Bug 466745: Upgraded NSS to NSS_3_12_3_BETA3.
authorWan-Teh Chang <wtc@google.com>
Tue, 10 Feb 2009 09:18:32 -0800
changeset 24829 8334582740d7c159cb191583b21a0504c575cb47
parent 24828 c224a8b5416f32a6c5b96c8aa52f205f40ae4482
child 24830 096c7652745656d37b3a3f860e323da8e87f6d54
push idunknown
push userunknown
push dateunknown
bugs466745
milestone1.9.2a1pre
Bug 466745: Upgraded NSS to NSS_3_12_3_BETA3.
security/coreconf/WIN32.mk
security/coreconf/coreconf.dep
security/nss/cmd/bltest/blapitest.c
security/nss/cmd/crlutil/crlgen_lex.c
security/nss/cmd/crlutil/crlgen_lex_fix.sed
security/nss/cmd/crlutil/crlutil.c
security/nss/cmd/pk11mode/pk11mode.c
security/nss/cmd/vfychain/vfychain.c
security/nss/lib/certdb/alg1485.c
security/nss/lib/certdb/certdb.c
security/nss/lib/certdb/crl.c
security/nss/lib/certhigh/certvfypkix.c
security/nss/lib/ckfw/crypto.c
security/nss/lib/ckfw/find.c
security/nss/lib/ckfw/hash.c
security/nss/lib/ckfw/instance.c
security/nss/lib/ckfw/mechanism.c
security/nss/lib/ckfw/mutex.c
security/nss/lib/ckfw/object.c
security/nss/lib/ckfw/session.c
security/nss/lib/ckfw/sessobj.c
security/nss/lib/ckfw/slot.c
security/nss/lib/ckfw/token.c
security/nss/lib/ckfw/wrap.c
security/nss/lib/dev/ckhelper.c
security/nss/lib/freebl/blapi.h
security/nss/lib/freebl/blapii.h
security/nss/lib/freebl/config.mk
security/nss/lib/freebl/ldvector.c
security/nss/lib/freebl/loader.c
security/nss/lib/freebl/loader.h
security/nss/lib/freebl/prng_fips1861.c
security/nss/lib/freebl/rsa.c
security/nss/lib/freebl/win_rand.c
security/nss/lib/libpkix/include/pkix_certstore.h
security/nss/lib/libpkix/include/pkix_errorstrings.h
security/nss/lib/libpkix/include/pkix_pl_pki.h
security/nss/lib/libpkix/include/pkix_revchecker.h
security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.h
security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.h
security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.h
security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h
security/nss/lib/libpkix/pkix/params/pkix_procparams.c
security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c
security/nss/lib/libpkix/pkix/results/pkix_verifynode.c
security/nss/lib/libpkix/pkix/top/pkix_build.c
security/nss/lib/libpkix/pkix/top/pkix_build.h
security/nss/lib/libpkix/pkix/top/pkix_validate.c
security/nss/lib/libpkix/pkix/util/pkix_list.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.h
security/nss/lib/pki/certificate.c
security/nss/lib/softoken/fipsaudt.c
security/nss/lib/softoken/fipstokn.c
security/nss/lib/softoken/legacydb/keydb.c
security/nss/lib/softoken/legacydb/lgdb.h
security/nss/lib/softoken/legacydb/lginit.c
security/nss/lib/softoken/legacydb/pcertdb.c
security/nss/lib/softoken/lgglue.c
security/nss/lib/softoken/lgglue.h
security/nss/lib/softoken/pkcs11.c
security/nss/lib/softoken/pkcs11c.c
security/nss/lib/softoken/pkcs11i.h
security/nss/lib/softoken/pkcs11u.c
security/nss/lib/softoken/sdb.c
security/nss/lib/softoken/sdb.h
security/nss/lib/softoken/sftkdb.c
security/nss/lib/softoken/sftkpwd.c
security/nss/lib/softoken/softoken.h
security/nss/lib/softoken/softoknt.h
security/nss/lib/util/nssutil.def
security/nss/lib/util/secoid.c
security/nss/lib/util/secoid.h
security/nss/tests/chains/chains.sh
security/nss/tests/chains/scenarios/realcerts.cfg
security/nss/tests/chains/scenarios/revoc.cfg
security/nss/tests/chains/scenarios/scenarios
security/nss/tests/libpkix/certs/BrAirWaysBadSig.cert
security/nss/tests/libpkix/certs/PayPalEE.cert
--- a/security/coreconf/WIN32.mk
+++ b/security/coreconf/WIN32.mk
@@ -160,16 +160,20 @@ else # !NS_USE_GCC
 	DLLFLAGS   += -DEBUG -OUT:"$@"
 	LDFLAGS    += -DEBUG 
 ifndef MOZ_DEBUG_SYMBOLS
 	LDFLAGS    += -PDB:NONE 
 endif
 	# Purify requires /FIXED:NO when linking EXEs.
 	LDFLAGS    += /FIXED:NO
     endif
+    # Convert certain deadly warnings to errors (see list at end of file)
+    OS_CFLAGS += -we4002 -we4003 -we4004 -we4006 -we4009 \
+     -we4013 -we4015 -we4033 -we4035 -we4045 -we4053 -we4054 -we4063 \
+     -we4064 -we4078 -we4087 -we4098 -we4390 -we4551 -we4553 -we4715
 endif # NS_USE_GCC
 
 ifdef USE_64
 DEFINES += -DWIN64
 else
 DEFINES += -DWIN32
 endif
 
@@ -301,8 +305,33 @@ endif
 
 #
 # override the TARGETS defined in ruleset.mk, adding IMPORT_LIBRARY
 #
 ifndef TARGETS
     TARGETS = $(LIBRARY) $(SHARED_LIBRARY) $(IMPORT_LIBRARY) $(PROGRAM)
 endif
 
+# list of MSVC warnings converted to errors above:
+# 4002: too many actual parameters for macro 'identifier'
+# 4003: not enough actual parameters for macro 'identifier'
+# 4004: incorrect construction after 'defined'
+# 4006: #undef expected an identifier
+# 4009: string too big; trailing characters truncated
+# 4015: 'identifier' : type of bit field must be integral
+# 4033: 'function' must return a value
+# 4035: 'function' : no return value
+# 4045: 'identifier' : array bounds overflow
+# 4053: one void operand for '?:'
+# 4054: 'conversion' : from function pointer 'type1' to data pointer 'type2'
+# 4059: pascal string too big, length byte is length % 256
+# 4063: case 'identifier' is not a valid value for switch of enum 'identifier'
+# 4064: switch of incomplete enum 'identifier'
+# 4078: case constant 'value' too big for the type of the switch expression
+# 4087: 'function' : declared with 'void' parameter list
+# 4098: 'function' : void function returning a value
+# 4390: ';' : empty controlled statement found; is this the intent?
+# 4541: RTTI train wreck
+# 4715: not all control paths return a value
+# 4013: function undefined; assuming extern returning int
+# 4553: '==' : operator has no effect; did you intend '='?
+# 4551: function call missing argument list
+
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@@ -37,8 +37,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/cmd/bltest/blapitest.c
+++ b/security/nss/cmd/bltest/blapitest.c
@@ -3262,16 +3262,21 @@ int main(int argc, char **argv)
 	progName = strrchr(argv[0], '\\');
     progName = progName ? progName+1 : argv[0];
 
     rv = RNG_RNGInit();
     if (rv != SECSuccess) {
     	SECU_PrintPRandOSError(progName);
 	return -1;
     }
+    rv = BL_Init();
+    if (rv != SECSuccess) {
+    	SECU_PrintPRandOSError(progName);
+	return -1;
+    }
     RNG_SystemInfoForRNG();
 
     rv = SECU_ParseCommandLine(argc, argv, progName, &bltest);
     if (rv == SECFailure) {
         fprintf(stderr, "%s: command line parsing error!\n", progName);
         goto print_usage;
     }
     rv = SECFailure;
--- a/security/nss/cmd/crlutil/crlgen_lex.c
+++ b/security/nss/cmd/crlutil/crlgen_lex.c
@@ -1,32 +1,32 @@
 /* A lexical scanner generated by flex */
 
 /* Scanner skeleton version:
- * $Header: /cvsroot/mozilla/security/nss/cmd/crlutil/crlgen_lex.c,v 1.1 2005/04/12 02:24:14 alexei.volkov.bugs%sun.com Exp $
+ * $Header: /cvsroot/mozilla/security/nss/cmd/crlutil/crlgen_lex.c,v 1.2 2009/02/04 23:23:40 alexei.volkov.bugs%sun.com Exp $
  */
 
 #define FLEX_SCANNER
 #define YY_FLEX_MAJOR_VERSION 2
 #define YY_FLEX_MINOR_VERSION 5
 
 #include <stdio.h>
-#ifndef _WIN32
+#ifdef _WIN32
+#include <io.h>
+#else
 #include <unistd.h>
 #endif
 
-
 /* cfront 1.2 defines "c_plusplus" instead of "__cplusplus" */
 #ifdef c_plusplus
 #ifndef __cplusplus
 #define __cplusplus
 #endif
 #endif
 
-
 #ifdef __cplusplus
 
 #include <stdlib.h>
 
 /* Use prototypes in function declarations. */
 #define YY_USE_PROTOS
 
 /* The "const" storage-class-modifier is valid. */
--- a/security/nss/cmd/crlutil/crlgen_lex_fix.sed
+++ b/security/nss/cmd/crlutil/crlgen_lex_fix.sed
@@ -1,4 +1,6 @@
 /<unistd.h>/ {
-        i #ifndef _WIN32
+        i #ifdef _WIN32
+	i #include <io.h>
+	i #else
         a #endif
 }
--- a/security/nss/cmd/crlutil/crlutil.c
+++ b/security/nss/cmd/crlutil/crlutil.c
@@ -355,25 +355,24 @@ FindSigningCert(CERTCertDBHandle *certHa
 }
 
 static CERTSignedCrl*
 CreateModifiedCRLCopy(PRArenaPool *arena, CERTCertDBHandle *certHandle,
                 CERTCertificate **cert, char *certNickName,
                 PRFileDesc *inFile, PRInt32 decodeOptions,
                 PRInt32 importOptions)
 {
-    SECItem crlDER;
+    SECItem crlDER = {0, NULL, 0};
     CERTSignedCrl *signCrl = NULL;
     CERTSignedCrl *modCrl = NULL;
     PRArenaPool *modArena = NULL;
     SECStatus rv = SECSuccess;
 
-    PORT_Assert(arena != NULL && certHandle != NULL &&
-                certNickName != NULL);
     if (!arena || !certHandle || !certNickName) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
         SECU_PrintError(progName, "CreateModifiedCRLCopy: invalid args\n");
         return NULL;
     }
 
     modArena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
     if (!modArena) {
         SECU_PrintError(progName, "fail to allocate memory\n");
         return NULL;
@@ -439,17 +438,19 @@ CreateModifiedCRLCopy(PRArenaPool *arena
     if (rv != SECSuccess) {
         SECU_PrintError(progName, "fail to encode current time\n");
         goto loser;
     }
 
     signCrl->arena = arena;
 
   loser:
-    SECITEM_FreeItem(&crlDER, PR_FALSE);
+    if (crlDER.data) {
+        SECITEM_FreeItem(&crlDER, PR_FALSE);
+    }
     if (modCrl)
         SEC_DestroyCrl(modCrl);
     if (rv != SECSuccess && signCrl) {
         SEC_DestroyCrl(signCrl);
         signCrl = NULL;
     }
     return signCrl;
 }
@@ -461,18 +462,18 @@ CreateNewCrl(PRArenaPool *arena, CERTCer
 { 
     CERTSignedCrl *signCrl = NULL;
     void *dummy = NULL;
     SECStatus rv;
     void* mark = NULL;
 
     /* if the CERTSignedCrl structure changes, this function will need to be
        updated as well */
-    PORT_Assert(cert != NULL);
     if (!cert || !arena) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
         SECU_PrintError(progName, "invalid args for function "
                         "CreateNewCrl\n");
         return NULL;
     }
 
     mark = PORT_ArenaMark(arena);
         
     signCrl = PORT_ArenaZNew(arena, CERTSignedCrl);
@@ -526,18 +527,18 @@ CreateNewCrl(PRArenaPool *arena, CERTCer
 
 
 static SECStatus
 UpdateCrl(CERTSignedCrl *signCrl, PRFileDesc *inCrlInitFile)
 {
     CRLGENGeneratorData *crlGenData = NULL;
     SECStatus rv;
     
-    PORT_Assert(signCrl != NULL && inCrlInitFile != NULL);
     if (!signCrl || !inCrlInitFile) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
         SECU_PrintError(progName, "invalid args for function "
                         "CreateNewCrl\n");
         return SECFailure;
     }
 
     crlGenData = CRLGEN_InitCrlGeneration(signCrl, inCrlInitFile);
     if (!crlGenData) {
 	SECU_PrintError(progName, "can not initialize parser structure.\n");
--- a/security/nss/cmd/pk11mode/pk11mode.c
+++ b/security/nss/cmd/pk11mode/pk11mode.c
@@ -736,16 +736,28 @@ int main(int argc, char **argv)
          * by the PKCS#11 return code.
          */
         /* try to fork with softoken both loaded and initialized */
         crv = PKM_ForkCheck(CKR_DEVICE_ERROR, pFunctionList, PR_FALSE, NULL);
         if (crv != CKR_OK)
             goto cleanup;
     }
 
+    if (doForkTests)
+    {
+        /* In this next test, we fork and try to re-initialize softoken in
+         * the child. This should now work because softoken has the ability
+         * to hard reset.
+         */
+        /* try to fork with softoken both loaded and initialized */
+        crv = PKM_ForkCheck(CKR_OK, pFunctionList, PR_TRUE, &initArgs);
+        if (crv != CKR_OK)
+            goto cleanup;
+    }
+
     crv = PKM_ShowInfo(pFunctionList, slotID);
     if (crv == CKR_OK) {
         PKM_LogIt("PKM_ShowInfo succeeded\n");
     } else {
         PKM_Error( "PKM_ShowInfo failed with 0x%08X, %-26s\n", crv, 
                    PKM_CK_RVtoStr(crv));
         goto cleanup;
     }
--- a/security/nss/cmd/vfychain/vfychain.c
+++ b/security/nss/cmd/vfychain/vfychain.c
@@ -109,17 +109,17 @@ Usage(const char *progName)
         "\t\t\tare \"leaf\" or \"chain\"\n"
         "\t-h test flags\t Sets revocation flags for the test type it\n"
         "\t\t\tfollows. Possible flags: \"testLocalInfoFirst\" and\n"
         "\t\t\t\"requireFreshInfo\".\n"
         "\t-m method type\t Sets method type for the test type it follows.\n"
         "\t\t\tPossible types are \"crl\" and \"ocsp\".\n"
         "\t-s method flags\t Sets revocation flags for the method it follows.\n"
         "\t\t\tPossible types are \"doNotUse\", \"forbidFetching\",\n"
-        "\t\t\t\"ignoreDefaultSrc\", \"requireInfo\" and \"failInNoInfo\".\n",
+        "\t\t\t\"ignoreDefaultSrc\", \"requireInfo\" and \"failIfNoInfo\".\n",
         progName);
     exit(1);
 }
 
 /**************************************************************************
 ** 
 ** Error and information routines.
 **
@@ -253,17 +253,17 @@ getCert(const char *name, PRBool isAscii
 #define REVCONFIG_METHOD_OCSP_STR     "ocsp"
 
 #define REVCONFIG_TEST_TESTLOCALINFOFIRST_STR     "testLocalInfoFirst"
 #define REVCONFIG_TEST_REQUIREFRESHINFO_STR       "requireFreshInfo"
 #define REVCONFIG_METHOD_DONOTUSEMETHOD_STR       "doNotUse"
 #define REVCONFIG_METHOD_FORBIDNETWORKFETCHIN_STR "forbidFetching"
 #define REVCONFIG_METHOD_IGNOREDEFAULTSRC_STR     "ignoreDefaultSrc"
 #define REVCONFIG_METHOD_REQUIREINFO_STR          "requireInfo"
-#define REVCONFIG_METHOD_FAILIFNOINFO_STR         "failInNoInfo" 
+#define REVCONFIG_METHOD_FAILIFNOINFO_STR         "failIfNoInfo" 
 
 #define REV_METHOD_INDEX_MAX  4
 
 typedef struct RevMethodsStruct {
     uint testType;
     char *testTypeStr;
     uint testFlags;
     char *testFlagsStr;
@@ -675,32 +675,32 @@ breakout:
             
             inParamIndex++;
         }
 
         cvin[inParamIndex].type = cert_pi_useAIACertFetch;
         cvin[inParamIndex].value.scalar.b = certFetching;
         inParamIndex++;
 
-        cvin[inParamIndex].type = cert_pi_date;
-        cvin[inParamIndex].value.scalar.time = time;
-        inParamIndex++;
-
         rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
         rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
         secStatus = configureRevocationParams(&rev);
         if (secStatus) {
             fprintf(stderr, "Can not config revocation parameters ");
             break;
         }
 
         cvin[inParamIndex].type = cert_pi_revocationFlags;
         cvin[inParamIndex].value.pointer.revocation = &rev;
 	inParamIndex++;
 
+        cvin[inParamIndex].type = cert_pi_date;
+        cvin[inParamIndex].value.scalar.time = time;
+        inParamIndex++;
+
         cvin[inParamIndex].type = cert_pi_end;
         
         cvout[0].type = cert_po_trustAnchor;
         cvout[0].value.pointer.cert = NULL;
         cvout[1].type = cert_po_certList;
         cvout[1].value.pointer.chain = NULL;
 
         /* setting pointer to CERTVerifyLog. Initialized structure
--- a/security/nss/lib/certdb/alg1485.c
+++ b/security/nss/lib/certdb/alg1485.c
@@ -49,17 +49,17 @@ typedef struct NameToKindStr {
     unsigned int maxLen; /* max bytes in UTF8 encoded string value */
     SECOidTag    kind;
     int		 valueType;
 } NameToKind;
 
 /* local type for directory string--could be printable_string or utf8 */
 #define SEC_ASN1_DS SEC_ASN1_HIGH_TAG_NUMBER
 
-/* Add new entries to this table, and maybe to function CERT_ParseRFC1485AVA */
+/* Add new entries to this table, and maybe to function ParseRFC1485AVA */
 static const NameToKind name2kinds[] = {
 /* IANA registered type names
  * (See: http://www.iana.org/assignments/ldap-parameters) 
  */
 /* RFC 3280, 4630 MUST SUPPORT */
     { "CN",             64, SEC_OID_AVA_COMMON_NAME,    SEC_ASN1_DS},
     { "ST",            128, SEC_OID_AVA_STATE_OR_PROVINCE,
 							SEC_ASN1_DS},
@@ -356,50 +356,54 @@ hexToBin(PLArenaPool *pool, SECItem * de
     }
     return SECSuccess;
 loser:
     if (!pool)
     	SECITEM_FreeItem(destItem, PR_FALSE);
     return SECFailure;
 }
 
-
-CERTAVA *
-CERT_ParseRFC1485AVA(PRArenaPool *arena, char **pbp, char *endptr,
-		    PRBool singleAVA) 
+/* Parses one AVA, starting at *pbp.  Stops at endptr.
+ * Advances *pbp past parsed AVA and trailing separator (if present).
+ * On any error, returns NULL and *pbp is undefined.
+ * On success, returns CERTAVA allocated from arena, and (*pbp)[-1] was 
+ * the last character parsed.  *pbp is either equal to endptr or 
+ * points to first character after separator.
+ */
+static CERTAVA *
+ParseRFC1485AVA(PRArenaPool *arena, char **pbp, char *endptr)
 {
     CERTAVA *a;
     const NameToKind *n2k;
     char *bp;
     int       vt = -1;
     int       valLen;
     SECOidTag kind  = SEC_OID_UNKNOWN;
     SECStatus rv    = SECFailure;
     SECItem   derOid = { 0, NULL, 0 };
+    char      sep   = 0;
 
     char tagBuf[32];
     char valBuf[384];
 
     PORT_Assert(arena);
     if (scanTag(pbp, endptr, tagBuf, sizeof(tagBuf)) == SECFailure ||
 	scanVal(pbp, endptr, valBuf, sizeof(valBuf)) == SECFailure) {
 	goto loser;
     }
 
-    /* insist that if we haven't finished we've stopped on a separator */
     bp = *pbp;
     if (bp < endptr) {
-	if (singleAVA || (*bp != ',' && *bp != ';')) {
-	    *pbp = bp;
-	    goto loser;
-	}
-	/* ok, skip over separator */
-	bp++;
+	sep = *bp++; /* skip over separator */
     }
     *pbp = bp;
+    /* if we haven't finished, insist that we've stopped on a separator */
+    if (sep && sep != ',' && sep != ';' && sep != '+') {
+	goto loser;
+    }
 
     /* is this a dotted decimal OID attribute type ? */
     if (!PL_strncasecmp("oid.", tagBuf, 4)) {
         rv = SEC_StringToOID(arena, &derOid, tagBuf, strlen(tagBuf));
     } else {
 	for (n2k = name2kinds; n2k->name; n2k++) {
 	    SECOidData *oidrec;
 	    if (PORT_Strcasecmp(n2k->name, tagBuf) == 0) {
@@ -454,32 +458,41 @@ loser:
 
 static CERTName *
 ParseRFC1485Name(char *buf, int len)
 {
     SECStatus rv;
     CERTName *name;
     char *bp, *e;
     CERTAVA *ava;
-    CERTRDN *rdn;
+    CERTRDN *rdn = NULL;
 
     name = CERT_CreateName(NULL);
     if (name == NULL) {
 	return NULL;
     }
     
     e = buf + len;
     bp = buf;
     while (bp < e) {
-	ava = CERT_ParseRFC1485AVA(name->arena, &bp, e, PR_FALSE);
-	if (ava == 0) goto loser;
-	rdn = CERT_CreateRDN(name->arena, ava, (CERTAVA *)0);
-	if (rdn == 0) goto loser;
-	rv = CERT_AddRDN(name, rdn);
-	if (rv) goto loser;
+	ava = ParseRFC1485AVA(name->arena, &bp, e);
+	if (ava == 0) 
+	    goto loser;
+	if (!rdn) {
+	    rdn = CERT_CreateRDN(name->arena, ava, (CERTAVA *)0);
+	    if (rdn == 0) 
+		goto loser;
+	    rv = CERT_AddRDN(name, rdn);
+	} else {
+	    rv = CERT_AddAVA(name->arena, rdn, ava);
+	}
+	if (rv) 
+	    goto loser;
+	if (bp[-1] != '+')
+	    rdn = NULL; /* done with this RDN */
 	skipSpace(&bp, e);
     }
 
     if (name->rdns[0] == 0) {
 	/* empty name -- illegal */
 	goto loser;
     }
 
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -33,17 +33,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Certificate handling code
  *
- * $Id: certdb.c,v 1.95 2008/12/02 23:24:48 nelson%bolyard.com Exp $
+ * $Id: certdb.c,v 1.96 2009/02/09 07:51:30 nelson%bolyard.com Exp $
  */
 
 #include "nssilock.h"
 #include "prmon.h"
 #include "prtime.h"
 #include "cert.h"
 #include "certi.h"
 #include "secder.h"
@@ -933,25 +933,25 @@ CERT_DecodeDERCertificate(SECItem *derSi
     }
 
     /* initialize keyUsage */
     rv = GetKeyUsage(cert);
     if ( rv != SECSuccess ) {
 	goto loser;
     }
 
+    /* determine if this is a root cert */
+    cert->isRoot = cert_IsRootCert(cert);
+
     /* initialize the certType */
     rv = cert_GetCertType(cert);
     if ( rv != SECSuccess ) {
 	goto loser;
     }
 
-    /* determine if this is a root cert */
-    cert->isRoot = cert_IsRootCert(cert);
-
     tmpname = CERT_NameToAscii(&cert->subject);
     if ( tmpname != NULL ) {
 	cert->subjectName = PORT_ArenaStrdup(cert->arena, tmpname);
 	PORT_Free(tmpname);
     }
     
     tmpname = CERT_NameToAscii(&cert->issuer);
     if ( tmpname != NULL ) {
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -32,17 +32,17 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * Moved from secpkcs7.c
  *
- * $Id: crl.c,v 1.60 2008/10/31 23:02:36 alexei.volkov.bugs%sun.com Exp $
+ * $Id: crl.c,v 1.62 2009/02/05 20:31:26 nelson%bolyard.com Exp $
  */
  
