  max_result_len  maximum possible length that can be stored in result
  */
 extern SECStatus
 HMAC_Finish(HMACContext *cx, unsigned char *result, unsigned int *result_len,
-	    unsigned int max_result_len);
+            unsigned int max_result_len);
 
 /* clone a copy of the HMAC state.  this is usefult when you would
- * need to keep a running hmac but also need to extract portions 
+ * need to keep a running hmac but also need to extract portions
  * partway through the process.
  */
 extern HMACContext *
 HMAC_Clone(HMACContext *cx);
 
 SEC_END_PROTOS
 
 #endif
--- a/security/nss/lib/freebl/arcfive.c
+++ b/security/nss/lib/freebl/arcfive.c
@@ -35,54 +35,53 @@ RC5_CreateContext(const SECItem *key, un
     return NULL;
 }
 
 /*
 ** Destroy an RC5 encryption/decryption context.
 **      "cx" the context
 **      "freeit" if PR_TRUE then free the object as well as its sub-objects
 */
-void 
-RC5_DestroyContext(RC5Context *cx, PRBool freeit) 
+void
+RC5_DestroyContext(RC5Context *cx, PRBool freeit)
 {
     PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
 }
 
 /*
 ** Perform RC5 encryption.
 **      "cx" the context
 **      "output" the output buffer to store the encrypted data.
 **      "outputLen" how much data is stored in "output". Set by the routine
 **         after some data is stored in output.
 **      "maxOutputLen" the maximum amount of data that can ever be
 **         stored in "output"
 **      "input" the input data
 **      "inputLen" the amount of input data
 */
-SECStatus 
-RC5_Encrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen, 
-	    unsigned int maxOutputLen, 
-	    const unsigned char *input, unsigned int inputLen)
+SECStatus
+RC5_Encrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen,
+            unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
 {
     PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
     return SECFailure;
 }
 
 /*
 ** Perform RC5 decryption.
 **      "cx" the context
 **      "output" the output buffer to store the decrypted data.
 **      "outputLen" how much data is stored in "output". Set by the routine
 **         after some data is stored in output.
 **      "maxOutputLen" the maximum amount of data that can ever be
 **         stored in "output"
 **      "input" the input data
 **      "inputLen" the amount of input data
 */
-SECStatus 
-RC5_Decrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen, 
-	    unsigned int maxOutputLen,
+SECStatus
+RC5_Decrypt(RC5Context *cx, unsigned char *output, unsigned int *outputLen,
+            unsigned int maxOutputLen,
             const unsigned char *input, unsigned int inputLen)
 {
     PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
     return SECFailure;
 }
-
--- a/security/nss/lib/freebl/arcfour.c
+++ b/security/nss/lib/freebl/arcfour.c
@@ -18,18 +18,18 @@
 
 #if defined(SOLARIS) || defined(HPUX) || defined(NSS_X86) || \
     defined(_WIN64)
 /* Convert the byte-stream to a word-stream */
 #define CONVERT_TO_WORDS
 #endif
 
 #if defined(AIX) || defined(OSF1) || defined(NSS_BEVAND_ARCFOUR)
-/* Treat array variables as words, not bytes, on CPUs that take 
- * much longer to write bytes than to write words, or when using 
+/* Treat array variables as words, not bytes, on CPUs that take
+ * much longer to write bytes than to write words, or when using
  * assembler code that required it.
  */
 #define USE_WORD
 #endif
 
 #if defined(IS_64) || defined(NSS_BEVAND_ARCFOUR)
 typedef PRUint64 WORD;
 #else
@@ -43,531 +43,552 @@ typedef WORD Stype;
 typedef PRUint8 Stype;
 #endif
 
 #define ARCFOUR_STATE_SIZE 256
 
 #define MASK1BYTE (WORD)(0xff)
 
 #define SWAP(a, b) \
-	tmp = a; \
-	a = b; \
-	b = tmp;
+    tmp = a;       \
+    a = b;         \
+    b = tmp;
 
 /*
  * State information for stream cipher.
  */
-struct RC4ContextStr
-{
+struct RC4ContextStr {
 #if defined(NSS_ARCFOUR_IJ_B4_S) || defined(NSS_BEVAND_ARCFOUR)
-	Stype i;
-	Stype j;
-	Stype S[ARCFOUR_STATE_SIZE];
+    Stype i;
+    Stype j;
+    Stype S[ARCFOUR_STATE_SIZE];
 #else
-	Stype S[ARCFOUR_STATE_SIZE];
-	Stype i;
-	Stype j;
+    Stype S[ARCFOUR_STATE_SIZE];
+    Stype i;
+    Stype j;
 #endif
 };
 
 /*
  * array indices [0..255] to initialize cx->S array (faster than loop).
  */
 static const Stype Kinit[256] = {
-	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
-	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
-	0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
-	0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
-	0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
-	0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
-	0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
-	0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
-	0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
-	0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
-	0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
-	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
-	0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
-	0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
-	0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
-	0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
-	0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
-	0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
-	0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
-	0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
-	0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-	0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
-	0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
-	0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
-	0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
-	0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
-	0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
-	0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
-	0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
-	0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+    0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+    0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
+    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+    0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
+    0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
+    0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
+    0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+    0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+    0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+    0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
+    0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+    0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+    0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+    0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
+    0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
+    0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
+    0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
+    0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
+    0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
+    0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
+    0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
+    0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
+    0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
+    0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
+    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+    0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
 };
 
 RC4Context *
 RC4_AllocateContext(void)
 {
     return PORT_ZNew(RC4Context);
 }
 
-SECStatus   
+SECStatus
 RC4_InitContext(RC4Context *cx, const unsigned char *key, unsigned int len,
-	        const unsigned char * unused1, int unused2, 
-		unsigned int unused3, unsigned int unused4)
+                const unsigned char *unused1, int unused2,
+                unsigned int unused3, unsigned int unused4)
 {
-	unsigned int i;
-	PRUint8 j, tmp;
-	PRUint8 K[256];
-	PRUint8 *L;
+    unsigned int i;
+    PRUint8 j, tmp;
+    PRUint8 K[256];
+    PRUint8 *L;
 
-	/* verify the key length. */
-	PORT_Assert(len > 0 && len < ARCFOUR_STATE_SIZE);
-	if (len == 0 || len >= ARCFOUR_STATE_SIZE) {
-		PORT_SetError(SEC_ERROR_BAD_KEY);
-		return SECFailure;
-	}
-	if (cx == NULL) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-	/* Initialize the state using array indices. */
-	memcpy(cx->S, Kinit, sizeof cx->S);
-	/* Fill in K repeatedly with values from key. */
-	L = K;
-	for (i = sizeof K; i > len; i-= len) {
-		memcpy(L, key, len);
-		L += len;
-	}
-	memcpy(L, key, i);
-	/* Stir the state of the generator.  At this point it is assumed
-	 * that the key is the size of the state buffer.  If this is not
-	 * the case, the key bytes are repeated to fill the buffer.
-	 */
-	j = 0;
+    /* verify the key length. */
+    PORT_Assert(len > 0 && len < ARCFOUR_STATE_SIZE);
+    if (len == 0 || len >= ARCFOUR_STATE_SIZE) {
+        PORT_SetError(SEC_ERROR_BAD_KEY);
+        return SECFailure;
+    }
+    if (cx == NULL) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+    /* Initialize the state using array indices. */
+    memcpy(cx->S, Kinit, sizeof cx->S);
+    /* Fill in K repeatedly with values from key. */
+    L = K;
+    for (i = sizeof K; i > len; i -= len) {
+        memcpy(L, key, len);
+        L += len;
+    }
+    memcpy(L, key, i);
+    /* Stir the state of the generator.  At this point it is assumed
+     * that the key is the size of the state buffer.  If this is not
+     * the case, the key bytes are repeated to fill the buffer.
+     */
+    j = 0;
 #define ARCFOUR_STATE_STIR(ii) \
-	j = j + cx->S[ii] + K[ii]; \
-	SWAP(cx->S[ii], cx->S[j]);
-	for (i=0; i<ARCFOUR_STATE_SIZE; i++) {
-		ARCFOUR_STATE_STIR(i);
-	}
-	cx->i = 0;
-	cx->j = 0;
-	return SECSuccess;
+    j = j + cx->S[ii] + K[ii]; \
+    SWAP(cx->S[ii], cx->S[j]);
+    for (i = 0; i < ARCFOUR_STATE_SIZE; i++) {
+        ARCFOUR_STATE_STIR(i);
+    }
+    cx->i = 0;
+    cx->j = 0;
+    return SECSuccess;
 }
 
-
 /*
  * Initialize a new generator.
  */
 RC4Context *
 RC4_CreateContext(const unsigned char *key, int len)
 {
     RC4Context *cx = RC4_AllocateContext();
     if (cx) {
-	SECStatus rv = RC4_InitContext(cx, key, len, NULL, 0, 0, 0);
-	if (rv != SECSuccess) {
-	    PORT_ZFree(cx, sizeof(*cx));
-	    cx = NULL;
-	}
+        SECStatus rv = RC4_InitContext(cx, key, len, NULL, 0, 0, 0);
+        if (rv != SECSuccess) {
+            PORT_ZFree(cx, sizeof(*cx));
+            cx = NULL;
+        }
     }
     return cx;
 }
 
-void 
+void
 RC4_DestroyContext(RC4Context *cx, PRBool freeit)
 {
-	if (freeit)
-		PORT_ZFree(cx, sizeof(*cx));
+    if (freeit)
+        PORT_ZFree(cx, sizeof(*cx));
 }
 
 #if defined(NSS_BEVAND_ARCFOUR)
-extern void ARCFOUR(RC4Context *cx, WORD inputLen, 
-	const unsigned char *input, unsigned char *output);
+extern void ARCFOUR(RC4Context *cx, WORD inputLen,
+                    const unsigned char *input, unsigned char *output);
 #else
 /*
  * Generate the next byte in the stream.
  */
 #define ARCFOUR_NEXT_BYTE() \
-	tmpSi = cx->S[++tmpi]; \
-	tmpj += tmpSi; \
-	tmpSj = cx->S[tmpj]; \
-	cx->S[tmpi] = tmpSj; \
-	cx->S[tmpj] = tmpSi; \
-	t = tmpSi + tmpSj;
+    tmpSi = cx->S[++tmpi];  \
+    tmpj += tmpSi;          \
+    tmpSj = cx->S[tmpj];    \
+    cx->S[tmpi] = tmpSj;    \
+    cx->S[tmpj] = tmpSi;    \
+    t = tmpSi + tmpSj;
 
 #ifdef CONVERT_TO_WORDS
 /*
  * Straight ARCFOUR op.  No optimization.
  */
-static SECStatus 
+static SECStatus
 rc4_no_opt(RC4Context *cx, unsigned char *output,
            unsigned int *outputLen, unsigned int maxOutputLen,
            const unsigned char *input, unsigned int inputLen)
 {
     PRUint8 t;
-	Stype tmpSi, tmpSj;
-	register PRUint8 tmpi = cx->i;
-	register PRUint8 tmpj = cx->j;
-	unsigned int index;
-	PORT_Assert(maxOutputLen >= inputLen);
-	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-		return SECFailure;
-	}
-	for (index=0; index < inputLen; index++) {
-		/* Generate next byte from stream. */
-		ARCFOUR_NEXT_BYTE();
-		/* output = next stream byte XOR next input byte */
-		output[index] = cx->S[t] ^ input[index];
-	}
-	*outputLen = inputLen;
-	cx->i = tmpi;
-	cx->j = tmpj;
-	return SECSuccess;
+    Stype tmpSi, tmpSj;
+    register PRUint8 tmpi = cx->i;
+    register PRUint8 tmpj = cx->j;
+    unsigned int index;
+    PORT_Assert(maxOutputLen >= inputLen);
+    if (maxOutputLen < inputLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+    for (index = 0; index < inputLen; index++) {
+        /* Generate next byte from stream. */
+        ARCFOUR_NEXT_BYTE();
+        /* output = next stream byte XOR next input byte */
+        output[index] = cx->S[t] ^ input[index];
+    }
+    *outputLen = inputLen;
+    cx->i = tmpi;
+    cx->j = tmpj;
+    return SECSuccess;
 }
 
 #else
 /* !CONVERT_TO_WORDS */
 
 /*
  * Byte-at-a-time ARCFOUR, unrolling the loop into 8 pieces.
  */
-static SECStatus 
+static SECStatus
 rc4_unrolled(RC4Context *cx, unsigned char *output,
              unsigned int *outputLen, unsigned int maxOutputLen,
              const unsigned char *input, unsigned int inputLen)
 {
-	PRUint8 t;
-	Stype tmpSi, tmpSj;
-	register PRUint8 tmpi = cx->i;
-	register PRUint8 tmpj = cx->j;
-	int index;
-	PORT_Assert(maxOutputLen >= inputLen);
-	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-		return SECFailure;
-	}
-	for (index = inputLen / 8; index-- > 0; input += 8, output += 8) {
-		ARCFOUR_NEXT_BYTE();
-		output[0] = cx->S[t] ^ input[0];
-		ARCFOUR_NEXT_BYTE();
-		output[1] = cx->S[t] ^ input[1];
-		ARCFOUR_NEXT_BYTE();
-		output[2] = cx->S[t] ^ input[2];
-		ARCFOUR_NEXT_BYTE();
-		output[3] = cx->S[t] ^ input[3];
-		ARCFOUR_NEXT_BYTE();
-		output[4] = cx->S[t] ^ input[4];
-		ARCFOUR_NEXT_BYTE();
-		output[5] = cx->S[t] ^ input[5];
-		ARCFOUR_NEXT_BYTE();
-		output[6] = cx->S[t] ^ input[6];
-		ARCFOUR_NEXT_BYTE();
-		output[7] = cx->S[t] ^ input[7];
-	}
-	index = inputLen % 8;
-	if (index) {
-		input += index;
-		output += index;
-		switch (index) {
-		case 7:
-			ARCFOUR_NEXT_BYTE();
-			output[-7] = cx->S[t] ^ input[-7]; /* FALLTHRU */
-		case 6:
-			ARCFOUR_NEXT_BYTE();
-			output[-6] = cx->S[t] ^ input[-6]; /* FALLTHRU */
-		case 5:
-			ARCFOUR_NEXT_BYTE();
-			output[-5] = cx->S[t] ^ input[-5]; /* FALLTHRU */
-		case 4:
-			ARCFOUR_NEXT_BYTE();
-			output[-4] = cx->S[t] ^ input[-4]; /* FALLTHRU */
-		case 3:
-			ARCFOUR_NEXT_BYTE();
-			output[-3] = cx->S[t] ^ input[-3]; /* FALLTHRU */
-		case 2:
-			ARCFOUR_NEXT_BYTE();
-			output[-2] = cx->S[t] ^ input[-2]; /* FALLTHRU */
-		case 1:
-			ARCFOUR_NEXT_BYTE();
-			output[-1] = cx->S[t] ^ input[-1]; /* FALLTHRU */
-		default:
-			/* FALLTHRU */
-			; /* hp-ux build breaks without this */
-		}
-	}
-	cx->i = tmpi;
-	cx->j = tmpj;
-	*outputLen = inputLen;
-	return SECSuccess;
+    PRUint8 t;
+    Stype tmpSi, tmpSj;
+    register PRUint8 tmpi = cx->i;
+    register PRUint8 tmpj = cx->j;
+    int index;
+    PORT_Assert(maxOutputLen >= inputLen);
+    if (maxOutputLen < inputLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+    for (index = inputLen / 8; index-- > 0; input += 8, output += 8) {
+        ARCFOUR_NEXT_BYTE();
+        output[0] = cx->S[t] ^ input[0];
+        ARCFOUR_NEXT_BYTE();
+        output[1] = cx->S[t] ^ input[1];
+        ARCFOUR_NEXT_BYTE();
+        output[2] = cx->S[t] ^ input[2];
+        ARCFOUR_NEXT_BYTE();
+        output[3] = cx->S[t] ^ input[3];
+        ARCFOUR_NEXT_BYTE();
+        output[4] = cx->S[t] ^ input[4];
+        ARCFOUR_NEXT_BYTE();
+        output[5] = cx->S[t] ^ input[5];
+        ARCFOUR_NEXT_BYTE();
+        output[6] = cx->S[t] ^ input[6];
+        ARCFOUR_NEXT_BYTE();
+        output[7] = cx->S[t] ^ input[7];
+    }
+    index = inputLen % 8;
+    if (index) {
+        input += index;
+        output += index;
+        switch (index) {
+            case 7:
+                ARCFOUR_NEXT_BYTE();
+                output[-7] = cx->S[t] ^ input[-7]; /* FALLTHRU */
+            case 6:
+                ARCFOUR_NEXT_BYTE();
+                output[-6] = cx->S[t] ^ input[-6]; /* FALLTHRU */
+            case 5:
+                ARCFOUR_NEXT_BYTE();
+                output[-5] = cx->S[t] ^ input[-5]; /* FALLTHRU */
+            case 4:
+                ARCFOUR_NEXT_BYTE();
+                output[-4] = cx->S[t] ^ input[-4]; /* FALLTHRU */
+            case 3:
+                ARCFOUR_NEXT_BYTE();
+                output[-3] = cx->S[t] ^ input[-3]; /* FALLTHRU */
+            case 2:
+                ARCFOUR_NEXT_BYTE();
+                output[-2] = cx->S[t] ^ input[-2]; /* FALLTHRU */
+            case 1:
+                ARCFOUR_NEXT_BYTE();
+                output[-1] = cx->S[t] ^ input[-1]; /* FALLTHRU */
+            default:
+                /* FALLTHRU */
+                ; /* hp-ux build breaks without this */
+        }
+    }
+    cx->i = tmpi;
+    cx->j = tmpj;
+    *outputLen = inputLen;
+    return SECSuccess;
 }
 #endif
 
 #ifdef IS_LITTLE_ENDIAN
-#define ARCFOUR_NEXT4BYTES_L(n) \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n     ); \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n +  8); \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 16); \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 24);
+#define ARCFOUR_NEXT4BYTES_L(n)               \
+    ARCFOUR_NEXT_BYTE();                      \
+    streamWord |= (WORD)cx->S[t] << (n);      \
+    ARCFOUR_NEXT_BYTE();                      \
+    streamWord |= (WORD)cx->S[t] << (n + 8);  \
+    ARCFOUR_NEXT_BYTE();                      \
+    streamWord |= (WORD)cx->S[t] << (n + 16); \
+    ARCFOUR_NEXT_BYTE();                      \
+    streamWord |= (WORD)cx->S[t] << (n + 24);
 #else
-#define ARCFOUR_NEXT4BYTES_B(n) \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 24); \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n + 16); \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n +  8); \
-	ARCFOUR_NEXT_BYTE(); streamWord |= (WORD)cx->S[t] << (n     );
+#define ARCFOUR_NEXT4BYTES_B(n)               \
+    ARCFOUR_NEXT_BYTE();                      \
+    streamWord |= (WORD)cx->S[t] << (n + 24); \
+    ARCFOUR_NEXT_BYTE();                      \
+    streamWord |= (WORD)cx->S[t] << (n + 16); \
+    ARCFOUR_NEXT_BYTE();                      \
+    streamWord |= (WORD)cx->S[t] << (n + 8);  \
+    ARCFOUR_NEXT_BYTE();                      \
+    streamWord |= (WORD)cx->S[t] << (n);
 #endif
 
 #if (defined(IS_64) && !defined(__sparc)) || defined(NSS_USE_64)
 /* 64-bit wordsize */
 #ifdef IS_LITTLE_ENDIAN
-#define ARCFOUR_NEXT_WORD() \
-	{ streamWord = 0; ARCFOUR_NEXT4BYTES_L(0); ARCFOUR_NEXT4BYTES_L(32); }
+#define ARCFOUR_NEXT_WORD()       \
+    {                             \
+        streamWord = 0;           \
+        ARCFOUR_NEXT4BYTES_L(0);  \
+        ARCFOUR_NEXT4BYTES_L(32); \
+    }
 #else
-#define ARCFOUR_NEXT_WORD() \
-	{ streamWord = 0; ARCFOUR_NEXT4BYTES_B(32); ARCFOUR_NEXT4BYTES_B(0); }
+#define ARCFOUR_NEXT_WORD()       \
+    {                             \
+        streamWord = 0;           \
+        ARCFOUR_NEXT4BYTES_B(32); \
+        ARCFOUR_NEXT4BYTES_B(0);  \
+    }
 #endif
 #else
 /* 32-bit wordsize */
 #ifdef IS_LITTLE_ENDIAN
-#define ARCFOUR_NEXT_WORD() \
-	{ streamWord = 0; ARCFOUR_NEXT4BYTES_L(0); }
+#define ARCFOUR_NEXT_WORD()      \
+    {                            \
+        streamWord = 0;          \
+        ARCFOUR_NEXT4BYTES_L(0); \
+    }
 #else
-#define ARCFOUR_NEXT_WORD() \
-	{ streamWord = 0; ARCFOUR_NEXT4BYTES_B(0); }
+#define ARCFOUR_NEXT_WORD()      \
+    {                            \
+        streamWord = 0;          \
+        ARCFOUR_NEXT4BYTES_B(0); \
+    }
 #endif
 #endif
 
 #ifdef IS_LITTLE_ENDIAN
 #define RSH <<
 #define LSH >>
 #else
 #define RSH >>
 #define LSH <<
 #endif
 
 #ifdef IS_LITTLE_ENDIAN
 #define LEFTMOST_BYTE_SHIFT 0
 #define NEXT_BYTE_SHIFT(shift) shift + 8
 #else
-#define LEFTMOST_BYTE_SHIFT 8*(WORDSIZE - 1)
+#define LEFTMOST_BYTE_SHIFT 8 * (WORDSIZE - 1)
 #define NEXT_BYTE_SHIFT(shift) shift - 8
 #endif
 