 #include "cert.h"
 #include "certi.h"
 #include "secder.h"
 #include "secasn1.h"
 #include "secoid.h"
 #include "certdb.h"
@@ -727,16 +727,20 @@ crl_storeCRL (PK11SlotInfo *slot,char *u
      */
     if (oldCrl != NULL) {
 	/* if it's already there, quietly continue */
 	if (SECITEM_CompareItem(newCrl->derCrl, oldCrl->derCrl) 
 						== SECEqual) {
 	    crl = newCrl;
 	    crl->slot = PK11_ReferenceSlot(slot);
 	    crl->pkcs11ID = oldCrl->pkcs11ID;
+	    if (oldCrl->url && !url)
+	        url = oldCrl->url;
+	    if (url)
+		crl->url = PORT_ArenaStrdup(crl->arena, url);
 	    goto done;
 	}
         if (!SEC_CrlIsNewer(&newCrl->crl,&oldCrl->crl)) {
 
             if (type == SEC_CRL_TYPE) {
                 PORT_SetError(SEC_ERROR_OLD_CRL);
             } else {
                 PORT_SetError(SEC_ERROR_OLD_KRL);
@@ -749,17 +753,17 @@ crl_storeCRL (PK11SlotInfo *slot,char *u
                 &oldCrl->crl.derName) != SECEqual) &&
             (type == SEC_KRL_TYPE) ) {
 
             PORT_SetError(SEC_ERROR_CKL_CONFLICT);
             goto done;
         }
 
         /* if we have a url in the database, use that one */
-        if (oldCrl->url) {
+        if (oldCrl->url && !url) {
 	    url = oldCrl->url;
         }
 
         /* really destroy this crl */
         /* first drum it out of the permanment Data base */
 	deleteOldCrl = PR_TRUE;
     }
 
@@ -1639,17 +1643,17 @@ static SECStatus DPCache_FetchFromTokens
             {
                 PRBool added = PR_FALSE;
                 rv = DPCache_AddCRL(cache, returned, &added);
                 if (PR_TRUE != added)
                 {
                     rv = CachedCrl_Destroy(returned);
                     returned = NULL;
                 }
-                else
+                else if (vfdate)
                 {
                     rv = CachedCrl_Verify(cache, returned, vfdate, wincx);
                 }
             }
             else
             {
                 /* not enough memory to add the CRL to the cache. mark it
                    invalid so we will try again . */
--- a/security/nss/lib/certhigh/certvfypkix.c
+++ b/security/nss/lib/certhigh/certvfypkix.c
@@ -561,17 +561,17 @@ cert_CreatePkixProcessingParams(
         PKIX_PL_Date_CreateFromPRTime(time, &date, plContext),
         PKIX_DATECREATEFROMPRTIMEFAILED);
 
     PKIX_CHECK(
         PKIX_ProcessingParams_SetDate(procParams, date, plContext),
         PKIX_PROCESSINGPARAMSSETDATEFAILED);
 
     PKIX_CHECK(
-        PKIX_RevocationChecker_Create(date,
+        PKIX_RevocationChecker_Create(
                                   PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
                                   PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
                                   PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST |
                                   PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT,
                                   &revChecker, plContext),
         PKIX_REVOCATIONCHECKERCREATEFAILED);
 
     PKIX_CHECK(
@@ -1645,23 +1645,18 @@ cert_pkixSetParam(PKIX_ProcessingParams 
                 break;
             }
 
             leafIMFlags = 
                 flags->leafTests.cert_rev_method_independent_flags;
             chainIMFlags =
                 flags->chainTests.cert_rev_method_independent_flags;
 
-            error = PKIX_ProcessingParams_GetDate(procParams, &date, plContext);
-            if (error != NULL) {
-                errCode = SEC_ERROR_INVALID_TIME;
-            }
-
             error =
-                PKIX_RevocationChecker_Create(date, leafIMFlags, chainIMFlags,
+                PKIX_RevocationChecker_Create(leafIMFlags, chainIMFlags,
                                               &revChecker, plContext);
             if (error) {
                 break;
             }
 
             error =
                 PKIX_ProcessingParams_SetRevocationChecker(procParams,
                                                 revChecker, plContext);
--- a/security/nss/lib/ckfw/crypto.c
+++ b/security/nss/lib/ckfw/crypto.c
@@ -31,17 +31,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: crypto.c,v $ $Revision: 1.3 $ $Date: 2006/04/22 05:30:18 $";
+static const char CVS_ID[] = "@(#) $RCSfile: crypto.c,v $ $Revision: 1.4 $ $Date: 2009/02/09 07:55:51 $";
 #endif /* DEBUG */
 
 /*
  * crypto.c
  *
  * This file implements the NSSCKFWCryptoOperation type and methods.
  */
 
@@ -96,17 +96,17 @@ nssCKFWCryptoOperation_Create(
   NSSCKMDInstance *mdInstance,
   NSSCKFWInstance *fwInstance,
   NSSCKFWCryptoOperationType type,
   CK_RV *pError
 )
 {
   NSSCKFWCryptoOperation *fwOperation;
   fwOperation = nss_ZNEW(NULL, NSSCKFWCryptoOperation);
-  if ((NSSCKFWCryptoOperation *)NULL == fwOperation) {
+  if (!fwOperation) {
     *pError = CKR_HOST_MEMORY;
     return (NSSCKFWCryptoOperation *)NULL;
   }
   fwOperation->mdOperation = mdOperation; 
   fwOperation->mdSession = mdSession; 
   fwOperation->fwSession = fwSession; 
   fwOperation->mdToken = mdToken; 
   fwOperation->fwToken = fwToken; 
@@ -121,17 +121,17 @@ nssCKFWCryptoOperation_Create(
  */
 NSS_EXTERN void
 nssCKFWCryptoOperation_Destroy
 (
   NSSCKFWCryptoOperation *fwOperation
 )
 {
   if ((NSSCKMDCryptoOperation *) NULL != fwOperation->mdOperation) {
-    if ((void *) NULL != (void *)fwOperation->mdOperation->Destroy) {
+    if (fwOperation->mdOperation->Destroy) {
       fwOperation->mdOperation->Destroy(
                                 fwOperation->mdOperation,
                                 fwOperation,
                                 fwOperation->mdInstance,
                                 fwOperation->fwInstance);
     }
   }
   nss_ZFreeIf(fwOperation);
@@ -166,17 +166,17 @@ nssCKFWCryptoOperation_GetType
  */
 NSS_EXTERN CK_ULONG
 nssCKFWCryptoOperation_GetFinalLength
 (
   NSSCKFWCryptoOperation *fwOperation,
   CK_RV *pError
 )
 {
-  if ((void *) NULL == (void *)fwOperation->mdOperation->GetFinalLength) {
+  if (!fwOperation->mdOperation->GetFinalLength) {
     *pError = CKR_FUNCTION_FAILED;
     return 0;
   }
   return fwOperation->mdOperation->GetFinalLength(
                 fwOperation->mdOperation,
                 fwOperation,
                 fwOperation->mdSession,
                 fwOperation->fwSession,
@@ -193,17 +193,17 @@ nssCKFWCryptoOperation_GetFinalLength
 NSS_EXTERN CK_ULONG
 nssCKFWCryptoOperation_GetOperationLength
 (
   NSSCKFWCryptoOperation *fwOperation,
   NSSItem *inputBuffer,
   CK_RV *pError
 )
 {
-  if ((void *) NULL == (void *)fwOperation->mdOperation->GetOperationLength) {
+  if (!fwOperation->mdOperation->GetOperationLength) {
     *pError = CKR_FUNCTION_FAILED;
     return 0;
   }
   return fwOperation->mdOperation->GetOperationLength(
                 fwOperation->mdOperation,
                 fwOperation,
                 fwOperation->mdSession,
                 fwOperation->fwSession,
@@ -220,17 +220,17 @@ nssCKFWCryptoOperation_GetOperationLengt
  */
 NSS_EXTERN CK_RV
 nssCKFWCryptoOperation_Final
 (
   NSSCKFWCryptoOperation *fwOperation,
   NSSItem *outputBuffer
 )
 {
-  if ((void *) NULL == (void *)fwOperation->mdOperation->Final) {
+  if (!fwOperation->mdOperation->Final) {
     return CKR_FUNCTION_FAILED;
   }
   return fwOperation->mdOperation->Final(
                 fwOperation->mdOperation,
                 fwOperation,
                 fwOperation->mdSession,
                 fwOperation->fwSession,
                 fwOperation->mdToken,
@@ -246,17 +246,17 @@ nssCKFWCryptoOperation_Final
 NSS_EXTERN CK_RV
 nssCKFWCryptoOperation_Update
 (
   NSSCKFWCryptoOperation *fwOperation,
   NSSItem *inputBuffer,
   NSSItem *outputBuffer
 )
 {
-  if ((void *) NULL == (void *)fwOperation->mdOperation->Update) {
+  if (!fwOperation->mdOperation->Update) {
     return CKR_FUNCTION_FAILED;
   }
   return fwOperation->mdOperation->Update(
                 fwOperation->mdOperation,
                 fwOperation,
                 fwOperation->mdSession,
                 fwOperation->fwSession,
                 fwOperation->mdToken,
@@ -272,17 +272,17 @@ nssCKFWCryptoOperation_Update
  */
 NSS_EXTERN CK_RV
 nssCKFWCryptoOperation_DigestUpdate
 (
   NSSCKFWCryptoOperation *fwOperation,
   NSSItem *inputBuffer
 )
 {
-  if ((void *) NULL == (void *)fwOperation->mdOperation->DigestUpdate) {
+  if (!fwOperation->mdOperation->DigestUpdate) {
     return CKR_FUNCTION_FAILED;
   }
   return fwOperation->mdOperation->DigestUpdate(
                 fwOperation->mdOperation,
                 fwOperation,
                 fwOperation->mdSession,
                 fwOperation->fwSession,
                 fwOperation->mdToken,
@@ -299,17 +299,17 @@ NSS_EXTERN CK_RV
 nssCKFWCryptoOperation_DigestKey
 (
   NSSCKFWCryptoOperation *fwOperation,
   NSSCKFWObject *fwObject /* Key */
 )
 {
   NSSCKMDObject *mdObject;
 
-  if ((void *) NULL == (void *)fwOperation->mdOperation->DigestKey) {
+  if (!fwOperation->mdOperation->DigestKey) {
     return CKR_FUNCTION_FAILED;
   }
   mdObject = nssCKFWObject_GetMDObject(fwObject);
   return fwOperation->mdOperation->DigestKey(
                 fwOperation->mdOperation,
                 fwOperation,
                 fwOperation->mdToken,
                 fwOperation->fwToken,
@@ -325,17 +325,17 @@ nssCKFWCryptoOperation_DigestKey
 NSS_EXTERN CK_RV
 nssCKFWCryptoOperation_UpdateFinal
 (
   NSSCKFWCryptoOperation *fwOperation,
   NSSItem *inputBuffer,
   NSSItem *outputBuffer
 )
 {
-  if ((void *) NULL == (void *)fwOperation->mdOperation->UpdateFinal) {
+  if (!fwOperation->mdOperation->UpdateFinal) {
     return CKR_FUNCTION_FAILED;
   }
   return fwOperation->mdOperation->UpdateFinal(
                 fwOperation->mdOperation,
                 fwOperation,
                 fwOperation->mdSession,
                 fwOperation->fwSession,
                 fwOperation->mdToken,
@@ -353,17 +353,17 @@ NSS_EXTERN CK_RV
 nssCKFWCryptoOperation_UpdateCombo
 (
   NSSCKFWCryptoOperation *fwOperation,
   NSSCKFWCryptoOperation *fwPeerOperation,
   NSSItem *inputBuffer,
   NSSItem *outputBuffer
 )
 {
-  if ((void *) NULL == (void *)fwOperation->mdOperation->UpdateCombo) {
+  if (!fwOperation->mdOperation->UpdateCombo) {
     return CKR_FUNCTION_FAILED;
   }
   return fwOperation->mdOperation->UpdateCombo(
                 fwOperation->mdOperation,
                 fwOperation,
                 fwPeerOperation->mdOperation,
                 fwPeerOperation,
                 fwOperation->mdSession,
--- a/security/nss/lib/ckfw/find.c
+++ b/security/nss/lib/ckfw/find.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: find.c,v $ $Revision: 1.8 $ $Date: 2006/04/20 00:03:33 $";
+static const char CVS_ID[] = "@(#) $RCSfile: find.c,v $ $Revision: 1.9 $ $Date: 2009/02/09 07:55:52 $";
 #endif /* DEBUG */
 
 /*
  * find.c
  *
  * This file implements the nssCKFWFindObjects type and methods.
  */
 
@@ -142,32 +142,32 @@ nssCKFWFindObjects_Create
   NSSCKMDToken *mdToken;
   NSSCKMDInstance *mdInstance;
 
   mdSession = nssCKFWSession_GetMDSession(fwSession);
   mdToken = nssCKFWToken_GetMDToken(fwToken);
   mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
 
   fwFindObjects = nss_ZNEW(NULL, NSSCKFWFindObjects);
-  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
+  if (!fwFindObjects) {
     *pError = CKR_HOST_MEMORY;
     goto loser;
   }
 
   fwFindObjects->mdfo1 = mdFindObjects1;
   fwFindObjects->mdfo2 = mdFindObjects2;
   fwFindObjects->fwSession = fwSession;
   fwFindObjects->mdSession = mdSession;
   fwFindObjects->fwToken = fwToken;
   fwFindObjects->mdToken = mdToken;
   fwFindObjects->fwInstance = fwInstance;
   fwFindObjects->mdInstance = mdInstance;
 
   fwFindObjects->mutex = nssCKFWInstance_CreateMutex(fwInstance, NULL, pError);
-  if( (NSSCKFWMutex *)NULL == fwFindObjects->mutex ) {
+  if (!fwFindObjects->mutex) {
     goto loser;
   }
 
 #ifdef DEBUG
   *pError = findObjects_add_pointer(fwFindObjects);
   if( CKR_OK != *pError ) {
     goto loser;
   }
@@ -217,28 +217,28 @@ nssCKFWFindObjects_Destroy
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWFindObjects_verifyPointer(fwFindObjects) ) {
     return;
   }
 #endif /* NSSDEBUG */
 
   (void)nssCKFWMutex_Destroy(fwFindObjects->mutex);
 
-  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo1 ) {
-    if( (void *)NULL != (void *)fwFindObjects->mdfo1->Final ) {
+  if (fwFindObjects->mdfo1) {
+    if (fwFindObjects->mdfo1->Final) {
       fwFindObjects->mdFindObjects = fwFindObjects->mdfo1;
       fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects,
         fwFindObjects->mdSession, fwFindObjects->fwSession, 
         fwFindObjects->mdToken, fwFindObjects->fwToken,
         fwFindObjects->mdInstance, fwFindObjects->fwInstance);
     }
   }
 
-  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo2 ) {
-    if( (void *)NULL != (void *)fwFindObjects->mdfo2->Final ) {
+  if (fwFindObjects->mdfo2) {
+    if (fwFindObjects->mdfo2->Final) {
       fwFindObjects->mdFindObjects = fwFindObjects->mdfo2;
       fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects,
         fwFindObjects->mdSession, fwFindObjects->fwSession, 
         fwFindObjects->mdToken, fwFindObjects->fwToken,
         fwFindObjects->mdInstance, fwFindObjects->fwInstance);
     }
   }
 
@@ -282,65 +282,65 @@ nssCKFWFindObjects_Next
   CK_RV *pError
 )
 {
   NSSCKMDObject *mdObject;
   NSSCKFWObject *fwObject = (NSSCKFWObject *)NULL;
   NSSArena *objArena;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKFWObject *)NULL;
   }
 
   *pError = nssCKFWFindObjects_verifyPointer(fwFindObjects);
   if( CKR_OK != *pError ) {
     return (NSSCKFWObject *)NULL;
   }
 #endif /* NSSDEBUG */
 
   *pError = nssCKFWMutex_Lock(fwFindObjects->mutex);
   if( CKR_OK != *pError ) {
     return (NSSCKFWObject *)NULL;
   }
 
-  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo1 ) {
-    if( (void *)NULL != (void *)fwFindObjects->mdfo1->Next ) {
+  if (fwFindObjects->mdfo1) {
+    if (fwFindObjects->mdfo1->Next) {
       fwFindObjects->mdFindObjects = fwFindObjects->mdfo1;
       mdObject = fwFindObjects->mdfo1->Next(fwFindObjects->mdfo1,
         fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession,
         fwFindObjects->mdToken, fwFindObjects->fwToken, 
         fwFindObjects->mdInstance, fwFindObjects->fwInstance,
         arenaOpt, pError);
-      if( (NSSCKMDObject *)NULL == mdObject ) {
+      if (!mdObject) {
         if( CKR_OK != *pError ) {
           goto done;
         }
 
         /* All done. */
         fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects,
           fwFindObjects->mdSession, fwFindObjects->fwSession,
           fwFindObjects->mdToken, fwFindObjects->fwToken, 
           fwFindObjects->mdInstance, fwFindObjects->fwInstance);
         fwFindObjects->mdfo1 = (NSSCKMDFindObjects *)NULL;
       } else {
         goto wrap;
       }
     }
   }
 
-  if( (NSSCKMDFindObjects *)NULL != fwFindObjects->mdfo2 ) {
-    if( (void *)NULL != (void *)fwFindObjects->mdfo2->Next ) {
+  if (fwFindObjects->mdfo2) {
+    if (fwFindObjects->mdfo2->Next) {
       fwFindObjects->mdFindObjects = fwFindObjects->mdfo2;
       mdObject = fwFindObjects->mdfo2->Next(fwFindObjects->mdfo2,
         fwFindObjects, fwFindObjects->mdSession, fwFindObjects->fwSession,
         fwFindObjects->mdToken, fwFindObjects->fwToken, 
         fwFindObjects->mdInstance, fwFindObjects->fwInstance,
         arenaOpt, pError);
-      if( (NSSCKMDObject *)NULL == mdObject ) {
+      if (!mdObject) {
         if( CKR_OK != *pError ) {
           goto done;
         }
 
         /* All done. */
         fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects,
           fwFindObjects->mdSession, fwFindObjects->fwSession,
           fwFindObjects->mdToken, fwFindObjects->fwToken, 
@@ -368,27 +368,27 @@ nssCKFWFindObjects_Next
    * to create an arena style leak (where our arena grows with every search),
    * and 2) we want the same object to always have the same ID. This means
    * the only case the nssCKFWObject_Create() will need the objArena and the
    * Session is in the case of token objects (session objects should already
    * exist in the cache from their initial creation). So this code is correct,
    * but it depends on nssCKFWObject_Create caching all objects.
    */
   objArena = nssCKFWToken_GetArena(fwFindObjects->fwToken, pError);
-  if( (NSSArena *)NULL == objArena ) {
+  if (!objArena) {
     if( CKR_OK == *pError ) {
       *pError = CKR_HOST_MEMORY;
     }
     goto done;
   }
 
   fwObject = nssCKFWObject_Create(objArena, mdObject,
                NULL, fwFindObjects->fwToken, 
                fwFindObjects->fwInstance, pError);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
   }
 
  done:
   (void)nssCKFWMutex_Unlock(fwFindObjects->mutex);
   return fwObject;
--- a/security/nss/lib/ckfw/hash.c
+++ b/security/nss/lib/ckfw/hash.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.3 $ $Date: 2005/01/20 02:25:45 $";
+static const char CVS_ID[] = "@(#) $RCSfile: hash.c,v $ $Revision: 1.4 $ $Date: 2009/02/09 07:55:52 $";
 #endif /* DEBUG */
 
 /*
  * hash.c
  *
  * This is merely a couple wrappers around NSPR's PLHashTable, using
  * the identity hash and arena-aware allocators.  The reason I did
  * this is that hash tables are used in a few places throughout the
@@ -99,43 +99,43 @@ nssCKFWHash_Create
   NSSCKFWInstance *fwInstance,
   NSSArena *arena,
   CK_RV *pError
 )
 {
   nssCKFWHash *rv;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (nssCKFWHash *)NULL;
   }
 
   if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
     *pError = CKR_ARGUMENTS_BAD;
     return (nssCKFWHash *)NULL;
   }
 #endif /* NSSDEBUG */
 
   rv = nss_ZNEW(arena, nssCKFWHash);
-  if( (nssCKFWHash *)NULL == rv ) {
+  if (!rv) {
     *pError = CKR_HOST_MEMORY;
     return (nssCKFWHash *)NULL;
   }
 
   rv->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
-  if( (NSSCKFWMutex *)NULL == rv->mutex ) {
+  if (!rv->mutex) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
     return (nssCKFWHash *)NULL;
   }
 
   rv->plHashTable = PL_NewHashTable(0, nss_ckfw_identity_hash, 
     PL_CompareValues, PL_CompareValues, &nssArenaHashAllocOps, arena);
-  if( (PLHashTable *)NULL == rv->plHashTable ) {
+  if (!rv->plHashTable) {
     (void)nssCKFWMutex_Destroy(rv->mutex);
     (void)nss_ZFreeIf(rv);
     *pError = CKR_HOST_MEMORY;
     return (nssCKFWHash *)NULL;
   }
 
   rv->count = 0;
 
@@ -173,17 +173,17 @@ nssCKFWHash_Add
   PLHashEntry *he;
 
   error = nssCKFWMutex_Lock(hash->mutex);
   if( CKR_OK != error ) {
     return error;
   }
   
   he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
-  if( (PLHashEntry *)NULL == he ) {
+  if (!he) {
     error = CKR_HOST_MEMORY;
   } else {
     hash->count++;
   }
 
   (void)nssCKFWMutex_Unlock(hash->mutex);
 
   return error;
@@ -254,17 +254,17 @@ nssCKFWHash_Exists
   if( CKR_OK != nssCKFWMutex_Lock(hash->mutex) ) {
     return CK_FALSE;
   }
 
   value = PL_HashTableLookup(hash->plHashTable, it);
 
   (void)nssCKFWMutex_Unlock(hash->mutex);
 
-  if( (void *)NULL == value ) {
+  if (!value) {
     return CK_FALSE;
   } else {
     return CK_TRUE;
   }
 }
 
 /*
  * nssCKFWHash_Lookup
--- a/security/nss/lib/ckfw/instance.c
+++ b/security/nss/lib/ckfw/instance.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: instance.c,v $ $Revision: 1.11 $ $Date: 2006/10/09 22:16:59 $";
+static const char CVS_ID[] = "@(#) $RCSfile: instance.c,v $ $Revision: 1.12 $ $Date: 2009/02/09 07:55:52 $";
 #endif /* DEBUG */
 
 /*
  * instance.c
  *
  * This file implements the NSSCKFWInstance type and methods.
  */
 
@@ -203,30 +203,30 @@ nssCKFWInstance_Create
   CK_ULONG i;
   CK_BBOOL called_Initialize = CK_FALSE;
 
 #ifdef NSSDEBUG
   if( (CK_RV)NULL == pError ) {
     return (NSSCKFWInstance *)NULL;
   }
 
-  if( (NSSCKMDInstance *)NULL == mdInstance ) {
+  if (!mdInstance) {
     *pError = CKR_ARGUMENTS_BAD;
     return (NSSCKFWInstance *)NULL;
   }
 #endif /* NSSDEBUG */
 
   arena = NSSArena_Create();
-  if( (NSSArena *)NULL == arena ) {
+  if (!arena) {
     *pError = CKR_HOST_MEMORY;
     return (NSSCKFWInstance *)NULL;
   }
 
   fwInstance = nss_ZNEW(arena, NSSCKFWInstance);
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     goto nomem;
   }
 
   fwInstance->arena = arena;
   fwInstance->mdInstance = mdInstance;
 
   fwInstance->LockingState = LockingState;
   if( (CK_C_INITIALIZE_ARGS_PTR)NULL != pInitArgs ) {
@@ -239,40 +239,40 @@ nssCKFWInstance_Create
     }
     fwInstance->configurationData = (NSSUTF8 *)(pInitArgs->pReserved);
   } else {
     fwInstance->mayCreatePthreads = CK_TRUE;
   }
 
   fwInstance->mutex = nssCKFWMutex_Create(pInitArgs, LockingState, arena,
                                           pError);
-  if( (NSSCKFWMutex *)NULL == fwInstance->mutex ) {
+  if (!fwInstance->mutex) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
     goto loser;
   }
 
-  if( (void *)NULL != (void *)mdInstance->Initialize ) {
+  if (mdInstance->Initialize) {
     *pError = mdInstance->Initialize(mdInstance, fwInstance, fwInstance->configurationData);
     if( CKR_OK != *pError ) {
       goto loser;
     }
 
     called_Initialize = CK_TRUE;
   }
 
-  if( (void *)NULL != (void *)mdInstance->ModuleHandlesSessionObjects ) {
+  if (mdInstance->ModuleHandlesSessionObjects) {
     fwInstance->moduleHandlesSessionObjects = 
       mdInstance->ModuleHandlesSessionObjects(mdInstance, fwInstance);
   } else {
     fwInstance->moduleHandlesSessionObjects = CK_FALSE;
   }
 