 #ifdef CONVERT_TO_WORDS
-static SECStatus 
+static SECStatus
 rc4_wordconv(RC4Context *cx, unsigned char *output,
              unsigned int *outputLen, unsigned int maxOutputLen,
              const unsigned char *input, unsigned int inputLen)
 {
-	PR_STATIC_ASSERT(sizeof(PRUword) == sizeof(ptrdiff_t));
-	unsigned int inOffset = (PRUword)input % WORDSIZE;
-	unsigned int outOffset = (PRUword)output % WORDSIZE;
-	register WORD streamWord;
-	register const WORD *pInWord;
-	register WORD *pOutWord;
-	register WORD inWord, nextInWord;
-	PRUint8 t;
-	register Stype tmpSi, tmpSj;
-	register PRUint8 tmpi = cx->i;
-	register PRUint8 tmpj = cx->j;
-	unsigned int bufShift, invBufShift;
-	unsigned int i;
-	const unsigned char *finalIn;
-	unsigned char *finalOut;
+    PR_STATIC_ASSERT(sizeof(PRUword) == sizeof(ptrdiff_t));
+    unsigned int inOffset = (PRUword)input % WORDSIZE;
+    unsigned int outOffset = (PRUword)output % WORDSIZE;
+    register WORD streamWord;
+    register const WORD *pInWord;
+    register WORD *pOutWord;
+    register WORD inWord, nextInWord;
+    PRUint8 t;
+    register Stype tmpSi, tmpSj;
+    register PRUint8 tmpi = cx->i;
+    register PRUint8 tmpj = cx->j;
+    unsigned int bufShift, invBufShift;
+    unsigned int i;
+    const unsigned char *finalIn;
+    unsigned char *finalOut;
 
-	PORT_Assert(maxOutputLen >= inputLen);
-	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-		return SECFailure;
-	}
-	if (inputLen < 2*WORDSIZE) {
-		/* Ignore word conversion, do byte-at-a-time */
-		return rc4_no_opt(cx, output, outputLen, maxOutputLen, input, inputLen);
-	}
-	*outputLen = inputLen;
-	pInWord = (const WORD *)(input - inOffset);
-	pOutWord = (WORD *)(output - outOffset);
-	if (inOffset <= outOffset) {
-		bufShift = 8*(outOffset - inOffset);
-		invBufShift = 8*WORDSIZE - bufShift;
-	} else {
-		invBufShift = 8*(inOffset - outOffset);
-		bufShift = 8*WORDSIZE - invBufShift;
-	}
-	/*****************************************************************/
-	/* Step 1:                                                       */
-	/* If the first output word is partial, consume the bytes in the */
-	/* first partial output word by loading one or two words of      */
-	/* input and shifting them accordingly.  Otherwise, just load    */
-	/* in the first word of input.  At the end of this block, at     */
-	/* least one partial word of input should ALWAYS be loaded.      */
-	/*****************************************************************/
-	if (outOffset) {
-		unsigned int byteCount = WORDSIZE - outOffset; 
-		for (i = 0; i < byteCount; i++) {
-			ARCFOUR_NEXT_BYTE();
-			output[i] = cx->S[t] ^ input[i];
-		}
-		/* Consumed byteCount bytes of input */
-		inputLen -= byteCount;
-		pInWord++;
+    PORT_Assert(maxOutputLen >= inputLen);
+    if (maxOutputLen < inputLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+    if (inputLen < 2 * WORDSIZE) {
+        /* Ignore word conversion, do byte-at-a-time */
+        return rc4_no_opt(cx, output, outputLen, maxOutputLen, input, inputLen);
+    }
+    *outputLen = inputLen;
+    pInWord = (const WORD *)(input - inOffset);
+    pOutWord = (WORD *)(output - outOffset);
+    if (inOffset <= outOffset) {
+        bufShift = 8 * (outOffset - inOffset);
+        invBufShift = 8 * WORDSIZE - bufShift;
+    } else {
+        invBufShift = 8 * (inOffset - outOffset);
+        bufShift = 8 * WORDSIZE - invBufShift;
+    }
+    /*****************************************************************/
+    /* Step 1:                                                       */
+    /* If the first output word is partial, consume the bytes in the */
+    /* first partial output word by loading one or two words of      */
+    /* input and shifting them accordingly.  Otherwise, just load    */
+    /* in the first word of input.  At the end of this block, at     */
+    /* least one partial word of input should ALWAYS be loaded.      */
+    /*****************************************************************/
+    if (outOffset) {
+        unsigned int byteCount = WORDSIZE - outOffset;
+        for (i = 0; i < byteCount; i++) {
+            ARCFOUR_NEXT_BYTE();
+            output[i] = cx->S[t] ^ input[i];
+        }
+        /* Consumed byteCount bytes of input */
+        inputLen -= byteCount;
+        pInWord++;
 
-		/* move to next word of output */
-		pOutWord++;
+        /* move to next word of output */
+        pOutWord++;
 
-		/* If buffers are relatively misaligned, shift the bytes in inWord
-		 * to be aligned to the output buffer.
-		 */
-		if (inOffset < outOffset) {
-			/* The first input word (which may be partial) has more bytes
-			 * than needed.  Copy the remainder to inWord.
-			 */
-			unsigned int shift = LEFTMOST_BYTE_SHIFT;
-			inWord = 0;
-			for (i = 0; i < outOffset - inOffset; i++) {
-				inWord |= (WORD)input[byteCount + i] << shift;
-				shift = NEXT_BYTE_SHIFT(shift);
-			}
-		} else if (inOffset > outOffset) {
-			/* Consumed some bytes in the second input word.  Copy the
-			 * remainder to inWord.
-			 */
-			inWord = *pInWord++;
-			inWord = inWord LSH invBufShift;
-		} else {
-			inWord = 0;
-		}
-	} else {
-		/* output is word-aligned */
-		if (inOffset) {
-			/* Input is not word-aligned.  The first word load of input 
-			 * will not produce a full word of input bytes, so one word
-			 * must be pre-loaded.  The main loop below will load in the
-			 * next input word and shift some of its bytes into inWord
-			 * in order to create a full input word.  Note that the main
-			 * loop must execute at least once because the input must
-			 * be at least two words.
-			 */
-			unsigned int shift = LEFTMOST_BYTE_SHIFT;
-			inWord = 0;
-			for (i = 0; i < WORDSIZE - inOffset; i++) {
-				inWord |= (WORD)input[i] << shift;
-				shift = NEXT_BYTE_SHIFT(shift);
-			}
-			pInWord++;
-		} else {
-			/* Input is word-aligned.  The first word load of input 
-			 * will produce a full word of input bytes, so nothing
-			 * needs to be loaded here.
-			 */
-			inWord = 0;
-		}
-	}
-	/*****************************************************************/
-	/* Step 2: main loop                                             */
-	/* At this point the output buffer is word-aligned.  Any unused  */
-	/* bytes from above will be in inWord (shifted correctly).  If   */
-	/* the input buffer is unaligned relative to the output buffer,  */
-	/* shifting has to be done.                                      */
-	/*****************************************************************/
-	if (bufShift) {
-		/* preloadedByteCount is the number of input bytes pre-loaded
-		 * in inWord.
-		 */
-		unsigned int preloadedByteCount = bufShift/8;
-		for (; inputLen >= preloadedByteCount + WORDSIZE;
-		     inputLen -= WORDSIZE) {
-			nextInWord = *pInWord++;
-			inWord |= nextInWord RSH bufShift;
-			nextInWord = nextInWord LSH invBufShift;
-			ARCFOUR_NEXT_WORD();
-			*pOutWord++ = inWord ^ streamWord;
-			inWord = nextInWord;
-		}
-		if (inputLen == 0) {
-			/* Nothing left to do. */
-			cx->i = tmpi;
-			cx->j = tmpj;
-			return SECSuccess;
-		}
-		finalIn = (const unsigned char *)pInWord - preloadedByteCount;
-	} else {
-		for (; inputLen >= WORDSIZE; inputLen -= WORDSIZE) {
-			inWord = *pInWord++;
-			ARCFOUR_NEXT_WORD();
-			*pOutWord++ = inWord ^ streamWord;
-		}
-		if (inputLen == 0) {
-			/* Nothing left to do. */
-			cx->i = tmpi;
-			cx->j = tmpj;
-			return SECSuccess;
-		}
-		finalIn = (const unsigned char *)pInWord;
-	}
-	/*****************************************************************/
-	/* Step 3:                                                       */
-	/* Do the remaining partial word of input one byte at a time.    */
-	/*****************************************************************/
-	finalOut = (unsigned char *)pOutWord;
-	for (i = 0; i < inputLen; i++) {
-		ARCFOUR_NEXT_BYTE();
-		finalOut[i] = cx->S[t] ^ finalIn[i];
-	}
-	cx->i = tmpi;
-	cx->j = tmpj;
-	return SECSuccess;
+        /* If buffers are relatively misaligned, shift the bytes in inWord
+         * to be aligned to the output buffer.
+         */
+        if (inOffset < outOffset) {
+            /* The first input word (which may be partial) has more bytes
+             * than needed.  Copy the remainder to inWord.
+             */
+            unsigned int shift = LEFTMOST_BYTE_SHIFT;
+            inWord = 0;
+            for (i = 0; i < outOffset - inOffset; i++) {
+                inWord |= (WORD)input[byteCount + i] << shift;
+                shift = NEXT_BYTE_SHIFT(shift);
+            }
+        } else if (inOffset > outOffset) {
+            /* Consumed some bytes in the second input word.  Copy the
+             * remainder to inWord.
+             */
+            inWord = *pInWord++;
+            inWord = inWord LSH invBufShift;
+        } else {
+            inWord = 0;
+        }
+    } else {
+        /* output is word-aligned */
+        if (inOffset) {
+            /* Input is not word-aligned.  The first word load of input
+             * will not produce a full word of input bytes, so one word
+             * must be pre-loaded.  The main loop below will load in the
+             * next input word and shift some of its bytes into inWord
+             * in order to create a full input word.  Note that the main
+             * loop must execute at least once because the input must
+             * be at least two words.
+             */
+            unsigned int shift = LEFTMOST_BYTE_SHIFT;
+            inWord = 0;
+            for (i = 0; i < WORDSIZE - inOffset; i++) {
+                inWord |= (WORD)input[i] << shift;
+                shift = NEXT_BYTE_SHIFT(shift);
+            }
+            pInWord++;
+        } else {
+            /* Input is word-aligned.  The first word load of input
+             * will produce a full word of input bytes, so nothing
+             * needs to be loaded here.
+             */
+            inWord = 0;
+        }
+    }
+    /*****************************************************************/
+    /* Step 2: main loop                                             */
+    /* At this point the output buffer is word-aligned.  Any unused  */
+    /* bytes from above will be in inWord (shifted correctly).  If   */
+    /* the input buffer is unaligned relative to the output buffer,  */
+    /* shifting has to be done.                                      */
+    /*****************************************************************/
+    if (bufShift) {
+        /* preloadedByteCount is the number of input bytes pre-loaded
+         * in inWord.
+         */
+        unsigned int preloadedByteCount = bufShift / 8;
+        for (; inputLen >= preloadedByteCount + WORDSIZE;
+             inputLen -= WORDSIZE) {
+            nextInWord = *pInWord++;
+            inWord |= nextInWord RSH bufShift;
+            nextInWord = nextInWord LSH invBufShift;
+            ARCFOUR_NEXT_WORD();
+            *pOutWord++ = inWord ^ streamWord;
+            inWord = nextInWord;
+        }
+        if (inputLen == 0) {
+            /* Nothing left to do. */
+            cx->i = tmpi;
+            cx->j = tmpj;
+            return SECSuccess;
+        }
+        finalIn = (const unsigned char *)pInWord - preloadedByteCount;
+    } else {
+        for (; inputLen >= WORDSIZE; inputLen -= WORDSIZE) {
+            inWord = *pInWord++;
+            ARCFOUR_NEXT_WORD();
+            *pOutWord++ = inWord ^ streamWord;
+        }
+        if (inputLen == 0) {
+            /* Nothing left to do. */
+            cx->i = tmpi;
+            cx->j = tmpj;
+            return SECSuccess;
+        }
+        finalIn = (const unsigned char *)pInWord;
+    }
+    /*****************************************************************/
+    /* Step 3:                                                       */
+    /* Do the remaining partial word of input one byte at a time.    */
+    /*****************************************************************/
+    finalOut = (unsigned char *)pOutWord;
+    for (i = 0; i < inputLen; i++) {
+        ARCFOUR_NEXT_BYTE();
+        finalOut[i] = cx->S[t] ^ finalIn[i];
+    }
+    cx->i = tmpi;
+    cx->j = tmpj;
+    return SECSuccess;
 }
 #endif
 #endif /* NSS_BEVAND_ARCFOUR */
 
-SECStatus 
+SECStatus
 RC4_Encrypt(RC4Context *cx, unsigned char *output,
             unsigned int *outputLen, unsigned int maxOutputLen,
             const unsigned char *input, unsigned int inputLen)
 {
-	PORT_Assert(maxOutputLen >= inputLen);
-	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-		return SECFailure;
-	}
+    PORT_Assert(maxOutputLen >= inputLen);
+    if (maxOutputLen < inputLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
 #if defined(NSS_BEVAND_ARCFOUR)
-	ARCFOUR(cx, inputLen, input, output);
-        *outputLen = inputLen;
-	return SECSuccess;
-#elif defined( CONVERT_TO_WORDS )
-	/* Convert the byte-stream to a word-stream */
-	return rc4_wordconv(cx, output, outputLen, maxOutputLen, input, inputLen);
+    ARCFOUR(cx, inputLen, input, output);
+    *outputLen = inputLen;
+    return SECSuccess;
+#elif defined(CONVERT_TO_WORDS)
+    /* Convert the byte-stream to a word-stream */
+    return rc4_wordconv(cx, output, outputLen, maxOutputLen, input, inputLen);
 #else
-	/* Operate on bytes, but unroll the main loop */
-	return rc4_unrolled(cx, output, outputLen, maxOutputLen, input, inputLen);
+    /* Operate on bytes, but unroll the main loop */
+    return rc4_unrolled(cx, output, outputLen, maxOutputLen, input, inputLen);
 #endif
 }
 
-SECStatus RC4_Decrypt(RC4Context *cx, unsigned char *output,
-                      unsigned int *outputLen, unsigned int maxOutputLen,
-                      const unsigned char *input, unsigned int inputLen)
+SECStatus
+RC4_Decrypt(RC4Context *cx, unsigned char *output,
+            unsigned int *outputLen, unsigned int maxOutputLen,
+            const unsigned char *input, unsigned int inputLen)
 {
-	PORT_Assert(maxOutputLen >= inputLen);
-	if (maxOutputLen < inputLen) {
-		PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-		return SECFailure;
-	}
-	/* decrypt and encrypt are same operation. */
+    PORT_Assert(maxOutputLen >= inputLen);
+    if (maxOutputLen < inputLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
+/* decrypt and encrypt are same operation. */
 #if defined(NSS_BEVAND_ARCFOUR)
-	ARCFOUR(cx, inputLen, input, output);
-        *outputLen = inputLen;
-	return SECSuccess;
-#elif defined( CONVERT_TO_WORDS )
-	/* Convert the byte-stream to a word-stream */
-	return rc4_wordconv(cx, output, outputLen, maxOutputLen, input, inputLen);
+    ARCFOUR(cx, inputLen, input, output);
+    *outputLen = inputLen;
+    return SECSuccess;
+#elif defined(CONVERT_TO_WORDS)
+    /* Convert the byte-stream to a word-stream */
+    return rc4_wordconv(cx, output, outputLen, maxOutputLen, input, inputLen);
 #else
-	/* Operate on bytes, but unroll the main loop */
-	return rc4_unrolled(cx, output, outputLen, maxOutputLen, input, inputLen);
+    /* Operate on bytes, but unroll the main loop */
+    return rc4_unrolled(cx, output, outputLen, maxOutputLen, input, inputLen);
 #endif
 }
 
 #undef CONVERT_TO_WORDS
 #undef USE_WORD
--- a/security/nss/lib/freebl/blapi.h
+++ b/security/nss/lib/freebl/blapi.h
@@ -18,63 +18,63 @@ SEC_BEGIN_PROTOS
 ** RSA encryption/decryption. When encrypting/decrypting the output
 ** buffer must be at least the size of the public key modulus.
 */
 
 extern SECStatus BL_Init(void);
 
 /*
 ** Generate and return a new RSA public and private key.
-**	Both keys are encoded in a single RSAPrivateKey structure.
-**	"cx" is the random number generator context
-**	"keySizeInBits" is the size of the key to be generated, in bits.
-**	   512, 1024, etc.
-**	"publicExponent" when not NULL is a pointer to some data that
-**	   represents the public exponent to use. The data is a byte
-**	   encoded integer, in "big endian" order.
+**  Both keys are encoded in a single RSAPrivateKey structure.
+**  "cx" is the random number generator context
+**  "keySizeInBits" is the size of the key to be generated, in bits.
+**     512, 1024, etc.
+**  "publicExponent" when not NULL is a pointer to some data that
+**     represents the public exponent to use. The data is a byte
+**     encoded integer, in "big endian" order.
 */
-extern RSAPrivateKey *RSA_NewKey(int         keySizeInBits,
-				 SECItem *   publicExponent);
+extern RSAPrivateKey *RSA_NewKey(int keySizeInBits,
+                                 SECItem *publicExponent);
 
 /*
-** Perform a raw public-key operation 
-**	Length of input and output buffers are equal to key's modulus len.
+** Perform a raw public-key operation
+**  Length of input and output buffers are equal to key's modulus len.
 */
-extern SECStatus RSA_PublicKeyOp(RSAPublicKey *   key,
-				 unsigned char *  output,
-				 const unsigned char *  input);
+extern SECStatus RSA_PublicKeyOp(RSAPublicKey *key,
+                                 unsigned char *output,
+                                 const unsigned char *input);
 
 /*
-** Perform a raw private-key operation 
-**	Length of input and output buffers are equal to key's modulus len.
+** Perform a raw private-key operation
+**  Length of input and output buffers are equal to key's modulus len.
 */
-extern SECStatus RSA_PrivateKeyOp(RSAPrivateKey *  key,
-				  unsigned char *  output,
-				  const unsigned char *  input);
+extern SECStatus RSA_PrivateKeyOp(RSAPrivateKey *key,
+                                  unsigned char *output,
+                                  const unsigned char *input);
 
 /*
 ** Perform a raw private-key operation, and check the parameters used in
 ** the operation for validity by performing a test operation first.
-**	Length of input and output buffers are equal to key's modulus len.
+**  Length of input and output buffers are equal to key's modulus len.
 */
-extern SECStatus RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *  key,
-				               unsigned char *  output,
-				               const unsigned char *  input);
+extern SECStatus RSA_PrivateKeyOpDoubleChecked(RSAPrivateKey *key,
+                                               unsigned char *output,
+                                               const unsigned char *input);
 
 /*
 ** Perform a check of private key parameters for consistency.
 */
 extern SECStatus RSA_PrivateKeyCheck(const RSAPrivateKey *key);
 
 /*
 ** Given only minimal private key parameters, fill in the rest of the
 ** parameters.
 **
 **
-** All the entries, including those supplied by the caller, will be 
+** All the entries, including those supplied by the caller, will be
 ** overwritten with data alocated out of the arena.
 **
 ** If no arena is supplied, one will be created.
 **
 ** The following fields must be supplied in order for this function
 ** to succeed:
 **   one of either publicExponent or privateExponent
 **   two more of the following 5 parameters (not counting the above).
@@ -113,270 +113,270 @@ extern SECStatus RSA_PopulatePrivateKey(
 
 /********************************************************************
 ** Raw signing/encryption/decryption operations.
 **
 ** No padding or formatting will be applied.
 ** inputLen MUST be equivalent to the modulus size (in bytes).
 */
 extern SECStatus
-RSA_SignRaw(RSAPrivateKey       * key,
-            unsigned char       * output,
-            unsigned int        * outputLen,
-            unsigned int          maxOutputLen,
-            const unsigned char * input,
-            unsigned int          inputLen);
+RSA_SignRaw(RSAPrivateKey *key,
+            unsigned char *output,
+            unsigned int *outputLen,
+            unsigned int maxOutputLen,
+            const unsigned char *input,
+            unsigned int inputLen);
 
 extern SECStatus
-RSA_CheckSignRaw(RSAPublicKey        * key,
-                 const unsigned char * sig,
-                 unsigned int          sigLen,
-                 const unsigned char * hash,
-                 unsigned int          hashLen);
+RSA_CheckSignRaw(RSAPublicKey *key,
+                 const unsigned char *sig,
+                 unsigned int sigLen,
+                 const unsigned char *hash,
+                 unsigned int hashLen);
 
 extern SECStatus
-RSA_CheckSignRecoverRaw(RSAPublicKey        * key,
-                        unsigned char       * data,
-                        unsigned int        * dataLen,
-                        unsigned int          maxDataLen,
-                        const unsigned char * sig,
-                        unsigned int          sigLen);
+RSA_CheckSignRecoverRaw(RSAPublicKey *key,
+                        unsigned char *data,
+                        unsigned int *dataLen,
+                        unsigned int maxDataLen,
+                        const unsigned char *sig,
+                        unsigned int sigLen);
 
 extern SECStatus
-RSA_EncryptRaw(RSAPublicKey        * key,
-               unsigned char       * output,
-               unsigned int        * outputLen,
-               unsigned int          maxOutputLen,
-               const unsigned char * input,
-               unsigned int          inputLen);
+RSA_EncryptRaw(RSAPublicKey *key,
+               unsigned char *output,
+               unsigned int *outputLen,
+               unsigned int maxOutputLen,
+               const unsigned char *input,
+               unsigned int inputLen);
 
 extern SECStatus
-RSA_DecryptRaw(RSAPrivateKey       * key,
-               unsigned char       * output,
-               unsigned int        * outputLen,
-               unsigned int          maxOutputLen,
-               const unsigned char * input,
-               unsigned int          inputLen);
+RSA_DecryptRaw(RSAPrivateKey *key,
+               unsigned char *output,
+               unsigned int *outputLen,
+               unsigned int maxOutputLen,
+               const unsigned char *input,
+               unsigned int inputLen);
 