-  if( (void *)NULL == (void *)mdInstance->GetNSlots ) {
+  if (!mdInstance->GetNSlots) {
     /* That routine is required */
     *pError = CKR_GENERAL_ERROR;
     goto loser;
   }
 
   fwInstance->nSlots = mdInstance->GetNSlots(mdInstance, fwInstance, pError);
   if( (CK_ULONG)0 == fwInstance->nSlots ) {
     if( CKR_OK == *pError ) {
@@ -289,56 +289,56 @@ nssCKFWInstance_Create
 
   fwInstance->mdSlotList = nss_ZNEWARRAY(arena, NSSCKMDSlot *, fwInstance->nSlots);
   if( (NSSCKMDSlot **)NULL == fwInstance->mdSlotList ) {
     goto nomem;
   }
 
   fwInstance->sessionHandleHash = nssCKFWHash_Create(fwInstance, 
     fwInstance->arena, pError);
-  if( (nssCKFWHash *)NULL == fwInstance->sessionHandleHash ) {
+  if (!fwInstance->sessionHandleHash) {
     goto loser;
   }
 
   fwInstance->objectHandleHash = nssCKFWHash_Create(fwInstance,
     fwInstance->arena, pError);
-  if( (nssCKFWHash *)NULL == fwInstance->objectHandleHash ) {
+  if (!fwInstance->objectHandleHash) {
     goto loser;
   }
 
-  if( (void *)NULL == (void *)mdInstance->GetSlots ) {
+  if (!mdInstance->GetSlots) {
     /* That routine is required */
     *pError = CKR_GENERAL_ERROR;
     goto loser;
   }
 
   *pError = mdInstance->GetSlots(mdInstance, fwInstance, fwInstance->mdSlotList);
   if( CKR_OK != *pError ) {
     goto loser;
   }
 
   for( i = 0; i < fwInstance->nSlots; i++ ) {
     NSSCKMDSlot *mdSlot = fwInstance->mdSlotList[i];
 
-    if( (NSSCKMDSlot *)NULL == mdSlot ) {
+    if (!mdSlot) {
       *pError = CKR_GENERAL_ERROR;
       goto loser;
     }
 
     fwInstance->fwSlotList[i] = nssCKFWSlot_Create(fwInstance, mdSlot, i, pError);
     if( CKR_OK != *pError ) {
       CK_ULONG j;
 
       for( j = 0; j < i; j++ ) {
         (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[j]);
       }
 
       for( j = i; j < fwInstance->nSlots; j++ ) {
         NSSCKMDSlot *mds = fwInstance->mdSlotList[j];
-        if( (void *)NULL != (void *)mds->Destroy ) {
+        if (mds->Destroy) {
           mds->Destroy(mds, (NSSCKFWSlot *)NULL, mdInstance, fwInstance);
         }
       }
 
       goto loser;
     }
   }
 
@@ -357,17 +357,17 @@ nssCKFWInstance_Create
   return fwInstance;
 
  nomem:
   *pError = CKR_HOST_MEMORY;
   /*FALLTHROUGH*/
  loser:
 
   if( CK_TRUE == called_Initialize ) {
-    if( (void *)NULL != (void *)mdInstance->Finalize ) {
+    if (mdInstance->Finalize) {
       mdInstance->Finalize(mdInstance, fwInstance);
     }
   }
 
   if (arena) {
     (void)NSSArena_Destroy(arena);
   }
   return (NSSCKFWInstance *)NULL;
@@ -396,17 +396,17 @@ nssCKFWInstance_Destroy
 #endif /* NSSDEBUG */
 
   nssCKFWMutex_Destroy(fwInstance->mutex);
 
   for( i = 0; i < fwInstance->nSlots; i++ ) {
     (void)nssCKFWSlot_Destroy(fwInstance->fwSlotList[i]);
   }
 
-  if( (void *)NULL != (void *)fwInstance->mdInstance->Finalize ) {
+  if (fwInstance->mdInstance->Finalize) {
     fwInstance->mdInstance->Finalize(fwInstance->mdInstance, fwInstance);
   }
 
   if (fwInstance->sessionHandleHash) {
      nssCKFWHash_Destroy(fwInstance->sessionHandleHash);
   }
 
   if (fwInstance->objectHandleHash) {
@@ -447,17 +447,17 @@ nssCKFWInstance_GetMDInstance
 NSS_IMPLEMENT NSSArena *
 nssCKFWInstance_GetArena
 (
   NSSCKFWInstance *fwInstance,
   CK_RV *pError
 )
 {
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSArena *)NULL;
   }
 
   *pError = nssCKFWInstance_verifyPointer(fwInstance);
   if( CKR_OK != *pError ) {
     return (NSSArena *)NULL;
   }
 #endif /* NSSDEBUG */
@@ -495,29 +495,29 @@ nssCKFWInstance_CreateMutex
   NSSCKFWInstance *fwInstance,
   NSSArena *arena,
   CK_RV *pError
 )
 {
   NSSCKFWMutex *mutex;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKFWMutex *)NULL;
   }
 
   *pError = nssCKFWInstance_verifyPointer(fwInstance);
   if( CKR_OK != *pError ) {
     return (NSSCKFWMutex *)NULL;
   }
 #endif /* NSSDEBUG */
 
   mutex = nssCKFWMutex_Create(fwInstance->pInitArgs, fwInstance->LockingState,
                               arena, pError);
-  if( (NSSCKFWMutex *)NULL == mutex ) {
+  if (!mutex) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
 
     return (NSSCKFWMutex *)NULL;
   }
 
   return mutex;
@@ -571,17 +571,17 @@ nssCKFWInstance_CreateSessionHandle
   NSSCKFWInstance *fwInstance,
   NSSCKFWSession *fwSession,
   CK_RV *pError
 )
 {
   CK_SESSION_HANDLE hSession;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (CK_SESSION_HANDLE)0;
   }
 
   *pError = nssCKFWInstance_verifyPointer(fwInstance);
   if( CKR_OK != *pError ) {
     return (CK_SESSION_HANDLE)0;
   }
 #endif /* NSSDEBUG */
@@ -715,17 +715,17 @@ nssCKFWInstance_CreateObjectHandle
   NSSCKFWInstance *fwInstance,
   NSSCKFWObject *fwObject,
   CK_RV *pError
 )
 {
   CK_OBJECT_HANDLE hObject;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (CK_OBJECT_HANDLE)0;
   }
 
   *pError = nssCKFWInstance_verifyPointer(fwInstance);
   if( CKR_OK != *pError ) {
     return (CK_OBJECT_HANDLE)0;
   }
 #endif /* NSSDEBUG */
@@ -900,17 +900,17 @@ nssCKFWInstance_FindObjectHandle
 NSS_IMPLEMENT CK_ULONG
 nssCKFWInstance_GetNSlots
 (
   NSSCKFWInstance *fwInstance,
   CK_RV *pError
 )
 {
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (CK_ULONG)0;
   }
 
   *pError = nssCKFWInstance_verifyPointer(fwInstance);
   if( CKR_OK != *pError ) {
     return (CK_ULONG)0;
   }
 #endif /* NSSDEBUG */
@@ -944,17 +944,17 @@ nssCKFWInstance_GetCryptokiVersion
   }
 
   if( (0 != fwInstance->cryptokiVersion.major) ||
       (0 != fwInstance->cryptokiVersion.minor) ) {
     rv = fwInstance->cryptokiVersion;
     goto done;
   }
 
-  if( (void *)NULL != (void *)fwInstance->mdInstance->GetCryptokiVersion ) {
+  if (fwInstance->mdInstance->GetCryptokiVersion) {
     fwInstance->cryptokiVersion = fwInstance->mdInstance->GetCryptokiVersion(
       fwInstance->mdInstance, fwInstance);
   } else {
     fwInstance->cryptokiVersion.major = 2;
     fwInstance->cryptokiVersion.minor = 1;
   }
 
   rv = fwInstance->cryptokiVersion;
@@ -988,21 +988,21 @@ nssCKFWInstance_GetManufacturerID
   }
 #endif /* NSSDEBUG */
 
   error = nssCKFWMutex_Lock(fwInstance->mutex);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSUTF8 *)NULL == fwInstance->manufacturerID ) {
-    if( (void *)NULL != (void *)fwInstance->mdInstance->GetManufacturerID ) {
+  if (!fwInstance->manufacturerID) {
+    if (fwInstance->mdInstance->GetManufacturerID) {
       fwInstance->manufacturerID = fwInstance->mdInstance->GetManufacturerID(
         fwInstance->mdInstance, fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwInstance->manufacturerID) && (CKR_OK != error) ) {
+      if ((!fwInstance->manufacturerID) && (CKR_OK != error)) {
         goto done;
       }
     } else {
       fwInstance->manufacturerID = (NSSUTF8 *) "";
     }
   }
 
   (void)nssUTF8_CopyIntoFixedBuffer(fwInstance->manufacturerID, (char *)manufacturerID, 32, ' ');
@@ -1057,21 +1057,21 @@ nssCKFWInstance_GetLibraryDescription
   }
 #endif /* NSSDEBUG */
 
   error = nssCKFWMutex_Lock(fwInstance->mutex);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSUTF8 *)NULL == fwInstance->libraryDescription ) {
-    if( (void *)NULL != (void *)fwInstance->mdInstance->GetLibraryDescription ) {
+  if (!fwInstance->libraryDescription) {
+    if (fwInstance->mdInstance->GetLibraryDescription) {
       fwInstance->libraryDescription = fwInstance->mdInstance->GetLibraryDescription(
         fwInstance->mdInstance, fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwInstance->libraryDescription) && (CKR_OK != error) ) {
+      if ((!fwInstance->libraryDescription) && (CKR_OK != error)) {
         goto done;
       }
     } else {
       fwInstance->libraryDescription = (NSSUTF8 *) "";
     }
   }
 
   (void)nssUTF8_CopyIntoFixedBuffer(fwInstance->libraryDescription, (char *)libraryDescription, 32, ' ');
@@ -1107,17 +1107,17 @@ nssCKFWInstance_GetLibraryVersion
   }
 
   if( (0 != fwInstance->libraryVersion.major) ||
       (0 != fwInstance->libraryVersion.minor) ) {
     rv = fwInstance->libraryVersion;
     goto done;
   }
 
-  if( (void *)NULL != (void *)fwInstance->mdInstance->GetLibraryVersion ) {
+  if (fwInstance->mdInstance->GetLibraryVersion) {
     fwInstance->libraryVersion = fwInstance->mdInstance->GetLibraryVersion(
       fwInstance->mdInstance, fwInstance);
   } else {
     fwInstance->libraryVersion.major = 0;
     fwInstance->libraryVersion.minor = 3;
   }
 
   rv = fwInstance->libraryVersion;
@@ -1152,17 +1152,17 @@ nssCKFWInstance_GetModuleHandlesSessionO
 NSS_IMPLEMENT NSSCKFWSlot **
 nssCKFWInstance_GetSlots
 (
   NSSCKFWInstance *fwInstance,
   CK_RV *pError
 )
 {
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKFWSlot **)NULL;
   }
 
   *pError = nssCKFWInstance_verifyPointer(fwInstance);
   if( CKR_OK != *pError ) {
     return (NSSCKFWSlot **)NULL;
   }
 #endif /* NSSDEBUG */
@@ -1182,17 +1182,17 @@ nssCKFWInstance_WaitForSlotEvent
   CK_RV *pError
 )
 {
   NSSCKFWSlot *fwSlot = (NSSCKFWSlot *)NULL;
   NSSCKMDSlot *mdSlot;
   CK_ULONG i, n;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKFWSlot *)NULL;
   }
 
   *pError = nssCKFWInstance_verifyPointer(fwInstance);
   if( CKR_OK != *pError ) {
     return (NSSCKFWSlot *)NULL;
   }
 
@@ -1201,45 +1201,45 @@ nssCKFWInstance_WaitForSlotEvent
   case CK_FALSE:
     break;
   default:
     *pError = CKR_ARGUMENTS_BAD;
     return (NSSCKFWSlot *)NULL;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwInstance->mdInstance->WaitForSlotEvent ) {
+  if (!fwInstance->mdInstance->WaitForSlotEvent) {
     *pError = CKR_NO_EVENT;
     return (NSSCKFWSlot *)NULL;
   }
 
   mdSlot = fwInstance->mdInstance->WaitForSlotEvent(
     fwInstance->mdInstance,
     fwInstance,
     block,
     pError
   );
 
-  if( (NSSCKMDSlot *)NULL == mdSlot ) {
+  if (!mdSlot) {
     return (NSSCKFWSlot *)NULL;
   }
 
   n = nssCKFWInstance_GetNSlots(fwInstance, pError);
   if( ((CK_ULONG)0 == n) && (CKR_OK != *pError) ) {
     return (NSSCKFWSlot *)NULL;
   }
 
   for( i = 0; i < n; i++ ) {
     if( fwInstance->mdSlotList[i] == mdSlot ) {
       fwSlot = fwInstance->fwSlotList[i];
       break;
     }
   }
 
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     /* Internal error */
     *pError = CKR_GENERAL_ERROR;
     return (NSSCKFWSlot *)NULL;
   }
 
   return fwSlot;
 }
 
@@ -1269,17 +1269,17 @@ NSSCKFWInstance_GetMDInstance
 NSS_IMPLEMENT NSSArena *
 NSSCKFWInstance_GetArena
 (
   NSSCKFWInstance *fwInstance,
   CK_RV *pError
 )
 {
 #ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSArena *)NULL;
   }
 
   *pError = nssCKFWInstance_verifyPointer(fwInstance);
   if( CKR_OK != *pError ) {
     return (NSSArena *)NULL;
   }
 #endif /* DEBUG */
@@ -1314,17 +1314,17 @@ NSS_IMPLEMENT NSSCKFWMutex *
 NSSCKFWInstance_CreateMutex
 (
   NSSCKFWInstance *fwInstance,
   NSSArena *arena,
   CK_RV *pError
 )
 {
 #ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKFWMutex *)NULL;
   }
 
   *pError = nssCKFWInstance_verifyPointer(fwInstance);
   if( CKR_OK != *pError ) {
     return (NSSCKFWMutex *)NULL;
   }
 #endif /* DEBUG */
--- a/security/nss/lib/ckfw/mechanism.c
+++ b/security/nss/lib/ckfw/mechanism.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: mechanism.c,v $ $Revision: 1.5 $ $Date: 2007/12/12 00:50:58 $";
+static const char CVS_ID[] = "@(#) $RCSfile: mechanism.c,v $ $Revision: 1.6 $ $Date: 2009/02/09 07:55:52 $";
 #endif /* DEBUG */
 
 /*
  * mechanism.c
  *
  * This file implements the NSSCKFWMechanism type and methods.
  */
 
@@ -113,17 +113,17 @@ nssCKFWMechanism_Create
   NSSCKMDInstance *mdInstance,
   NSSCKFWInstance *fwInstance
 )
 {
   NSSCKFWMechanism *fwMechanism;
 
 
   fwMechanism = nss_ZNEW(NULL, NSSCKFWMechanism);
-  if ((NSSCKFWMechanism *)NULL == fwMechanism) {
+  if (!fwMechanism) {
     return (NSSCKFWMechanism *)NULL;
   }
   fwMechanism->mdMechanism = mdMechanism;
   fwMechanism->mdToken = mdToken;
   fwMechanism->fwToken = fwToken;
   fwMechanism->mdInstance = mdInstance;
   fwMechanism->fwInstance = fwInstance;
   return fwMechanism;
@@ -136,17 +136,17 @@ nssCKFWMechanism_Create
 NSS_IMPLEMENT void
 nssCKFWMechanism_Destroy
 (
   NSSCKFWMechanism *fwMechanism
 )
 {
   /* destroy any fw resources held by nssCKFWMechanism (currently none) */
 
-  if ((void *)NULL == (void *)fwMechanism->mdMechanism->Destroy) {
+  if (!fwMechanism->mdMechanism->Destroy) {
     /* destroys it's parent as well */
     fwMechanism->mdMechanism->Destroy(
         fwMechanism->mdMechanism, 
         fwMechanism,
         fwMechanism->mdInstance,
         fwMechanism->fwInstance);
   }
   /* if the Destroy function wasn't supplied, then the mechanism is 'static',
@@ -173,17 +173,17 @@ nssCKFWMechanism_GetMDMechanism
  */
 NSS_IMPLEMENT CK_ULONG
 nssCKFWMechanism_GetMinKeySize
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GetMinKeySize) {
+  if (!fwMechanism->mdMechanism->GetMinKeySize) {
     return 0;
   }
 
   return fwMechanism->mdMechanism->GetMinKeySize(fwMechanism->mdMechanism,
     fwMechanism, fwMechanism->mdToken, fwMechanism->fwToken, 
     fwMechanism->mdInstance, fwMechanism->fwInstance, pError);
 }
 
@@ -193,17 +193,17 @@ nssCKFWMechanism_GetMinKeySize
  */
 NSS_IMPLEMENT CK_ULONG
 nssCKFWMechanism_GetMaxKeySize
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GetMaxKeySize) {
+  if (!fwMechanism->mdMechanism->GetMaxKeySize) {
     return 0;
   }
 
   return fwMechanism->mdMechanism->GetMaxKeySize(fwMechanism->mdMechanism,
     fwMechanism, fwMechanism->mdToken, fwMechanism->fwToken, 
     fwMechanism->mdInstance, fwMechanism->fwInstance, pError);
 }
 
@@ -213,17 +213,17 @@ nssCKFWMechanism_GetMaxKeySize
  */
 NSS_IMPLEMENT CK_BBOOL
 nssCKFWMechanism_GetInHardware
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GetInHardware) {
+  if (!fwMechanism->mdMechanism->GetInHardware) {
     return CK_FALSE;
   }
 
   return fwMechanism->mdMechanism->GetInHardware(fwMechanism->mdMechanism,
     fwMechanism, fwMechanism->mdToken, fwMechanism->fwToken, 
     fwMechanism->mdInstance, fwMechanism->fwInstance, pError);
 }
 
@@ -238,204 +238,204 @@ nssCKFWMechanism_GetInHardware
  */
 NSS_EXTERN CK_BBOOL
 nssCKFWMechanism_GetCanEncrypt
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->EncryptInit) {
+  if (!fwMechanism->mdMechanism->EncryptInit) {
     return CK_FALSE;
   }
   return CK_TRUE;
 }
 
 /*
  * nssCKFWMechanism_GetCanDecrypt
  *
  */
 NSS_EXTERN CK_BBOOL
 nssCKFWMechanism_GetCanDecrypt
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DecryptInit) {
+  if (!fwMechanism->mdMechanism->DecryptInit) {
     return CK_FALSE;
   }
   return CK_TRUE;
 }
 
 /*
  * nssCKFWMechanism_GetCanDigest
  *
  */
 NSS_EXTERN CK_BBOOL
 nssCKFWMechanism_GetCanDigest
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DigestInit) {
+  if (!fwMechanism->mdMechanism->DigestInit) {
     return CK_FALSE;
   }
   return CK_TRUE;
 }
 
 /*
  * nssCKFWMechanism_GetCanSign
  *
  */
 NSS_EXTERN CK_BBOOL
 nssCKFWMechanism_GetCanSign
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->SignInit) {
+  if (!fwMechanism->mdMechanism->SignInit) {
     return CK_FALSE;
   }
   return CK_TRUE;
 }
 
 /*
  * nssCKFWMechanism_GetCanSignRecover
  *
  */
 NSS_EXTERN CK_BBOOL
 nssCKFWMechanism_GetCanSignRecover
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->SignRecoverInit) {
+  if (!fwMechanism->mdMechanism->SignRecoverInit) {
     return CK_FALSE;
   }
   return CK_TRUE;
 }
 
 /*
  * nssCKFWMechanism_GetCanVerify
  *
  */
 NSS_EXTERN CK_BBOOL
 nssCKFWMechanism_GetCanVerify
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->VerifyInit) {
+  if (!fwMechanism->mdMechanism->VerifyInit) {
     return CK_FALSE;
   }
   return CK_TRUE;
 }
 
 /*
  * nssCKFWMechanism_GetCanVerifyRecover
  *
  */
 NSS_EXTERN CK_BBOOL
 nssCKFWMechanism_GetCanVerifyRecover
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->VerifyRecoverInit) {
+  if (!fwMechanism->mdMechanism->VerifyRecoverInit) {
     return CK_FALSE;
   }
   return CK_TRUE;
 }
 
 /*
  * nssCKFWMechanism_GetCanGenerate
  *
  */
 NSS_EXTERN CK_BBOOL
 nssCKFWMechanism_GetCanGenerate
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GenerateKey) {
+  if (!fwMechanism->mdMechanism->GenerateKey) {
     return CK_FALSE;
   }
   return CK_TRUE;
 }
 
 /*
  * nssCKFWMechanism_GetCanGenerateKeyPair
  *
  */
 NSS_EXTERN CK_BBOOL
 nssCKFWMechanism_GetCanGenerateKeyPair
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GenerateKeyPair) {
+  if (!fwMechanism->mdMechanism->GenerateKeyPair) {
     return CK_FALSE;
   }
   return CK_TRUE;
 }
 
 /*
  * nssCKFWMechanism_GetCanUnwrap
  *
  */
 NSS_EXTERN CK_BBOOL
 nssCKFWMechanism_GetCanUnwrap
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->UnwrapKey) {
+  if (!fwMechanism->mdMechanism->UnwrapKey) {
     return CK_FALSE;
   }
   return CK_TRUE;
 }
 
 /*
  * nssCKFWMechanism_GetCanWrap
  *
  */
 NSS_EXTERN CK_BBOOL
 nssCKFWMechanism_GetCanWrap
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->WrapKey) {
+  if (!fwMechanism->mdMechanism->WrapKey) {
     return CK_FALSE;
   }
   return CK_TRUE;
 }
 
 /*
  * nssCKFWMechanism_GetCanDerive
  *
  */
 NSS_EXTERN CK_BBOOL
 nssCKFWMechanism_GetCanDerive
 (
   NSSCKFWMechanism *fwMechanism,
   CK_RV *pError
 )
 {
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DeriveKey) {
+  if (!fwMechanism->mdMechanism->DeriveKey) {
     return CK_FALSE;
   }
   return CK_TRUE;
 }
 
 /*
  * These are the actual crypto operations
  */
@@ -457,21 +457,21 @@ nssCKFWMechanism_EncryptInit
   NSSCKMDCryptoOperation *mdOperation;
   NSSCKMDSession *mdSession;
   NSSCKMDObject  *mdObject;
   CK_RV  error = CKR_OK;
 
 
   fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
                         NSSCKFWCryptoOperationState_EncryptDecrypt);
-  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+  if (fwOperation) {
     return CKR_OPERATION_ACTIVE;
   }
 
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->EncryptInit) {
+  if (!fwMechanism->mdMechanism->EncryptInit) {
     return CKR_FUNCTION_FAILED;
   }
 
   mdSession = nssCKFWSession_GetMDSession(fwSession);
   mdObject = nssCKFWObject_GetMDObject(fwObject);
   mdOperation = fwMechanism->mdMechanism->EncryptInit(
         fwMechanism->mdMechanism,
         fwMechanism,
@@ -481,25 +481,25 @@ nssCKFWMechanism_EncryptInit
         fwMechanism->mdToken,
         fwMechanism->fwToken,
         fwMechanism->mdInstance,
         fwMechanism->fwInstance,
         mdObject,
         fwObject,
         &error
   );
-  if ((NSSCKMDCryptoOperation *)NULL == mdOperation) {
+  if (!mdOperation) {
     goto loser;
   }
 
   fwOperation = nssCKFWCryptoOperation_Create(mdOperation, 
         mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken,
         fwMechanism->mdInstance, fwMechanism->fwInstance,
         NSSCKFWCryptoOperationType_Encrypt, &error);
-  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+  if (fwOperation) {
     nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation,
                 NSSCKFWCryptoOperationState_EncryptDecrypt);
   }
 
 loser:
   return error;
 }
 
@@ -520,21 +520,21 @@ nssCKFWMechanism_DecryptInit
   NSSCKMDCryptoOperation *mdOperation;
   NSSCKMDSession *mdSession;
   NSSCKMDObject  *mdObject;
   CK_RV  error = CKR_OK;
 
 
   fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
                         NSSCKFWCryptoOperationState_EncryptDecrypt);
-  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+  if (fwOperation) {
     return CKR_OPERATION_ACTIVE;
   }
 
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DecryptInit) {
+  if (!fwMechanism->mdMechanism->DecryptInit) {
     return CKR_FUNCTION_FAILED;
   }
 
   mdSession = nssCKFWSession_GetMDSession(fwSession);
   mdObject = nssCKFWObject_GetMDObject(fwObject);
   mdOperation = fwMechanism->mdMechanism->DecryptInit(
         fwMechanism->mdMechanism,
         fwMechanism,
@@ -544,25 +544,25 @@ nssCKFWMechanism_DecryptInit
         fwMechanism->mdToken,
         fwMechanism->fwToken,
         fwMechanism->mdInstance,
         fwMechanism->fwInstance,
         mdObject,
         fwObject,
         &error
   );
-  if ((NSSCKMDCryptoOperation *)NULL == mdOperation) {
+  if (!mdOperation) {
     goto loser;
   }
 
   fwOperation = nssCKFWCryptoOperation_Create(mdOperation, 
         mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken,
         fwMechanism->mdInstance, fwMechanism->fwInstance,
         NSSCKFWCryptoOperationType_Decrypt, &error);
-  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+  if (fwOperation) {
     nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation,
                 NSSCKFWCryptoOperationState_EncryptDecrypt);
   }
 
 loser:
   return error;
 }
 
@@ -581,46 +581,46 @@ nssCKFWMechanism_DigestInit
   NSSCKFWCryptoOperation *fwOperation;
   NSSCKMDCryptoOperation *mdOperation;
   NSSCKMDSession *mdSession;
   CK_RV  error = CKR_OK;
 
 
   fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
                         NSSCKFWCryptoOperationState_Digest);
-  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+  if (fwOperation) {
     return CKR_OPERATION_ACTIVE;
   }
 
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DigestInit) {
+  if (!fwMechanism->mdMechanism->DigestInit) {
     return CKR_FUNCTION_FAILED;
   }
 
   mdSession = nssCKFWSession_GetMDSession(fwSession);
   mdOperation = fwMechanism->mdMechanism->DigestInit(
         fwMechanism->mdMechanism,
         fwMechanism,
         pMechanism,
         mdSession,
         fwSession,
         fwMechanism->mdToken,
         fwMechanism->fwToken,
         fwMechanism->mdInstance,
         fwMechanism->fwInstance,
         &error
   );
-  if ((NSSCKMDCryptoOperation *)NULL == mdOperation) {
+  if (!mdOperation) {
     goto loser;
   }
 
   fwOperation = nssCKFWCryptoOperation_Create(mdOperation, 
         mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken,
         fwMechanism->mdInstance, fwMechanism->fwInstance,
         NSSCKFWCryptoOperationType_Digest, &error);
-  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+  if (fwOperation) {
     nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation,
                 NSSCKFWCryptoOperationState_Digest);
   }
 
 loser:
   return error;
 }
 
@@ -641,21 +641,21 @@ nssCKFWMechanism_SignInit
   NSSCKMDCryptoOperation *mdOperation;
   NSSCKMDSession *mdSession;
   NSSCKMDObject  *mdObject;
   CK_RV  error = CKR_OK;
 
 
   fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
                         NSSCKFWCryptoOperationState_SignVerify);
-  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+  if (fwOperation) {
     return CKR_OPERATION_ACTIVE;
   }
 
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->SignInit) {
+  if (!fwMechanism->mdMechanism->SignInit) {
     return CKR_FUNCTION_FAILED;
   }
 
   mdSession = nssCKFWSession_GetMDSession(fwSession);
   mdObject = nssCKFWObject_GetMDObject(fwObject);
   mdOperation = fwMechanism->mdMechanism->SignInit(
         fwMechanism->mdMechanism,
         fwMechanism,
@@ -665,25 +665,25 @@ nssCKFWMechanism_SignInit
         fwMechanism->mdToken,
         fwMechanism->fwToken,
         fwMechanism->mdInstance,
         fwMechanism->fwInstance,
         mdObject,
         fwObject,
         &error
   );
-  if ((NSSCKMDCryptoOperation *)NULL == mdOperation) {
+  if (!mdOperation) {
     goto loser;
   }
 
   fwOperation = nssCKFWCryptoOperation_Create(mdOperation, 
         mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken,
         fwMechanism->mdInstance, fwMechanism->fwInstance,
         NSSCKFWCryptoOperationType_Sign, &error);
-  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+  if (fwOperation) {
     nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation,
                 NSSCKFWCryptoOperationState_SignVerify);
   }
 
 loser:
   return error;
 }
 
@@ -704,21 +704,21 @@ nssCKFWMechanism_VerifyInit
   NSSCKMDCryptoOperation *mdOperation;
   NSSCKMDSession *mdSession;
   NSSCKMDObject  *mdObject;
   CK_RV  error = CKR_OK;
 
 
   fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
                         NSSCKFWCryptoOperationState_SignVerify);
-  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+  if (fwOperation) {
     return CKR_OPERATION_ACTIVE;
   }
 
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->VerifyInit) {
+  if (!fwMechanism->mdMechanism->VerifyInit) {
     return CKR_FUNCTION_FAILED;
   }
 
   mdSession = nssCKFWSession_GetMDSession(fwSession);
   mdObject = nssCKFWObject_GetMDObject(fwObject);
   mdOperation = fwMechanism->mdMechanism->VerifyInit(
         fwMechanism->mdMechanism,
         fwMechanism,
@@ -728,25 +728,25 @@ nssCKFWMechanism_VerifyInit
         fwMechanism->mdToken,
         fwMechanism->fwToken,
         fwMechanism->mdInstance,
         fwMechanism->fwInstance,
         mdObject,
         fwObject,
         &error
   );
-  if ((NSSCKMDCryptoOperation *)NULL == mdOperation) {
+  if (!mdOperation) {
     goto loser;
   }
 
   fwOperation = nssCKFWCryptoOperation_Create(mdOperation, 
         mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken,
         fwMechanism->mdInstance, fwMechanism->fwInstance,
         NSSCKFWCryptoOperationType_Verify, &error);
-  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+  if (fwOperation) {
     nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation,
                 NSSCKFWCryptoOperationState_SignVerify);
   }
 
 loser:
   return error;
 }
 
@@ -767,21 +767,21 @@ nssCKFWMechanism_SignRecoverInit
   NSSCKMDCryptoOperation *mdOperation;
   NSSCKMDSession *mdSession;
   NSSCKMDObject  *mdObject;
   CK_RV  error = CKR_OK;
 
 
   fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
                         NSSCKFWCryptoOperationState_SignVerify);
-  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+  if (fwOperation) {
     return CKR_OPERATION_ACTIVE;
   }
 
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->SignRecoverInit) {
+  if (!fwMechanism->mdMechanism->SignRecoverInit) {
     return CKR_FUNCTION_FAILED;
   }
 
   mdSession = nssCKFWSession_GetMDSession(fwSession);
   mdObject = nssCKFWObject_GetMDObject(fwObject);
   mdOperation = fwMechanism->mdMechanism->SignRecoverInit(
         fwMechanism->mdMechanism,
         fwMechanism,
@@ -791,25 +791,25 @@ nssCKFWMechanism_SignRecoverInit
         fwMechanism->mdToken,
         fwMechanism->fwToken,
         fwMechanism->mdInstance,
         fwMechanism->fwInstance,
         mdObject,
         fwObject,
         &error
   );
-  if ((NSSCKMDCryptoOperation *)NULL == mdOperation) {
+  if (!mdOperation) {
     goto loser;
   }
 
   fwOperation = nssCKFWCryptoOperation_Create(mdOperation, 
         mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken,
         fwMechanism->mdInstance, fwMechanism->fwInstance,
         NSSCKFWCryptoOperationType_SignRecover, &error);
-  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+  if (fwOperation) {
     nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation,
                 NSSCKFWCryptoOperationState_SignVerify);
   }
 
 loser:
   return error;
 }
 
@@ -830,21 +830,21 @@ nssCKFWMechanism_VerifyRecoverInit
   NSSCKMDCryptoOperation *mdOperation;
   NSSCKMDSession *mdSession;
   NSSCKMDObject  *mdObject;
   CK_RV  error = CKR_OK;
 
 
   fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
                         NSSCKFWCryptoOperationState_SignVerify);
-  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+  if (fwOperation) {
     return CKR_OPERATION_ACTIVE;
   }
 
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->VerifyRecoverInit) {
+  if (!fwMechanism->mdMechanism->VerifyRecoverInit) {
     return CKR_FUNCTION_FAILED;
   }
 
   mdSession = nssCKFWSession_GetMDSession(fwSession);
   mdObject = nssCKFWObject_GetMDObject(fwObject);
   mdOperation = fwMechanism->mdMechanism->VerifyRecoverInit(
         fwMechanism->mdMechanism,
         fwMechanism,
@@ -854,25 +854,25 @@ nssCKFWMechanism_VerifyRecoverInit
         fwMechanism->mdToken,
         fwMechanism->fwToken,
         fwMechanism->mdInstance,
         fwMechanism->fwInstance,
         mdObject,
         fwObject,
         &error
   );
-  if ((NSSCKMDCryptoOperation *)NULL == mdOperation) {
+  if (!mdOperation) {
     goto loser;
   }
 
   fwOperation = nssCKFWCryptoOperation_Create(mdOperation, 
         mdSession, fwSession, fwMechanism->mdToken, fwMechanism->fwToken,
         fwMechanism->mdInstance, fwMechanism->fwInstance,
         NSSCKFWCryptoOperationType_VerifyRecover, &error);
-  if ((NSSCKFWCryptoOperation *)NULL != fwOperation) {
+  if (fwOperation) {
     nssCKFWSession_SetCurrentCryptoOperation(fwSession, fwOperation,
                 NSSCKFWCryptoOperationState_SignVerify);
   }
 
 loser:
   return error;
 }
 
@@ -890,23 +890,23 @@ nssCKFWMechanism_GenerateKey
   CK_RV            *pError
 )
 {
   NSSCKMDSession *mdSession;
   NSSCKMDObject  *mdObject;
   NSSCKFWObject  *fwObject = NULL;
   NSSArena       *arena;
 
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GenerateKey) {
+  if (!fwMechanism->mdMechanism->GenerateKey) {
     *pError = CKR_FUNCTION_FAILED;
     return (NSSCKFWObject *)NULL;
   }
 
   arena = nssCKFWToken_GetArena(fwMechanism->fwToken, pError);
-  if ((NSSArena *)NULL == arena) {
+  if (!arena) {
     if (CKR_OK == *pError) {
       *pError = CKR_GENERAL_ERROR;
     }
     return (NSSCKFWObject *)NULL;
   }
 
   mdSession = nssCKFWSession_GetMDSession(fwSession);
   mdObject = fwMechanism->mdMechanism->GenerateKey(
@@ -918,17 +918,17 @@ nssCKFWMechanism_GenerateKey
         fwMechanism->mdToken,
         fwMechanism->fwToken,
         fwMechanism->mdInstance,
         fwMechanism->fwInstance,
         pTemplate,
         ulAttributeCount,
         pError);
 
-  if ((NSSCKMDObject *)NULL == mdObject) {
+  if (!mdObject) {
     return (NSSCKFWObject *)NULL;
   }
 
   fwObject = nssCKFWObject_Create(arena, mdObject, 
         fwSession, fwMechanism->fwToken, fwMechanism->fwInstance, pError);
 
   return fwObject;
 }
@@ -951,22 +951,22 @@ nssCKFWMechanism_GenerateKeyPair
 )
 {
   NSSCKMDSession *mdSession;
   NSSCKMDObject  *mdPublicKeyObject;
   NSSCKMDObject  *mdPrivateKeyObject;
   NSSArena       *arena;
   CK_RV         error = CKR_OK;
 
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->GenerateKey) {
+  if (!fwMechanism->mdMechanism->GenerateKey) {
     return CKR_FUNCTION_FAILED;
   }
 
   arena = nssCKFWToken_GetArena(fwMechanism->fwToken, &error);
-  if ((NSSArena *)NULL == arena) {
+  if (!arena) {
     if (CKR_OK == error) {
       error = CKR_GENERAL_ERROR;
     }
     return error;
   }
 
   mdSession = nssCKFWSession_GetMDSession(fwSession);
   error = fwMechanism->mdMechanism->GenerateKeyPair(
@@ -987,17 +987,17 @@ nssCKFWMechanism_GenerateKeyPair
         &mdPrivateKeyObject);
 
   if (CKR_OK != error) {
     return error;
   }
 
   *fwPublicKeyObject = nssCKFWObject_Create(arena, mdPublicKeyObject, 
         fwSession, fwMechanism->fwToken, fwMechanism->fwInstance, &error);
-  if ((NSSCKFWObject *)NULL == *fwPublicKeyObject) {
+  if (!*fwPublicKeyObject) {
     return error;
   }
   *fwPrivateKeyObject = nssCKFWObject_Create(arena, mdPrivateKeyObject, 
         fwSession, fwMechanism->fwToken, fwMechanism->fwInstance, &error);
 
   return error;
 }
 
@@ -1014,17 +1014,17 @@ nssCKFWMechanism_GetWrapKeyLength
   NSSCKFWObject    *fwKeyObject,
   CK_RV                   *pError
 )
 {
   NSSCKMDSession *mdSession;
   NSSCKMDObject  *mdWrappingKeyObject;
   NSSCKMDObject  *mdKeyObject;
 
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->WrapKey) {
+  if (!fwMechanism->mdMechanism->WrapKey) {
     *pError = CKR_FUNCTION_FAILED;
     return (CK_ULONG) 0;
   }
 
   mdSession = nssCKFWSession_GetMDSession(fwSession);
   mdWrappingKeyObject = nssCKFWObject_GetMDObject(fwWrappingKeyObject);
   mdKeyObject = nssCKFWObject_GetMDObject(fwKeyObject);
   return fwMechanism->mdMechanism->GetWrapKeyLength(
@@ -1057,17 +1057,17 @@ nssCKFWMechanism_WrapKey
   NSSCKFWObject    *fwKeyObject,
   NSSItem          *wrappedKey
 )
 {
   NSSCKMDSession *mdSession;
   NSSCKMDObject  *mdWrappingKeyObject;
   NSSCKMDObject  *mdKeyObject;
 
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->WrapKey) {
+  if (!fwMechanism->mdMechanism->WrapKey) {
     return CKR_FUNCTION_FAILED;
   }
 
   mdSession = nssCKFWSession_GetMDSession(fwSession);
   mdWrappingKeyObject = nssCKFWObject_GetMDObject(fwWrappingKeyObject);
   mdKeyObject = nssCKFWObject_GetMDObject(fwKeyObject);
   return fwMechanism->mdMechanism->WrapKey(
         fwMechanism->mdMechanism,
@@ -1103,27 +1103,27 @@ nssCKFWMechanism_UnwrapKey
 )
 {
   NSSCKMDSession *mdSession;
   NSSCKMDObject  *mdObject;
   NSSCKMDObject  *mdWrappingKeyObject;
   NSSCKFWObject  *fwObject = NULL;
   NSSArena       *arena;
 
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->UnwrapKey) {
+  if (!fwMechanism->mdMechanism->UnwrapKey) {
     /* we could simulate UnwrapKey using Decrypt and Create object, but
      * 1) it's not clear that would work well, and 2) the low level token
      * may want to restrict unwrap key for a reason, so just fail it it
      * can't be done */
     *pError = CKR_FUNCTION_FAILED;
     return (NSSCKFWObject *)NULL;
   }
 
   arena = nssCKFWToken_GetArena(fwMechanism->fwToken, pError);
-  if ((NSSArena *)NULL == arena) {
+  if (!arena) {
     if (CKR_OK == *pError) {
       *pError = CKR_GENERAL_ERROR;
     }
     return (NSSCKFWObject *)NULL;
   }
 
   mdSession = nssCKFWSession_GetMDSession(fwSession);
   mdWrappingKeyObject = nssCKFWObject_GetMDObject(fwWrappingKeyObject);
@@ -1139,17 +1139,17 @@ nssCKFWMechanism_UnwrapKey
         fwMechanism->fwInstance,
         mdWrappingKeyObject,
         fwWrappingKeyObject,
         wrappedKey,
         pTemplate,
         ulAttributeCount,
         pError);
 
-  if ((NSSCKMDObject *)NULL == mdObject) {
+  if (!mdObject) {
     return (NSSCKFWObject *)NULL;
   }
 
   fwObject = nssCKFWObject_Create(arena, mdObject, 
         fwSession, fwMechanism->fwToken, fwMechanism->fwInstance, pError);
 
   return fwObject;
 }
@@ -1170,23 +1170,23 @@ nssCKFWMechanism_DeriveKey
 )
 {
   NSSCKMDSession *mdSession;
   NSSCKMDObject  *mdObject;
   NSSCKMDObject  *mdBaseKeyObject;
   NSSCKFWObject  *fwObject = NULL;
   NSSArena       *arena;
 
-  if ( (void *)NULL == (void *)fwMechanism->mdMechanism->DeriveKey) {
+  if (!fwMechanism->mdMechanism->DeriveKey) {
     *pError = CKR_FUNCTION_FAILED;
     return (NSSCKFWObject *)NULL;
   }
 
   arena = nssCKFWToken_GetArena(fwMechanism->fwToken, pError);
-  if ((NSSArena *)NULL == arena) {
+  if (!arena) {
     if (CKR_OK == *pError) {
       *pError = CKR_GENERAL_ERROR;
     }
     return (NSSCKFWObject *)NULL;
   }
 
   mdSession = nssCKFWSession_GetMDSession(fwSession);
   mdBaseKeyObject = nssCKFWObject_GetMDObject(fwBaseKeyObject);
@@ -1201,17 +1201,17 @@ nssCKFWMechanism_DeriveKey
         fwMechanism->mdInstance,
         fwMechanism->fwInstance,
         mdBaseKeyObject,
         fwBaseKeyObject,
         pTemplate,
         ulAttributeCount,
         pError);
 
-  if ((NSSCKMDObject *)NULL == mdObject) {
+  if (!mdObject) {
     return (NSSCKFWObject *)NULL;
   }
 
   fwObject = nssCKFWObject_Create(arena, mdObject, 
         fwSession, fwMechanism->fwToken, fwMechanism->fwInstance, pError);
 
   return fwObject;
 }
--- a/security/nss/lib/ckfw/mutex.c
+++ b/security/nss/lib/ckfw/mutex.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: mutex.c,v $ $Revision: 1.8 $ $Date: 2008/06/06 01:15:32 $";
+static const char CVS_ID[] = "@(#) $RCSfile: mutex.c,v $ $Revision: 1.9 $ $Date: 2009/02/09 07:55:52 $";
 #endif /* DEBUG */
 
 /*
  * mutex.c
  *
  * This file implements a mutual-exclusion locking facility for Modules
  * using the NSS Cryptoki Framework.
  */
@@ -122,17 +122,17 @@ nssCKFWMutex_Create
   CryptokiLockingState LockingState,
   NSSArena *arena,
   CK_RV *pError
 )
 {
   NSSCKFWMutex *mutex;
   
   mutex = nss_ZNEW(arena, NSSCKFWMutex);
-  if( (NSSCKFWMutex *)NULL == mutex ) {
+  if (!mutex) {
     *pError = CKR_HOST_MEMORY;
     return (NSSCKFWMutex *)NULL;
   }
   *pError = CKR_OK;
   mutex->lock = NULL;
   if (LockingState == MultiThreaded) {
     mutex->lock = PR_NewLock();
     if (!mutex->lock) {
--- a/security/nss/lib/ckfw/object.c
+++ b/security/nss/lib/ckfw/object.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: object.c,v $ $Revision: 1.15 $ $Date: 2007/12/12 00:41:37 $";
+static const char CVS_ID[] = "@(#) $RCSfile: object.c,v $ $Revision: 1.16 $ $Date: 2009/02/09 07:55:53 $";
 #endif /* DEBUG */
 
 /*
  * object.c
  *
  * This file implements the NSSCKFWObject type and methods.
  */
 
@@ -154,61 +154,61 @@ nssCKFWObject_Create
   NSSCKFWInstance *fwInstance,
   CK_RV *pError
 )
 {
   NSSCKFWObject *fwObject;
   nssCKFWHash *mdObjectHash;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKFWObject *)NULL;
   }
 
   if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
     *pError = CKR_ARGUMENTS_BAD;
     return (NSSCKFWObject *)NULL;
   }
 #endif /* NSSDEBUG */
 
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     *pError = CKR_ARGUMENTS_BAD;
     return (NSSCKFWObject *)NULL;
   }
   mdObjectHash = nssCKFWToken_GetMDObjectHash(fwToken);
-  if( (nssCKFWHash *)NULL == mdObjectHash ) {
+  if (!mdObjectHash) {
     *pError = CKR_GENERAL_ERROR;
     return (NSSCKFWObject *)NULL;
   }
 
   if( nssCKFWHash_Exists(mdObjectHash, mdObject) ) {
     fwObject = nssCKFWHash_Lookup(mdObjectHash, mdObject);
     return fwObject;
   }
 
   fwObject = nss_ZNEW(arena, NSSCKFWObject);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     *pError = CKR_HOST_MEMORY;
     return (NSSCKFWObject *)NULL;
   }
 
   fwObject->arena = arena;
   fwObject->mdObject = mdObject;
   fwObject->fwSession = fwSession;
 
-  if( (NSSCKFWSession *)NULL != fwSession ) {
+  if (fwSession) {
     fwObject->mdSession = nssCKFWSession_GetMDSession(fwSession);
   }
 
   fwObject->fwToken = fwToken;
   fwObject->mdToken = nssCKFWToken_GetMDToken(fwToken);
   fwObject->fwInstance = fwInstance;
   fwObject->mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
   fwObject->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
-  if( (NSSCKFWMutex *)NULL == fwObject->mutex ) {
+  if (!fwObject->mutex) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
     return (NSSCKFWObject *)NULL;
   }
 
   *pError = nssCKFWHash_Add(mdObjectHash, mdObject, fwObject);
   if( CKR_OK != *pError ) {
@@ -245,25 +245,25 @@ nssCKFWObject_Finalize
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
     return;
   }
 #endif /* NSSDEBUG */
 
   (void)nssCKFWMutex_Destroy(fwObject->mutex);
 
-  if( (void *)NULL != (void *)fwObject->mdObject->Finalize ) {
+  if (fwObject->mdObject->Finalize) {
     fwObject->mdObject->Finalize(fwObject->mdObject, fwObject,
       fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
       fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance);
   }
 
   if (removeFromHash) {
     mdObjectHash = nssCKFWToken_GetMDObjectHash(fwObject->fwToken);
-    if( (nssCKFWHash *)NULL != mdObjectHash ) {
+    if (mdObjectHash) {
       nssCKFWHash_Remove(mdObjectHash, fwObject->mdObject);
     }
  }
 
   if (fwObject->fwSession) {
     nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
   }
   nss_ZFreeIf(fwObject);
@@ -290,24 +290,24 @@ nssCKFWObject_Destroy
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
     return;
   }
 #endif /* NSSDEBUG */
 
   (void)nssCKFWMutex_Destroy(fwObject->mutex);
 
-  if( (void *)NULL != (void *)fwObject->mdObject->Destroy ) {
+  if (fwObject->mdObject->Destroy) {
     fwObject->mdObject->Destroy(fwObject->mdObject, fwObject,
       fwObject->mdSession, fwObject->fwSession, fwObject->mdToken,
       fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance);
   }
 
   mdObjectHash = nssCKFWToken_GetMDObjectHash(fwObject->fwToken);
-  if( (nssCKFWHash *)NULL != mdObjectHash ) {
+  if (mdObjectHash) {
     nssCKFWHash_Remove(mdObjectHash, fwObject->mdObject);
   }
 
   if (fwObject->fwSession) {
     nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
   }
   nss_ZFreeIf(fwObject);
 
@@ -344,17 +344,17 @@ nssCKFWObject_GetMDObject
 NSS_IMPLEMENT NSSArena *
 nssCKFWObject_GetArena
 (
   NSSCKFWObject *fwObject,
   CK_RV *pError
 )
 {
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSArena *)NULL;
   }
 
   *pError = nssCKFWObject_verifyPointer(fwObject);
   if( CKR_OK != *pError ) {
     return (NSSArena *)NULL;
   }
 #endif /* NSSDEBUG */
@@ -425,27 +425,27 @@ nssCKFWObject_IsTokenObject
   CK_BBOOL b = CK_FALSE;
 