 /********************************************************************
 ** RSAES-OAEP encryption/decryption, as defined in RFC 3447, Section 7.1.
 **
 ** Note: Only MGF1 is supported as the mask generation function. It will be
 ** used with maskHashAlg as the inner hash function.
 **
 ** Unless performing Known Answer Tests, "seed" should be NULL, indicating that
 ** freebl should generate a random value. Otherwise, it should be an octet
 ** string of seedLen bytes, which should be the same size as the output of
 ** hashAlg.
 */
 extern SECStatus
-RSA_EncryptOAEP(RSAPublicKey        * key,
-                HASH_HashType         hashAlg,
-                HASH_HashType         maskHashAlg,
-                const unsigned char * label,
-                unsigned int          labelLen,
-                const unsigned char * seed,
-                unsigned int          seedLen,
-                unsigned char       * output,
-                unsigned int        * outputLen,
-                unsigned int          maxOutputLen,
-                const unsigned char * input,
-                unsigned int          inputLen);
+RSA_EncryptOAEP(RSAPublicKey *key,
+                HASH_HashType hashAlg,
+                HASH_HashType maskHashAlg,
+                const unsigned char *label,
+                unsigned int labelLen,
+                const unsigned char *seed,
+                unsigned int seedLen,
+                unsigned char *output,
+                unsigned int *outputLen,
+                unsigned int maxOutputLen,
+                const unsigned char *input,
+                unsigned int inputLen);
 
 extern SECStatus
-RSA_DecryptOAEP(RSAPrivateKey       * key,
-                HASH_HashType         hashAlg,
-                HASH_HashType         maskHashAlg,
-                const unsigned char * label,
-                unsigned int          labelLen,
-                unsigned char       * output,
-                unsigned int        * outputLen,
-                unsigned int          maxOutputLen,
-                const unsigned char * input,
-                unsigned int          inputLen);
+RSA_DecryptOAEP(RSAPrivateKey *key,
+                HASH_HashType hashAlg,
+                HASH_HashType maskHashAlg,
+                const unsigned char *label,
+                unsigned int labelLen,
+                unsigned char *output,
+                unsigned int *outputLen,
+                unsigned int maxOutputLen,
+                const unsigned char *input,
+                unsigned int inputLen);
 
 /********************************************************************
 ** RSAES-PKCS1-v1_5 encryption/decryption, as defined in RFC 3447, Section 7.2.
 */
 extern SECStatus
-RSA_EncryptBlock(RSAPublicKey        * key,
-                 unsigned char       * output,
-                 unsigned int        * outputLen,
-                 unsigned int          maxOutputLen,
-                 const unsigned char * input,
-                 unsigned int          inputLen);
+RSA_EncryptBlock(RSAPublicKey *key,
+                 unsigned char *output,
+                 unsigned int *outputLen,
+                 unsigned int maxOutputLen,
+                 const unsigned char *input,
+                 unsigned int inputLen);
 
 extern SECStatus
-RSA_DecryptBlock(RSAPrivateKey       * key,
-                 unsigned char       * output,
-                 unsigned int        * outputLen,
-                 unsigned int          maxOutputLen,
-                 const unsigned char * input,
-                 unsigned int          inputLen);
+RSA_DecryptBlock(RSAPrivateKey *key,
+                 unsigned char *output,
+                 unsigned int *outputLen,
+                 unsigned int maxOutputLen,
+                 const unsigned char *input,
+                 unsigned int inputLen);
 
 /********************************************************************
 ** RSASSA-PSS signing/verifying, as defined in RFC 3447, Section 8.1.
 **
 ** Note: Only MGF1 is supported as the mask generation function. It will be
 ** used with maskHashAlg as the inner hash function.
 **
 ** Unless performing Known Answer Tests, "salt" should be NULL, indicating that
 ** freebl should generate a random value.
 */
 extern SECStatus
-RSA_SignPSS(RSAPrivateKey       * key,
-            HASH_HashType         hashAlg,
-            HASH_HashType         maskHashAlg,
-            const unsigned char * salt,
-            unsigned int          saltLen,
-            unsigned char       * output,
-            unsigned int        * outputLen,
-            unsigned int          maxOutputLen,
-            const unsigned char * input,
-            unsigned int          inputLen);
+RSA_SignPSS(RSAPrivateKey *key,
+            HASH_HashType hashAlg,
+            HASH_HashType maskHashAlg,
+            const unsigned char *salt,
+            unsigned int saltLen,
+            unsigned char *output,
+            unsigned int *outputLen,
+            unsigned int maxOutputLen,
+            const unsigned char *input,
+            unsigned int inputLen);
 
 extern SECStatus
-RSA_CheckSignPSS(RSAPublicKey        * key,
-                 HASH_HashType         hashAlg,
-                 HASH_HashType         maskHashAlg,
-                 unsigned int          saltLen,
-                 const unsigned char * sig,
-                 unsigned int          sigLen,
-                 const unsigned char * hash,
-                 unsigned int          hashLen);
+RSA_CheckSignPSS(RSAPublicKey *key,
+                 HASH_HashType hashAlg,
+                 HASH_HashType maskHashAlg,
+                 unsigned int saltLen,
+                 const unsigned char *sig,
+                 unsigned int sigLen,
+                 const unsigned char *hash,
+                 unsigned int hashLen);
 
 /********************************************************************
 ** RSASSA-PKCS1-v1_5 signing/verifying, as defined in RFC 3447, Section 8.2.
 **
 ** These functions expect as input to be the raw value to be signed. For most
 ** cases using PKCS1-v1_5, this should be the value of T, the DER-encoded
 ** DigestInfo structure defined in Section 9.2, Step 2.
 ** Note: This can also be used for signatures that use PKCS1-v1_5 padding, such
 ** as the signatures used in SSL/TLS, which sign a raw hash.
 */
 extern SECStatus
-RSA_Sign(RSAPrivateKey       * key,
-         unsigned char       * output,
-         unsigned int        * outputLen,
-         unsigned int          maxOutputLen,
-         const unsigned char * data,
-         unsigned int          dataLen);
+RSA_Sign(RSAPrivateKey *key,
+         unsigned char *output,
+         unsigned int *outputLen,
+         unsigned int maxOutputLen,
+         const unsigned char *data,
+         unsigned int dataLen);
 
 extern SECStatus
-RSA_CheckSign(RSAPublicKey        * key,
-              const unsigned char * sig,
-              unsigned int          sigLen,
-              const unsigned char * data,
-              unsigned int          dataLen);
+RSA_CheckSign(RSAPublicKey *key,
+              const unsigned char *sig,
+              unsigned int sigLen,
+              const unsigned char *data,
+              unsigned int dataLen);
 
 extern SECStatus
-RSA_CheckSignRecover(RSAPublicKey        * key,
-                     unsigned char       * output,
-                     unsigned int        * outputLen,
-                     unsigned int          maxOutputLen,
-                     const unsigned char * sig,
-                     unsigned int          sigLen);
+RSA_CheckSignRecover(RSAPublicKey *key,
+                     unsigned char *output,
+                     unsigned int *outputLen,
+                     unsigned int maxOutputLen,
+                     const unsigned char *sig,
+                     unsigned int sigLen);
 
 /********************************************************************
 ** DSA signing algorithm
 */
 
 /* Generate a new random value within the interval [2, q-1].
 */
-extern SECStatus DSA_NewRandom(PLArenaPool * arena, const SECItem * q,
-                               SECItem * random);
+extern SECStatus DSA_NewRandom(PLArenaPool *arena, const SECItem *q,
+                               SECItem *random);
 
 /*
 ** Generate and return a new DSA public and private key pair,
-**	both of which are encoded into a single DSAPrivateKey struct.
-**	"params" is a pointer to the PQG parameters for the domain
-**	Uses a random seed.
+**  both of which are encoded into a single DSAPrivateKey struct.
+**  "params" is a pointer to the PQG parameters for the domain
+**  Uses a random seed.
 */
-extern SECStatus DSA_NewKey(const PQGParams *     params, 
-		            DSAPrivateKey **      privKey);
+extern SECStatus DSA_NewKey(const PQGParams *params,
+                            DSAPrivateKey **privKey);
 
 /* signature is caller-supplied buffer of at least 20 bytes.
 ** On input,  signature->len == size of buffer to hold signature.
 **            digest->len    == size of digest.
 ** On output, signature->len == size of signature in buffer.
 ** Uses a random seed.
 */
-extern SECStatus DSA_SignDigest(DSAPrivateKey *   key,
-				SECItem *         signature,
-				const SECItem *   digest);
+extern SECStatus DSA_SignDigest(DSAPrivateKey *key,
+                                SECItem *signature,
+                                const SECItem *digest);
 
 /* signature is caller-supplied buffer of at least 20 bytes.
 ** On input,  signature->len == size of buffer to hold signature.
 **            digest->len    == size of digest.
 */
-extern SECStatus DSA_VerifyDigest(DSAPublicKey *  key,
-				  const SECItem * signature,
-				  const SECItem * digest);
+extern SECStatus DSA_VerifyDigest(DSAPublicKey *key,
+                                  const SECItem *signature,
+                                  const SECItem *digest);
 
 /* For FIPS compliance testing. Seed must be exactly 20 bytes long */
-extern SECStatus DSA_NewKeyFromSeed(const PQGParams *params, 
-                                    const unsigned char * seed,
+extern SECStatus DSA_NewKeyFromSeed(const PQGParams *params,
+                                    const unsigned char *seed,
                                     DSAPrivateKey **privKey);
 
 /* For FIPS compliance testing. Seed must be exactly 20 bytes. */
-extern SECStatus DSA_SignDigestWithSeed(DSAPrivateKey * key,
-                                        SECItem *       signature,
-                                        const SECItem * digest,
-                                        const unsigned char * seed);
+extern SECStatus DSA_SignDigestWithSeed(DSAPrivateKey *key,
+                                        SECItem *signature,
+                                        const SECItem *digest,
+                                        const unsigned char *seed);
 
 /******************************************************
-** Diffie Helman key exchange algorithm 
+** Diffie Helman key exchange algorithm
 */
 
 /* Generates parameters for Diffie-Helman key generation.
-**	primeLen is the length in bytes of prime P to be generated.
+**  primeLen is the length in bytes of prime P to be generated.
 */
-extern SECStatus DH_GenParam(int primeLen, DHParams ** params);
+extern SECStatus DH_GenParam(int primeLen, DHParams **params);
 
 /* Generates a public and private key, both of which are encoded in a single
-**	DHPrivateKey struct. Params is input, privKey are output.  
-**	This is Phase 1 of Diffie Hellman.
+**  DHPrivateKey struct. Params is input, privKey are output.
+**  This is Phase 1 of Diffie Hellman.
 */
-extern SECStatus DH_NewKey(DHParams *           params, 
-                           DHPrivateKey **	privKey);
+extern SECStatus DH_NewKey(DHParams *params,
+                           DHPrivateKey **privKey);
 
-/* 
-** DH_Derive does the Diffie-Hellman phase 2 calculation, using the 
+/*
+** DH_Derive does the Diffie-Hellman phase 2 calculation, using the
 ** other party's publicValue, and the prime and our privateValue.
-** maxOutBytes is the requested length of the generated secret in bytes.  
-** A zero value means produce a value of any length up to the size of 
-** the prime.   If successful, derivedSecret->data is set 
-** to the address of the newly allocated buffer containing the derived 
+** maxOutBytes is the requested length of the generated secret in bytes.
+** A zero value means produce a value of any length up to the size of
+** the prime.   If successful, derivedSecret->data is set
+** to the address of the newly allocated buffer containing the derived
 ** secret, and derivedSecret->len is the size of the secret produced.
 ** The size of the secret produced will depend on the value of outBytes.
 ** If outBytes is 0, the key length will be all the significant bytes of
 ** the derived secret (leading zeros are dropped). This length could be less
 ** than the length of the prime. If outBytes is nonzero, the length of the
 ** produced key will be outBytes long. If the key is truncated, the most
 ** significant bytes are truncated. If it is expanded, zero bytes are added
 ** at the beginning.
-** It is the caller's responsibility to free the allocated buffer 
+** It is the caller's responsibility to free the allocated buffer
 ** containing the derived secret.
 */
-extern SECStatus DH_Derive(SECItem *    publicValue, 
-		           SECItem *    prime, 
-			   SECItem *    privateValue, 
-			   SECItem *    derivedSecret,
-			   unsigned int outBytes);
+extern SECStatus DH_Derive(SECItem *publicValue,
+                           SECItem *prime,
+                           SECItem *privateValue,
+                           SECItem *derivedSecret,
+                           unsigned int outBytes);
 
-/* 
+/*
 ** KEA_CalcKey returns octet string with the private key for a dual
 ** Diffie-Helman  key generation as specified for government key exchange.
 */
-extern SECStatus KEA_Derive(SECItem *prime, 
-                            SECItem *public1, 
-                            SECItem *public2, 
-			    SECItem *private1, 
-			    SECItem *private2,
-			    SECItem *derivedSecret);
+extern SECStatus KEA_Derive(SECItem *prime,
+                            SECItem *public1,
+                            SECItem *public2,
+                            SECItem *private1,
+                            SECItem *private2,
+                            SECItem *derivedSecret);
 
 /*
  * verify that a KEA or DSA public key is a valid key for this prime and
  * subprime domain.
  */
 extern PRBool KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime);
 
 /****************************************
@@ -396,248 +396,248 @@ extern PRBool KEA_Verify(SECItem *Y, SEC
  * If the gxIn parameter is NULL then gxOut must be non-NULL; in this case
  * gxOut will contain the value g^x on output.
  *
  * gx (if not supplied by the caller), gv, and r will be allocated in the arena.
  * The arena is *not* optional so do not pass NULL for the arena parameter.
  * The arena should be zeroed when it is freed.
  */
 SECStatus
-JPAKE_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
-           const SECItem * signerID, const SECItem * x,
-           const SECItem * testRandom, const SECItem * gxIn, SECItem * gxOut,
-           SECItem * gv, SECItem * r);
+JPAKE_Sign(PLArenaPool *arena, const PQGParams *pqg, HASH_HashType hashType,
+           const SECItem *signerID, const SECItem *x,
+           const SECItem *testRandom, const SECItem *gxIn, SECItem *gxOut,
+           SECItem *gv, SECItem *r);
 
 /* Given gx == g^x, verify the Schnorr zero-knowledge proof (gv, r) for the
  * value x using the specified hash algorithm and signer ID.
  *
- * The arena is *not* optional so do not pass NULL for the arena parameter. 
+ * The arena is *not* optional so do not pass NULL for the arena parameter.
  */
 SECStatus
-JPAKE_Verify(PLArenaPool * arena, const PQGParams * pqg,
-             HASH_HashType hashType, const SECItem * signerID,
-             const SECItem * peerID, const SECItem * gx,
-             const SECItem * gv, const SECItem * r);
+JPAKE_Verify(PLArenaPool *arena, const PQGParams *pqg,
+             HASH_HashType hashType, const SECItem *signerID,
+             const SECItem *peerID, const SECItem *gx,
+             const SECItem *gv, const SECItem *r);
 
 /* Call before round 2 with x2, s, and x2s all non-NULL. This will calculate
- * base = g^(x1+x3+x4) (mod p) and x2s = x2*s (mod q). The values to send in 
+ * base = g^(x1+x3+x4) (mod p) and x2s = x2*s (mod q). The values to send in
  * round 2 (A and the proof of knowledge of x2s) can then be calculated with
  * JPAKE_Sign using pqg->base = base and x = x2s.
  *
  * Call after round 2 with x2, s, and x2s all NULL, and passing (gx1, gx2, gx3)
  * instead of (gx1, gx3, gx4). This will calculate base = g^(x1+x2+x3). Then call
  * JPAKE_Verify with pqg->base = base and then JPAKE_Final.
  *
  * base and x2s will be allocated in the arena. The arena is *not* optional so
  * do not pass NULL for the arena parameter. The arena should be zeroed when it
  * is freed.
 */
 SECStatus
-JPAKE_Round2(PLArenaPool * arena, const SECItem * p, const SECItem  *q,
-             const SECItem * gx1, const SECItem * gx3, const SECItem * gx4,
-             SECItem * base, const SECItem * x2, const SECItem * s, SECItem * x2s);
+JPAKE_Round2(PLArenaPool *arena, const SECItem *p, const SECItem *q,
+             const SECItem *gx1, const SECItem *gx3, const SECItem *gx4,
+             SECItem *base, const SECItem *x2, const SECItem *s, SECItem *x2s);
 
 /* K = (B/g^(x2*x4*s))^x2 (mod p)
  *
  * K will be allocated in the arena. The arena is *not* optional so do not pass
  * NULL for the arena parameter. The arena should be zeroed when it is freed.
  */
 SECStatus
-JPAKE_Final(PLArenaPool * arena, const SECItem * p, const SECItem  *q,
-            const SECItem * x2, const SECItem * gx4, const SECItem * x2s,
-            const SECItem * B, SECItem * K);
+JPAKE_Final(PLArenaPool *arena, const SECItem *p, const SECItem *q,
+            const SECItem *x2, const SECItem *gx4, const SECItem *x2s,
+            const SECItem *B, SECItem *K);
 
 /******************************************************
 ** Elliptic Curve algorithms
 */
 
-/* Generates a public and private key, both of which are encoded 
+/* Generates a public and private key, both of which are encoded
 ** in a single ECPrivateKey struct. Params is input, privKey are
 ** output.
 */
-extern SECStatus EC_NewKey(ECParams *          params, 
-                           ECPrivateKey **     privKey);
+extern SECStatus EC_NewKey(ECParams *params,
+                           ECPrivateKey **privKey);
 
-extern SECStatus EC_NewKeyFromSeed(ECParams *  params, 
-                           ECPrivateKey **     privKey,
-                           const unsigned char* seed,
-                           int                 seedlen);
+extern SECStatus EC_NewKeyFromSeed(ECParams *params,
+                                   ECPrivateKey **privKey,
+                                   const unsigned char *seed,
+                                   int seedlen);
 
 /* Validates an EC public key as described in Section 5.2.2 of
  * X9.62. Such validation prevents against small subgroup attacks
  * when the ECDH primitive is used with the cofactor.
  */
-extern SECStatus EC_ValidatePublicKey(ECParams * params, 
-                           SECItem *           publicValue);
+extern SECStatus EC_ValidatePublicKey(ECParams *params,
+                                      SECItem *publicValue);
 
-/* 
+/*
 ** ECDH_Derive performs a scalar point multiplication of a point
 ** representing a (peer's) public key and a large integer representing
 ** a private key (its own). Both keys must use the same elliptic curve
 ** parameters. If the withCofactor parameter is true, the
 ** multiplication also uses the cofactor associated with the curve
 ** parameters.  The output of this scheme is the x-coordinate of the
 ** resulting point. If successful, derivedSecret->data is set to the
 ** address of the newly allocated buffer containing the derived
 ** secret, and derivedSecret->len is the size of the secret
 ** produced. It is the caller's responsibility to free the allocated
 ** buffer containing the derived secret.
 */
-extern SECStatus ECDH_Derive(SECItem *       publicValue,
-                             ECParams *      params,
-                             SECItem *       privateValue,
-                             PRBool          withCofactor,
-                             SECItem *       derivedSecret);
+extern SECStatus ECDH_Derive(SECItem *publicValue,
+                             ECParams *params,
+                             SECItem *privateValue,
+                             PRBool withCofactor,
+                             SECItem *derivedSecret);
 
 /* On input,  signature->len == size of buffer to hold signature.
 **            digest->len    == size of digest.
 ** On output, signature->len == size of signature in buffer.
 ** Uses a random seed.
 */
-extern SECStatus ECDSA_SignDigest(ECPrivateKey  *key, 
-                                  SECItem       *signature, 
+extern SECStatus ECDSA_SignDigest(ECPrivateKey *key,
+                                  SECItem *signature,
                                   const SECItem *digest);
 
 /* On input,  signature->len == size of buffer to hold signature.
 **            digest->len    == size of digest.
 */
-extern SECStatus ECDSA_VerifyDigest(ECPublicKey   *key, 
-                                    const SECItem *signature, 
+extern SECStatus ECDSA_VerifyDigest(ECPublicKey *key,
+                                    const SECItem *signature,
                                     const SECItem *digest);
 
 /* Uses the provided seed. */
-extern SECStatus ECDSA_SignDigestWithSeed(ECPrivateKey        *key,
-                                          SECItem             *signature,
-                                          const SECItem       *digest,
-                                          const unsigned char *seed, 
-                                          const int           seedlen);
+extern SECStatus ECDSA_SignDigestWithSeed(ECPrivateKey *key,
+                                          SECItem *signature,
+                                          const SECItem *digest,
+                                          const unsigned char *seed,
+                                          const int seedlen);
 
 /******************************************/
 /*
 ** RC4 symmetric stream cypher
 */
 
 /*
 ** Create a new RC4 context suitable for RC4 encryption/decryption.
-**	"key" raw key data
-**	"len" the number of bytes of key data
+**  "key" raw key data
+**  "len" the number of bytes of key data
 */
 extern RC4Context *RC4_CreateContext(const unsigned char *key, int len);
 
 extern RC4Context *RC4_AllocateContext(void);
-extern SECStatus   RC4_InitContext(RC4Context *cx, 
-				   const unsigned char *key, 
-				   unsigned int keylen,
-				   const unsigned char *, 
-				   int, 
-				   unsigned int ,
-				   unsigned int );
+extern SECStatus RC4_InitContext(RC4Context *cx,
+                                 const unsigned char *key,
+                                 unsigned int keylen,
+                                 const unsigned char *,
+                                 int,
+                                 unsigned int,
+                                 unsigned int);
 
 /*
 ** Destroy an RC4 encryption/decryption context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+**  "cx" the context
+**  "freeit" if PR_TRUE then free the object as well as its sub-objects
 */
 extern void RC4_DestroyContext(RC4Context *cx, PRBool freeit);
 