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWObject_verifyPointer(fwObject) ) {
     return CK_FALSE;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwObject->mdObject->IsTokenObject ) {
+  if (!fwObject->mdObject->IsTokenObject) {
     NSSItem item;
     NSSItem *pItem;
     CK_RV rv = CKR_OK;
 
     item.data = (void *)&b;
     item.size = sizeof(b);
 
     pItem = nssCKFWObject_GetAttribute(fwObject, CKA_TOKEN, &item, 
       (NSSArena *)NULL, &rv);
-    if( (NSSItem *)NULL == pItem ) {
+    if (!pItem) {
       /* Error of some type */
       b = CK_FALSE;
       goto done;
     }
 
     goto done;
   }
 
@@ -466,27 +466,27 @@ nssCKFWObject_GetAttributeCount
 (
   NSSCKFWObject *fwObject,
   CK_RV *pError
 )
 {
   CK_ULONG rv;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (CK_ULONG)0;
   }
 
   *pError = nssCKFWObject_verifyPointer(fwObject);
   if( CKR_OK != *pError ) {
     return (CK_ULONG)0;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeCount ) {
+  if (!fwObject->mdObject->GetAttributeCount) {
     *pError = CKR_GENERAL_ERROR;
     return (CK_ULONG)0;
   }
 
   *pError = nssCKFWMutex_Lock(fwObject->mutex);
   if( CKR_OK != *pError ) {
     return (CK_ULONG)0;
   }
@@ -520,17 +520,17 @@ nssCKFWObject_GetAttributeTypes
     return error;
   }
 
   if( (CK_ATTRIBUTE_TYPE_PTR)NULL == typeArray ) {
     return CKR_ARGUMENTS_BAD;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeTypes ) {
+  if (!fwObject->mdObject->GetAttributeTypes) {
     return CKR_GENERAL_ERROR;
   }
 
   error = nssCKFWMutex_Lock(fwObject->mutex);
   if( CKR_OK != error ) {
     return error;
   }
 
@@ -553,27 +553,27 @@ nssCKFWObject_GetAttributeSize
   NSSCKFWObject *fwObject,
   CK_ATTRIBUTE_TYPE attribute,
   CK_RV *pError
 )
 {
   CK_ULONG rv;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (CK_ULONG)0;
   }
 
   *pError = nssCKFWObject_verifyPointer(fwObject);
   if( CKR_OK != *pError ) {
     return (CK_ULONG)0;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwObject->mdObject->GetAttributeSize ) {
+  if (!fwObject->mdObject->GetAttributeSize) {
     *pError = CKR_GENERAL_ERROR;
     return (CK_ULONG )0;
   }
 
   *pError = nssCKFWMutex_Lock(fwObject->mutex);
   if( CKR_OK != *pError ) {
     return (CK_ULONG)0;
   }
@@ -606,65 +606,65 @@ nssCKFWObject_GetAttribute
   NSSArena *arenaOpt,
   CK_RV *pError
 )
 {
   NSSItem *rv = (NSSItem *)NULL;
   NSSCKFWItem mdItem;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSItem *)NULL;
   }
 
   *pError = nssCKFWObject_verifyPointer(fwObject);
   if( CKR_OK != *pError ) {
     return (NSSItem *)NULL;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwObject->mdObject->GetAttribute ) {
+  if (!fwObject->mdObject->GetAttribute) {
     *pError = CKR_GENERAL_ERROR;
     return (NSSItem *)NULL;
   }
 
   *pError = nssCKFWMutex_Lock(fwObject->mutex);
   if( CKR_OK != *pError ) {
     return (NSSItem *)NULL;
   }
 
   mdItem = fwObject->mdObject->GetAttribute(fwObject->mdObject, fwObject,
     fwObject->mdSession, fwObject->fwSession, fwObject->mdToken, 
     fwObject->fwToken, fwObject->mdInstance, fwObject->fwInstance,
     attribute, pError);
 
-  if( (NSSItem *)NULL == mdItem.item ) {
+  if (!mdItem.item) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
 
     goto done;
   }
 
-  if( (NSSItem *)NULL == itemOpt ) {
+  if (!itemOpt) {
     rv = nss_ZNEW(arenaOpt, NSSItem);
-    if( (NSSItem *)NULL == rv ) {
+    if (!rv) {
       *pError = CKR_HOST_MEMORY;
       goto done;
     }
   } else {
     rv = itemOpt;
   }
 
-  if( (void *)NULL == rv->data ) {
+  if (!rv->data) {
     rv->size = mdItem.item->size;
     rv->data = nss_ZAlloc(arenaOpt, rv->size);
-    if( (void *)NULL == rv->data ) {
+    if (!rv->data) {
       *pError = CKR_HOST_MEMORY;
-      if( (NSSItem *)NULL == itemOpt ) {
+      if (!itemOpt) {
         nss_ZFreeIf(rv);
       }
       rv = (NSSItem *)NULL;
       goto done;
     }
   } else {
     if( rv->size >= mdItem.item->size ) {
       rv->size = mdItem.item->size;
@@ -724,17 +724,17 @@ nssCKFWObject_SetAttribute
     NSSCKFWObject swab;
 
     a.type = CKA_TOKEN;
     a.pValue = value->data;
     a.ulValueLen = value->size;
 
     newFwObject = nssCKFWSession_CopyObject(fwSession, fwObject,
                     &a, 1, &error);
-    if( (NSSCKFWObject *)NULL == newFwObject ) {
+    if (!newFwObject) {
       if( CKR_OK == error ) {
         error = CKR_GENERAL_ERROR;
       }
       return error;
     }
 
     /*
      * Actually, I bet the locking is worse than this.. this part of
@@ -794,17 +794,17 @@ nssCKFWObject_SetAttribute
      */
     nssCKFWObject_Destroy(newFwObject);
 
     return CKR_OK;
   } else {
     /*
      * An "ordinary" change.
      */
-    if( (void *)NULL == (void *)fwObject->mdObject->SetAttribute ) {
+    if (!fwObject->mdObject->SetAttribute) {
       /* We could fake it with copying, like above.. later */
       return CKR_ATTRIBUTE_READ_ONLY;
     }
 
     error = nssCKFWMutex_Lock(fwObject->mutex);
     if( CKR_OK != error ) {
       return error;
     }
@@ -829,27 +829,27 @@ nssCKFWObject_GetObjectSize
 (
   NSSCKFWObject *fwObject,
   CK_RV *pError
 )
 {
   CK_ULONG rv;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (CK_ULONG)0;
   }
 
   *pError = nssCKFWObject_verifyPointer(fwObject);
   if( CKR_OK != *pError ) {
     return (CK_ULONG)0;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwObject->mdObject->GetObjectSize ) {
+  if (!fwObject->mdObject->GetObjectSize) {
     *pError = CKR_INFORMATION_SENSITIVE;
     return (CK_ULONG)0;
   }
 
   *pError = nssCKFWMutex_Lock(fwObject->mutex);
   if( CKR_OK != *pError ) {
     return (CK_ULONG)0;
   }
@@ -889,17 +889,17 @@ NSSCKFWObject_GetMDObject
 NSS_IMPLEMENT NSSArena *
 NSSCKFWObject_GetArena
 (
   NSSCKFWObject *fwObject,
   CK_RV *pError
 )
 {
 #ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSArena *)NULL;
   }
 
   *pError = nssCKFWObject_verifyPointer(fwObject);
   if( CKR_OK != *pError ) {
     return (NSSArena *)NULL;
   }
 #endif /* DEBUG */
@@ -933,17 +933,17 @@ NSSCKFWObject_IsTokenObject
 NSS_IMPLEMENT CK_ULONG
 NSSCKFWObject_GetAttributeCount
 (
   NSSCKFWObject *fwObject,
   CK_RV *pError
 )
 {
 #ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (CK_ULONG)0;
   }
 
   *pError = nssCKFWObject_verifyPointer(fwObject);
   if( CKR_OK != *pError ) {
     return (CK_ULONG)0;
   }
 #endif /* DEBUG */
@@ -987,17 +987,17 @@ NSS_IMPLEMENT CK_ULONG
 NSSCKFWObject_GetAttributeSize
 (
   NSSCKFWObject *fwObject,
   CK_ATTRIBUTE_TYPE attribute,
   CK_RV *pError
 )
 {
 #ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (CK_ULONG)0;
   }
 
   *pError = nssCKFWObject_verifyPointer(fwObject);
   if( CKR_OK != *pError ) {
     return (CK_ULONG)0;
   }
 #endif /* DEBUG */
@@ -1015,17 +1015,17 @@ NSSCKFWObject_GetAttribute
   NSSCKFWObject *fwObject,
   CK_ATTRIBUTE_TYPE attribute,
   NSSItem *itemOpt,
   NSSArena *arenaOpt,
   CK_RV *pError
 )
 {
 #ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSItem *)NULL;
   }
 
   *pError = nssCKFWObject_verifyPointer(fwObject);
   if( CKR_OK != *pError ) {
     return (NSSItem *)NULL;
   }
 #endif /* DEBUG */
@@ -1040,17 +1040,17 @@ NSSCKFWObject_GetAttribute
 NSS_IMPLEMENT CK_ULONG
 NSSCKFWObject_GetObjectSize
 (
   NSSCKFWObject *fwObject,
   CK_RV *pError
 )
 {
 #ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (CK_ULONG)0;
   }
 
   *pError = nssCKFWObject_verifyPointer(fwObject);
   if( CKR_OK != *pError ) {
     return (CK_ULONG)0;
   }
 #endif /* DEBUG */
--- a/security/nss/lib/ckfw/session.c
+++ b/security/nss/lib/ckfw/session.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: session.c,v $ $Revision: 1.12 $ $Date: 2007/10/06 01:41:28 $";
+static const char CVS_ID[] = "@(#) $RCSfile: session.c,v $ $Revision: 1.13 $ $Date: 2009/02/09 07:55:53 $";
 #endif /* DEBUG */
 
 /*
  * session.c
  *
  * This file implements the NSSCKFWSession type and methods.
  */
 
@@ -174,34 +174,34 @@ nssCKFWSession_Create
   CK_RV *pError
 )
 {
   NSSArena *arena = (NSSArena *)NULL;
   NSSCKFWSession *fwSession;
   NSSCKFWSlot *fwSlot;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKFWSession *)NULL;
   }
 
   *pError = nssCKFWToken_verifyPointer(fwToken);
   if( CKR_OK != *pError ) {
     return (NSSCKFWSession *)NULL;
   }
 #endif /* NSSDEBUG */
 
   arena = NSSArena_Create();
-  if( (NSSArena *)NULL == arena ) {
+  if (!arena) {
     *pError = CKR_HOST_MEMORY;
     return (NSSCKFWSession *)NULL;
   }
 
   fwSession = nss_ZNEW(arena, NSSCKFWSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     *pError = CKR_HOST_MEMORY;
     goto loser;
   }
 
   fwSession->arena = arena;
   fwSession->mdSession = (NSSCKMDSession *)NULL; /* set later */
   fwSession->fwToken = fwToken;
   fwSession->mdToken = nssCKFWToken_GetMDToken(fwToken);
@@ -212,35 +212,35 @@ nssCKFWSession_Create
 
   fwSession->rw = rw;
   fwSession->pApplication = pApplication;
   fwSession->Notify = Notify;
 
   fwSession->fwFindObjects = (NSSCKFWFindObjects *)NULL;
 
   fwSession->sessionObjectHash = nssCKFWHash_Create(fwSession->fwInstance, arena, pError);
-  if( (nssCKFWHash *)NULL == fwSession->sessionObjectHash ) {
+  if (!fwSession->sessionObjectHash) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
     goto loser;
   }
 
 #ifdef DEBUG
   *pError = session_add_pointer(fwSession);
   if( CKR_OK != *pError ) {
     goto loser;
   }
 #endif /* DEBUG */
 
   return fwSession;
 
  loser:
-  if( (NSSArena *)NULL != arena ) {
-    if( fwSession && (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
+  if (arena) {
+    if (fwSession &&   fwSession->sessionObjectHash) {
       (void)nssCKFWHash_Destroy(fwSession->sessionObjectHash);
     }
     NSSArena_Destroy(arena);
   }
 
   return (NSSCKFWSession *)NULL;
 }
 
@@ -289,17 +289,17 @@ nssCKFWSession_Destroy
   sessionObjectHash = fwSession->sessionObjectHash;
   fwSession->sessionObjectHash = (nssCKFWHash *)NULL;
 
   nssCKFWHash_Iterate(sessionObjectHash, 
                       nss_ckfw_session_object_destroy_iterator, 
                       (void *)NULL);
 
   for (i=0; i < NSSCKFWCryptoOperationState_Max; i++) {
-    if ((NSSCKFWCryptoOperation *)NULL != fwSession->fwOperationArray[i]) {
+    if (fwSession->fwOperationArray[i]) {
       nssCKFWCryptoOperation_Destroy(fwSession->fwOperationArray[i]);
     }
   }
 
 #ifdef DEBUG
   (void)session_remove_pointer(fwSession);
 #endif /* DEBUG */
   (void)nssCKFWHash_Destroy(sessionObjectHash);
@@ -334,17 +334,17 @@ nssCKFWSession_GetMDSession
 NSS_IMPLEMENT NSSArena *
 nssCKFWSession_GetArena
 (
   NSSCKFWSession *fwSession,
   CK_RV *pError
 )
 {
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSArena *)NULL;
   }
 
   *pError = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != *pError ) {
     return (NSSArena *)NULL;
   }
 #endif /* NSSDEBUG */
@@ -495,18 +495,18 @@ nssCKFWSession_SetFWFindObjects
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
   /* fwFindObjects may be null */
 #endif /* NSSDEBUG */
 
-  if( ((NSSCKFWFindObjects *)NULL != fwSession->fwFindObjects) &&
-      ((NSSCKFWFindObjects *)NULL != fwFindObjects) ) {
+  if ((fwSession->fwFindObjects) &&
+      (fwFindObjects)) {
     return CKR_OPERATION_ACTIVE;
   }
 
   fwSession->fwFindObjects = fwFindObjects;
 
   return CKR_OK;
 }
 
@@ -517,27 +517,27 @@ nssCKFWSession_SetFWFindObjects
 NSS_IMPLEMENT NSSCKFWFindObjects *
 nssCKFWSession_GetFWFindObjects
 (
   NSSCKFWSession *fwSession,
   CK_RV *pError
 )
 {
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKFWFindObjects *)NULL;
   }
 
   *pError = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != *pError ) {
     return (NSSCKFWFindObjects *)NULL;
   }
 #endif /* NSSDEBUG */
 
-  if( (NSSCKFWFindObjects *)NULL == fwSession->fwFindObjects ) {
+  if (!fwSession->fwFindObjects) {
     *pError = CKR_OPERATION_NOT_INITIALIZED;
     return (NSSCKFWFindObjects *)NULL;
   }
 
   return fwSession->fwFindObjects;
 }
 
 /*
@@ -556,22 +556,22 @@ nssCKFWSession_SetMDSession
 #endif /* NSSDEBUG */
 
 #ifdef NSSDEBUG
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSCKMDSession *)NULL == mdSession ) {
+  if (!mdSession) {
     return CKR_ARGUMENTS_BAD;
   }
 #endif /* NSSDEBUG */
 
-  if( (NSSCKMDSession *)NULL != fwSession->mdSession ) {
+  if (fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 
   fwSession->mdSession = mdSession;
 
   return CKR_OK;
 }
 
@@ -639,17 +639,17 @@ nssCKFWSession_RegisterSessionObject
   CK_RV rv = CKR_OK;
 
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
-  if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
+  if (fwSession->sessionObjectHash) {
     rv = nssCKFWHash_Add(fwSession->sessionObjectHash, fwObject, fwObject);
   }
 
   return rv;
 }
 
 /*
  * nssCKFWSession_DeregisterSessionObject
@@ -663,17 +663,17 @@ nssCKFWSession_DeregisterSessionObject
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
-  if( (nssCKFWHash *)NULL != fwSession->sessionObjectHash ) {
+  if (fwSession->sessionObjectHash) {
     nssCKFWHash_Remove(fwSession->sessionObjectHash, fwObject);
   }
 
   return CKR_OK;
 }
 
 /*
  * nssCKFWSession_GetDeviceError
@@ -685,22 +685,22 @@ nssCKFWSession_GetDeviceError
   NSSCKFWSession *fwSession
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWSession_verifyPointer(fwSession) ) {
     return (CK_ULONG)0;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return (CK_ULONG)0;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwSession->mdSession->GetDeviceError ) {
+  if (!fwSession->mdSession->GetDeviceError) {
     return (CK_ULONG)0;
   }
 
   return fwSession->mdSession->GetDeviceError(fwSession->mdSession, 
     fwSession, fwSession->mdToken, fwSession->fwToken, 
     fwSession->mdInstance, fwSession->fwInstance);
 }
 
@@ -729,23 +729,23 @@ nssCKFWSession_Login
   switch( userType ) {
   case CKU_SO:
   case CKU_USER:
     break;
   default:
     return CKR_USER_TYPE_INVALID;
   }
 
-  if( (NSSItem *)NULL == pin ) {
+  if (!pin) {
     if( CK_TRUE != nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken) ) {
       return CKR_ARGUMENTS_BAD;
     }
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
   oldState = nssCKFWToken_GetSessionState(fwSession->fwToken);
 
   /*
    * It's not clear what happens when you're already logged in.
@@ -797,17 +797,17 @@ nssCKFWSession_Login
   /*
    * So now we're in one of three cases:
    *
    * Old == CKS_RW_PUBLIC_SESSION, New == CKS_RW_SO_FUNCTIONS;
    * Old == CKS_RW_PUBLIC_SESSION, New == CKS_RW_USER_FUNCTIONS;
    * Old == CKS_RO_PUBLIC_SESSION, New == CKS_RO_USER_FUNCTIONS;
    */
 
-  if( (void *)NULL == (void *)fwSession->mdSession->Login ) {
+  if (!fwSession->mdSession->Login) {
     /*
      * The Module doesn't want to be informed (or check the pin)
      * it'll just rely on the Framework as needed.
      */
     ;
   } else {
     error = fwSession->mdSession->Login(fwSession->mdSession, fwSession,
       fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
@@ -836,17 +836,17 @@ nssCKFWSession_Logout
   CK_STATE newState;
 
 #ifdef NSSDEBUG
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
   oldState = nssCKFWToken_GetSessionState(fwSession->fwToken);
 
   switch( oldState ) {
   case CKS_RO_PUBLIC_SESSION:
@@ -869,17 +869,17 @@ nssCKFWSession_Logout
   /*
    * So now we're in one of three cases:
    *
    * Old == CKS_RW_SO_FUNCTIONS,   New == CKS_RW_PUBLIC_SESSION;
    * Old == CKS_RW_USER_FUNCTIONS, New == CKS_RW_PUBLIC_SESSION;
    * Old == CKS_RO_USER_FUNCTIONS, New == CKS_RO_PUBLIC_SESSION;
    */
 
-  if( (void *)NULL == (void *)fwSession->mdSession->Logout ) {
+  if (!fwSession->mdSession->Logout) {
     /*
      * The Module doesn't want to be informed.  Okay.
      */
     ;
   } else {
     error = fwSession->mdSession->Logout(fwSession->mdSession, fwSession,
       fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
       fwSession->fwInstance, oldState, newState);
@@ -911,34 +911,34 @@ nssCKFWSession_InitPIN
   CK_STATE state;
 
 #ifdef NSSDEBUG
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
   state = nssCKFWToken_GetSessionState(fwSession->fwToken);
   if( CKS_RW_SO_FUNCTIONS != state ) {
     return CKR_USER_NOT_LOGGED_IN;
   }
 
-  if( (NSSItem *)NULL == pin ) {
+  if (!pin) {
     CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
     if( CK_TRUE != has ) {
       return CKR_ARGUMENTS_BAD;
     }
   }
 
-  if( (void *)NULL == (void *)fwSession->mdSession->InitPIN ) {
+  if (!fwSession->mdSession->InitPIN) {
     return CKR_TOKEN_WRITE_PROTECTED;
   }
 
   error = fwSession->mdSession->InitPIN(fwSession->mdSession, fwSession,
     fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
     fwSession->fwInstance, pin);
 
   return error;
@@ -959,36 +959,36 @@ nssCKFWSession_SetPIN
   CK_RV error = CKR_OK;
 
 #ifdef NSSDEBUG
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
-  if( (NSSItem *)NULL == newPin ) {
+  if (!newPin) {
     CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
     if( CK_TRUE != has ) {
       return CKR_ARGUMENTS_BAD;
     }
   }
 
-  if( (NSSItem *)NULL == oldPin ) {
+  if (!oldPin) {
     CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
     if( CK_TRUE != has ) {
       return CKR_ARGUMENTS_BAD;
     }
   }
 
-  if( (void *)NULL == (void *)fwSession->mdSession->SetPIN ) {
+  if (!fwSession->mdSession->SetPIN) {
     return CKR_TOKEN_WRITE_PROTECTED;
   }
 
   error = fwSession->mdSession->SetPIN(fwSession->mdSession, fwSession,
     fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
     fwSession->fwInstance, newPin, oldPin);
 
   return error;
@@ -1004,32 +1004,32 @@ nssCKFWSession_GetOperationStateLen
   NSSCKFWSession *fwSession,
   CK_RV *pError
 )
 {
   CK_ULONG mdAmt;
   CK_ULONG fwAmt;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (CK_ULONG)0;
   }
 
   *pError = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != *pError ) {
     return (CK_ULONG)0;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     *pError = CKR_GENERAL_ERROR;
     return (CK_ULONG)0;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwSession->mdSession->GetOperationStateLen ) {
+  if (!fwSession->mdSession->GetOperationStateLen) {
     *pError = CKR_STATE_UNSAVEABLE;
     return (CK_ULONG)0;
   }
 
   /*
    * We could check that the session is actually in some state..
    */
 
@@ -1067,30 +1067,30 @@ nssCKFWSession_GetOperationState
   CK_ULONG n, i;
 
 #ifdef NSSDEBUG
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSItem *)NULL == buffer ) {
+  if (!buffer) {
     return CKR_ARGUMENTS_BAD;
   }
 
-  if( (void *)NULL == buffer->data ) {
+  if (!buffer->data) {
     return CKR_ARGUMENTS_BAD;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwSession->mdSession->GetOperationState ) {
+  if (!fwSession->mdSession->GetOperationState) {
     return CKR_STATE_UNSAVEABLE;
   }
 
   /*
    * Sanity-check the caller's buffer.
    */
 
   error = CKR_OK;
@@ -1154,39 +1154,39 @@ nssCKFWSession_SetOperationState
   NSSCKMDObject *mdak;
 
 #ifdef NSSDEBUG
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSItem *)NULL == state ) {
+  if (!state) {
     return CKR_ARGUMENTS_BAD;
   }
 
-  if( (void *)NULL == state->data ) {
+  if (!state->data) {
     return CKR_ARGUMENTS_BAD;
   }
 
-  if( (NSSCKFWObject *)NULL != encryptionKey ) {
+  if (encryptionKey) {
     error = nssCKFWObject_verifyPointer(encryptionKey);
     if( CKR_OK != error ) {
       return error;
     }
   }
 
-  if( (NSSCKFWObject *)NULL != authenticationKey ) {
+  if (authenticationKey) {
     error = nssCKFWObject_verifyPointer(authenticationKey);
     if( CKR_OK != error ) {
       return error;
     }
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
   ulBuffer = (CK_ULONG *)state->data;
   if( 0x43b4657 != ulBuffer[0] ) {
     return CKR_SAVED_STATE_INVALID;
   }
@@ -1195,30 +1195,30 @@ nssCKFWSession_SetOperationState
   for( i = 0; i < n; i++ ) {
     x ^= ulBuffer[2+i];
   }
 
   if( x != ulBuffer[1] ) {
     return CKR_SAVED_STATE_INVALID;
   }
 
-  if( (void *)NULL == (void *)fwSession->mdSession->SetOperationState ) {
+  if (!fwSession->mdSession->SetOperationState) {
     return CKR_GENERAL_ERROR;
   }
 
   s.size = state->size - 2*sizeof(CK_ULONG);
   s.data = (void *)&ulBuffer[2];
 
-  if( (NSSCKFWObject *)NULL != encryptionKey ) {
+  if (encryptionKey) {
     mdek = nssCKFWObject_GetMDObject(encryptionKey);
   } else {
     mdek = (NSSCKMDObject *)NULL;
   }
 
-  if( (NSSCKFWObject *)NULL != authenticationKey ) {
+  if (authenticationKey) {
     mdak = nssCKFWObject_GetMDObject(authenticationKey);
   } else {
     mdak = (NSSCKMDObject *)NULL;
   }
 
   error = fwSession->mdSession->SetOperationState(fwSession->mdSession, 
     fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
     fwSession->fwInstance, &s, mdek, encryptionKey, mdak, authenticationKey);
@@ -1273,74 +1273,74 @@ nssCKFWSession_CreateObject
 )
 {
   NSSArena *arena;
   NSSCKMDObject *mdObject;
   NSSCKFWObject *fwObject;
   CK_BBOOL isTokenObject;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKFWObject *)NULL;
   }
 