 /*
 ** Perform RC4 encryption.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the encrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 */
 extern SECStatus RC4_Encrypt(RC4Context *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
+                             unsigned int *outputLen, unsigned int maxOutputLen,
+                             const unsigned char *input, unsigned int inputLen);
 
 /*
 ** Perform RC4 decryption.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the decrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 */
 extern SECStatus RC4_Decrypt(RC4Context *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
+                             unsigned int *outputLen, unsigned int maxOutputLen,
+                             const unsigned char *input, unsigned int inputLen);
 
 /******************************************/
 /*
 ** RC2 symmetric block cypher
 */
 
 /*
 ** Create a new RC2 context suitable for RC2 encryption/decryption.
-** 	"key" raw key data
-** 	"len" the number of bytes of key data
-** 	"iv" is the CBC initialization vector (if mode is NSS_RC2_CBC)
-** 	"mode" one of NSS_RC2 or NSS_RC2_CBC
-**	"effectiveKeyLen" is the effective key length (as specified in 
-**	    RFC 2268) in bytes (not bits).
+**  "key" raw key data
+**  "len" the number of bytes of key data
+**  "iv" is the CBC initialization vector (if mode is NSS_RC2_CBC)
+**  "mode" one of NSS_RC2 or NSS_RC2_CBC
+**  "effectiveKeyLen" is the effective key length (as specified in
+**      RFC 2268) in bytes (not bits).
 **
 ** When mode is set to NSS_RC2_CBC the RC2 cipher is run in "cipher block
 ** chaining" mode.
 */
 extern RC2Context *RC2_CreateContext(const unsigned char *key, unsigned int len,
-				     const unsigned char *iv, int mode, 
-				     unsigned effectiveKeyLen);
+                                     const unsigned char *iv, int mode,
+                                     unsigned effectiveKeyLen);
 extern RC2Context *RC2_AllocateContext(void);
-extern SECStatus   RC2_InitContext(RC2Context *cx,
-				   const unsigned char *key, 
-				   unsigned int keylen,
-				   const unsigned char *iv, 
-				   int mode, 
-				   unsigned int effectiveKeyLen,
-				   unsigned int );
+extern SECStatus RC2_InitContext(RC2Context *cx,
+                                 const unsigned char *key,
+                                 unsigned int keylen,
+                                 const unsigned char *iv,
+                                 int mode,
+                                 unsigned int effectiveKeyLen,
+                                 unsigned int);
 
 /*
 ** Destroy an RC2 encryption/decryption context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+**  "cx" the context
+**  "freeit" if PR_TRUE then free the object as well as its sub-objects
 */
 extern void RC2_DestroyContext(RC2Context *cx, PRBool freeit);
 
 /*
 ** Perform RC2 encryption.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the encrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 */
 extern SECStatus RC2_Encrypt(RC2Context *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
+                             unsigned int *outputLen, unsigned int maxOutputLen,
+                             const unsigned char *input, unsigned int inputLen);
 
 /*
 ** Perform RC2 decryption.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the decrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 */
 extern SECStatus RC2_Decrypt(RC2Context *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
+                             unsigned int *outputLen, unsigned int maxOutputLen,
+                             const unsigned char *input, unsigned int inputLen);
 
 /******************************************/
 /*
 ** RC5 symmetric block cypher -- 64-bit block size
 */
 
 /*
 ** Create a new RC5 context suitable for RC5 encryption/decryption.
@@ -645,25 +645,25 @@ extern SECStatus RC2_Decrypt(RC2Context 
 **      "len" the number of bytes of key data
 **      "iv" is the CBC initialization vector (if mode is NSS_RC5_CBC)
 **      "mode" one of NSS_RC5 or NSS_RC5_CBC
 **
 ** When mode is set to NSS_RC5_CBC the RC5 cipher is run in "cipher block
 ** chaining" mode.
 */
 extern RC5Context *RC5_CreateContext(const SECItem *key, unsigned int rounds,
-                     unsigned int wordSize, const unsigned char *iv, int mode);
+                                     unsigned int wordSize, const unsigned char *iv, int mode);
 extern RC5Context *RC5_AllocateContext(void);
-extern SECStatus   RC5_InitContext(RC5Context *cx, 
-				   const unsigned char *key, 
-				   unsigned int keylen,
-				   const unsigned char *iv, 
-				   int mode,
-				   unsigned int rounds, 
-				   unsigned int wordSize);
+extern SECStatus RC5_InitContext(RC5Context *cx,
+                                 const unsigned char *key,
+                                 unsigned int keylen,
+                                 const unsigned char *iv,
+                                 int mode,
+                                 unsigned int rounds,
+                                 unsigned int wordSize);
 
 /*
 ** Destroy an RC5 encryption/decryption context.
 **      "cx" the context
 **      "freeit" if PR_TRUE then free the object as well as its sub-objects
 */
 extern void RC5_DestroyContext(RC5Context *cx, PRBool freeit);
 
@@ -674,322 +674,320 @@ extern void RC5_DestroyContext(RC5Contex
 **      "outputLen" how much data is stored in "output". Set by the routine
 **         after some data is stored in output.
 **      "maxOutputLen" the maximum amount of data that can ever be
 **         stored in "output"
 **      "input" the input data
 **      "inputLen" the amount of input data
 */
 extern SECStatus RC5_Encrypt(RC5Context *cx, unsigned char *output,
-                            unsigned int *outputLen, unsigned int maxOutputLen,
-                            const unsigned char *input, unsigned int inputLen);
+                             unsigned int *outputLen, unsigned int maxOutputLen,
+                             const unsigned char *input, unsigned int inputLen);
 
 /*
 ** Perform RC5 decryption.
 **      "cx" the context
 **      "output" the output buffer to store the decrypted data.
 **      "outputLen" how much data is stored in "output". Set by the routine
 **         after some data is stored in output.
 **      "maxOutputLen" the maximum amount of data that can ever be
 **         stored in "output"
 **      "input" the input data
 **      "inputLen" the amount of input data
 */
 
 extern SECStatus RC5_Decrypt(RC5Context *cx, unsigned char *output,
-                            unsigned int *outputLen, unsigned int maxOutputLen,
-                            const unsigned char *input, unsigned int inputLen);
-
-
+                             unsigned int *outputLen, unsigned int maxOutputLen,
+                             const unsigned char *input, unsigned int inputLen);
 
 /******************************************/
 /*
 ** DES symmetric block cypher
 */
 
 /*
 ** Create a new DES context suitable for DES encryption/decryption.
-** 	"key" raw key data
-** 	"len" the number of bytes of key data
-** 	"iv" is the CBC initialization vector (if mode is NSS_DES_CBC or
-** 	   mode is DES_EDE3_CBC)
-** 	"mode" one of NSS_DES, NSS_DES_CBC, NSS_DES_EDE3 or NSS_DES_EDE3_CBC
-**	"encrypt" is PR_TRUE if the context will be used for encryption
+**  "key" raw key data
+**  "len" the number of bytes of key data
+**  "iv" is the CBC initialization vector (if mode is NSS_DES_CBC or
+**     mode is DES_EDE3_CBC)
+**  "mode" one of NSS_DES, NSS_DES_CBC, NSS_DES_EDE3 or NSS_DES_EDE3_CBC
+**  "encrypt" is PR_TRUE if the context will be used for encryption
 **
 ** When mode is set to NSS_DES_CBC or NSS_DES_EDE3_CBC then the DES
 ** cipher is run in "cipher block chaining" mode.
 */
-extern DESContext *DES_CreateContext(const unsigned char *key, 
+extern DESContext *DES_CreateContext(const unsigned char *key,
                                      const unsigned char *iv,
-				     int mode, PRBool encrypt);
+                                     int mode, PRBool encrypt);
 extern DESContext *DES_AllocateContext(void);
-extern SECStatus   DES_InitContext(DESContext *cx,
-				   const unsigned char *key, 
-				   unsigned int keylen,
-				   const unsigned char *iv, 
-				   int mode,
-				   unsigned int encrypt,
-				   unsigned int );
+extern SECStatus DES_InitContext(DESContext *cx,
+                                 const unsigned char *key,
+                                 unsigned int keylen,
+                                 const unsigned char *iv,
+                                 int mode,
+                                 unsigned int encrypt,
+                                 unsigned int);
 
 /*
 ** Destroy an DES encryption/decryption context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+**  "cx" the context
+**  "freeit" if PR_TRUE then free the object as well as its sub-objects
 */
 extern void DES_DestroyContext(DESContext *cx, PRBool freeit);
 
 /*
 ** Perform DES encryption.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the encrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 **
 ** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH
 */
 extern SECStatus DES_Encrypt(DESContext *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
+                             unsigned int *outputLen, unsigned int maxOutputLen,
+                             const unsigned char *input, unsigned int inputLen);
 
 /*
 ** Perform DES decryption.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the decrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 **
 ** NOTE: the inputLen must be a multiple of DES_KEY_LENGTH
 */
 extern SECStatus DES_Decrypt(DESContext *cx, unsigned char *output,
-			    unsigned int *outputLen, unsigned int maxOutputLen,
-			    const unsigned char *input, unsigned int inputLen);
+                             unsigned int *outputLen, unsigned int maxOutputLen,
+                             const unsigned char *input, unsigned int inputLen);
 
 /******************************************/
-/* 
-** SEED symmetric block cypher		  
+/*
+** SEED symmetric block cypher
 */
 extern SEEDContext *
-SEED_CreateContext(const unsigned char *key, const unsigned char *iv, 
-		   int mode, PRBool encrypt);
+SEED_CreateContext(const unsigned char *key, const unsigned char *iv,
+                   int mode, PRBool encrypt);
 extern SEEDContext *SEED_AllocateContext(void);
-extern SECStatus   SEED_InitContext(SEEDContext *cx, 
-				    const unsigned char *key, 
-				    unsigned int keylen, 
-				    const unsigned char *iv, 
-				    int mode, unsigned int encrypt, 
-				    unsigned int );
+extern SECStatus SEED_InitContext(SEEDContext *cx,
+                                  const unsigned char *key,
+                                  unsigned int keylen,
+                                  const unsigned char *iv,
+                                  int mode, unsigned int encrypt,
+                                  unsigned int);
 extern void SEED_DestroyContext(SEEDContext *cx, PRBool freeit);
-extern SECStatus 
-SEED_Encrypt(SEEDContext *cx, unsigned char *output, 
-	     unsigned int *outputLen, unsigned int maxOutputLen, 
-	     const unsigned char *input, unsigned int inputLen);
-extern SECStatus 
-SEED_Decrypt(SEEDContext *cx, unsigned char *output, 
-	     unsigned int *outputLen, unsigned int maxOutputLen, 
+extern SECStatus
+SEED_Encrypt(SEEDContext *cx, unsigned char *output,
+             unsigned int *outputLen, unsigned int maxOutputLen,
+             const unsigned char *input, unsigned int inputLen);
+extern SECStatus
+SEED_Decrypt(SEEDContext *cx, unsigned char *output,
+             unsigned int *outputLen, unsigned int maxOutputLen,
              const unsigned char *input, unsigned int inputLen);
 
 /******************************************/
 /*
 ** AES symmetric block cypher (Rijndael)
 */
 
 /*
 ** Create a new AES context suitable for AES encryption/decryption.
-** 	"key" raw key data
-** 	"keylen" the number of bytes of key data (16, 24, or 32)
+**  "key" raw key data
+**  "keylen" the number of bytes of key data (16, 24, or 32)
 **      "blocklen" is the blocksize to use (16, 24, or 32)
 **                        XXX currently only blocksize==16 has been tested!
 */
 extern AESContext *
-AES_CreateContext(const unsigned char *key, const unsigned char *iv, 
+AES_CreateContext(const unsigned char *key, const unsigned char *iv,
                   int mode, int encrypt,
                   unsigned int keylen, unsigned int blocklen);
 extern AESContext *AES_AllocateContext(void);
-extern SECStatus   AES_InitContext(AESContext *cx,
-				   const unsigned char *key, 
-				   unsigned int keylen, 
-				   const unsigned char *iv, 
-				   int mode, 
-				   unsigned int encrypt,
-				   unsigned int blocklen);
+extern SECStatus AES_InitContext(AESContext *cx,
+                                 const unsigned char *key,
+                                 unsigned int keylen,
+                                 const unsigned char *iv,
+                                 int mode,
+                                 unsigned int encrypt,
+                                 unsigned int blocklen);
 
 /*
 ** Destroy a AES encryption/decryption context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+**  "cx" the context
+**  "freeit" if PR_TRUE then free the object as well as its sub-objects
 */
-extern void 
+extern void
 AES_DestroyContext(AESContext *cx, PRBool freeit);
 
 /*
 ** Perform AES encryption.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the encrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 */
-extern SECStatus 
+extern SECStatus
 AES_Encrypt(AESContext *cx, unsigned char *output,
             unsigned int *outputLen, unsigned int maxOutputLen,
             const unsigned char *input, unsigned int inputLen);
 
 /*
 ** Perform AES decryption.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the decrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 */
-extern SECStatus 
+extern SECStatus
 AES_Decrypt(AESContext *cx, unsigned char *output,
             unsigned int *outputLen, unsigned int maxOutputLen,
             const unsigned char *input, unsigned int inputLen);
 
 /******************************************/
 /*
 ** AES key wrap algorithm, RFC 3394
 */
 
 /*
 ** Create a new AES context suitable for AES encryption/decryption.
-** 	"key" raw key data
+**  "key" raw key data
 **      "iv"  The 8 byte "initial value"
 **      "encrypt", a boolean, true for key wrapping, false for unwrapping.
-** 	"keylen" the number of bytes of key data (16, 24, or 32)
+**  "keylen" the number of bytes of key data (16, 24, or 32)
 */
 extern AESKeyWrapContext *
-AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv, 
+AESKeyWrap_CreateContext(const unsigned char *key, const unsigned char *iv,
                          int encrypt, unsigned int keylen);
-extern AESKeyWrapContext * AESKeyWrap_AllocateContext(void);
-extern SECStatus  
-     AESKeyWrap_InitContext(AESKeyWrapContext *cx, 
-				   const unsigned char *key, 
-				   unsigned int keylen,
-				   const unsigned char *iv, 
-				   int ,
-				   unsigned int encrypt,
-				   unsigned int );
+extern AESKeyWrapContext *AESKeyWrap_AllocateContext(void);
+extern SECStatus
+AESKeyWrap_InitContext(AESKeyWrapContext *cx,
+                       const unsigned char *key,
+                       unsigned int keylen,
+                       const unsigned char *iv,
+                       int,
+                       unsigned int encrypt,
+                       unsigned int);
 
 /*
 ** Destroy a AES KeyWrap context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+**  "cx" the context
+**  "freeit" if PR_TRUE then free the object as well as its sub-objects
 */
-extern void 
+extern void
 AESKeyWrap_DestroyContext(AESKeyWrapContext *cx, PRBool freeit);
 
 /*
 ** Perform AES key wrap.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the encrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 */
-extern SECStatus 
+extern SECStatus
 AESKeyWrap_Encrypt(AESKeyWrapContext *cx, unsigned char *output,
-            unsigned int *outputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen);
+                   unsigned int *outputLen, unsigned int maxOutputLen,
+                   const unsigned char *input, unsigned int inputLen);
 
 /*
 ** Perform AES key unwrap.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the decrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 */
-extern SECStatus 
+extern SECStatus
 AESKeyWrap_Decrypt(AESKeyWrapContext *cx, unsigned char *output,
-            unsigned int *outputLen, unsigned int maxOutputLen,
-            const unsigned char *input, unsigned int inputLen);
+                   unsigned int *outputLen, unsigned int maxOutputLen,
+                   const unsigned char *input, unsigned int inputLen);
 
- /******************************************/
+/******************************************/
 /*
 ** Camellia symmetric block cypher
 */
 
 /*
 ** Create a new Camellia context suitable for Camellia encryption/decryption.
-** 	"key" raw key data
-** 	"keylen" the number of bytes of key data (16, 24, or 32)
+**  "key" raw key data
+**  "keylen" the number of bytes of key data (16, 24, or 32)
 */
 extern CamelliaContext *
-Camellia_CreateContext(const unsigned char *key, const unsigned char *iv, 
-		       int mode, int encrypt, unsigned int keylen);
+Camellia_CreateContext(const unsigned char *key, const unsigned char *iv,
+                       int mode, int encrypt, unsigned int keylen);
 
 extern CamelliaContext *Camellia_AllocateContext(void);
-extern SECStatus   Camellia_InitContext(CamelliaContext *cx,
-					const unsigned char *key, 
-					unsigned int keylen, 
-					const unsigned char *iv, 
-					int mode, 
-					unsigned int encrypt,
-					unsigned int unused);
+extern SECStatus Camellia_InitContext(CamelliaContext *cx,
+                                      const unsigned char *key,
+                                      unsigned int keylen,
+                                      const unsigned char *iv,
+                                      int mode,
+                                      unsigned int encrypt,
+                                      unsigned int unused);
 /*
 ** Destroy a Camellia encryption/decryption context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+**  "cx" the context
+**  "freeit" if PR_TRUE then free the object as well as its sub-objects
 */
-extern void 
+extern void
 Camellia_DestroyContext(CamelliaContext *cx, PRBool freeit);
 
 /*
 ** Perform Camellia encryption.
-**	"cx" the context
-**	"output" the output buffer to store the encrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the encrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 */
-extern SECStatus 
+extern SECStatus
 Camellia_Encrypt(CamelliaContext *cx, unsigned char *output,
-		 unsigned int *outputLen, unsigned int maxOutputLen,
-		 const unsigned char *input, unsigned int inputLen);
+                 unsigned int *outputLen, unsigned int maxOutputLen,
+                 const unsigned char *input, unsigned int inputLen);
 
 /*
 ** Perform Camellia decryption.
-**	"cx" the context
-**	"output" the output buffer to store the decrypted data.
-**	"outputLen" how much data is stored in "output". Set by the routine
-**	   after some data is stored in output.
-**	"maxOutputLen" the maximum amount of data that can ever be
-**	   stored in "output"
-**	"input" the input data
-**	"inputLen" the amount of input data
+**  "cx" the context
+**  "output" the output buffer to store the decrypted data.
+**  "outputLen" how much data is stored in "output". Set by the routine
+**     after some data is stored in output.
+**  "maxOutputLen" the maximum amount of data that can ever be
+**     stored in "output"
+**  "input" the input data
+**  "inputLen" the amount of input data
 */
-extern SECStatus 
+extern SECStatus
 Camellia_Decrypt(CamelliaContext *cx, unsigned char *output,
-		 unsigned int *outputLen, unsigned int maxOutputLen,
-		 const unsigned char *input, unsigned int inputLen);
+                 unsigned int *outputLen, unsigned int maxOutputLen,
+                 const unsigned char *input, unsigned int inputLen);
 
 /******************************************/
 /*
 ** ChaCha20+Poly1305 AEAD
 */
 
 extern SECStatus ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx,
                                               const unsigned char *key,
@@ -1025,235 +1023,231 @@ extern SECStatus ChaCha20Poly1305_Open(
 ** Hash a null terminated string "src" into "dest" using MD5
 */
 extern SECStatus MD5_Hash(unsigned char *dest, const char *src);
 
 /*
 ** Hash a non-null terminated string "src" into "dest" using MD5
 */
 extern SECStatus MD5_HashBuf(unsigned char *dest, const unsigned char *src,
-			     PRUint32 src_length);
+                             PRUint32 src_length);
 
 /*
 ** Create a new MD5 context
 */
 extern MD5Context *MD5_NewContext(void);
 
-
 /*
 ** Destroy an MD5 secure hash context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+**  "cx" the context
+**  "freeit" if PR_TRUE then free the object as well as its sub-objects
 */
 extern void MD5_DestroyContext(MD5Context *cx, PRBool freeit);
 
 /*
 ** Reset an MD5 context, preparing it for a fresh round of hashing
 */
 extern void MD5_Begin(MD5Context *cx);
 
 /*
 ** Update the MD5 hash function with more data.
-**	"cx" the context
-**	"input" the data to hash
-**	"inputLen" the amount of data to hash
+**  "cx" the context
+**  "input" the data to hash
+**  "inputLen" the amount of data to hash
 */
 extern void MD5_Update(MD5Context *cx,
-		       const unsigned char *input, unsigned int inputLen);
+                       const unsigned char *input, unsigned int inputLen);
 
 /*
 ** Finish the MD5 hash function. Produce the digested results in "digest"
-**	"cx" the context
-**	"digest" where the 16 bytes of digest data are stored
-**	"digestLen" where the digest length (16) is stored
-**	"maxDigestLen" the maximum amount of data that can ever be
-**	   stored in "digest"
+**  "cx" the context
+**  "digest" where the 16 bytes of digest data are stored
+**  "digestLen" where the digest length (16) is stored
+**  "maxDigestLen" the maximum amount of data that can ever be
+**     stored in "digest"
 */
 extern void MD5_End(MD5Context *cx, unsigned char *digest,
-		    unsigned int *digestLen, unsigned int maxDigestLen);
+                    unsigned int *digestLen, unsigned int maxDigestLen);
 
 /*
 ** Export the current state of the MD5 hash without appending the standard
 ** padding and length bytes. Produce the digested results in "digest"
-**	"cx" the context
-**	"digest" where the 16 bytes of digest data are stored
-**	"digestLen" where the digest length (16) is stored (optional)
-**	"maxDigestLen" the maximum amount of data that can ever be
-**	   stored in "digest"
+**  "cx" the context
+**  "digest" where the 16 bytes of digest data are stored
+**  "digestLen" where the digest length (16) is stored (optional)
+**  "maxDigestLen" the maximum amount of data that can ever be
+**     stored in "digest"
 */
 extern void MD5_EndRaw(MD5Context *cx, unsigned char *digest,
-		       unsigned int *digestLen, unsigned int maxDigestLen);
+                       unsigned int *digestLen, unsigned int maxDigestLen);
 
 /*
  * Return the the size of a buffer needed to flatten the MD5 Context into
  *    "cx" the context
  *  returns size;
  */
 extern unsigned int MD5_FlattenSize(MD5Context *cx);
 