   *pError = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != pError ) {
     return (NSSCKFWObject *)NULL;
   }
 
   if( (CK_ATTRIBUTE_PTR)NULL == pTemplate ) {
     *pError = CKR_ARGUMENTS_BAD;
     return (NSSCKFWObject *)NULL;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     *pError = CKR_GENERAL_ERROR;
     return (NSSCKFWObject *)NULL;
   }
 #endif /* NSSDEBUG */
 
   /*
    * Here would be an excellent place to sanity-check the object.
    */
 
   isTokenObject = nss_attributes_form_token_object(pTemplate, ulAttributeCount);
   if( CK_TRUE == isTokenObject ) {
     /* === TOKEN OBJECT === */
 
-    if( (void *)NULL == (void *)fwSession->mdSession->CreateObject ) {
+    if (!fwSession->mdSession->CreateObject) {
       *pError = CKR_TOKEN_WRITE_PROTECTED;
       return (NSSCKFWObject *)NULL;
     }
 
     arena = nssCKFWToken_GetArena(fwSession->fwToken, pError);
-    if( (NSSArena *)NULL == arena ) {
+    if (!arena) {
       if( CKR_OK == *pError ) {
         *pError = CKR_GENERAL_ERROR;
       }
       return (NSSCKFWObject *)NULL;
     }
 
     goto callmdcreateobject;
   } else {
     /* === SESSION OBJECT === */
 
     arena = nssCKFWSession_GetArena(fwSession, pError);
-    if( (NSSArena *)NULL == arena ) {
+    if (!arena) {
       if( CKR_OK == *pError ) {
         *pError = CKR_GENERAL_ERROR;
       }
       return (NSSCKFWObject *)NULL;
     }
 
     if( CK_TRUE == nssCKFWInstance_GetModuleHandlesSessionObjects(
                      fwSession->fwInstance) ) {
       /* --- module handles the session object -- */
 
-      if( (void *)NULL == (void *)fwSession->mdSession->CreateObject ) {
+      if (!fwSession->mdSession->CreateObject) {
         *pError = CKR_GENERAL_ERROR;
         return (NSSCKFWObject *)NULL;
       }
       
       goto callmdcreateobject;
     } else {
       /* --- framework handles the session object -- */
       mdObject = nssCKMDSessionObject_Create(fwSession->fwToken, 
@@ -1351,32 +1351,32 @@ nssCKFWSession_CreateObject
 
  callmdcreateobject:
   mdObject = fwSession->mdSession->CreateObject(fwSession->mdSession,
     fwSession, fwSession->mdToken, fwSession->fwToken,
     fwSession->mdInstance, fwSession->fwInstance, arena, pTemplate,
     ulAttributeCount, pError);
 
  gotmdobject:
-  if( (NSSCKMDObject *)NULL == mdObject ) {
+  if (!mdObject) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
     return (NSSCKFWObject *)NULL;
   }
 
   fwObject = nssCKFWObject_Create(arena, mdObject, 
     isTokenObject ? NULL : fwSession, 
     fwSession->fwToken, fwSession->fwInstance, pError);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
     
-    if( (void *)NULL != (void *)mdObject->Destroy ) {
+    if (mdObject->Destroy) {
       (void)mdObject->Destroy(mdObject, (NSSCKFWObject *)NULL,
         fwSession->mdSession, fwSession, fwSession->mdToken,
         fwSession->fwToken, fwSession->mdInstance, fwSession->fwInstance);
     }
     
     return (NSSCKFWObject *)NULL;
   }
 
@@ -1408,41 +1408,41 @@ nssCKFWSession_CopyObject
 )
 {
   CK_BBOOL oldIsToken;
   CK_BBOOL newIsToken;
   CK_ULONG i;
   NSSCKFWObject *rv;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKFWObject *)NULL;
   }
 
   *pError = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != *pError ) {
     return (NSSCKFWObject *)NULL;
   }
 
   *pError = nssCKFWObject_verifyPointer(fwObject);
   if( CKR_OK != *pError ) {
     return (NSSCKFWObject *)NULL;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     *pError = CKR_GENERAL_ERROR;
     return (NSSCKFWObject *)NULL;
   }
 #endif /* NSSDEBUG */
 
   /*
    * Sanity-check object
    */
 
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     *pError = CKR_ARGUMENTS_BAD;
     return (NSSCKFWObject *)NULL;
   }
 
   oldIsToken = nssCKFWObject_IsTokenObject(fwObject);
 
   newIsToken = oldIsToken;
   for( i = 0; i < ulAttributeCount; i++ ) {
@@ -1453,44 +1453,44 @@ nssCKFWSession_CopyObject
     }
   }
 
   /*
    * If the Module handles its session objects, or if both the new
    * and old object are token objects, use CopyObject if it exists.
    */
 
-  if( ((void *)NULL != (void *)fwSession->mdSession->CopyObject) &&
+  if ((fwSession->mdSession->CopyObject) &&
       (((CK_TRUE == oldIsToken) && (CK_TRUE == newIsToken)) ||
        (CK_TRUE == nssCKFWInstance_GetModuleHandlesSessionObjects(
                      fwSession->fwInstance))) ) {
     /* use copy object */
     NSSArena *arena;
     NSSCKMDObject *mdOldObject;
     NSSCKMDObject *mdObject;
 
     mdOldObject = nssCKFWObject_GetMDObject(fwObject);
 
     if( CK_TRUE == newIsToken ) {
       arena = nssCKFWToken_GetArena(fwSession->fwToken, pError);
     } else {
       arena = nssCKFWSession_GetArena(fwSession, pError);
     }
-    if( (NSSArena *)NULL == arena ) {
+    if (!arena) {
       if( CKR_OK == *pError ) {
         *pError = CKR_GENERAL_ERROR;
       }
       return (NSSCKFWObject *)NULL;
     }
 
     mdObject = fwSession->mdSession->CopyObject(fwSession->mdSession,
       fwSession, fwSession->mdToken, fwSession->fwToken,
       fwSession->mdInstance, fwSession->fwInstance, mdOldObject,
       fwObject, arena, pTemplate, ulAttributeCount, pError);
-    if( (NSSCKMDObject *)NULL == mdObject ) {
+    if (!mdObject) {
       if( CKR_OK == *pError ) {
         *pError = CKR_GENERAL_ERROR;
       }
       return (NSSCKFWObject *)NULL;
     }
 
     rv = nssCKFWObject_Create(arena, mdObject, 
       newIsToken ? NULL : fwSession,
@@ -1511,17 +1511,17 @@ nssCKFWSession_CopyObject
     /* use create object */
     NSSArena *tmpArena;
     CK_ATTRIBUTE_PTR newTemplate;
     CK_ULONG i, j, n, newLength, k;
     CK_ATTRIBUTE_TYPE_PTR oldTypes;
     NSSCKFWObject *rv;
     
     tmpArena = NSSArena_Create();
-    if( (NSSArena *)NULL == tmpArena ) {
+    if (!tmpArena) {
       *pError = CKR_HOST_MEMORY;
       return (NSSCKFWObject *)NULL;
     }
 
     n = nssCKFWObject_GetAttributeCount(fwObject, pError);
     if( (0 == n) && (CKR_OK != *pError) ) {
       return (NSSCKFWObject *)NULL;
     }
@@ -1582,33 +1582,33 @@ nssCKFWSession_CopyObject
       }
       if( i == ulAttributeCount ) {
         /* This attribute is being copied over from the old object */
         NSSItem item, *it;
         item.size = 0;
         item.data = (void *)NULL;
         it = nssCKFWObject_GetAttribute(fwObject, oldTypes[j],
           &item, tmpArena, pError);
-        if( (NSSItem *)NULL == it ) {
+        if (!it) {
           if( CKR_OK == *pError ) {
             *pError = CKR_GENERAL_ERROR;
           }
           NSSArena_Destroy(tmpArena);
           return (NSSCKFWObject *)NULL;
         }
         newTemplate[k].type = oldTypes[j];
         newTemplate[k].pValue = it->data;
         newTemplate[k].ulValueLen = it->size;
         k++;
       }
     }
     /* assert that k == newLength */
 
     rv = nssCKFWSession_CreateObject(fwSession, newTemplate, newLength, pError);
-    if( (NSSCKFWObject *)NULL == rv ) {
+    if (!rv) {
       if( CKR_OK == *pError ) {
         *pError = CKR_GENERAL_ERROR;
       }
       NSSArena_Destroy(tmpArena);
       return (NSSCKFWObject *)NULL;
     }
 
     NSSArena_Destroy(tmpArena);
@@ -1628,31 +1628,31 @@ nssCKFWSession_FindObjectsInit
   CK_ULONG ulAttributeCount,
   CK_RV *pError
 )
 {
   NSSCKMDFindObjects *mdfo1 = (NSSCKMDFindObjects *)NULL;
   NSSCKMDFindObjects *mdfo2 = (NSSCKMDFindObjects *)NULL;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKFWFindObjects *)NULL;
   }
 
   *pError = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != *pError ) {
     return (NSSCKFWFindObjects *)NULL;
   }
 
   if( ((CK_ATTRIBUTE_PTR)NULL == pTemplate) && (ulAttributeCount != 0) ) {
     *pError = CKR_ARGUMENTS_BAD;
     return (NSSCKFWFindObjects *)NULL;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     *pError = CKR_GENERAL_ERROR;
     return (NSSCKFWFindObjects *)NULL;
   }
 #endif /* NSSDEBUG */
 
   if( CK_TRUE != nssCKFWInstance_GetModuleHandlesSessionObjects(
                    fwSession->fwInstance) ) {
     CK_ULONG i;
@@ -1669,31 +1669,31 @@ nssCKFWSession_FindObjectsInit
         if( sizeof(CK_BBOOL) != pTemplate[i].ulValueLen ) {
           *pError = CKR_ATTRIBUTE_VALUE_INVALID;
           return (NSSCKFWFindObjects *)NULL;
         }
         (void)nsslibc_memcpy(&isToken, pTemplate[i].pValue, sizeof(CK_BBOOL));
 
         if( CK_TRUE == isToken ) {
           /* Pass it on to the module's search routine */
-          if( (void *)NULL == (void *)fwSession->mdSession->FindObjectsInit ) {
+          if (!fwSession->mdSession->FindObjectsInit) {
             goto wrap;
           }
 
           mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
                     fwSession, fwSession->mdToken, fwSession->fwToken,
                     fwSession->mdInstance, fwSession->fwInstance, 
                     pTemplate, ulAttributeCount, pError);
         } else {
           /* Do the search ourselves */
           mdfo1 = nssCKMDFindSessionObjects_Create(fwSession->fwToken, 
                     pTemplate, ulAttributeCount, pError);
         }
 
-        if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
+        if (!mdfo1) {
           if( CKR_OK == *pError ) {
             *pError = CKR_GENERAL_ERROR;
           }
           return (NSSCKFWFindObjects *)NULL;
         }
         
         goto wrap;
       }
@@ -1701,30 +1701,30 @@ nssCKFWSession_FindObjectsInit
 
     if( i == ulAttributeCount ) {
       /* No, it doesn't.  Do a hybrid search. */
       mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
                 fwSession, fwSession->mdToken, fwSession->fwToken,
                 fwSession->mdInstance, fwSession->fwInstance, 
                 pTemplate, ulAttributeCount, pError);
 
-      if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
+      if (!mdfo1) {
         if( CKR_OK == *pError ) {
           *pError = CKR_GENERAL_ERROR;
         }
         return (NSSCKFWFindObjects *)NULL;
       }
 
       mdfo2 = nssCKMDFindSessionObjects_Create(fwSession->fwToken,
                 pTemplate, ulAttributeCount, pError);
-      if( (NSSCKMDFindObjects *)NULL == mdfo2 ) {
+      if (!mdfo2) {
         if( CKR_OK == *pError ) {
           *pError = CKR_GENERAL_ERROR;
         }
-        if( (void *)NULL != (void *)mdfo1->Final ) {
+        if (mdfo1->Final) {
           mdfo1->Final(mdfo1, (NSSCKFWFindObjects *)NULL, fwSession->mdSession,
             fwSession, fwSession->mdToken, fwSession->fwToken, 
             fwSession->mdInstance, fwSession->fwInstance);
         }
         return (NSSCKFWFindObjects *)NULL;
       }
 
       goto wrap;
@@ -1732,17 +1732,17 @@ nssCKFWSession_FindObjectsInit
     /*NOTREACHED*/
   } else {
     /* Module handles all its own objects.  Pass on to module's search */
     mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
               fwSession, fwSession->mdToken, fwSession->fwToken,
               fwSession->mdInstance, fwSession->fwInstance, 
               pTemplate, ulAttributeCount, pError);
 
-    if( (NSSCKMDFindObjects *)NULL == mdfo1 ) {
+    if (!mdfo1) {
       if( CKR_OK == *pError ) {
         *pError = CKR_GENERAL_ERROR;
       }
       return (NSSCKFWFindObjects *)NULL;
     }
 
     goto wrap;
   }
@@ -1766,34 +1766,34 @@ nssCKFWSession_SeedRandom
   CK_RV error = CKR_OK;
 
 #ifdef NSSDEBUG
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSItem *)NULL == seed ) {
+  if (!seed) {
     return CKR_ARGUMENTS_BAD;
   }
 
-  if( (void *)NULL == seed->data ) {
+  if (!seed->data) {
     return CKR_ARGUMENTS_BAD;
   }
 
   if( 0 == seed->size ) {
     return CKR_ARGUMENTS_BAD;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwSession->mdSession->SeedRandom ) {
+  if (!fwSession->mdSession->SeedRandom) {
     return CKR_RANDOM_SEED_NOT_SUPPORTED;
   }
 
   error = fwSession->mdSession->SeedRandom(fwSession->mdSession, fwSession,
     fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
     fwSession->fwInstance, seed);
 
   return error;
@@ -1813,30 +1813,30 @@ nssCKFWSession_GetRandom
   CK_RV error = CKR_OK;
 
 #ifdef NSSDEBUG
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSItem *)NULL == buffer ) {
+  if (!buffer) {
     return CKR_ARGUMENTS_BAD;
   }
 
-  if( (void *)NULL == buffer->data ) {
+  if (!buffer->data) {
     return CKR_ARGUMENTS_BAD;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwSession->mdSession->GetRandom ) {
+  if (!fwSession->mdSession->GetRandom) {
     if( CK_TRUE == nssCKFWToken_GetHasRNG(fwSession->fwToken) ) {
       return CKR_GENERAL_ERROR;
     } else {
       return CKR_RANDOM_NO_RNG;
     }
   }
 
   if( 0 == buffer->size ) {
@@ -1868,17 +1868,17 @@ nssCKFWSession_SetCurrentCryptoOperation
   if( CKR_OK != error ) {
     return;
   }
 
   if ( state >= NSSCKFWCryptoOperationState_Max) {
     return;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return;
   }
 #endif /* NSSDEBUG */
   fwSession->fwOperationArray[state] = fwOperation;
   return;
 }
 
 /*
@@ -1897,17 +1897,17 @@ nssCKFWSession_GetCurrentCryptoOperation
   if( CKR_OK != error ) {
     return (NSSCKFWCryptoOperation *)NULL;
   }
 
   if ( state >= NSSCKFWCryptoOperationState_Max) {
     return (NSSCKFWCryptoOperation *)NULL;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return (NSSCKFWCryptoOperation *)NULL;
   }
 #endif /* NSSDEBUG */
   return fwSession->fwOperationArray[state];
 }
 
 /*
  * nssCKFWSession_Final
@@ -1927,24 +1927,24 @@ nssCKFWSession_Final
   CK_RV error = CKR_OK;
 
 #ifdef NSSDEBUG
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
   /* make sure we have a valid operation initialized */
   fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state);
-  if ((NSSCKFWCryptoOperation *)NULL == fwOperation) {
+  if (!fwOperation) {
     return CKR_OPERATION_NOT_INITIALIZED;
   }
 
   /* make sure it's the correct type */
   if (type != nssCKFWCryptoOperation_GetType(fwOperation)) {
     return CKR_OPERATION_NOT_INITIALIZED;
   }
 
@@ -2007,24 +2007,24 @@ nssCKFWSession_Update
   CK_RV error = CKR_OK;
 
 #ifdef NSSDEBUG
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
   /* make sure we have a valid operation initialized */
   fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state);
-  if ((NSSCKFWCryptoOperation *)NULL == fwOperation) {
+  if (!fwOperation) {
     return CKR_OPERATION_NOT_INITIALIZED;
   }
 
   /* make sure it's the correct type */
   if (type != nssCKFWCryptoOperation_GetType(fwOperation)) {
     return CKR_OPERATION_NOT_INITIALIZED;
   }
 
@@ -2072,24 +2072,24 @@ nssCKFWSession_DigestUpdate
   CK_RV error = CKR_OK;
 
 #ifdef NSSDEBUG
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
   /* make sure we have a valid operation initialized */
   fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state);
-  if ((NSSCKFWCryptoOperation *)NULL == fwOperation) {
+  if (!fwOperation) {
     return CKR_OPERATION_NOT_INITIALIZED;
   }
 
   /* make sure it's the correct type */
   if (type != nssCKFWCryptoOperation_GetType(fwOperation)) {
     return CKR_OPERATION_NOT_INITIALIZED;
   }
 
@@ -2116,42 +2116,42 @@ nssCKFWSession_DigestKey
   CK_RV error = CKR_OK;
 
 #ifdef NSSDEBUG
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
   /* make sure we have a valid operation initialized */
   fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
                                  NSSCKFWCryptoOperationState_Digest);
-  if ((NSSCKFWCryptoOperation *)NULL == fwOperation) {
+  if (!fwOperation) {
     return CKR_OPERATION_NOT_INITIALIZED;
   }
 
   /* make sure it's the correct type */
   if (NSSCKFWCryptoOperationType_Digest != 
       nssCKFWCryptoOperation_GetType(fwOperation)) {
     return CKR_OPERATION_NOT_INITIALIZED;
   }
 
   error = nssCKFWCryptoOperation_DigestKey(fwOperation, fwKey);
   if (CKR_FUNCTION_FAILED != error) {
     return error;
   }
 
   /* no machine depended way for this to happen, do it by hand */
   inputBuffer=nssCKFWObject_GetAttribute(fwKey, CKA_VALUE, NULL, NULL, &error);
-  if ((NSSItem *)NULL == inputBuffer) {
+  if (!inputBuffer) {
     /* couldn't get the value, just fail then */
     return error;
   }
   error = nssCKFWCryptoOperation_DigestUpdate(fwOperation, inputBuffer);
   nssItem_Destroy(inputBuffer);
   return error;
 }
 
@@ -2177,24 +2177,24 @@ nssCKFWSession_UpdateFinal
   CK_RV error = CKR_OK;
 
 #ifdef NSSDEBUG
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
   /* make sure we have a valid operation initialized */
   fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state);
-  if ((NSSCKFWCryptoOperation *)NULL == fwOperation) {
+  if (!fwOperation) {
     return CKR_OPERATION_NOT_INITIALIZED;
   }
 
   /* make sure it's the correct type */
   if (type != nssCKFWCryptoOperation_GetType(fwOperation)) {
     return CKR_OPERATION_NOT_INITIALIZED;
   }
 
@@ -2284,36 +2284,36 @@ nssCKFWSession_UpdateCombo
   CK_RV error = CKR_OK;
 
 #ifdef NSSDEBUG
   error = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSCKMDSession *)NULL == fwSession->mdSession ) {
+  if (!fwSession->mdSession) {
     return CKR_GENERAL_ERROR;
   }
 #endif /* NSSDEBUG */
 
   /* make sure we have a valid operation initialized */
   fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
                 NSSCKFWCryptoOperationState_EncryptDecrypt);
-  if ((NSSCKFWCryptoOperation *)NULL == fwOperation) {
+  if (!fwOperation) {
     return CKR_OPERATION_NOT_INITIALIZED;
   }
 
   /* make sure it's the correct type */
   if (encryptType != nssCKFWCryptoOperation_GetType(fwOperation)) {
     return CKR_OPERATION_NOT_INITIALIZED;
   }
   /* make sure we have a valid operation initialized */
   fwPeerOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, 
                   digestState);
-  if ((NSSCKFWCryptoOperation *)NULL == fwPeerOperation) {
+  if (!fwPeerOperation) {
     return CKR_OPERATION_NOT_INITIALIZED;
   }
 
   /* make sure it's the correct type */
   if (digestType != nssCKFWCryptoOperation_GetType(fwOperation)) {
     return CKR_OPERATION_NOT_INITIALIZED;
   }
 
@@ -2392,17 +2392,17 @@ NSSCKFWSession_GetMDSession
 NSS_IMPLEMENT NSSArena *
 NSSCKFWSession_GetArena
 (
   NSSCKFWSession *fwSession,
   CK_RV *pError
 )
 {
 #ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSArena *)NULL;
   }
 
   *pError = nssCKFWSession_verifyPointer(fwSession);
   if( CKR_OK != *pError ) {
     return (NSSArena *)NULL;
   }
 #endif /* DEBUG */
--- a/security/nss/lib/ckfw/sessobj.c
+++ b/security/nss/lib/ckfw/sessobj.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: sessobj.c,v $ $Revision: 1.13 $ $Date: 2007/01/05 00:23:14 $";
+static const char CVS_ID[] = "@(#) $RCSfile: sessobj.c,v $ $Revision: 1.14 $ $Date: 2009/02/09 07:55:53 $";
 #endif /* DEBUG */
 
 /*
  * sessobj.c
  *
  * This file contains an NSSCKMDObject implementation for session 
  * objects.  The framework uses this implementation to manage
  * session objects when a Module doesn't wish to be bothered.
@@ -266,60 +266,60 @@ nssCKMDSessionObject_Create
   NSSCKMDObject *mdObject = (NSSCKMDObject *)NULL;
   nssCKMDSessionObject *mdso = (nssCKMDSessionObject *)NULL;
   CK_ULONG i;
   nssCKFWHash *hash;
 
   *pError = CKR_OK;
 
   mdso = nss_ZNEW(arena, nssCKMDSessionObject);
-  if( (nssCKMDSessionObject *)NULL == mdso ) {
+  if (!mdso) {
     goto loser;
   }
 
   mdso->arena = arena;
   mdso->n = ulCount;
   mdso->attributes = nss_ZNEWARRAY(arena, NSSItem, ulCount);
-  if( (NSSItem *)NULL == mdso->attributes ) {
+  if (!mdso->attributes) {
     goto loser;
   }
 
   mdso->types = nss_ZNEWARRAY(arena, CK_ATTRIBUTE_TYPE, ulCount);
   if (!mdso->types) {
     goto loser;
   }
   for( i = 0; i < ulCount; i++ ) {
     mdso->types[i] = attributes[i].type;
     mdso->attributes[i].size = attributes[i].ulValueLen;
     mdso->attributes[i].data = nss_ZAlloc(arena, attributes[i].ulValueLen);
-    if( (void *)NULL == mdso->attributes[i].data ) {
+    if (!mdso->attributes[i].data) {
       goto loser;
     }
     (void)nsslibc_memcpy(mdso->attributes[i].data, attributes[i].pValue,
       attributes[i].ulValueLen);
   }
 
   mdObject = nss_ZNEW(arena, NSSCKMDObject);
-  if( (NSSCKMDObject *)NULL == mdObject ) {
+  if (!mdObject) {
     goto loser;
   }
 
   mdObject->etc = (void *)mdso;
   mdObject->Finalize = nss_ckmdSessionObject_Finalize;
   mdObject->Destroy = nss_ckmdSessionObject_Destroy;
   mdObject->IsTokenObject = nss_ckmdSessionObject_IsTokenObject;
   mdObject->GetAttributeCount = nss_ckmdSessionObject_GetAttributeCount;
   mdObject->GetAttributeTypes = nss_ckmdSessionObject_GetAttributeTypes;
   mdObject->GetAttributeSize = nss_ckmdSessionObject_GetAttributeSize;
   mdObject->GetAttribute = nss_ckmdSessionObject_GetAttribute;
   mdObject->SetAttribute = nss_ckmdSessionObject_SetAttribute;
   mdObject->GetObjectSize = nss_ckmdSessionObject_GetObjectSize;
 
   hash = nssCKFWToken_GetSessionObjectHash(fwToken);
-  if( (nssCKFWHash *)NULL == hash ) {
+  if (!hash) {
     *pError = CKR_GENERAL_ERROR;
     goto loser;
   }
 
   mdso->hash = hash;
 