 /*
  * Flatten the MD5 Context into a buffer:
  *    "cx" the context
  *    "space" the buffer to flatten to
  *  returns status;
  */
-extern SECStatus MD5_Flatten(MD5Context *cx,unsigned char *space);
+extern SECStatus MD5_Flatten(MD5Context *cx, unsigned char *space);
 
 /*
  * Resurrect a flattened context into a MD5 Context
  *    "space" the buffer of the flattend buffer
  *    "arg" ptr to void used by cryptographic resurrect
  *  returns resurected context;
  */
-extern MD5Context * MD5_Resurrect(unsigned char *space, void *arg);
+extern MD5Context *MD5_Resurrect(unsigned char *space, void *arg);
 extern void MD5_Clone(MD5Context *dest, MD5Context *src);
 
 /*
 ** trace the intermediate state info of the MD5 hash.
 */
 extern void MD5_TraceState(MD5Context *cx);
 
-
 /******************************************/
 /*
 ** MD2 secure hash function
 */
 
 /*
 ** Hash a null terminated string "src" into "dest" using MD2
 */
 extern SECStatus MD2_Hash(unsigned char *dest, const char *src);
 
 /*
 ** Create a new MD2 context
 */
 extern MD2Context *MD2_NewContext(void);
 
-
 /*
 ** Destroy an MD2 secure hash context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+**  "cx" the context
+**  "freeit" if PR_TRUE then free the object as well as its sub-objects
 */
 extern void MD2_DestroyContext(MD2Context *cx, PRBool freeit);
 
 /*
 ** Reset an MD2 context, preparing it for a fresh round of hashing
 */
 extern void MD2_Begin(MD2Context *cx);
 
 /*
 ** Update the MD2 hash function with more data.
-**	"cx" the context
-**	"input" the data to hash
-**	"inputLen" the amount of data to hash
+**  "cx" the context
+**  "input" the data to hash
+**  "inputLen" the amount of data to hash
 */
 extern void MD2_Update(MD2Context *cx,
-		       const unsigned char *input, unsigned int inputLen);
+                       const unsigned char *input, unsigned int inputLen);
 
 /*
 ** Finish the MD2 hash function. Produce the digested results in "digest"
-**	"cx" the context
-**	"digest" where the 16 bytes of digest data are stored
-**	"digestLen" where the digest length (16) is stored
-**	"maxDigestLen" the maximum amount of data that can ever be
-**	   stored in "digest"
+**  "cx" the context
+**  "digest" where the 16 bytes of digest data are stored
+**  "digestLen" where the digest length (16) is stored
+**  "maxDigestLen" the maximum amount of data that can ever be
+**     stored in "digest"
 */
 extern void MD2_End(MD2Context *cx, unsigned char *digest,
-		    unsigned int *digestLen, unsigned int maxDigestLen);
+                    unsigned int *digestLen, unsigned int maxDigestLen);
 
 /*
  * Return the the size of a buffer needed to flatten the MD2 Context into
  *    "cx" the context
  *  returns size;
  */
 extern unsigned int MD2_FlattenSize(MD2Context *cx);
 
 /*
  * Flatten the MD2 Context into a buffer:
  *    "cx" the context
  *    "space" the buffer to flatten to
  *  returns status;
  */
-extern SECStatus MD2_Flatten(MD2Context *cx,unsigned char *space);
+extern SECStatus MD2_Flatten(MD2Context *cx, unsigned char *space);
 
 /*
  * Resurrect a flattened context into a MD2 Context
  *    "space" the buffer of the flattend buffer
  *    "arg" ptr to void used by cryptographic resurrect
  *  returns resurected context;
  */
-extern MD2Context * MD2_Resurrect(unsigned char *space, void *arg);
+extern MD2Context *MD2_Resurrect(unsigned char *space, void *arg);
 extern void MD2_Clone(MD2Context *dest, MD2Context *src);
 
 /******************************************/
 /*
 ** SHA-1 secure hash function
 */
 
 /*
 ** Hash a null terminated string "src" into "dest" using SHA-1
 */
 extern SECStatus SHA1_Hash(unsigned char *dest, const char *src);
 
 /*
 ** Hash a non-null terminated string "src" into "dest" using SHA-1
 */
 extern SECStatus SHA1_HashBuf(unsigned char *dest, const unsigned char *src,
-			      PRUint32 src_length);
+                              PRUint32 src_length);
 
 /*
 ** Create a new SHA-1 context
 */
 extern SHA1Context *SHA1_NewContext(void);
 
-
 /*
 ** Destroy a SHA-1 secure hash context.
-**	"cx" the context
-**	"freeit" if PR_TRUE then free the object as well as its sub-objects
+**  "cx" the context
+**  "freeit" if PR_TRUE then free the object as well as its sub-objects
 */
 extern void SHA1_DestroyContext(SHA1Context *cx, PRBool freeit);
 
 /*
 ** Reset a SHA-1 context, preparing it for a fresh round of hashing
 */
 extern void SHA1_Begin(SHA1Context *cx);
 
 /*
 ** Update the SHA-1 hash function with more data.
-**	"cx" the context
-**	"input" the data to hash
-**	"inputLen" the amount of data to hash
+**  "cx" the context
+**  "input" the data to hash
+**  "inputLen" the amount of data to hash
 */
 extern void SHA1_Update(SHA1Context *cx, const unsigned char *input,
-			unsigned int inputLen);
+                        unsigned int inputLen);
 
 /*
 ** Finish the SHA-1 hash function. Produce the digested results in "digest"
-**	"cx" the context
-**	"digest" where the 16 bytes of digest data are stored
-**	"digestLen" where the digest length (20) is stored
-**	"maxDigestLen" the maximum amount of data that can ever be
-**	   stored in "digest"
+**  "cx" the context
+**  "digest" where the 16 bytes of digest data are stored
+**  "digestLen" where the digest length (20) is stored
+**  "maxDigestLen" the maximum amount of data that can ever be
+**     stored in "digest"
 */
 extern void SHA1_End(SHA1Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen);
+                     unsigned int *digestLen, unsigned int maxDigestLen);
 
 /*
 ** Export the current state of the SHA-1 hash without appending the standard
 ** padding and length bytes. Produce the digested results in "digest"
-**	"cx" the context
-**	"digest" where the 20 bytes of digest data are stored
-**	"digestLen" where the digest length (20) is stored (optional)
-**	"maxDigestLen" the maximum amount of data that can ever be
-**	   stored in "digest"
+**  "cx" the context
+**  "digest" where the 20 bytes of digest data are stored
+**  "digestLen" where the digest length (20) is stored (optional)
+**  "maxDigestLen" the maximum amount of data that can ever be
+**     stored in "digest"
 */
 extern void SHA1_EndRaw(SHA1Context *cx, unsigned char *digest,
-			unsigned int *digestLen, unsigned int maxDigestLen);
+                        unsigned int *digestLen, unsigned int maxDigestLen);
 
 /*
 ** trace the intermediate state info of the SHA1 hash.
 */
 extern void SHA1_TraceState(SHA1Context *cx);
 
 /*
  * Return the the size of a buffer needed to flatten the SHA-1 Context into
@@ -1263,150 +1257,150 @@ extern void SHA1_TraceState(SHA1Context 
 extern unsigned int SHA1_FlattenSize(SHA1Context *cx);
 
 /*
  * Flatten the SHA-1 Context into a buffer:
  *    "cx" the context
  *    "space" the buffer to flatten to
  *  returns status;
  */
-extern SECStatus SHA1_Flatten(SHA1Context *cx,unsigned char *space);
+extern SECStatus SHA1_Flatten(SHA1Context *cx, unsigned char *space);
 
 /*
  * Resurrect a flattened context into a SHA-1 Context
  *    "space" the buffer of the flattend buffer
  *    "arg" ptr to void used by cryptographic resurrect
  *  returns resurected context;
  */
-extern SHA1Context * SHA1_Resurrect(unsigned char *space, void *arg);
+extern SHA1Context *SHA1_Resurrect(unsigned char *space, void *arg);
 extern void SHA1_Clone(SHA1Context *dest, SHA1Context *src);
 
 /******************************************/
 
 extern SHA224Context *SHA224_NewContext(void);
 extern void SHA224_DestroyContext(SHA224Context *cx, PRBool freeit);
 extern void SHA224_Begin(SHA224Context *cx);
 extern void SHA224_Update(SHA224Context *cx, const unsigned char *input,
-			unsigned int inputLen);
+                          unsigned int inputLen);
 extern void SHA224_End(SHA224Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen);
+                       unsigned int *digestLen, unsigned int maxDigestLen);
 /*
 ** Export the current state of the SHA-224 hash without appending the standard
 ** padding and length bytes. Produce the digested results in "digest"
-**	"cx" the context
-**	"digest" where the 28 bytes of digest data are stored
-**	"digestLen" where the digest length (28) is stored (optional)
-**	"maxDigestLen" the maximum amount of data that can ever be
-**	   stored in "digest"
+**  "cx" the context
+**  "digest" where the 28 bytes of digest data are stored
+**  "digestLen" where the digest length (28) is stored (optional)
+**  "maxDigestLen" the maximum amount of data that can ever be
+**     stored in "digest"
 */
 extern void SHA224_EndRaw(SHA224Context *cx, unsigned char *digest,
-			  unsigned int *digestLen, unsigned int maxDigestLen);
+                          unsigned int *digestLen, unsigned int maxDigestLen);
 extern SECStatus SHA224_HashBuf(unsigned char *dest, const unsigned char *src,
-				PRUint32 src_length);
+                                PRUint32 src_length);
 extern SECStatus SHA224_Hash(unsigned char *dest, const char *src);
 extern void SHA224_TraceState(SHA224Context *cx);
 extern unsigned int SHA224_FlattenSize(SHA224Context *cx);
-extern SECStatus SHA224_Flatten(SHA224Context *cx,unsigned char *space);
-extern SHA224Context * SHA224_Resurrect(unsigned char *space, void *arg);
+extern SECStatus SHA224_Flatten(SHA224Context *cx, unsigned char *space);
+extern SHA224Context *SHA224_Resurrect(unsigned char *space, void *arg);
 extern void SHA224_Clone(SHA224Context *dest, SHA224Context *src);
 
 /******************************************/
 
 extern SHA256Context *SHA256_NewContext(void);
 extern void SHA256_DestroyContext(SHA256Context *cx, PRBool freeit);
 extern void SHA256_Begin(SHA256Context *cx);
 extern void SHA256_Update(SHA256Context *cx, const unsigned char *input,
-			unsigned int inputLen);
+                          unsigned int inputLen);
 extern void SHA256_End(SHA256Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen);
+                       unsigned int *digestLen, unsigned int maxDigestLen);
 /*
 ** Export the current state of the SHA-256 hash without appending the standard
 ** padding and length bytes. Produce the digested results in "digest"
-**	"cx" the context
-**	"digest" where the 32 bytes of digest data are stored
-**	"digestLen" where the digest length (32) is stored (optional)
-**	"maxDigestLen" the maximum amount of data that can ever be
-**	   stored in "digest"
+**  "cx" the context
+**  "digest" where the 32 bytes of digest data are stored
+**  "digestLen" where the digest length (32) is stored (optional)
+**  "maxDigestLen" the maximum amount of data that can ever be
+**     stored in "digest"
 */
 extern void SHA256_EndRaw(SHA256Context *cx, unsigned char *digest,
-			  unsigned int *digestLen, unsigned int maxDigestLen);
+                          unsigned int *digestLen, unsigned int maxDigestLen);
 extern SECStatus SHA256_HashBuf(unsigned char *dest, const unsigned char *src,
-				PRUint32 src_length);
+                                PRUint32 src_length);
 extern SECStatus SHA256_Hash(unsigned char *dest, const char *src);
 extern void SHA256_TraceState(SHA256Context *cx);
 extern unsigned int SHA256_FlattenSize(SHA256Context *cx);
-extern SECStatus SHA256_Flatten(SHA256Context *cx,unsigned char *space);
-extern SHA256Context * SHA256_Resurrect(unsigned char *space, void *arg);
+extern SECStatus SHA256_Flatten(SHA256Context *cx, unsigned char *space);
+extern SHA256Context *SHA256_Resurrect(unsigned char *space, void *arg);
 extern void SHA256_Clone(SHA256Context *dest, SHA256Context *src);
 
 /******************************************/
 
 extern SHA512Context *SHA512_NewContext(void);
 extern void SHA512_DestroyContext(SHA512Context *cx, PRBool freeit);
 extern void SHA512_Begin(SHA512Context *cx);
 extern void SHA512_Update(SHA512Context *cx, const unsigned char *input,
-			unsigned int inputLen);
+                          unsigned int inputLen);
 /*
 ** Export the current state of the SHA-512 hash without appending the standard
 ** padding and length bytes. Produce the digested results in "digest"
-**	"cx" the context
-**	"digest" where the 64 bytes of digest data are stored
-**	"digestLen" where the digest length (64) is stored (optional)
-**	"maxDigestLen" the maximum amount of data that can ever be
-**	   stored in "digest"
+**  "cx" the context
+**  "digest" where the 64 bytes of digest data are stored
+**  "digestLen" where the digest length (64) is stored (optional)
+**  "maxDigestLen" the maximum amount of data that can ever be
+**     stored in "digest"
 */
 extern void SHA512_EndRaw(SHA512Context *cx, unsigned char *digest,
-			  unsigned int *digestLen, unsigned int maxDigestLen);
+                          unsigned int *digestLen, unsigned int maxDigestLen);
 extern void SHA512_End(SHA512Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen);
+                       unsigned int *digestLen, unsigned int maxDigestLen);
 extern SECStatus SHA512_HashBuf(unsigned char *dest, const unsigned char *src,
-				PRUint32 src_length);
+                                PRUint32 src_length);
 extern SECStatus SHA512_Hash(unsigned char *dest, const char *src);
 extern void SHA512_TraceState(SHA512Context *cx);
 extern unsigned int SHA512_FlattenSize(SHA512Context *cx);
-extern SECStatus SHA512_Flatten(SHA512Context *cx,unsigned char *space);
-extern SHA512Context * SHA512_Resurrect(unsigned char *space, void *arg);
+extern SECStatus SHA512_Flatten(SHA512Context *cx, unsigned char *space);
+extern SHA512Context *SHA512_Resurrect(unsigned char *space, void *arg);
 extern void SHA512_Clone(SHA512Context *dest, SHA512Context *src);
 
 /******************************************/
 
 extern SHA384Context *SHA384_NewContext(void);
 extern void SHA384_DestroyContext(SHA384Context *cx, PRBool freeit);
 extern void SHA384_Begin(SHA384Context *cx);
 extern void SHA384_Update(SHA384Context *cx, const unsigned char *input,
-			unsigned int inputLen);
+                          unsigned int inputLen);
 extern void SHA384_End(SHA384Context *cx, unsigned char *digest,
-		     unsigned int *digestLen, unsigned int maxDigestLen);
+                       unsigned int *digestLen, unsigned int maxDigestLen);
 /*
 ** Export the current state of the SHA-384 hash without appending the standard
 ** padding and length bytes. Produce the digested results in "digest"
-**	"cx" the context
-**	"digest" where the 48 bytes of digest data are stored
-**	"digestLen" where the digest length (48) is stored (optional)
-**	"maxDigestLen" the maximum amount of data that can ever be
-**	   stored in "digest"
+**  "cx" the context
+**  "digest" where the 48 bytes of digest data are stored
+**  "digestLen" where the digest length (48) is stored (optional)
+**  "maxDigestLen" the maximum amount of data that can ever be
+**     stored in "digest"
 */
 extern void SHA384_EndRaw(SHA384Context *cx, unsigned char *digest,
-			  unsigned int *digestLen, unsigned int maxDigestLen);
+                          unsigned int *digestLen, unsigned int maxDigestLen);
 extern SECStatus SHA384_HashBuf(unsigned char *dest, const unsigned char *src,
-				PRUint32 src_length);
+                                PRUint32 src_length);
 extern SECStatus SHA384_Hash(unsigned char *dest, const char *src);
 extern void SHA384_TraceState(SHA384Context *cx);
 extern unsigned int SHA384_FlattenSize(SHA384Context *cx);
-extern SECStatus SHA384_Flatten(SHA384Context *cx,unsigned char *space);
-extern SHA384Context * SHA384_Resurrect(unsigned char *space, void *arg);
+extern SECStatus SHA384_Flatten(SHA384Context *cx, unsigned char *space);
+extern SHA384Context *SHA384_Resurrect(unsigned char *space, void *arg);
 extern void SHA384_Clone(SHA384Context *dest, SHA384Context *src);
 
 /****************************************
  * implement TLS 1.0 Pseudo Random Function (PRF) and TLS P_hash function
  */
 
 extern SECStatus
-TLS_PRF(const SECItem *secret, const char *label, SECItem *seed, 
-         SECItem *result, PRBool isFIPS);
+TLS_PRF(const SECItem *secret, const char *label, SECItem *seed,
+        SECItem *result, PRBool isFIPS);
 
 extern SECStatus
 TLS_P_hash(HASH_HashType hashAlg, const SECItem *secret, const char *label,
            SECItem *seed, SECItem *result, PRBool isFIPS);
 
 /******************************************/
 /*
 ** Pseudo Random Number Generation.  FIPS compliance desirable.
@@ -1434,17 +1428,17 @@ extern SECStatus RNG_RandomUpdate(const 
 ** object.
 */
 extern SECStatus RNG_GenerateGlobalRandomBytes(void *dest, size_t len);
 
 /* Destroy the global RNG context.  After a call to RNG_RNGShutdown()
 ** a call to RNG_RNGInit() is required in order to use the generator again,
 ** along with seed data (see the comment above RNG_RNGInit()).
 */
-extern void  RNG_RNGShutdown(void);
+extern void RNG_RNGShutdown(void);
 
 extern void RNG_SystemInfoForRNG(void);
 
 /*
  * FIPS 186-2 Change Notice 1 RNG Algorithm 1, used both to
  * generate the DSA X parameter and as a generic purpose RNG.
  *
  * The following two FIPS186Change functions are needed for
@@ -1473,113 +1467,111 @@ FIPS186Change_ReduceModQForDSA(const uns
                                const unsigned char *q,
                                unsigned char *xj);
 
 /*
  * The following functions are for FIPS poweron self test and FIPS algorithm
  * testing.
  */
 extern SECStatus
-PRNGTEST_Instantiate(const PRUint8 *entropy, unsigned int entropy_len, 
-		const PRUint8 *nonce, unsigned int nonce_len,
-		const PRUint8 *personal_string, unsigned int ps_len);
+PRNGTEST_Instantiate(const PRUint8 *entropy, unsigned int entropy_len,
+                     const PRUint8 *nonce, unsigned int nonce_len,
+                     const PRUint8 *personal_string, unsigned int ps_len);
 
 extern SECStatus
-PRNGTEST_Reseed(const PRUint8 *entropy, unsigned int entropy_len, 
-		  const PRUint8 *additional, unsigned int additional_len);
+PRNGTEST_Reseed(const PRUint8 *entropy, unsigned int entropy_len,
+                const PRUint8 *additional, unsigned int additional_len);
 
 extern SECStatus
-PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len, 
-		  const PRUint8 *additional, unsigned int additional_len);
+PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len,
+                  const PRUint8 *additional, unsigned int additional_len);
 
 extern SECStatus
 PRNGTEST_Uninstantiate(void);
 
 extern SECStatus
 PRNGTEST_RunHealthTests(void);
 
 /* Generate PQGParams and PQGVerify structs.
- * Length of seed and length of h both equal length of P. 
+ * Length of seed and length of h both equal length of P.
  * All lengths are specified by "j", according to the table above.
  *
  * The verify parameters will conform to FIPS186-1.
  */
 extern SECStatus
-PQG_ParamGen(unsigned int j, 	   /* input : determines length of P. */
-             PQGParams **pParams,  /* output: P Q and G returned here */
-	     PQGVerify **pVfy);    /* output: counter and seed. */
+PQG_ParamGen(unsigned int j,      /* input : determines length of P. */
+             PQGParams **pParams, /* output: P Q and G returned here */
+             PQGVerify **pVfy);   /* output: counter and seed. */
 
 /* Generate PQGParams and PQGVerify structs.
  * Length of P specified by j.  Length of h will match length of P.
  * Length of SEED in bytes specified in seedBytes.
  * seedBbytes must be in the range [20..255] or an error will result.
  *
  * The verify parameters will conform to FIPS186-1.
  */
 extern SECStatus
 PQG_ParamGenSeedLen(
-             unsigned int j, 	     /* input : determines length of P. */
-	     unsigned int seedBytes, /* input : length of seed in bytes.*/
-             PQGParams **pParams,    /* output: P Q and G returned here */
-	     PQGVerify **pVfy);      /* output: counter and seed. */
+    unsigned int j,         /* input : determines length of P. */
+    unsigned int seedBytes, /* input : length of seed in bytes.*/
+    PQGParams **pParams,    /* output: P Q and G returned here */
+    PQGVerify **pVfy);      /* output: counter and seed. */
 
 /* Generate PQGParams and PQGVerify structs.
- * Length of P specified by L in bits.  
- * Length of Q specified by N in bits.  
+ * Length of P specified by L in bits.
+ * Length of Q specified by N in bits.
  * Length of SEED in bytes specified in seedBytes.
  * seedBbytes must be in the range [N..L*2] or an error will result.
  *
  * Not that J uses the above table, L is the length exact. L and N must
  * match the table below or an error will result:
  *
  *  L            N
  * 1024         160
  * 2048         224
  * 2048         256
  * 3072         256
  *
  * If N or seedBytes are set to zero, then PQG_ParamGenSeedLen will
  * pick a default value (typically the smallest secure value for these
  * variables).
  *
- * The verify parameters will conform to FIPS186-3 using the smallest 
+ * The verify parameters will conform to FIPS186-3 using the smallest
  * permissible hash for the key strength.
  */
 extern SECStatus
 PQG_ParamGenV2(
-             unsigned int L, 	     /* input : determines length of P. */
-             unsigned int N, 	     /* input : determines length of Q. */
-	     unsigned int seedBytes, /* input : length of seed in bytes.*/
-             PQGParams **pParams,    /* output: P Q and G returned here */
-	     PQGVerify **pVfy);      /* output: counter and seed. */
-
+    unsigned int L,         /* input : determines length of P. */
+    unsigned int N,         /* input : determines length of Q. */
+    unsigned int seedBytes, /* input : length of seed in bytes.*/
+    PQGParams **pParams,    /* output: P Q and G returned here */
+    PQGVerify **pVfy);      /* output: counter and seed. */
 