   *pError = nssCKFWHash_Add(hash, mdObject, mdObject);
   if( CKR_OK != *pError ) {
@@ -330,18 +330,18 @@ nssCKMDSessionObject_Create
   if(( *pError = nss_ckmdSessionObject_add_pointer(mdObject)) != CKR_OK ) {
     goto loser;
   }
 #endif /* DEBUG */
 
   return mdObject;
 
  loser:
-  if( (nssCKMDSessionObject *)NULL != mdso ) {
-    if( (NSSItem *)NULL != mdso->attributes ) {
+  if (mdso) {
+    if (mdso->attributes) {
       for( i = 0; i < ulCount; i++ ) {
         nss_ZFreeIf(mdso->attributes[i].data);
       }
       nss_ZFreeIf(mdso->attributes);
     }
     nss_ZFreeIf(mdso->types);
     nss_ZFreeIf(mdso);
   }
@@ -470,17 +470,17 @@ nss_ckmdSessionObject_GetAttributeCount
   NSSCKMDInstance *mdInstance,
   NSSCKFWInstance *fwInstance,
   CK_RV *pError
 )
 {
   nssCKMDSessionObject *obj;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return 0;
   }
 
   *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
   if( CKR_OK != *pError ) {
     return 0;
   }
 
@@ -555,17 +555,17 @@ nss_ckmdSessionObject_GetAttributeSize
   CK_ATTRIBUTE_TYPE attribute,
   CK_RV *pError
 )
 {
   nssCKMDSessionObject *obj;
   CK_ULONG i;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return 0;
   }
 
   *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
   if( CKR_OK != *pError ) {
     return 0;
   }
 
@@ -605,17 +605,17 @@ nss_ckmdSessionObject_GetAttribute
 {
   NSSCKFWItem item;
   nssCKMDSessionObject *obj;
   CK_ULONG i;
 
   item.needsFreeing = PR_FALSE;
   item.item = NULL;
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return item;
   }
 
   *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
   if( CKR_OK != *pError ) {
     return item;
   }
 
@@ -679,17 +679,17 @@ nss_ckmdSessionObject_SetAttribute
 
   /* We could even check all the other arguments, for sanity. */
 #endif /* NSSDEBUG */
 
   obj = (nssCKMDSessionObject *)mdObject->etc;
 
   n.size = value->size;
   n.data = nss_ZAlloc(obj->arena, n.size);
-  if( (void *)NULL == n.data ) {
+  if (!n.data) {
     return CKR_HOST_MEMORY;
   }
   (void)nsslibc_memcpy(n.data, value->data, n.size);
 
   for( i = 0; i < obj->n; i++ ) {
     if( attribute == obj->types[i] ) {
       nss_ZFreeIf(obj->attributes[i].data);
       obj->attributes[i] = n;
@@ -697,26 +697,26 @@ nss_ckmdSessionObject_SetAttribute
     }
   }
 
   /*
    * It's new.
    */
 
   ra = (NSSItem *)nss_ZRealloc(obj->attributes, sizeof(NSSItem) * (obj->n + 1));
-  if( (NSSItem *)NULL == ra ) {
+  if (!ra) {
     nss_ZFreeIf(n.data);
     return CKR_HOST_MEMORY;
   }
 
   rt = (CK_ATTRIBUTE_TYPE_PTR)nss_ZRealloc(obj->types, (obj->n + 1));
   if( (CK_ATTRIBUTE_TYPE_PTR)NULL == rt ) {
     nss_ZFreeIf(n.data);
     obj->attributes = (NSSItem *)nss_ZRealloc(ra, sizeof(NSSItem) * obj->n);
-    if( (NSSItem *)NULL == obj->attributes ) {
+    if (!obj->attributes) {
       return CKR_GENERAL_ERROR;
     }
     return CKR_HOST_MEMORY;
   }
 
   obj->attributes = ra;
   obj->types = rt;
   obj->attributes[obj->n] = n;
@@ -744,17 +744,17 @@ nss_ckmdSessionObject_GetObjectSize
   CK_RV *pError
 )
 {
   nssCKMDSessionObject *obj;
   CK_ULONG i;
   CK_ULONG rv = (CK_ULONG)0;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return 0;
   }
 
   *pError = nss_ckmdSessionObject_verifyPointer(mdObject);
   if( CKR_OK != *pError ) {
     return 0;
   }
 
@@ -962,17 +962,17 @@ nssCKMDFindSessionObjects_Create
 )
 {
   NSSArena *arena;
   nssCKMDFindSessionObjects *mdfso;
   nssCKFWHash *hash;
   NSSCKMDFindObjects *rv;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKMDFindObjects *)NULL;
   }
 
   *pError = nssCKFWToken_verifyPointer(fwToken);
   if( CKR_OK != *pError ) {
     return (NSSCKMDFindObjects *)NULL;
   }
 
@@ -980,29 +980,29 @@ nssCKMDFindSessionObjects_Create
     *pError = CKR_ARGUMENTS_BAD;
     return (NSSCKMDFindObjects *)NULL;
   }
 #endif /* NSSDEBUG */
 
   *pError = CKR_OK;
 
   hash = nssCKFWToken_GetSessionObjectHash(fwToken);
-  if( (nssCKFWHash *)NULL == hash ) {
+  if (!hash) {
     *pError= CKR_GENERAL_ERROR;
     return (NSSCKMDFindObjects *)NULL;
   }
 
   arena = NSSArena_Create();
-  if( (NSSArena *)NULL == arena ) {
+  if (!arena) {
     *pError = CKR_HOST_MEMORY;
     return (NSSCKMDFindObjects *)NULL;
   }
 
   mdfso = nss_ZNEW(arena, nssCKMDFindSessionObjects);
-  if( (nssCKMDFindSessionObjects *)NULL == mdfso ) {
+  if (!mdfso) {
     goto loser;
   }
 
   rv = nss_ZNEW(arena, NSSCKMDFindObjects);
   if(rv == NULL) {
     goto loser;
   }
 
@@ -1092,17 +1092,17 @@ nss_ckmdFindSessionObjects_Next
 #ifdef NSSDEBUG
   if( CKR_OK != nss_ckmdFindSessionObjects_verifyPointer(mdFindObjects) ) {
     return (NSSCKMDObject *)NULL;
   }
 #endif /* NSSDEBUG */
 
   mdfso = (nssCKMDFindSessionObjects *)mdFindObjects->etc;
 
-  while( (NSSCKMDObject *)NULL == rv ) {
+  while (!rv) {
     if( (struct nodeStr *)NULL == mdfso->list ) {
       *pError = CKR_OK;
       return (NSSCKMDObject *)NULL;
     }
 
     if( nssCKFWHash_Exists(mdfso->hash, mdfso->list->mdObject) ) {
       rv = mdfso->list->mdObject;
     }
--- a/security/nss/lib/ckfw/slot.c
+++ b/security/nss/lib/ckfw/slot.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: slot.c,v $ $Revision: 1.6 $ $Date: 2005/01/20 02:25:45 $";
+static const char CVS_ID[] = "@(#) $RCSfile: slot.c,v $ $Revision: 1.7 $ $Date: 2009/02/09 07:55:53 $";
 #endif /* DEBUG */
 
 /*
  * slot.c
  *
  * This file implements the NSSCKFWSlot type and methods.
  */
 
@@ -167,73 +167,73 @@ nssCKFWSlot_Create
   CK_RV *pError
 )
 {
   NSSCKFWSlot *fwSlot;
   NSSCKMDInstance *mdInstance;
   NSSArena *arena;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKFWSlot *)NULL;
   }
 
   *pError = nssCKFWInstance_verifyPointer(fwInstance);
   if( CKR_OK != *pError ) {
     return (NSSCKFWSlot *)NULL;
   }
 #endif /* NSSDEBUG */
 
   mdInstance = nssCKFWInstance_GetMDInstance(fwInstance);
-  if( (NSSCKMDInstance *)NULL == mdInstance ) {
+  if (!mdInstance) {
     *pError = CKR_GENERAL_ERROR;
     return (NSSCKFWSlot *)NULL;
   }
 
   arena = nssCKFWInstance_GetArena(fwInstance, pError);
-  if( (NSSArena *)NULL == arena ) {
+  if (!arena) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
   }
 
   fwSlot = nss_ZNEW(arena, NSSCKFWSlot);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     *pError = CKR_HOST_MEMORY;
     return (NSSCKFWSlot *)NULL;
   }
 
   fwSlot->mdSlot = mdSlot;
   fwSlot->fwInstance = fwInstance;
   fwSlot->mdInstance = mdInstance;
   fwSlot->slotID = slotID;
 
   fwSlot->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError);
-  if( (NSSCKFWMutex *)NULL == fwSlot->mutex ) {
+  if (!fwSlot->mutex) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
     (void)nss_ZFreeIf(fwSlot);
     return (NSSCKFWSlot *)NULL;
   }
 
-  if( (void *)NULL != (void *)mdSlot->Initialize ) {
+  if (mdSlot->Initialize) {
     *pError = CKR_OK;
     *pError = mdSlot->Initialize(mdSlot, fwSlot, mdInstance, fwInstance);
     if( CKR_OK != *pError ) {
       (void)nssCKFWMutex_Destroy(fwSlot->mutex);
       (void)nss_ZFreeIf(fwSlot);
       return (NSSCKFWSlot *)NULL;
     }
   }
 
 #ifdef DEBUG
   *pError = slot_add_pointer(fwSlot);
   if( CKR_OK != *pError ) {
-    if( (void *)NULL != (void *)mdSlot->Destroy ) {
+    if (mdSlot->Destroy) {
       mdSlot->Destroy(mdSlot, fwSlot, mdInstance, fwInstance);
     }
 
     (void)nssCKFWMutex_Destroy(fwSlot->mutex);
     (void)nss_ZFreeIf(fwSlot);
     return (NSSCKFWSlot *)NULL;
   }
 #endif /* DEBUG */
@@ -260,17 +260,17 @@ nssCKFWSlot_Destroy
   }
 #endif /* NSSDEBUG */
   if (fwSlot->fwToken) {
     nssCKFWToken_Destroy(fwSlot->fwToken);
   }
 
   (void)nssCKFWMutex_Destroy(fwSlot->mutex);
 
-  if( (void *)NULL != (void *)fwSlot->mdSlot->Destroy ) {
+  if (fwSlot->mdSlot->Destroy) {
     fwSlot->mdSlot->Destroy(fwSlot->mdSlot, fwSlot, 
       fwSlot->mdInstance, fwSlot->fwInstance);
   }
 
 #ifdef DEBUG
   error = slot_remove_pointer(fwSlot);
 #endif /* DEBUG */
   (void)nss_ZFreeIf(fwSlot);
@@ -379,22 +379,22 @@ nssCKFWSlot_GetSlotDescription
   }
 #endif /* NSSDEBUG */
 
   error = nssCKFWMutex_Lock(fwSlot->mutex);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSUTF8 *)NULL == fwSlot->slotDescription ) {
-    if( (void *)NULL != (void *)fwSlot->mdSlot->GetSlotDescription ) {
+  if (!fwSlot->slotDescription) {
+    if (fwSlot->mdSlot->GetSlotDescription) {
       fwSlot->slotDescription = fwSlot->mdSlot->GetSlotDescription(
         fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, 
         fwSlot->fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwSlot->slotDescription) && (CKR_OK != error) ) {
+      if ((!fwSlot->slotDescription) && (CKR_OK != error)) {
         goto done;
       }
     } else {
       fwSlot->slotDescription = (NSSUTF8 *) "";
     }
   }
 
   (void)nssUTF8_CopyIntoFixedBuffer(fwSlot->slotDescription, (char *)slotDescription, 64, ' ');
@@ -429,22 +429,22 @@ nssCKFWSlot_GetManufacturerID
   }
 #endif /* NSSDEBUG */
 
   error = nssCKFWMutex_Lock(fwSlot->mutex);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSUTF8 *)NULL == fwSlot->manufacturerID ) {
-    if( (void *)NULL != (void *)fwSlot->mdSlot->GetManufacturerID ) {
+  if (!fwSlot->manufacturerID) {
+    if (fwSlot->mdSlot->GetManufacturerID) {
       fwSlot->manufacturerID = fwSlot->mdSlot->GetManufacturerID(
         fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, 
         fwSlot->fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwSlot->manufacturerID) && (CKR_OK != error) ) {
+      if ((!fwSlot->manufacturerID) && (CKR_OK != error)) {
         goto done;
       }
     } else {
       fwSlot->manufacturerID = (NSSUTF8 *) "";
     }
   }
 
   (void)nssUTF8_CopyIntoFixedBuffer(fwSlot->manufacturerID, (char *)manufacturerID, 32, ' ');
@@ -466,17 +466,17 @@ nssCKFWSlot_GetTokenPresent
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
     return CK_FALSE;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwSlot->mdSlot->GetTokenPresent ) {
+  if (!fwSlot->mdSlot->GetTokenPresent) {
     return CK_TRUE;
   }
 
   return fwSlot->mdSlot->GetTokenPresent(fwSlot->mdSlot, fwSlot,
     fwSlot->mdInstance, fwSlot->fwInstance);
 }
 
 /*
@@ -490,17 +490,17 @@ nssCKFWSlot_GetRemovableDevice
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
     return CK_FALSE;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwSlot->mdSlot->GetRemovableDevice ) {
+  if (!fwSlot->mdSlot->GetRemovableDevice) {
     return CK_FALSE;
   }
 
   return fwSlot->mdSlot->GetRemovableDevice(fwSlot->mdSlot, fwSlot,
     fwSlot->mdInstance, fwSlot->fwInstance);
 }
 
 /*
@@ -514,17 +514,17 @@ nssCKFWSlot_GetHardwareSlot
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWSlot_verifyPointer(fwSlot) ) {
     return CK_FALSE;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwSlot->mdSlot->GetHardwareSlot ) {
+  if (!fwSlot->mdSlot->GetHardwareSlot) {
     return CK_FALSE;
   }
 
   return fwSlot->mdSlot->GetHardwareSlot(fwSlot->mdSlot, fwSlot,
     fwSlot->mdInstance, fwSlot->fwInstance);
 }
 
 /*
@@ -552,17 +552,17 @@ nssCKFWSlot_GetHardwareVersion
   }
 
   if( (0 != fwSlot->hardwareVersion.major) ||
       (0 != fwSlot->hardwareVersion.minor) ) {
     rv = fwSlot->hardwareVersion;
     goto done;
   }
 
-  if( (void *)NULL != (void *)fwSlot->mdSlot->GetHardwareVersion ) {
+  if (fwSlot->mdSlot->GetHardwareVersion) {
     fwSlot->hardwareVersion = fwSlot->mdSlot->GetHardwareVersion(
       fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance);
   } else {
     fwSlot->hardwareVersion.major = 0;
     fwSlot->hardwareVersion.minor = 1;
   }
 
   rv = fwSlot->hardwareVersion;
@@ -596,17 +596,17 @@ nssCKFWSlot_GetFirmwareVersion
   }
 
   if( (0 != fwSlot->firmwareVersion.major) ||
       (0 != fwSlot->firmwareVersion.minor) ) {
     rv = fwSlot->firmwareVersion;
     goto done;
   }
 
-  if( (void *)NULL != (void *)fwSlot->mdSlot->GetFirmwareVersion ) {
+  if (fwSlot->mdSlot->GetFirmwareVersion) {
     fwSlot->firmwareVersion = fwSlot->mdSlot->GetFirmwareVersion(
       fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance);
   } else {
     fwSlot->firmwareVersion.major = 0;
     fwSlot->firmwareVersion.minor = 1;
   }
 
   rv = fwSlot->firmwareVersion;
@@ -625,41 +625,41 @@ nssCKFWSlot_GetToken
   NSSCKFWSlot *fwSlot,
   CK_RV *pError
 )
 {
   NSSCKMDToken *mdToken;
   NSSCKFWToken *fwToken;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKFWToken *)NULL;
   }
 
   *pError = nssCKFWSlot_verifyPointer(fwSlot);
   if( CKR_OK != *pError ) {
     return (NSSCKFWToken *)NULL;
   }
 #endif /* NSSDEBUG */
 
   *pError = nssCKFWMutex_Lock(fwSlot->mutex);
   if( CKR_OK != *pError ) {
     return (NSSCKFWToken *)NULL;
   }
 
-  if( (NSSCKFWToken *)NULL == fwSlot->fwToken ) {
-    if( (void *)NULL == (void *)fwSlot->mdSlot->GetToken ) {
+  if (!fwSlot->fwToken) {
+    if (!fwSlot->mdSlot->GetToken) {
       *pError = CKR_GENERAL_ERROR;
       fwToken = (NSSCKFWToken *)NULL;
       goto done;
     }
 
     mdToken = fwSlot->mdSlot->GetToken(fwSlot->mdSlot, fwSlot,
       fwSlot->mdInstance, fwSlot->fwInstance, pError);
-    if( (NSSCKMDToken *)NULL == mdToken ) {
+    if (!mdToken) {
       if( CKR_OK == *pError ) {
         *pError = CKR_GENERAL_ERROR;
       }
       return (NSSCKFWToken *)NULL;
     }
 
     fwToken = nssCKFWToken_Create(fwSlot, mdToken, pError);
     fwSlot->fwToken = fwToken;
--- a/security/nss/lib/ckfw/token.c
+++ b/security/nss/lib/ckfw/token.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: token.c,v $ $Revision: 1.12 $ $Date: 2007/10/06 01:41:28 $";
+static const char CVS_ID[] = "@(#) $RCSfile: token.c,v $ $Revision: 1.13 $ $Date: 2009/02/09 07:55:53 $";
 #endif /* DEBUG */
 
 /*
  * token.c
  *
  * This file implements the NSSCKFWToken type and methods.
  */
 
@@ -213,85 +213,85 @@ nssCKFWToken_Create
   NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
   CK_BBOOL called_setup = CK_FALSE;
 
   /*
    * We have already verified the arguments in nssCKFWSlot_GetToken.
    */
 
   arena = NSSArena_Create();
-  if( (NSSArena *)NULL == arena ) {
+  if (!arena) {
     *pError = CKR_HOST_MEMORY;
     goto loser;
   }
 
   fwToken = nss_ZNEW(arena, NSSCKFWToken);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     *pError = CKR_HOST_MEMORY;
     goto loser;
   }    
 
   fwToken->arena = arena;
   fwToken->mdToken = mdToken;
   fwToken->fwSlot = fwSlot;
   fwToken->fwInstance = nssCKFWSlot_GetFWInstance(fwSlot);
   fwToken->mdInstance = nssCKFWSlot_GetMDInstance(fwSlot);
   fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
   fwToken->sessionCount = 0;
   fwToken->rwSessionCount = 0;
 
   fwToken->mutex = nssCKFWInstance_CreateMutex(fwToken->fwInstance, arena, pError);
-  if( (NSSCKFWMutex *)NULL == fwToken->mutex ) {
+  if (!fwToken->mutex) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
     goto loser;
   }
 
   fwToken->sessions = nssCKFWHash_Create(fwToken->fwInstance, arena, pError);
-  if( (nssCKFWHash *)NULL == fwToken->sessions ) {
+  if (!fwToken->sessions) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
     goto loser;
   }
 
   if( CK_TRUE != nssCKFWInstance_GetModuleHandlesSessionObjects(
                    fwToken->fwInstance) ) {
     fwToken->sessionObjectHash = nssCKFWHash_Create(fwToken->fwInstance, 
                                    arena, pError);
-    if( (nssCKFWHash *)NULL == fwToken->sessionObjectHash ) {
+    if (!fwToken->sessionObjectHash) {
       if( CKR_OK == *pError ) {
         *pError = CKR_GENERAL_ERROR;
       }
       goto loser;
     }
   }
 
   fwToken->mdObjectHash = nssCKFWHash_Create(fwToken->fwInstance, 
                             arena, pError);
-  if( (nssCKFWHash *)NULL == fwToken->mdObjectHash ) {
+  if (!fwToken->mdObjectHash) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
     goto loser;
   }
 
   fwToken->mdMechanismHash = nssCKFWHash_Create(fwToken->fwInstance, 
                             arena, pError);
-  if( (nssCKFWHash *)NULL == fwToken->mdMechanismHash ) {
+  if (!fwToken->mdMechanismHash) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
     goto loser;
   }
 
   /* More here */
 
-  if( (void *)NULL != (void *)mdToken->Setup ) {
+  if (mdToken->Setup) {
     *pError = mdToken->Setup(mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
     if( CKR_OK != *pError ) {
       goto loser;
     }
   }
 
   called_setup = CK_TRUE;
 
@@ -303,22 +303,22 @@ nssCKFWToken_Create
 #endif /* DEBUG */
 
   *pError = CKR_OK;
   return fwToken;
 
  loser:
 
   if( CK_TRUE == called_setup ) {
-    if( (void *)NULL != (void *)mdToken->Invalidate ) {
+    if (mdToken->Invalidate) {
       mdToken->Invalidate(mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
     }
   }
 
-  if( (NSSArena *)NULL != arena ) {
+  if (arena) {
     (void)NSSArena_Destroy(arena);
   }
 
   return (NSSCKFWToken *)NULL;
 }
 
 static void
 nss_ckfwtoken_session_iterator
@@ -368,17 +368,17 @@ nssCKFWToken_Destroy
   error = nssCKFWToken_verifyPointer(fwToken);
   if( CKR_OK != error ) {
     return error;
   }
 #endif /* NSSDEBUG */
 
   (void)nssCKFWMutex_Destroy(fwToken->mutex);
   
-  if( (void *)NULL != (void *)fwToken->mdToken->Invalidate ) {
+  if (fwToken->mdToken->Invalidate) {
     fwToken->mdToken->Invalidate(fwToken->mdToken, fwToken,
       fwToken->mdInstance, fwToken->fwInstance);
   }
   /* we can destroy the list without locking now because no one else is 
    * referencing us (or _Destroy was invalidly called!)
    */
   nssCKFWHash_Iterate(fwToken->sessions, nss_ckfwtoken_session_iterator, 
                                                                 (void *)NULL);
@@ -435,17 +435,17 @@ nssCKFWToken_GetMDToken
 NSS_IMPLEMENT NSSArena *
 nssCKFWToken_GetArena
 (
   NSSCKFWToken *fwToken,
   CK_RV *pError
 )
 {
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSArena *)NULL;
   }
 
   *pError = nssCKFWToken_verifyPointer(fwToken);
   if( CKR_OK != *pError ) {
     return (NSSArena *)NULL;
   }
 #endif /* NSSDEBUG */
@@ -547,31 +547,31 @@ nssCKFWToken_InitToken
     return error;
   }
 
   if( fwToken->sessionCount > 0 ) {
     error = CKR_SESSION_EXISTS;
     goto done;
   }
 
-  if( (void *)NULL == (void *)fwToken->mdToken->InitToken ) {
+  if (!fwToken->mdToken->InitToken) {
     error = CKR_DEVICE_ERROR;
     goto done;
   }
 
-  if( (NSSItem *)NULL == pin ) {
+  if (!pin) {
     if( nssCKFWToken_GetHasProtectedAuthenticationPath(fwToken) ) {
       ; /* okay */
     } else {
       error = CKR_PIN_INCORRECT;
       goto done;
     }
   }
 
-  if( (NSSUTF8 *)NULL == label ) {
+  if (!label) {
     label = (NSSUTF8 *) "";
   }
 
   error = fwToken->mdToken->InitToken(fwToken->mdToken, fwToken,
             fwToken->mdInstance, fwToken->fwInstance, pin, label);
 
  done:
   (void)nssCKFWMutex_Unlock(fwToken->mutex);
@@ -602,21 +602,21 @@ nssCKFWToken_GetLabel
   }
 #endif /* NSSDEBUG */
 
   error = nssCKFWMutex_Lock(fwToken->mutex);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSUTF8 *)NULL == fwToken->label ) {
-    if( (void *)NULL != (void *)fwToken->mdToken->GetLabel ) {
+  if (!fwToken->label) {
+    if (fwToken->mdToken->GetLabel) {
       fwToken->label = fwToken->mdToken->GetLabel(fwToken->mdToken, fwToken,
         fwToken->mdInstance, fwToken->fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwToken->label) && (CKR_OK != error) ) {
+      if ((!fwToken->label) && (CKR_OK != error)) {
         goto done;
       }
     } else {
       fwToken->label = (NSSUTF8 *) "";
     }
   }
 