 /*  Test PQGParams for validity as DSS PQG values.
  *  If vfy is non-NULL, test PQGParams to make sure they were generated
  *       using the specified seed, counter, and h values.
  *
  *  Return value indicates whether Verification operation ran successfully
  *  to completion, but does not indicate if PQGParams are valid or not.
  *  If return value is SECSuccess, then *pResult has these meanings:
  *       SECSuccess: PQGParams are valid.
  *       SECFailure: PQGParams are invalid.
  *
  * Verify the PQG againts the counter, SEED and h.
  * These tests are specified in FIPS 186-3 Appendix A.1.1.1, A.1.1.3, and A.2.2
  * PQG_VerifyParams will automatically choose the appropriate test.
  */
 
-extern SECStatus   PQG_VerifyParams(const PQGParams *params, 
-                                    const PQGVerify *vfy, SECStatus *result);
+extern SECStatus PQG_VerifyParams(const PQGParams *params,
+                                  const PQGVerify *vfy, SECStatus *result);
 
 extern void PQG_DestroyParams(PQGParams *params);
 
 extern void PQG_DestroyVerify(PQGVerify *vfy);
 
-
 /*
  * clean-up any global tables freebl may have allocated after it starts up.
  * This function is not thread safe and should be called only after the
  * library has been quiessed.
  */
 extern void BL_Cleanup(void);
 
 /* unload freebl shared library from memory */
@@ -1596,17 +1588,17 @@ PRBool BLAPI_SHVerify(const char *name, 
 PRBool BLAPI_SHVerifyFile(const char *shName);
 
 /**************************************************************************
  *  Verify Are Own Shared library signature                               *
  **************************************************************************/
 PRBool BLAPI_VerifySelf(const char *name);
 
 /*********************************************************************/
-extern const SECHashObject * HASH_GetRawHashObject(HASH_HashType hashType);
+extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType);
 
 extern void BL_SetForkState(PRBool forked);
 
 #ifndef NSS_DISABLE_ECC
 /*
 ** pepare an ECParam structure from DEREncoded params
  */
 extern SECStatus EC_FillParams(PLArenaPool *arena,
--- a/security/nss/lib/freebl/blapii.h
+++ b/security/nss/lib/freebl/blapii.h
@@ -9,34 +9,35 @@
 #define _BLAPII_H_
 
 #include "blapit.h"
 
 /* max block size of supported block ciphers */
 #define MAX_BLOCK_SIZE 16
 
 typedef SECStatus (*freeblCipherFunc)(void *cx, unsigned char *output,
-                          unsigned int *outputLen, unsigned int maxOutputLen,
-                          const unsigned char *input, unsigned int inputLen,
-			  unsigned int blocksize);
+                                      unsigned int *outputLen, unsigned int maxOutputLen,
+                                      const unsigned char *input, unsigned int inputLen,
+                                      unsigned int blocksize);
 typedef void (*freeblDestroyFunc)(void *cx, PRBool freeit);
 
 SEC_BEGIN_PROTOS
 
 SECStatus BL_FIPSEntryOK(PRBool freeblOnly);
 PRBool BL_POSTRan(PRBool freeblOnly);
 
 #if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
 
 extern PRBool bl_parentForkedAfterC_Initialize;
 
-#define SKIP_AFTER_FORK(x) if (!bl_parentForkedAfterC_Initialize) x
+#define SKIP_AFTER_FORK(x)                 \
+    if (!bl_parentForkedAfterC_Initialize) \
+    x
 
 #else
 
 #define SKIP_AFTER_FORK(x) x
 
 #endif
 
 SEC_END_PROTOS
 
 #endif /* _BLAPII_H_ */
-
--- a/security/nss/lib/freebl/blapit.h
+++ b/security/nss/lib/freebl/blapit.h
@@ -8,292 +8,286 @@
 #ifndef _BLAPIT_H_
 #define _BLAPIT_H_
 
 #include "seccomon.h"
 #include "prlink.h"
 #include "plarena.h"
 #include "ecl-exp.h"
 
-
 /* RC2 operation modes */
-#define NSS_RC2			0
-#define NSS_RC2_CBC		1
+#define NSS_RC2 0
+#define NSS_RC2_CBC 1
 
 /* RC5 operation modes */
-#define NSS_RC5                 0
-#define NSS_RC5_CBC             1
+#define NSS_RC5 0
+#define NSS_RC5_CBC 1
 
 /* DES operation modes */
-#define NSS_DES			0
-#define NSS_DES_CBC		1
-#define NSS_DES_EDE3		2
-#define NSS_DES_EDE3_CBC	3
+#define NSS_DES 0
+#define NSS_DES_CBC 1
+#define NSS_DES_EDE3 2
+#define NSS_DES_EDE3_CBC 3
 
-#define DES_KEY_LENGTH		8	/* Bytes */
+#define DES_KEY_LENGTH 8 /* Bytes */
 
 /* AES operation modes */
-#define NSS_AES                 0
-#define NSS_AES_CBC             1
-#define NSS_AES_CTS             2
-#define NSS_AES_CTR             3
-#define NSS_AES_GCM             4
+#define NSS_AES 0
+#define NSS_AES_CBC 1
+#define NSS_AES_CTS 2
+#define NSS_AES_CTR 3
+#define NSS_AES_GCM 4
 
 /* Camellia operation modes */
-#define NSS_CAMELLIA                 0
-#define NSS_CAMELLIA_CBC             1
+#define NSS_CAMELLIA 0
+#define NSS_CAMELLIA_CBC 1
 
 /* SEED operation modes */
-#define NSS_SEED		0
-#define NSS_SEED_CBC		1
+#define NSS_SEED 0
+#define NSS_SEED_CBC 1
 
-#define DSA1_SUBPRIME_LEN	20			/* Bytes */
-#define DSA1_SIGNATURE_LEN 	(DSA1_SUBPRIME_LEN*2)	/* Bytes */
-#define DSA_MAX_SUBPRIME_LEN	32			/* Bytes */
-#define DSA_MAX_SIGNATURE_LEN 	(DSA_MAX_SUBPRIME_LEN*2)/* Bytes */
+#define DSA1_SUBPRIME_LEN 20                             /* Bytes */
+#define DSA1_SIGNATURE_LEN (DSA1_SUBPRIME_LEN * 2)       /* Bytes */
+#define DSA_MAX_SUBPRIME_LEN 32                          /* Bytes */
+#define DSA_MAX_SIGNATURE_LEN (DSA_MAX_SUBPRIME_LEN * 2) /* Bytes */
 
 /*
  * Mark the old defines as deprecated. This will warn code that expected
  * DSA1 only that they need to change if the are to support DSA2.
  */
 #if defined(__GNUC__) && (__GNUC__ > 3)
 /* make GCC warn when we use these #defines */
 typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
 #define DSA_SUBPRIME_LEN ((__BLAPI_DEPRECATED)DSA1_SUBPRIME_LEN)
 #define DSA_SIGNATURE_LEN ((__BLAPI_DEPRECATED)DSA1_SIGNATURE_LEN)
-#define DSA_Q_BITS ((__BLAPI_DEPRECATED)(DSA1_SUBPRIME_LEN*8))
+#define DSA_Q_BITS ((__BLAPI_DEPRECATED)(DSA1_SUBPRIME_LEN * 8))
 #else
 #ifdef _WIN32
 /* This magic gets the windows compiler to give us a deprecation
  * warning */
 #pragma deprecated(DSA_SUBPRIME_LEN, DSA_SIGNATURE_LEN, DSA_QBITS)
 #endif
-#define DSA_SUBPRIME_LEN  DSA1_SUBPRIME_LEN
+#define DSA_SUBPRIME_LEN DSA1_SUBPRIME_LEN
 #define DSA_SIGNATURE_LEN DSA1_SIGNATURE_LEN
-#define DSA_Q_BITS 	  (DSA1_SUBPRIME_LEN*8)
+#define DSA_Q_BITS (DSA1_SUBPRIME_LEN * 8)
 #endif
 
-
 /* XXX We shouldn't have to hard code this limit. For
  * now, this is the quickest way to support ECDSA signature
  * processing (ECDSA signature lengths depend on curve
  * size). This limit is sufficient for curves upto
  * 576 bits.
  */
-#define MAX_ECKEY_LEN 	        72	/* Bytes */
+#define MAX_ECKEY_LEN 72 /* Bytes */
 
 #ifdef NSS_ECC_MORE_THAN_SUITE_B
-#define EC_MAX_KEY_BITS		571     /* in bits */
-#define EC_MIN_KEY_BITS		112     /* in bits */
+#define EC_MAX_KEY_BITS 571 /* in bits */
+#define EC_MIN_KEY_BITS 112 /* in bits */
 #else
-#define EC_MAX_KEY_BITS		521     /* in bits */
-#define EC_MIN_KEY_BITS		256     /* in bits */
+#define EC_MAX_KEY_BITS 521 /* in bits */
+#define EC_MIN_KEY_BITS 256 /* in bits */
 #endif
 
 /* EC point compression format */
-#define EC_POINT_FORM_COMPRESSED_Y0    0x02
-#define EC_POINT_FORM_COMPRESSED_Y1    0x03
-#define EC_POINT_FORM_UNCOMPRESSED     0x04
-#define EC_POINT_FORM_HYBRID_Y0        0x06
-#define EC_POINT_FORM_HYBRID_Y1        0x07
+#define EC_POINT_FORM_COMPRESSED_Y0 0x02
+#define EC_POINT_FORM_COMPRESSED_Y1 0x03
+#define EC_POINT_FORM_UNCOMPRESSED 0x04
+#define EC_POINT_FORM_HYBRID_Y0 0x06
+#define EC_POINT_FORM_HYBRID_Y1 0x07
 
 /*
  * Number of bytes each hash algorithm produces
  */
-#define MD2_LENGTH		16	/* Bytes */
-#define MD5_LENGTH		16	/* Bytes */
-#define SHA1_LENGTH		20	/* Bytes */
-#define SHA256_LENGTH 		32 	/* bytes */
-#define SHA384_LENGTH 		48 	/* bytes */
-#define SHA512_LENGTH 		64 	/* bytes */
-#define HASH_LENGTH_MAX         SHA512_LENGTH
+#define MD2_LENGTH 16    /* Bytes */
+#define MD5_LENGTH 16    /* Bytes */
+#define SHA1_LENGTH 20   /* Bytes */
+#define SHA256_LENGTH 32 /* bytes */
+#define SHA384_LENGTH 48 /* bytes */
+#define SHA512_LENGTH 64 /* bytes */
+#define HASH_LENGTH_MAX SHA512_LENGTH
 
 /*
  * Input block size for each hash algorithm.
  */
 
-#define MD2_BLOCK_LENGTH 	 64 	/* bytes */
-#define MD5_BLOCK_LENGTH 	 64 	/* bytes */
-#define SHA1_BLOCK_LENGTH 	 64 	/* bytes */
-#define SHA224_BLOCK_LENGTH 	 64 	/* bytes */
-#define SHA256_BLOCK_LENGTH 	 64 	/* bytes */
-#define SHA384_BLOCK_LENGTH 	128 	/* bytes */
-#define SHA512_BLOCK_LENGTH 	128 	/* bytes */
-#define HASH_BLOCK_LENGTH_MAX 	SHA512_BLOCK_LENGTH
+#define MD2_BLOCK_LENGTH 64     /* bytes */
+#define MD5_BLOCK_LENGTH 64     /* bytes */
+#define SHA1_BLOCK_LENGTH 64    /* bytes */
+#define SHA224_BLOCK_LENGTH 64  /* bytes */
+#define SHA256_BLOCK_LENGTH 64  /* bytes */
+#define SHA384_BLOCK_LENGTH 128 /* bytes */
+#define SHA512_BLOCK_LENGTH 128 /* bytes */
+#define HASH_BLOCK_LENGTH_MAX SHA512_BLOCK_LENGTH
 
-#define AES_KEY_WRAP_IV_BYTES    8
-#define AES_KEY_WRAP_BLOCK_SIZE  8  /* bytes */
-#define AES_BLOCK_SIZE          16  /* bytes */
+#define AES_KEY_WRAP_IV_BYTES 8
+#define AES_KEY_WRAP_BLOCK_SIZE 8 /* bytes */
+#define AES_BLOCK_SIZE 16         /* bytes */
 
-#define AES_128_KEY_LENGTH      16  /* bytes */
-#define AES_192_KEY_LENGTH      24  /* bytes */
-#define AES_256_KEY_LENGTH      32  /* bytes */
+#define AES_128_KEY_LENGTH 16 /* bytes */
+#define AES_192_KEY_LENGTH 24 /* bytes */
+#define AES_256_KEY_LENGTH 32 /* bytes */
 
-#define CAMELLIA_BLOCK_SIZE          16  /* bytes */
+#define CAMELLIA_BLOCK_SIZE 16 /* bytes */
 
-#define SEED_BLOCK_SIZE 16              /* bytes */
-#define SEED_KEY_LENGTH 16              /* bytes */
+#define SEED_BLOCK_SIZE 16 /* bytes */
+#define SEED_KEY_LENGTH 16 /* bytes */
 
 #define NSS_FREEBL_DEFAULT_CHUNKSIZE 2048
 
 /*
  * These values come from the initial key size limits from the PKCS #11
  * module. They may be arbitrarily adjusted to any value freebl supports.
  */
-#define RSA_MIN_MODULUS_BITS   128
+#define RSA_MIN_MODULUS_BITS 128
 #define RSA_MAX_MODULUS_BITS 16384
-#define RSA_MAX_EXPONENT_BITS   64
-#define DH_MIN_P_BITS	       128
-#define DH_MAX_P_BITS        16384
+#define RSA_MAX_EXPONENT_BITS 64
+#define DH_MIN_P_BITS 128
+#define DH_MAX_P_BITS 16384
 
 /*
  * The FIPS 186-1 algorithm for generating primes P and Q allows only 9
  * distinct values for the length of P, and only one value for the
  * length of Q.
  * The algorithm uses a variable j to indicate which of the 9 lengths
  * of P is to be used.
  * The following table relates j to the lengths of P and Q in bits.
  *
- *	j	bits in P	bits in Q
- *	_	_________	_________
- *	0	 512		160
- *	1	 576		160
- *	2	 640		160
- *	3	 704		160
- *	4	 768		160
- *	5	 832		160
- *	6	 896		160
- *	7	 960		160
- *	8	1024		160
+ *  j   bits in P   bits in Q
+ *  _   _________   _________
+ *  0    512        160
+ *  1    576        160
+ *  2    640        160
+ *  3    704        160
+ *  4    768        160
+ *  5    832        160
+ *  6    896        160
+ *  7    960        160
+ *  8   1024        160
  *
  * The FIPS-186-1 compliant PQG generator takes j as an input parameter.
  *
  * FIPS 186-3 algorithm specifies 4 distinct P and Q sizes:
  *
  *     bits in P       bits in Q
  *     _________       _________
  *      1024           160
  *      2048           224
  *      2048           256
  *      3072           256
  *
  * The FIPS-186-3 complaiant PQG generator (PQG V2) takes arbitrary p and q
  * lengths as input and returns an error if they aren't in this list.
  */
 
-#define DSA1_Q_BITS      160
-#define DSA_MAX_P_BITS	3072
-#define DSA_MIN_P_BITS	 512
-#define DSA_MAX_Q_BITS   256
-#define DSA_MIN_Q_BITS   160
+#define DSA1_Q_BITS 160
+#define DSA_MAX_P_BITS 3072
+#define DSA_MIN_P_BITS 512
+#define DSA_MAX_Q_BITS 256
+#define DSA_MIN_Q_BITS 160
 
-#if DSA_MAX_Q_BITS != DSA_MAX_SUBPRIME_LEN*8
+#if DSA_MAX_Q_BITS != DSA_MAX_SUBPRIME_LEN * 8
 #error "Inconsistent declaration of DSA SUBPRIME/Q parameters in blapit.h"
 #endif
 
-
 /*
  * function takes desired number of bits in P,
  * returns index (0..8) or -1 if number of bits is invalid.
  */
 #define PQG_PBITS_TO_INDEX(bits) \
-    (((bits) < 512 || (bits) > 1024 || (bits) % 64) ? \
-    -1 : (int)((bits)-512)/64)
+    (((bits) < 512 || (bits) > 1024 || (bits) % 64) ? -1 : (int)((bits)-512) / 64)
 
 /*
  * function takes index (0-8)
  * returns number of bits in P for that index, or -1 if index is invalid.
  */
 #define PQG_INDEX_TO_PBITS(j) (((unsigned)(j) > 8) ? -1 : (512 + 64 * (j)))
 
-
 /***************************************************************************
-** Opaque objects 
+** Opaque objects
 */
 
-struct DESContextStr        ;
-struct RC2ContextStr        ;
-struct RC4ContextStr        ;
-struct RC5ContextStr        ;
-struct AESContextStr        ;
-struct CamelliaContextStr   ;
-struct MD2ContextStr        ;
-struct MD5ContextStr        ;
-struct SHA1ContextStr       ;
-struct SHA256ContextStr     ;
-struct SHA512ContextStr     ;
-struct AESKeyWrapContextStr ;
-struct SEEDContextStr       ;	
+struct DESContextStr;
+struct RC2ContextStr;
+struct RC4ContextStr;
+struct RC5ContextStr;
+struct AESContextStr;
+struct CamelliaContextStr;
+struct MD2ContextStr;
+struct MD5ContextStr;
+struct SHA1ContextStr;
+struct SHA256ContextStr;
+struct SHA512ContextStr;
+struct AESKeyWrapContextStr;
+struct SEEDContextStr;
 struct ChaCha20Poly1305ContextStr;
 
-typedef struct DESContextStr        DESContext;
-typedef struct RC2ContextStr        RC2Context;
-typedef struct RC4ContextStr        RC4Context;
-typedef struct RC5ContextStr        RC5Context;
-typedef struct AESContextStr        AESContext;
-typedef struct CamelliaContextStr   CamelliaContext;
-typedef struct MD2ContextStr        MD2Context;
-typedef struct MD5ContextStr        MD5Context;
-typedef struct SHA1ContextStr       SHA1Context;
-typedef struct SHA256ContextStr     SHA256Context;
+typedef struct DESContextStr DESContext;
+typedef struct RC2ContextStr RC2Context;
+typedef struct RC4ContextStr RC4Context;
+typedef struct RC5ContextStr RC5Context;
+typedef struct AESContextStr AESContext;
+typedef struct CamelliaContextStr CamelliaContext;
+typedef struct MD2ContextStr MD2Context;
+typedef struct MD5ContextStr MD5Context;
+typedef struct SHA1ContextStr SHA1Context;
+typedef struct SHA256ContextStr SHA256Context;
 /* SHA224Context is really a SHA256ContextStr.  This is not a mistake. */
-typedef struct SHA256ContextStr     SHA224Context;
-typedef struct SHA512ContextStr     SHA512Context;
+typedef struct SHA256ContextStr SHA224Context;
+typedef struct SHA512ContextStr SHA512Context;
 /* SHA384Context is really a SHA512ContextStr.  This is not a mistake. */
-typedef struct SHA512ContextStr     SHA384Context;
+typedef struct SHA512ContextStr SHA384Context;
 typedef struct AESKeyWrapContextStr AESKeyWrapContext;
-typedef struct SEEDContextStr	    SEEDContext;	
+typedef struct SEEDContextStr SEEDContext;
 typedef struct ChaCha20Poly1305ContextStr ChaCha20Poly1305Context;
 
 /***************************************************************************
 ** RSA Public and Private Key structures
 */
 
 /* member names from PKCS#1, section 7.1 */
 struct RSAPublicKeyStr {
-    PLArenaPool * arena;
+    PLArenaPool *arena;
     SECItem modulus;
     SECItem publicExponent;
 };
 typedef struct RSAPublicKeyStr RSAPublicKey;
 
 /* member names from PKCS#1, section 7.2 */
 struct RSAPrivateKeyStr {
-    PLArenaPool * arena;
+    PLArenaPool *arena;
     SECItem version;
     SECItem modulus;
     SECItem publicExponent;
     SECItem privateExponent;
     SECItem prime1;
     SECItem prime2;
     SECItem exponent1;
     SECItem exponent2;
     SECItem coefficient;
 };
 typedef struct RSAPrivateKeyStr RSAPrivateKey;
 
-
 /***************************************************************************
 ** DSA Public and Private Key and related structures
 */
 
 struct PQGParamsStr {
     PLArenaPool *arena;
     SECItem prime;    /* p */
     SECItem subPrime; /* q */
     SECItem base;     /* g */
     /* XXX chrisk: this needs to be expanded to hold j and validationParms (RFC2459 7.3.2) */
 };
 typedef struct PQGParamsStr PQGParams;
 
 struct PQGVerifyStr {
-    PLArenaPool * arena;	/* includes this struct, seed, & h. */
-    unsigned int  counter;
-    SECItem       seed;
-    SECItem       h;
+    PLArenaPool *arena; /* includes this struct, seed, & h. */
+    unsigned int counter;
+    SECItem seed;
+    SECItem h;
 };
 typedef struct PQGVerifyStr PQGVerify;
 
 struct DSAPublicKeyStr {
     PQGParams params;
     SECItem publicValue;
 };
 typedef struct DSAPublicKeyStr DSAPublicKey;
@@ -306,119 +300,119 @@ struct DSAPrivateKeyStr {
 typedef struct DSAPrivateKeyStr DSAPrivateKey;
 
 /***************************************************************************
 ** Diffie-Hellman Public and Private Key and related structures
 ** Structure member names suggested by PKCS#3.
 */
 
 struct DHParamsStr {
-    PLArenaPool * arena;
+    PLArenaPool *arena;
     SECItem prime; /* p */
-    SECItem base; /* g */
+    SECItem base;  /* g */
 };
 typedef struct DHParamsStr DHParams;
 
 struct DHPublicKeyStr {
-    PLArenaPool * arena;
+    PLArenaPool *arena;
     SECItem prime;
     SECItem base;
     SECItem publicValue;
 };
 typedef struct DHPublicKeyStr DHPublicKey;
 
 struct DHPrivateKeyStr {
-    PLArenaPool * arena;
+    PLArenaPool *arena;
     SECItem prime;
     SECItem base;
     SECItem publicValue;
     SECItem privateValue;
 };
 typedef struct DHPrivateKeyStr DHPrivateKey;
 
 /***************************************************************************
 ** Data structures used for elliptic curve parameters and
 ** public and private keys.
 */
 
 /*
-** The ECParams data structures can encode elliptic curve 
+** The ECParams data structures can encode elliptic curve
 ** parameters for both GFp and GF2m curves.
 */
 
 typedef enum { ec_params_explicit,
-	       ec_params_named
+               ec_params_named
 } ECParamsType;
 
 typedef enum { ec_field_GFp = 1,
                ec_field_GF2m
 } ECFieldType;
 
 struct ECFieldIDStr {
-    int         size;   /* field size in bits */
+    int size; /* field size in bits */
     ECFieldType type;
     union {
-        SECItem  prime; /* prime p for (GFp) */
-        SECItem  poly;  /* irreducible binary polynomial for (GF2m) */
+        SECItem prime; /* prime p for (GFp) */
+        SECItem poly;  /* irreducible binary polynomial for (GF2m) */
     } u;
-    int         k1;     /* first coefficient of pentanomial or
-                         * the only coefficient of trinomial 
+    int k1; /* first coefficient of pentanomial or
+                         * the only coefficient of trinomial
                          */
-    int         k2;     /* two remaining coefficients of pentanomial */
-    int         k3;
+    int k2; /* two remaining coefficients of pentanomial */
+    int k3;
 };
 typedef struct ECFieldIDStr ECFieldID;
 
 struct ECCurveStr {
-    SECItem a;          /* contains octet stream encoding of
-                         * field element (X9.62 section 4.3.3) 
-			 */
+    SECItem a; /* contains octet stream encoding of
+                         * field element (X9.62 section 4.3.3)
+             */
     SECItem b;
     SECItem seed;
 };
 typedef struct ECCurveStr ECCurve;
 
 struct ECParamsStr {
-    PLArenaPool * arena;
-    ECParamsType  type;
-    ECFieldID     fieldID;
-    ECCurve       curve; 
-    SECItem       base;
-    SECItem       order; 
-    int           cofactor;
-    SECItem       DEREncoding;
-    ECCurveName   name;
-    SECItem       curveOID;
+    PLArenaPool *arena;
+    ECParamsType type;
+    ECFieldID fieldID;
+    ECCurve curve;
+    SECItem base;
+    SECItem order;
+    int cofactor;
+    SECItem DEREncoding;
+    ECCurveName name;
+    SECItem curveOID;
 };
 typedef struct ECParamsStr ECParams;
 
 struct ECPublicKeyStr {
-    ECParams ecParams;   
-    SECItem publicValue;   /* elliptic curve point encoded as 
-			    * octet stream.
-			    */
+    ECParams ecParams;
+    SECItem publicValue; /* elliptic curve point encoded as
+                * octet stream.
+                */
 };
 typedef struct ECPublicKeyStr ECPublicKey;
 
 struct ECPrivateKeyStr {
-    ECParams ecParams;   
-    SECItem publicValue;   /* encoded ec point */
-    SECItem privateValue;  /* private big integer */
-    SECItem version;       /* As per SEC 1, Appendix C, Section C.4 */
+    ECParams ecParams;
+    SECItem publicValue;  /* encoded ec point */
+    SECItem privateValue; /* private big integer */
+    SECItem version;      /* As per SEC 1, Appendix C, Section C.4 */
 };
 typedef struct ECPrivateKeyStr ECPrivateKey;
 
-typedef void * (*BLapiAllocateFunc)(void);
+typedef void *(*BLapiAllocateFunc)(void);
 typedef void (*BLapiDestroyContextFunc)(void *cx, PRBool freeit);
-typedef SECStatus (*BLapiInitContextFunc)(void *cx, 
-				   const unsigned char *key, 
-				   unsigned int keylen,
-				   const unsigned char *, 
-				   int, 
-				   unsigned int ,
-				   unsigned int );
+typedef SECStatus (*BLapiInitContextFunc)(void *cx,
+                                          const unsigned char *key,
+                                          unsigned int keylen,
+                                          const unsigned char *,
+                                          int,
+                                          unsigned int,
+                                          unsigned int);
 typedef SECStatus (*BLapiEncrypt)(void *cx, unsigned char *output,
-				unsigned int *outputLen, 
-				unsigned int maxOutputLen,
-				const unsigned char *input, 
-				unsigned int inputLen);
+                                  unsigned int *outputLen,
+                                  unsigned int maxOutputLen,
+                                  const unsigned char *input,
+                                  unsigned int inputLen);
 
 #endif /* _BLAPIT_H_ */
--- a/security/nss/lib/freebl/blname.c
+++ b/security/nss/lib/freebl/blname.c
@@ -1,98 +1,100 @@
 /*
- *  * blname.c - determine the freebl library name.
- *   *
- *    * This Source Code Form is subject to the terms of the Mozilla Public
- *     * License, v. 2.0. If a copy of the MPL was not distributed with this
- *      * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+ *  blname.c - determine the freebl library name.
+ *  This Source Code Form is subject to the terms of the Mozilla Public
+ *  License, v. 2.0. If a copy of the MPL was not distributed with this
+ *  file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #if defined(FREEBL_LOWHASH)
 static const char* default_name =
-    SHLIB_PREFIX"freeblpriv"SHLIB_VERSION"."SHLIB_SUFFIX;
+    SHLIB_PREFIX "freeblpriv" SHLIB_VERSION "." SHLIB_SUFFIX;
 #else
 static const char* default_name =
-    SHLIB_PREFIX"freebl"SHLIB_VERSION"."SHLIB_SUFFIX;
+    SHLIB_PREFIX "freebl" SHLIB_VERSION "." SHLIB_SUFFIX;
 #endif
 
 /* getLibName() returns the name of the library to load. */
 
 #if defined(SOLARIS) && defined(__sparc)
 #include <stddef.h>
 #include <strings.h>
 #include <sys/systeminfo.h>
 
-
 #if defined(NSS_USE_64)
 
 const static char fpu_hybrid_shared_lib[] = "libfreebl_64fpu_3.so";
 const static char int_hybrid_shared_lib[] = "libfreebl_64int_3.so";
 const static char non_hybrid_shared_lib[] = "libfreebl_64fpu_3.so";
 
 const static char int_hybrid_isa[] = "sparcv9";
 const static char fpu_hybrid_isa[] = "sparcv9+vis";
 
 #else
 
 const static char fpu_hybrid_shared_lib[] = "libfreebl_32fpu_3.so";
 const static char int_hybrid_shared_lib[] = "libfreebl_32int64_3.so";
 /* This was for SPARC V8, now obsolete. */
-const static char *const non_hybrid_shared_lib = NULL;
+const static char* const non_hybrid_shared_lib = NULL;
 
 const static char int_hybrid_isa[] = "sparcv8plus";
 const static char fpu_hybrid_isa[] = "sparcv8plus+vis";
 
 #endif
 
-static const char *
+static const char*
 getLibName(void)
 {
-    char * found_int_hybrid;
-    char * found_fpu_hybrid;
+    char* found_int_hybrid;
+    char* found_fpu_hybrid;
     long buflen;
     char buf[256];
 
     buflen = sysinfo(SI_ISALIST, buf, sizeof buf);
-    if (buflen <= 0) 
-	return NULL;
+    if (buflen <= 0)
+        return NULL;
     /* sysinfo output is always supposed to be NUL terminated, but ... */
-    if (buflen < sizeof buf) 
-    	buf[buflen] = '\0';
+    if (buflen < sizeof buf)
+        buf[buflen] = '\0';
     else
-    	buf[(sizeof buf) - 1] = '\0';
+        buf[(sizeof buf) - 1] = '\0';
     /* The ISA list is a space separated string of names of ISAs and
      * ISA extensions, in order of decreasing performance.
      * There are two different ISAs with which NSS's crypto code can be
      * accelerated. If both are in the list, we take the first one.
      * If one is in the list, we use it, and if neither then we use
      * the base unaccelerated code.
      */
     found_int_hybrid = strstr(buf, int_hybrid_isa);
     found_fpu_hybrid = strstr(buf, fpu_hybrid_isa);
-    if (found_fpu_hybrid && 
-	(!found_int_hybrid ||
-	 (found_int_hybrid - found_fpu_hybrid) >= 0)) {
-	return fpu_hybrid_shared_lib;
+    if (found_fpu_hybrid &&
+        (!found_int_hybrid ||
+         (found_int_hybrid - found_fpu_hybrid) >= 0)) {
+        return fpu_hybrid_shared_lib;
     }
     if (found_int_hybrid) {
-	return int_hybrid_shared_lib;
+        return int_hybrid_shared_lib;
     }
     return non_hybrid_shared_lib;
 }
 
 #elif defined(HPUX) && !defined(NSS_USE_64) && !defined(__ia64)
 #include <unistd.h>
 
 /* This code tests to see if we're running on a PA2.x CPU.
 ** It returns true (1) if so, and false (0) otherwise.
 */
-static const char *
+static const char*
 getLibName(void)
 {
     long cpu = sysconf(_SC_CPU_VERSION);
-    return (cpu == CPU_PA_RISC2_0) 
-		? "libfreebl_32fpu_3.sl"
-	        : "libfreebl_32int_3.sl" ;
+    return (cpu == CPU_PA_RISC2_0)
+               ? "libfreebl_32fpu_3.sl"
+               : "libfreebl_32int_3.sl";
 }
 #else
 /* default case, for platforms/ABIs that have only one freebl shared lib. */
-static const char * getLibName(void) { return default_name; }
+static const char*
+getLibName(void)
+{
+    return default_name;
+}
 #endif
--- a/security/nss/lib/freebl/camellia.c
+++ b/security/nss/lib/freebl/camellia.c
@@ -10,17 +10,16 @@
 #include "prerr.h"
 #include "secerr.h"
 
 #include "prtypes.h"
 #include "blapi.h"
 #include "camellia.h"
 #include "sha_fast.h" /* for SHA_HTONL and related configuration macros */
 
-
 /* key constants */
 
 #define CAMELLIA_SIGMA1L (0xA09E667FL)
 #define CAMELLIA_SIGMA1R (0x3BCC908BL)
 #define CAMELLIA_SIGMA2L (0xB67AE858L)
 #define CAMELLIA_SIGMA2R (0x4CAA73B2L)
 #define CAMELLIA_SIGMA3L (0xC6EF372FL)
 #define CAMELLIA_SIGMA3R (0xE94F82BEL)
@@ -30,528 +29,578 @@
 #define CAMELLIA_SIGMA5R (0xDE682D1DL)
 #define CAMELLIA_SIGMA6L (0xB05688C2L)
 #define CAMELLIA_SIGMA6R (0xB3E6C1FDL)
 
 /*
  *  macros
  */
 
-
 #if defined(SHA_ALLOW_UNALIGNED_ACCESS)
 
 /* require a CPU that allows unaligned access */
 
 #if defined(SHA_NEED_TMP_VARIABLE)
 #define CAMELLIA_NEED_TMP_VARIABLE 1
 #endif
 
-# define GETU32(p) SHA_HTONL(*((PRUint32 *)(p)))
-# define PUTU32(ct, st) {*((PRUint32 *)(ct)) = SHA_HTONL(st);}
+#define GETU32(p) SHA_HTONL(*((PRUint32 *)(p)))
+#define PUTU32(ct, st)                       \
+    {                                        \
+        *((PRUint32 *)(ct)) = SHA_HTONL(st); \
+    }
 
 #else /* no unaligned access */
 
-# define GETU32(pt)					\
-    (((PRUint32)(pt)[0] << 24)				\
-     ^ ((PRUint32)(pt)[1] << 16)			\
-     ^ ((PRUint32)(pt)[2] <<  8)			\
-     ^ ((PRUint32)(pt)[3]))
+#define GETU32(pt) \
+    (((PRUint32)(pt)[0] << 24) ^ ((PRUint32)(pt)[1] << 16) ^ ((PRUint32)(pt)[2] << 8) ^ ((PRUint32)(pt)[3]))
 
-# define PUTU32(ct, st)  {				\
-	(ct)[0] = (PRUint8)((st) >> 24);		\
-	(ct)[1] = (PRUint8)((st) >> 16);		\
-	(ct)[2] = (PRUint8)((st) >>  8);		\
-	(ct)[3] = (PRUint8)(st); }
+#define PUTU32(ct, st)                   \
+    {                                    \
+        (ct)[0] = (PRUint8)((st) >> 24); \
+        (ct)[1] = (PRUint8)((st) >> 16); \
+        (ct)[2] = (PRUint8)((st) >> 8);  \
+        (ct)[3] = (PRUint8)(st);         \
+    }
 
 #endif
 
 #define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2])
 #define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2 + 1])
 
 /* rotation right shift 1byte */
 #define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24))
 /* rotation left shift 1bit */
 #define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31))
 /* rotation left shift 1byte */
 #define CAMELLIA_RL8(x) (((x) << 8) + ((x) >> 24))
 
-#define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits)	\
-    do {						\
-	w0 = ll;					\
-	ll = (ll << bits) + (lr >> (32 - bits));	\
-	lr = (lr << bits) + (rl >> (32 - bits));	\
-	rl = (rl << bits) + (rr >> (32 - bits));	\
-	rr = (rr << bits) + (w0 >> (32 - bits));	\
-    } while(0)
+#define CAMELLIA_ROLDQ(ll, lr, rl, rr, w0, w1, bits) \
+    do {                                             \
+        w0 = ll;                                     \
+        ll = (ll << bits) + (lr >> (32 - bits));     \
+        lr = (lr << bits) + (rl >> (32 - bits));     \
+        rl = (rl << bits) + (rr >> (32 - bits));     \
+        rr = (rr << bits) + (w0 >> (32 - bits));     \
+    } while (0)
 
-#define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits)	\
-    do {						\
-	w0 = ll;					\
-	w1 = lr;					\
-	ll = (lr << (bits - 32)) + (rl >> (64 - bits));	\
-	lr = (rl << (bits - 32)) + (rr >> (64 - bits));	\
-	rl = (rr << (bits - 32)) + (w0 >> (64 - bits));	\
-	rr = (w0 << (bits - 32)) + (w1 >> (64 - bits));	\
-    } while(0)
+#define CAMELLIA_ROLDQo32(ll, lr, rl, rr, w0, w1, bits) \
+    do {                                                \
+        w0 = ll;                                        \
+        w1 = lr;                                        \
+        ll = (lr << (bits - 32)) + (rl >> (64 - bits)); \
+        lr = (rl << (bits - 32)) + (rr >> (64 - bits)); \
+        rl = (rr << (bits - 32)) + (w0 >> (64 - bits)); \
+        rr = (w0 << (bits - 32)) + (w1 >> (64 - bits)); \
+    } while (0)
 
 #define CAMELLIA_SP1110(INDEX) (camellia_sp1110[(INDEX)])
 #define CAMELLIA_SP0222(INDEX) (camellia_sp0222[(INDEX)])
 #define CAMELLIA_SP3033(INDEX) (camellia_sp3033[(INDEX)])
 #define CAMELLIA_SP4404(INDEX) (camellia_sp4404[(INDEX)])
 
-#define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)	\
-    do {							\
-	il = xl ^ kl;						\
-	ir = xr ^ kr;						\
-	t0 = il >> 16;						\
-	t1 = ir >> 16;						\
-	yl = CAMELLIA_SP1110(ir & 0xff)				\
-	    ^ CAMELLIA_SP0222((t1 >> 8) & 0xff)			\
-	    ^ CAMELLIA_SP3033(t1 & 0xff)			\
-	    ^ CAMELLIA_SP4404((ir >> 8) & 0xff);		\
-	yr = CAMELLIA_SP1110((t0 >> 8) & 0xff)			\
-	    ^ CAMELLIA_SP0222(t0 & 0xff)			\
-	    ^ CAMELLIA_SP3033((il >> 8) & 0xff)			\
-	    ^ CAMELLIA_SP4404(il & 0xff);			\
-	yl ^= yr;						\
-	yr = CAMELLIA_RR8(yr);					\
-	yr ^= yl;						\
-    } while(0)
-
+#define CAMELLIA_F(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \
+    do {                                                   \
+        il = xl ^ kl;                                      \
+        ir = xr ^ kr;                                      \
+        t0 = il >> 16;                                     \
+        t1 = ir >> 16;                                     \
+        yl = CAMELLIA_SP1110(ir & 0xff) ^                  \
+             CAMELLIA_SP0222((t1 >> 8) & 0xff) ^           \
+             CAMELLIA_SP3033(t1 & 0xff) ^                  \
+             CAMELLIA_SP4404((ir >> 8) & 0xff);            \
+        yr = CAMELLIA_SP1110((t0 >> 8) & 0xff) ^           \
+             CAMELLIA_SP0222(t0 & 0xff) ^                  \
+             CAMELLIA_SP3033((il >> 8) & 0xff) ^           \
+             CAMELLIA_SP4404(il & 0xff);                   \
+        yl ^= yr;                                          \
+        yr = CAMELLIA_RR8(yr);                             \
+        yr ^= yl;                                          \
+    } while (0)
 
 /*
  * for speed up
  *
  */
 #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \
-    do {								\
-	t0 = kll;							\
-	t0 &= ll;							\
-	lr ^= CAMELLIA_RL1(t0);						\
-	t1 = klr;							\
-	t1 |= lr;							\
-	ll ^= t1;							\
-									\
-	t2 = krr;							\
-	t2 |= rr;							\
-	rl ^= t2;							\
-	t3 = krl;							\
-	t3 &= rl;							\
-	rr ^= CAMELLIA_RL1(t3);						\
-    } while(0)
+    do {                                                                 \
+        t0 = kll;                                                        \
+        t0 &= ll;                                                        \
+        lr ^= CAMELLIA_RL1(t0);                                          \
+        t1 = klr;                                                        \
+        t1 |= lr;                                                        \
+        ll ^= t1;                                                        \
+                                                                         \
+        t2 = krr;                                                        \
+        t2 |= rr;                                                        \
+        rl ^= t2;                                                        \
+        t3 = krl;                                                        \
+        t3 &= rl;                                                        \
+        rr ^= CAMELLIA_RL1(t3);                                          \
+    } while (0)
 
-#define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1)	\
-    do {								\
-	ir = CAMELLIA_SP1110(xr & 0xff)					\
-	    ^ CAMELLIA_SP0222((xr >> 24) & 0xff)			\
-	    ^ CAMELLIA_SP3033((xr >> 16) & 0xff)			\
-	    ^ CAMELLIA_SP4404((xr >> 8) & 0xff);			\
-	il = CAMELLIA_SP1110((xl >> 24) & 0xff)				\
-	    ^ CAMELLIA_SP0222((xl >> 16) & 0xff)			\
-	    ^ CAMELLIA_SP3033((xl >> 8) & 0xff)				\
-	    ^ CAMELLIA_SP4404(xl & 0xff);				\
-	il ^= kl;							\
-	ir ^= kr;							\
-	ir ^= il;							\
-	il = CAMELLIA_RR8(il);						\
-	il ^= ir;							\
-	yl ^= ir;							\
-	yr ^= il;							\
-    } while(0)
-
+#define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \
+    do {                                                         \
+        ir = CAMELLIA_SP1110(xr & 0xff) ^                        \
+             CAMELLIA_SP0222((xr >> 24) & 0xff) ^                \
+             CAMELLIA_SP3033((xr >> 16) & 0xff) ^                \
+             CAMELLIA_SP4404((xr >> 8) & 0xff);                  \
+        il = CAMELLIA_SP1110((xl >> 24) & 0xff) ^                \
+             CAMELLIA_SP0222((xl >> 16) & 0xff) ^                \
+             CAMELLIA_SP3033((xl >> 8) & 0xff) ^                 \
+             CAMELLIA_SP4404(xl & 0xff);                         \
+        il ^= kl;                                                \
+        ir ^= kr;                                                \
+        ir ^= il;                                                \
+        il = CAMELLIA_RR8(il);                                   \
+        il ^= ir;                                                \
+        yl ^= ir;                                                \
+        yr ^= il;                                                \
+    } while (0)
 
 static const PRUint32 camellia_sp1110[256] = {
-    0x70707000,0x82828200,0x2c2c2c00,0xececec00,
-    0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500,
-    0xe4e4e400,0x85858500,0x57575700,0x35353500,
-    0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100,
-    0x23232300,0xefefef00,0x6b6b6b00,0x93939300,
-    0x45454500,0x19191900,0xa5a5a500,0x21212100,
-    0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00,
-    0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00,
-    0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00,
-    0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00,
-    0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00,
-    0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00,
-    0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00,
-    0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00,
-    0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600,
-    0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00,
-    0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600,
-    0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00,
-    0x74747400,0x12121200,0x2b2b2b00,0x20202000,
-    0xf0f0f000,0xb1b1b100,0x84848400,0x99999900,
-    0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200,
-    0x34343400,0x7e7e7e00,0x76767600,0x05050500,
-    0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100,
-    0xd1d1d100,0x17171700,0x04040400,0xd7d7d700,
-    0x14141400,0x58585800,0x3a3a3a00,0x61616100,
-    0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00,
-    0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600,
-    0x53535300,0x18181800,0xf2f2f200,0x22222200,
-    0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200,
-    0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100,
-    0x24242400,0x08080800,0xe8e8e800,0xa8a8a800,
-    0x60606000,0xfcfcfc00,0x69696900,0x50505000,
-    0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00,
-    0xa1a1a100,0x89898900,0x62626200,0x97979700,
-    0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500,
-    0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200,
-    0x10101000,0xc4c4c400,0x00000000,0x48484800,
-    0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00,
-    0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00,
-    0x09090900,0x3f3f3f00,0xdddddd00,0x94949400,
-    0x87878700,0x5c5c5c00,0x83838300,0x02020200,
-    0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300,
-    0x73737300,0x67676700,0xf6f6f600,0xf3f3f300,
-    0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200,
-    0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600,
-    0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00,
-    0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00,
-    0x13131300,0xbebebe00,0x63636300,0x2e2e2e00,
-    0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00,
-    0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00,
-    0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600,
-    0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900,
-    0x78787800,0x98989800,0x06060600,0x6a6a6a00,
-    0xe7e7e700,0x46464600,0x71717100,0xbababa00,
-    0xd4d4d400,0x25252500,0xababab00,0x42424200,
-    0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00,
-    0x72727200,0x07070700,0xb9b9b900,0x55555500,
-    0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00,
-    0x36363600,0x49494900,0x2a2a2a00,0x68686800,
-    0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400,
-    0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00,
-    0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100,
-    0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400,
-    0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00,
+    0x70707000, 0x82828200, 0x2c2c2c00, 0xececec00,
+    0xb3b3b300, 0x27272700, 0xc0c0c000, 0xe5e5e500,
+    0xe4e4e400, 0x85858500, 0x57575700, 0x35353500,
+    0xeaeaea00, 0x0c0c0c00, 0xaeaeae00, 0x41414100,
+    0x23232300, 0xefefef00, 0x6b6b6b00, 0x93939300,
+    0x45454500, 0x19191900, 0xa5a5a500, 0x21212100,
+    0xededed00, 0x0e0e0e00, 0x4f4f4f00, 0x4e4e4e00,
+    0x1d1d1d00, 0x65656500, 0x92929200, 0xbdbdbd00,
+    0x86868600, 0xb8b8b800, 0xafafaf00, 0x8f8f8f00,
+    0x7c7c7c00, 0xebebeb00, 0x1f1f1f00, 0xcecece00,
+    0x3e3e3e00, 0x30303000, 0xdcdcdc00, 0x5f5f5f00,
+    0x5e5e5e00, 0xc5c5c500, 0x0b0b0b00, 0x1a1a1a00,
+    0xa6a6a600, 0xe1e1e100, 0x39393900, 0xcacaca00,
+    0xd5d5d500, 0x47474700, 0x5d5d5d00, 0x3d3d3d00,
+    0xd9d9d900, 0x01010100, 0x5a5a5a00, 0xd6d6d600,
+    0x51515100, 0x56565600, 0x6c6c6c00, 0x4d4d4d00,
+    0x8b8b8b00, 0x0d0d0d00, 0x9a9a9a00, 0x66666600,
+    0xfbfbfb00, 0xcccccc00, 0xb0b0b000, 0x2d2d2d00,
+    0x74747400, 0x12121200, 0x2b2b2b00, 0x20202000,
+    0xf0f0f000, 0xb1b1b100, 0x84848400, 0x99999900,
+    0xdfdfdf00, 0x4c4c4c00, 0xcbcbcb00, 0xc2c2c200,
+    0x34343400, 0x7e7e7e00, 0x76767600, 0x05050500,
+    0x6d6d6d00, 0xb7b7b700, 0xa9a9a900, 0x31313100,
+    0xd1d1d100, 0x17171700, 0x04040400, 0xd7d7d700,
+    0x14141400, 0x58585800, 0x3a3a3a00, 0x61616100,
+    0xdedede00, 0x1b1b1b00, 0x11111100, 0x1c1c1c00,
+    0x32323200, 0x0f0f0f00, 0x9c9c9c00, 0x16161600,
+    0x53535300, 0x18181800, 0xf2f2f200, 0x22222200,
+    0xfefefe00, 0x44444400, 0xcfcfcf00, 0xb2b2b200,
+    0xc3c3c300, 0xb5b5b500, 0x7a7a7a00, 0x91919100,
+    0x24242400, 0x08080800, 0xe8e8e800, 0xa8a8a800,
+    0x60606000, 0xfcfcfc00, 0x69696900, 0x50505000,
+    0xaaaaaa00, 0xd0d0d000, 0xa0a0a000, 0x7d7d7d00,
+    0xa1a1a100, 0x89898900, 0x62626200, 0x97979700,
+    0x54545400, 0x5b5b5b00, 0x1e1e1e00, 0x95959500,
+    0xe0e0e000, 0xffffff00, 0x64646400, 0xd2d2d200,
+    0x10101000, 0xc4c4c400, 0x00000000, 0x48484800,
+    0xa3a3a300, 0xf7f7f700, 0x75757500, 0xdbdbdb00,
+    0x8a8a8a00, 0x03030300, 0xe6e6e600, 0xdadada00,
+    0x09090900, 0x3f3f3f00, 0xdddddd00, 0x94949400,
+    0x87878700, 0x5c5c5c00, 0x83838300, 0x02020200,
+    0xcdcdcd00, 0x4a4a4a00, 0x90909000, 0x33333300,
+    0x73737300, 0x67676700, 0xf6f6f600, 0xf3f3f300,
+    0x9d9d9d00, 0x7f7f7f00, 0xbfbfbf00, 0xe2e2e200,
+    0x52525200, 0x9b9b9b00, 0xd8d8d800, 0x26262600,
+    0xc8c8c800, 0x37373700, 0xc6c6c600, 0x3b3b3b00,
+    0x81818100, 0x96969600, 0x6f6f6f00, 0x4b4b4b00,
+    0x13131300, 0xbebebe00, 0x63636300, 0x2e2e2e00,
+    0xe9e9e900, 0x79797900, 0xa7a7a700, 0x8c8c8c00,
+    0x9f9f9f00, 0x6e6e6e00, 0xbcbcbc00, 0x8e8e8e00,
+    0x29292900, 0xf5f5f500, 0xf9f9f900, 0xb6b6b600,
+    0x2f2f2f00, 0xfdfdfd00, 0xb4b4b400, 0x59595900,
+    0x78787800, 0x98989800, 0x06060600, 0x6a6a6a00,
+    0xe7e7e700, 0x46464600, 0x71717100, 0xbababa00,
+    0xd4d4d400, 0x25252500, 0xababab00, 0x42424200,
+    0x88888800, 0xa2a2a200, 0x8d8d8d00, 0xfafafa00,
+    0x72727200, 0x07070700, 0xb9b9b900, 0x55555500,
+    0xf8f8f800, 0xeeeeee00, 0xacacac00, 0x0a0a0a00,
+    0x36363600, 0x49494900, 0x2a2a2a00, 0x68686800,
+    0x3c3c3c00, 0x38383800, 0xf1f1f100, 0xa4a4a400,
+    0x40404000, 0x28282800, 0xd3d3d300, 0x7b7b7b00,
+    0xbbbbbb00, 0xc9c9c900, 0x43434300, 0xc1c1c100,
+    0x15151500, 0xe3e3e300, 0xadadad00, 0xf4f4f400,
+    0x77777700, 0xc7c7c700, 0x80808000, 0x9e9e9e00,
 };
 
 static const PRUint32 camellia_sp0222[256] = {
-    0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9,
-    0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb,
-    0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a,
-    0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282,
-    0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727,
-    0x008a8a8a,0x00323232,0x004b4b4b,0x00424242,
-    0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c,
-    0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b,
-    0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f,
-    0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d,
-    0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe,
-    0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434,
-    0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595,
-    0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a,
-    0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad,
-    0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a,
-    0x00171717,0x001a1a1a,0x00353535,0x00cccccc,
-    0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a,
-    0x00e8e8e8,0x00242424,0x00565656,0x00404040,
-    0x00e1e1e1,0x00636363,0x00090909,0x00333333,
-    0x00bfbfbf,0x00989898,0x00979797,0x00858585,
-    0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a,
-    0x00dadada,0x006f6f6f,0x00535353,0x00626262,
-    0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf,
-    0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2,
-    0x00bdbdbd,0x00363636,0x00222222,0x00383838,
-    0x00646464,0x001e1e1e,0x00393939,0x002c2c2c,
-    0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444,
-    0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565,
-    0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323,
-    0x00484848,0x00101010,0x00d1d1d1,0x00515151,
-    0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0,
-    0x00555555,0x00a1a1a1,0x00414141,0x00fafafa,
-    0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f,
-    0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b,
-    0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5,
-    0x00202020,0x00898989,0x00000000,0x00909090,
-    0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7,
-    0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5,
-    0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929,
-    0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404,
-    0x009b9b9b,0x00949494,0x00212121,0x00666666,
-    0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7,
-    0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5,
-    0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c,
-    0x00919191,0x006e6e6e,0x008d8d8d,0x00767676,
-    0x00030303,0x002d2d2d,0x00dedede,0x00969696,
-    0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c,
-    0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919,
-    0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d,
-    0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d,
-    0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2,
-    0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4,
-    0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575,
-    0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484,
-    0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5,
-    0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa,
-    0x00f1f1f1,0x00dddddd,0x00595959,0x00141414,
-    0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0,
-    0x00787878,0x00707070,0x00e3e3e3,0x00494949,
-    0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6,
-    0x00777777,0x00939393,0x00868686,0x00838383,
-    0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9,
-    0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d,
+    0x00e0e0e0, 0x00050505, 0x00585858, 0x00d9d9d9,
+    0x00676767, 0x004e4e4e, 0x00818181, 0x00cbcbcb,
+    0x00c9c9c9, 0x000b0b0b, 0x00aeaeae, 0x006a6a6a,
+    0x00d5d5d5, 0x00181818, 0x005d5d5d, 0x00828282,
+    0x00464646, 0x00dfdfdf, 0x00d6d6d6, 0x00272727,
+    0x008a8a8a, 0x00323232, 0x004b4b4b, 0x00424242,
+    0x00dbdbdb, 0x001c1c1c, 0x009e9e9e, 0x009c9c9c,
+    0x003a3a3a, 0x00cacaca, 0x00252525, 0x007b7b7b,
+    0x000d0d0d, 0x00717171, 0x005f5f5f, 0x001f1f1f,
+    0x00f8f8f8, 0x00d7d7d7, 0x003e3e3e, 0x009d9d9d,
+    0x007c7c7c, 0x00606060, 0x00b9b9b9, 0x00bebebe,
+    0x00bcbcbc, 0x008b8b8b, 0x00161616, 0x00343434,
+    0x004d4d4d, 0x00c3c3c3, 0x00727272, 0x00959595,
+    0x00ababab, 0x008e8e8e, 0x00bababa, 0x007a7a7a,
+    0x00b3b3b3, 0x00020202, 0x00b4b4b4, 0x00adadad,
+    0x00a2a2a2, 0x00acacac, 0x00d8d8d8, 0x009a9a9a,
+    0x00171717, 0x001a1a1a, 0x00353535, 0x00cccccc,
+    0x00f7f7f7, 0x00999999, 0x00616161, 0x005a5a5a,
+    0x00e8e8e8, 0x00242424, 0x00565656, 0x00404040,
+    0x00e1e1e1, 0x00636363, 0x00090909, 0x00333333,
+    0x00bfbfbf, 0x00989898, 0x00979797, 0x00858585,
+    0x00686868, 0x00fcfcfc, 0x00ececec, 0x000a0a0a,
+    0x00dadada, 0x006f6f6f, 0x00535353, 0x00626262,
+    0x00a3a3a3, 0x002e2e2e, 0x00080808, 0x00afafaf,
+    0x00282828, 0x00b0b0b0, 0x00747474, 0x00c2c2c2,
+    0x00bdbdbd, 0x00363636, 0x00222222, 0x00383838,
+    0x00646464, 0x001e1e1e, 0x00393939, 0x002c2c2c,
+    0x00a6a6a6, 0x00303030, 0x00e5e5e5, 0x00444444,
+    0x00fdfdfd, 0x00888888, 0x009f9f9f, 0x00656565,
+    0x00878787, 0x006b6b6b, 0x00f4f4f4, 0x00232323,
+    0x00484848, 0x00101010, 0x00d1d1d1, 0x00515151,
+    0x00c0c0c0, 0x00f9f9f9, 0x00d2d2d2, 0x00a0a0a0,
+    0x00555555, 0x00a1a1a1, 0x00414141, 0x00fafafa,
+    0x00434343, 0x00131313, 0x00c4c4c4, 0x002f2f2f,
+    0x00a8a8a8, 0x00b6b6b6, 0x003c3c3c, 0x002b2b2b,
+    0x00c1c1c1, 0x00ffffff, 0x00c8c8c8, 0x00a5a5a5,
+    0x00202020, 0x00898989, 0x00000000, 0x00909090,
+    0x00474747, 0x00efefef, 0x00eaeaea, 0x00b7b7b7,
+    0x00151515, 0x00060606, 0x00cdcdcd, 0x00b5b5b5,
+    0x00121212, 0x007e7e7e, 0x00bbbbbb, 0x00292929,
+    0x000f0f0f, 0x00b8b8b8, 0x00070707, 0x00040404,
+    0x009b9b9b, 0x00949494, 0x00212121, 0x00666666,
+    0x00e6e6e6, 0x00cecece, 0x00ededed, 0x00e7e7e7,
+    0x003b3b3b, 0x00fefefe, 0x007f7f7f, 0x00c5c5c5,
+    0x00a4a4a4, 0x00373737, 0x00b1b1b1, 0x004c4c4c,
+    0x00919191, 0x006e6e6e, 0x008d8d8d, 0x00767676,
+    0x00030303, 0x002d2d2d, 0x00dedede, 0x00969696,
+    0x00262626, 0x007d7d7d, 0x00c6c6c6, 0x005c5c5c,
+    0x00d3d3d3, 0x00f2f2f2, 0x004f4f4f, 0x00191919,
+    0x003f3f3f, 0x00dcdcdc, 0x00797979, 0x001d1d1d,
+    0x00525252, 0x00ebebeb, 0x00f3f3f3, 0x006d6d6d,
+    0x005e5e5e, 0x00fbfbfb, 0x00696969, 0x00b2b2b2,
+    0x00f0f0f0, 0x00313131, 0x000c0c0c, 0x00d4d4d4,
+    0x00cfcfcf, 0x008c8c8c, 0x00e2e2e2, 0x00757575,
+    0x00a9a9a9, 0x004a4a4a, 0x00575757, 0x00848484,
+    0x00111111, 0x00454545, 0x001b1b1b, 0x00f5f5f5,
+    0x00e4e4e4, 0x000e0e0e, 0x00737373, 0x00aaaaaa,
+    0x00f1f1f1, 0x00dddddd, 0x00595959, 0x00141414,
+    0x006c6c6c, 0x00929292, 0x00545454, 0x00d0d0d0,
+    0x00787878, 0x00707070, 0x00e3e3e3, 0x00494949,
+    0x00808080, 0x00505050, 0x00a7a7a7, 0x00f6f6f6,
+    0x00777777, 0x00939393, 0x00868686, 0x00838383,
+    0x002a2a2a, 0x00c7c7c7, 0x005b5b5b, 0x00e9e9e9,
+    0x00eeeeee, 0x008f8f8f, 0x00010101, 0x003d3d3d,
 };
 
 static const PRUint32 camellia_sp3033[256] = {
-    0x38003838,0x41004141,0x16001616,0x76007676,
-    0xd900d9d9,0x93009393,0x60006060,0xf200f2f2,
-    0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a,
-    0x75007575,0x06000606,0x57005757,0xa000a0a0,
-    0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9,
-    0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090,
-    0xf600f6f6,0x07000707,0xa700a7a7,0x27002727,
-    0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede,
-    0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7,
-    0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767,
-    0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf,
-    0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d,
-    0x53005353,0xf000f0f0,0x9c009c9c,0x65006565,
-    0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e,
-    0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b,
-    0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6,
-    0xc500c5c5,0x86008686,0x4d004d4d,0x33003333,
-    0xfd00fdfd,0x66006666,0x58005858,0x96009696,
-    0x3a003a3a,0x09000909,0x95009595,0x10001010,
-    0x78007878,0xd800d8d8,0x42004242,0xcc00cccc,
-    0xef00efef,0x26002626,0xe500e5e5,0x61006161,
-    0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282,
-    0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898,
-    0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb,
-    0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0,
-    0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e,
-    0x19001919,0x87008787,0x4e004e4e,0x0b000b0b,
-    0xa900a9a9,0x0c000c0c,0x79007979,0x11001111,
-    0x7f007f7f,0x22002222,0xe700e7e7,0x59005959,
-    0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8,
-    0x12001212,0x04000404,0x74007474,0x54005454,
-    0x30003030,0x7e007e7e,0xb400b4b4,0x28002828,
-    0x55005555,0x68006868,0x50005050,0xbe00bebe,
-    0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb,
-    0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca,
-    0x70007070,0xff00ffff,0x32003232,0x69006969,
-    0x08000808,0x62006262,0x00000000,0x24002424,
-    0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded,
-    0x45004545,0x81008181,0x73007373,0x6d006d6d,
-    0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a,
-    0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101,
-    0xe600e6e6,0x25002525,0x48004848,0x99009999,
-    0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9,
-    0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171,
-    0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313,
-    0x64006464,0x9b009b9b,0x63006363,0x9d009d9d,
-    0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5,
-    0x89008989,0x5f005f5f,0xb100b1b1,0x17001717,
-    0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646,
-    0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747,
-    0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b,
-    0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac,
-    0x3c003c3c,0x4c004c4c,0x03000303,0x35003535,
-    0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d,
-    0x6a006a6a,0x92009292,0xd500d5d5,0x21002121,
-    0x44004444,0x51005151,0xc600c6c6,0x7d007d7d,
-    0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa,
-    0x7c007c7c,0x77007777,0x56005656,0x05000505,
-    0x1b001b1b,0xa400a4a4,0x15001515,0x34003434,
-    0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252,
-    0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd,
-    0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0,
-    0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a,
-    0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f,
+    0x38003838, 0x41004141, 0x16001616, 0x76007676,
+    0xd900d9d9, 0x93009393, 0x60006060, 0xf200f2f2,
+    0x72007272, 0xc200c2c2, 0xab00abab, 0x9a009a9a,
+    0x75007575, 0x06000606, 0x57005757, 0xa000a0a0,
+    0x91009191, 0xf700f7f7, 0xb500b5b5, 0xc900c9c9,
+    0xa200a2a2, 0x8c008c8c, 0xd200d2d2, 0x90009090,
+    0xf600f6f6, 0x07000707, 0xa700a7a7, 0x27002727,
+    0x8e008e8e, 0xb200b2b2, 0x49004949, 0xde00dede,
+    0x43004343, 0x5c005c5c, 0xd700d7d7, 0xc700c7c7,
+    0x3e003e3e, 0xf500f5f5, 0x8f008f8f, 0x67006767,
+    0x1f001f1f, 0x18001818, 0x6e006e6e, 0xaf00afaf,
+    0x2f002f2f, 0xe200e2e2, 0x85008585, 0x0d000d0d,
+    0x53005353, 0xf000f0f0, 0x9c009c9c, 0x65006565,
+    0xea00eaea, 0xa300a3a3, 0xae00aeae, 0x9e009e9e,
+    0xec00ecec, 0x80008080, 0x2d002d2d, 0x6b006b6b,
+    0xa800a8a8, 0x2b002b2b, 0x36003636, 0xa600a6a6,
+    0xc500c5c5, 0x86008686, 0x4d004d4d, 0x33003333,
+    0xfd00fdfd, 0x66006666, 0x58005858, 0x96009696,
+    0x3a003a3a, 0x09000909, 0x95009595, 0x10001010,
+    0x78007878, 0xd800d8d8, 0x42004242, 0xcc00cccc,
+    0xef00efef, 0x26002626, 0xe500e5e5, 0x61006161,
+    0x1a001a1a, 0x3f003f3f, 0x3b003b3b, 0x82008282,
+    0xb600b6b6, 0xdb00dbdb, 0xd400d4d4, 0x98009898,
+    0xe800e8e8, 0x8b008b8b, 0x02000202, 0xeb00ebeb,
+    0x0a000a0a, 0x2c002c2c, 0x1d001d1d, 0xb000b0b0,
+    0x6f006f6f, 0x8d008d8d, 0x88008888, 0x0e000e0e,
+    0x19001919, 0x87008787, 0x4e004e4e, 0x0b000b0b,
+    0xa900a9a9, 0x0c000c0c, 0x79007979, 0x11001111,
+    0x7f007f7f, 0x22002222, 0xe700e7e7, 0x59005959,
+    0xe100e1e1, 0xda00dada, 0x3d003d3d, 0xc800c8c8,
+    0x12001212, 0x04000404, 0x74007474, 0x54005454,
+    0x30003030, 0x7e007e7e, 0xb400b4b4, 0x28002828,
+    0x55005555, 0x68006868, 0x50005050, 0xbe00bebe,
+    0xd000d0d0, 0xc400c4c4, 0x31003131, 0xcb00cbcb,
+    0x2a002a2a, 0xad00adad, 0x0f000f0f, 0xca00caca,
+    0x70007070, 0xff00ffff, 0x32003232, 0x69006969,
+    0x08000808, 0x62006262, 0x00000000, 0x24002424,
+    0xd100d1d1, 0xfb00fbfb, 0xba00baba, 0xed00eded,
+    0x45004545, 0x81008181, 0x73007373, 0x6d006d6d,
+    0x84008484, 0x9f009f9f, 0xee00eeee, 0x4a004a4a,
+    0xc300c3c3, 0x2e002e2e, 0xc100c1c1, 0x01000101,
+    0xe600e6e6, 0x25002525, 0x48004848, 0x99009999,
+    0xb900b9b9, 0xb300b3b3, 0x7b007b7b, 0xf900f9f9,
+    0xce00cece, 0xbf00bfbf, 0xdf00dfdf, 0x71007171,