   (void)nssUTF8_CopyIntoFixedBuffer(fwToken->label, (char *)label, 32, ' ');
@@ -651,21 +651,21 @@ nssCKFWToken_GetManufacturerID
   }
 #endif /* NSSDEBUG */
 
   error = nssCKFWMutex_Lock(fwToken->mutex);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSUTF8 *)NULL == fwToken->manufacturerID ) {
-    if( (void *)NULL != (void *)fwToken->mdToken->GetManufacturerID ) {
+  if (!fwToken->manufacturerID) {
+    if (fwToken->mdToken->GetManufacturerID) {
       fwToken->manufacturerID = fwToken->mdToken->GetManufacturerID(fwToken->mdToken,
         fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwToken->manufacturerID) && (CKR_OK != error) ) {
+      if ((!fwToken->manufacturerID) && (CKR_OK != error)) {
         goto done;
       }
     } else {
       fwToken->manufacturerID = (NSSUTF8 *)"";
     }
   }
 
   (void)nssUTF8_CopyIntoFixedBuffer(fwToken->manufacturerID, (char *)manufacturerID, 32, ' ');
@@ -700,21 +700,21 @@ nssCKFWToken_GetModel
   }
 #endif /* NSSDEBUG */
 
   error = nssCKFWMutex_Lock(fwToken->mutex);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSUTF8 *)NULL == fwToken->model ) {
-    if( (void *)NULL != (void *)fwToken->mdToken->GetModel ) {
+  if (!fwToken->model) {
+    if (fwToken->mdToken->GetModel) {
       fwToken->model = fwToken->mdToken->GetModel(fwToken->mdToken, fwToken,
         fwToken->mdInstance, fwToken->fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwToken->model) && (CKR_OK != error) ) {
+      if ((!fwToken->model) && (CKR_OK != error)) {
         goto done;
       }
     } else {
       fwToken->model = (NSSUTF8 *)"";
     }
   }
 
   (void)nssUTF8_CopyIntoFixedBuffer(fwToken->model, (char *)model, 16, ' ');
@@ -749,21 +749,21 @@ nssCKFWToken_GetSerialNumber
   }
 #endif /* NSSDEBUG */
 
   error = nssCKFWMutex_Lock(fwToken->mutex);
   if( CKR_OK != error ) {
     return error;
   }
 
-  if( (NSSUTF8 *)NULL == fwToken->serialNumber ) {
-    if( (void *)NULL != (void *)fwToken->mdToken->GetSerialNumber ) {
+  if (!fwToken->serialNumber) {
+    if (fwToken->mdToken->GetSerialNumber) {
       fwToken->serialNumber = fwToken->mdToken->GetSerialNumber(fwToken->mdToken, 
         fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
-      if( ((NSSUTF8 *)NULL == fwToken->serialNumber) && (CKR_OK != error) ) {
+      if ((!fwToken->serialNumber) && (CKR_OK != error)) {
         goto done;
       }
     } else {
       fwToken->serialNumber = (NSSUTF8 *)"";
     }
   }
 
   (void)nssUTF8_CopyIntoFixedBuffer(fwToken->serialNumber, (char *)serialNumber, 16, ' ');
@@ -786,17 +786,17 @@ nssCKFWToken_GetHasRNG
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_FALSE;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetHasRNG ) {
+  if (!fwToken->mdToken->GetHasRNG) {
     return CK_FALSE;
   }
 
   return fwToken->mdToken->GetHasRNG(fwToken->mdToken, fwToken, 
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -810,17 +810,17 @@ nssCKFWToken_GetIsWriteProtected
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_FALSE;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetIsWriteProtected ) {
+  if (!fwToken->mdToken->GetIsWriteProtected) {
     return CK_FALSE;
   }
 
   return fwToken->mdToken->GetIsWriteProtected(fwToken->mdToken, fwToken, 
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -834,17 +834,17 @@ nssCKFWToken_GetLoginRequired
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_FALSE;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetLoginRequired ) {
+  if (!fwToken->mdToken->GetLoginRequired) {
     return CK_FALSE;
   }
 
   return fwToken->mdToken->GetLoginRequired(fwToken->mdToken, fwToken, 
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -858,17 +858,17 @@ nssCKFWToken_GetUserPinInitialized
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_FALSE;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetUserPinInitialized ) {
+  if (!fwToken->mdToken->GetUserPinInitialized) {
     return CK_FALSE;
   }
 
   return fwToken->mdToken->GetUserPinInitialized(fwToken->mdToken, fwToken, 
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -882,17 +882,17 @@ nssCKFWToken_GetRestoreKeyNotNeeded
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_FALSE;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetRestoreKeyNotNeeded ) {
+  if (!fwToken->mdToken->GetRestoreKeyNotNeeded) {
     return CK_FALSE;
   }
 
   return fwToken->mdToken->GetRestoreKeyNotNeeded(fwToken->mdToken, fwToken, 
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -906,17 +906,17 @@ nssCKFWToken_GetHasClockOnToken
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_FALSE;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetHasClockOnToken ) {
+  if (!fwToken->mdToken->GetHasClockOnToken) {
     return CK_FALSE;
   }
 
   return fwToken->mdToken->GetHasClockOnToken(fwToken->mdToken, fwToken, 
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -930,17 +930,17 @@ nssCKFWToken_GetHasProtectedAuthenticati
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_FALSE;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetHasProtectedAuthenticationPath ) {
+  if (!fwToken->mdToken->GetHasProtectedAuthenticationPath) {
     return CK_FALSE;
   }
 
   return fwToken->mdToken->GetHasProtectedAuthenticationPath(fwToken->mdToken, 
     fwToken, fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -954,17 +954,17 @@ nssCKFWToken_GetSupportsDualCryptoOperat
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_FALSE;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetSupportsDualCryptoOperations ) {
+  if (!fwToken->mdToken->GetSupportsDualCryptoOperations) {
     return CK_FALSE;
   }
 
   return fwToken->mdToken->GetSupportsDualCryptoOperations(fwToken->mdToken, 
     fwToken, fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -978,17 +978,17 @@ nssCKFWToken_GetMaxSessionCount
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetMaxSessionCount ) {
+  if (!fwToken->mdToken->GetMaxSessionCount) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 
   return fwToken->mdToken->GetMaxSessionCount(fwToken->mdToken, fwToken, 
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -1002,17 +1002,17 @@ nssCKFWToken_GetMaxRwSessionCount
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetMaxRwSessionCount ) {
+  if (!fwToken->mdToken->GetMaxRwSessionCount) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 
   return fwToken->mdToken->GetMaxRwSessionCount(fwToken->mdToken, fwToken, 
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -1026,17 +1026,17 @@ nssCKFWToken_GetMaxPinLen
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetMaxPinLen ) {
+  if (!fwToken->mdToken->GetMaxPinLen) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 
   return fwToken->mdToken->GetMaxPinLen(fwToken->mdToken, fwToken, 
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -1050,17 +1050,17 @@ nssCKFWToken_GetMinPinLen
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetMinPinLen ) {
+  if (!fwToken->mdToken->GetMinPinLen) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 
   return fwToken->mdToken->GetMinPinLen(fwToken->mdToken, fwToken, 
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -1074,17 +1074,17 @@ nssCKFWToken_GetTotalPublicMemory
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetTotalPublicMemory ) {
+  if (!fwToken->mdToken->GetTotalPublicMemory) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 
   return fwToken->mdToken->GetTotalPublicMemory(fwToken->mdToken, fwToken, 
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -1098,17 +1098,17 @@ nssCKFWToken_GetFreePublicMemory
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetFreePublicMemory ) {
+  if (!fwToken->mdToken->GetFreePublicMemory) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 
   return fwToken->mdToken->GetFreePublicMemory(fwToken->mdToken, fwToken, 
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -1122,17 +1122,17 @@ nssCKFWToken_GetTotalPrivateMemory
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetTotalPrivateMemory ) {
+  if (!fwToken->mdToken->GetTotalPrivateMemory) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 
   return fwToken->mdToken->GetTotalPrivateMemory(fwToken->mdToken, fwToken, 
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -1146,17 +1146,17 @@ nssCKFWToken_GetFreePrivateMemory
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetFreePrivateMemory ) {
+  if (!fwToken->mdToken->GetFreePrivateMemory) {
     return CK_UNAVAILABLE_INFORMATION;
   }
 
   return fwToken->mdToken->GetFreePrivateMemory(fwToken->mdToken, fwToken, 
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -1184,17 +1184,17 @@ nssCKFWToken_GetHardwareVersion
   }
 
   if( (0 != fwToken->hardwareVersion.major) ||
       (0 != fwToken->hardwareVersion.minor) ) {
     rv = fwToken->hardwareVersion;
     goto done;
   }
 
-  if( (void *)NULL != (void *)fwToken->mdToken->GetHardwareVersion ) {
+  if (fwToken->mdToken->GetHardwareVersion) {
     fwToken->hardwareVersion = fwToken->mdToken->GetHardwareVersion(
       fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
   } else {
     fwToken->hardwareVersion.major = 0;
     fwToken->hardwareVersion.minor = 1;
   }
 
   rv = fwToken->hardwareVersion;
@@ -1229,17 +1229,17 @@ nssCKFWToken_GetFirmwareVersion
   }
 
   if( (0 != fwToken->firmwareVersion.major) ||
       (0 != fwToken->firmwareVersion.minor) ) {
     rv = fwToken->firmwareVersion;
     goto done;
   }
 
-  if( (void *)NULL != (void *)fwToken->mdToken->GetFirmwareVersion ) {
+  if (fwToken->mdToken->GetFirmwareVersion) {
     fwToken->firmwareVersion = fwToken->mdToken->GetFirmwareVersion(
       fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
   } else {
     fwToken->firmwareVersion.major = 0;
     fwToken->firmwareVersion.minor = 1;
   }
 
   rv = fwToken->firmwareVersion;
@@ -1274,17 +1274,17 @@ nssCKFWToken_GetUTCTime
 #endif /* DEBUG */
 
   if( CK_TRUE != nssCKFWToken_GetHasClockOnToken(fwToken) ) {
     /* return CKR_DEVICE_ERROR; */
     (void)nssUTF8_CopyIntoFixedBuffer((NSSUTF8 *)NULL, (char *)utcTime, 16, ' ');
     return CKR_OK;
   }
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetUTCTime ) {
+  if (!fwToken->mdToken->GetUTCTime) {
     /* It said it had one! */
     return CKR_GENERAL_ERROR;
   }
 
   error = fwToken->mdToken->GetUTCTime(fwToken->mdToken, fwToken, 
             fwToken->mdInstance, fwToken->fwInstance, utcTime);
   if( CKR_OK != error ) {
     return error;
@@ -1350,17 +1350,17 @@ nssCKFWToken_OpenSession
   CK_NOTIFY Notify,
   CK_RV *pError
 )
 {
   NSSCKFWSession *fwSession = (NSSCKFWSession *)NULL;
   NSSCKMDSession *mdSession;
 
 #ifdef NSSDEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSCKFWSession *)NULL;
   }
 
   *pError = nssCKFWToken_verifyPointer(fwToken);
   if( CKR_OK != *pError ) {
     return (NSSCKFWSession *)NULL;
   }
 
@@ -1390,48 +1390,48 @@ nssCKFWToken_OpenSession
     if( CKS_RW_SO_FUNCTIONS == nssCKFWToken_GetSessionState(fwToken) ) {
       *pError = CKR_SESSION_READ_WRITE_SO_EXISTS;
       goto done;
     }
   }
 
   /* We could compare sesion counts to any limits we know of, I guess.. */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->OpenSession ) {
+  if (!fwToken->mdToken->OpenSession) {
     /*
      * I'm not sure that the Module actually needs to implement
      * mdSessions -- the Framework can keep track of everything 
      * needed, really.  But I'll sort out that detail later..
      */
     *pError = CKR_GENERAL_ERROR;
     goto done;
   }
 
   fwSession = nssCKFWSession_Create(fwToken, rw, pApplication, Notify, pError);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
     goto done;
   }
 
   mdSession = fwToken->mdToken->OpenSession(fwToken->mdToken, fwToken,
                 fwToken->mdInstance, fwToken->fwInstance, fwSession,
                 rw, pError);
-  if( (NSSCKMDSession *)NULL == mdSession ) {
+  if (!mdSession) {
     (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
     if( CKR_OK == *pError ) {
       *pError = CKR_GENERAL_ERROR;
     }
     goto done;
   }
 
   *pError = nssCKFWSession_SetMDSession(fwSession, mdSession);
   if( CKR_OK != *pError ) {
-    if( (void *)NULL != (void *)mdSession->Close ) {
+    if (mdSession->Close) {
       mdSession->Close(mdSession, fwSession, fwToken->mdToken, fwToken,
       fwToken->mdInstance, fwToken->fwInstance);
     }
     (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
     goto done;
   }
 
   *pError = nssCKFWHash_Add(fwToken->sessions, fwSession, fwSession);
@@ -1457,17 +1457,17 @@ nssCKFWToken_GetMechanismCount
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return 0;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetMechanismCount ) {
+  if (!fwToken->mdToken->GetMechanismCount) {
     return 0;
   }
 
   return fwToken->mdToken->GetMechanismCount(fwToken->mdToken, fwToken,
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 /*
@@ -1481,22 +1481,22 @@ nssCKFWToken_GetMechanismTypes
   CK_MECHANISM_TYPE types[]
 )
 {
 #ifdef NSSDEBUG
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     return CKR_ARGUMENTS_BAD;
   }
 
-  if( (CK_MECHANISM_TYPE *)NULL == types ) {
+  if (!types) {
     return CKR_ARGUMENTS_BAD;
   }
 #endif /* NSSDEBUG */
 
-  if( (void *)NULL == (void *)fwToken->mdToken->GetMechanismTypes ) {
+  if (!fwToken->mdToken->GetMechanismTypes) {
     /*
      * This should only be called with a sufficiently-large
      * "types" array, which can only be done if GetMechanismCount
      * is implemented.  If that's implemented (and returns nonzero),
      * then this should be too.  So return an error.
      */
     return CKR_GENERAL_ERROR;
   }
@@ -1514,34 +1514,34 @@ NSS_IMPLEMENT NSSCKFWMechanism *
 nssCKFWToken_GetMechanism
 (
   NSSCKFWToken *fwToken,
   CK_MECHANISM_TYPE which,
   CK_RV *pError
 )
 {
   NSSCKMDMechanism *mdMechanism;
-  if ((nssCKFWHash *)NULL == fwToken->mdMechanismHash) {
+  if (!fwToken->mdMechanismHash) {
     *pError = CKR_GENERAL_ERROR;
     return (NSSCKFWMechanism *)NULL;
   }
   
-  if( (void *)NULL == (void *)fwToken->mdToken->GetMechanism ) {
+  if (!fwToken->mdToken->GetMechanism) {
     /*
      * If we don't implement any GetMechanism function, then we must
      * not support any.
      */
     *pError = CKR_MECHANISM_INVALID;
     return (NSSCKFWMechanism *)NULL;
   }
 
   /* lookup in hash table */
   mdMechanism = fwToken->mdToken->GetMechanism(fwToken->mdToken, fwToken,
     fwToken->mdInstance, fwToken->fwInstance, which, pError);
-  if ((NSSCKMDMechanism *)NULL == mdMechanism) {
+  if (!mdMechanism) {
     return (NSSCKFWMechanism *) NULL;
   }
   /* store in hash table */
   return nssCKFWMechanism_Create(mdMechanism, fwToken->mdToken, fwToken,
     fwToken->mdInstance, fwToken->fwInstance);
 }
 
 NSS_IMPLEMENT CK_RV
@@ -1660,17 +1660,17 @@ nssCKFWToken_CloseAllSessions
     return error;
   }
 
   nssCKFWHash_Iterate(fwToken->sessions, nss_ckfwtoken_session_iterator, (void *)NULL);
 
   nssCKFWHash_Destroy(fwToken->sessions);
 
   fwToken->sessions = nssCKFWHash_Create(fwToken->fwInstance, fwToken->arena, &error);
-  if( (nssCKFWHash *)NULL == fwToken->sessions ) {
+  if (!fwToken->sessions) {
     if( CKR_OK == error ) {
       error = CKR_GENERAL_ERROR;
     }
     goto done;
   }
 
   fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
   fwToken->sessionCount = 0;
@@ -1849,17 +1849,17 @@ NSSCKFWToken_GetMDToken
 NSS_IMPLEMENT NSSArena *
 NSSCKFWToken_GetArena
 (
   NSSCKFWToken *fwToken,
   CK_RV *pError
 )
 {
 #ifdef DEBUG
-  if( (CK_RV *)NULL == pError ) {
+  if (!pError) {
     return (NSSArena *)NULL;
   }
 
   if( CKR_OK != nssCKFWToken_verifyPointer(fwToken) ) {
     *pError = CKR_ARGUMENTS_BAD;
     return (NSSArena *)NULL;
   }
 #endif /* DEBUG */
--- a/security/nss/lib/ckfw/wrap.c
+++ b/security/nss/lib/ckfw/wrap.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: wrap.c,v $ $Revision: 1.17 $ $Date: 2008/08/25 22:47:32 $";
+static const char CVS_ID[] = "@(#) $RCSfile: wrap.c,v $ $Revision: 1.18 $ $Date: 2009/02/09 07:55:53 $";
 #endif /* DEBUG */
 
 /*
  * wrap.c
  *
  * This file contains the routines that actually implement the cryptoki
  * API, using the internal APIs of the NSS Cryptoki Framework.  There is
  * one routine here for every cryptoki routine.  For linking reasons
@@ -182,33 +182,33 @@ NSSCKFWC_Initialize
   CK_RV error = CKR_OK;
   CryptokiLockingState locking_state;
 
   if( (NSSCKFWInstance **)NULL == pFwInstance ) {
     error = CKR_GENERAL_ERROR;
     goto loser;
   }
 
-  if( (NSSCKFWInstance *)NULL != *pFwInstance ) {
+  if (*pFwInstance) {
     error = CKR_CRYPTOKI_ALREADY_INITIALIZED;
     goto loser;
   }
 
-  if( (NSSCKMDInstance *)NULL == mdInstance ) {
+  if (!mdInstance) {
     error = CKR_GENERAL_ERROR;
     goto loser;
   }
 
   error = nssCKFW_GetThreadSafeState(pInitArgs,&locking_state);
   if( CKR_OK != error ) {
     goto loser;
   }
 
   *pFwInstance = nssCKFWInstance_Create(pInitArgs, locking_state, mdInstance, &error);
-  if( (NSSCKFWInstance *)NULL == *pFwInstance ) {
+  if (!*pFwInstance) {
     goto loser;
   }
   PR_AtomicIncrement(&liveInstances);
   return CKR_OK;
 
  loser:
   switch( error ) {
   case CKR_ARGUMENTS_BAD:
@@ -240,17 +240,17 @@ NSSCKFWC_Finalize
 {
   CK_RV error = CKR_OK;
 
   if( (NSSCKFWInstance **)NULL == pFwInstance ) {
     error = CKR_GENERAL_ERROR;
     goto loser;
   }
 
-  if( (NSSCKFWInstance *)NULL == *pFwInstance ) {
+  if (!*pFwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   error = nssCKFWInstance_Destroy(*pFwInstance);
 
   /* In any case */
   *pFwInstance = (NSSCKFWInstance *)NULL;
@@ -361,17 +361,17 @@ NSSCKFWC_GetSlotList
   CK_BBOOL tokenPresent,
   CK_SLOT_ID_PTR pSlotList,
   CK_ULONG_PTR pulCount
 )
 {
   CK_RV error = CKR_OK;
   CK_ULONG nSlots;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   switch( tokenPresent ) {
   case CK_TRUE:
   case CK_FALSE:
     break;
@@ -449,17 +449,17 @@ NSSCKFWC_GetSlotInfo
   CK_SLOT_INFO_PTR pInfo
 )
 {
   CK_RV error = CKR_OK;
   CK_ULONG nSlots;
   NSSCKFWSlot **slots;
   NSSCKFWSlot *fwSlot;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
   if( (CK_ULONG)0 == nSlots ) {
     goto loser;
   }
@@ -543,17 +543,17 @@ NSSCKFWC_GetTokenInfo
 )
 {
   CK_RV error = CKR_OK;
   CK_ULONG nSlots;
   NSSCKFWSlot **slots;
   NSSCKFWSlot *fwSlot;
   NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
   if( (CK_ULONG)0 == nSlots ) {
     goto loser;
   }
@@ -581,17 +581,17 @@ NSSCKFWC_GetTokenInfo
   fwSlot = slots[ slotID-1 ];
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   error = nssCKFWToken_GetLabel(fwToken, pInfo->label);
   if( CKR_OK != error ) {
     goto loser;
   }
 
@@ -702,17 +702,17 @@ NSSCKFWC_WaitForSlotEvent
 {
   CK_RV error = CKR_OK;
   CK_ULONG nSlots;
   CK_BBOOL block;
   NSSCKFWSlot **slots;
   NSSCKFWSlot *fwSlot;
   CK_ULONG i;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   if( flags & ~CKF_DONT_BLOCK ) {
     error = CKR_ARGUMENTS_BAD;
     goto loser;
   }
@@ -735,17 +735,17 @@ NSSCKFWC_WaitForSlotEvent
   }
 
   slots = nssCKFWInstance_GetSlots(fwInstance, &error);
   if( (NSSCKFWSlot **)NULL == slots ) {
     goto loser;
   }
 
   fwSlot = nssCKFWInstance_WaitForSlotEvent(fwInstance, block, &error);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     goto loser;
   }
 
   for( i = 0; i < nSlots; i++ ) {
     if( fwSlot == slots[i] ) {
       *pSlot = (CK_SLOT_ID)(CK_ULONG)(i+1);
       return CKR_OK;
     }
@@ -785,17 +785,17 @@ NSSCKFWC_GetMechanismList
 {
   CK_RV error = CKR_OK;
   CK_ULONG nSlots;
   NSSCKFWSlot **slots;
   NSSCKFWSlot *fwSlot;
   NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
   CK_ULONG count;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
   if( (CK_ULONG)0 == nSlots ) {
     goto loser;
   }
@@ -818,17 +818,17 @@ NSSCKFWC_GetMechanismList
   fwSlot = slots[ slotID-1 ];
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   count = nssCKFWToken_GetMechanismCount(fwToken);
 
   if( (CK_MECHANISM_TYPE_PTR)CK_NULL_PTR == pMechanismList ) {
     *pulCount = count;
     return CKR_OK;
@@ -899,17 +899,17 @@ NSSCKFWC_GetMechanismInfo
 {
   CK_RV error = CKR_OK;
   CK_ULONG nSlots;
   NSSCKFWSlot **slots;
   NSSCKFWSlot *fwSlot;
   NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
   NSSCKFWMechanism *fwMechanism;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
   if( (CK_ULONG)0 == nSlots ) {
     goto loser;
   }
@@ -937,22 +937,22 @@ NSSCKFWC_GetMechanismInfo
   }
 
   /*
    * A purify error here indicates caller error.
    */
   (void)nsslibc_memset(pInfo, 0, sizeof(CK_MECHANISM_INFO));
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   fwMechanism = nssCKFWToken_GetMechanism(fwToken, type, &error);
-  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+  if (!fwMechanism) {
     goto loser;
   }
 
   pInfo->ulMinKeySize = nssCKFWMechanism_GetMinKeySize(fwMechanism, &error);
   pInfo->ulMaxKeySize = nssCKFWMechanism_GetMaxKeySize(fwMechanism, &error);
 
   if( nssCKFWMechanism_GetInHardware(fwMechanism, &error) ) {
     pInfo->flags |= CKF_HW;
@@ -1041,17 +1041,17 @@ NSSCKFWC_InitToken
   CK_RV error = CKR_OK;
   CK_ULONG nSlots;
   NSSCKFWSlot **slots;
   NSSCKFWSlot *fwSlot;
   NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
   NSSItem pin;
   NSSUTF8 *label;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
   if( (CK_ULONG)0 == nSlots ) {
     goto loser;
   }
@@ -1069,17 +1069,17 @@ NSSCKFWC_InitToken
   fwSlot = slots[ slotID-1 ];
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   pin.size = (PRUint32)ulPinLen;
   pin.data = (void *)pPin;
   label = (NSSUTF8 *)pLabel; /* identity conversion */
 
   error = nssCKFWToken_InitToken(fwToken, &pin, label);
@@ -1131,23 +1131,23 @@ NSSCKFWC_InitPIN
   CK_CHAR_PTR pPin,
   CK_ULONG ulPinLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSItem pin, *arg;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   if( (CK_CHAR_PTR)CK_NULL_PTR == pPin ) {
     arg = (NSSItem *)NULL;
   } else {
     arg = &pin;
@@ -1207,23 +1207,23 @@ NSSCKFWC_SetPIN
   CK_CHAR_PTR pNewPin,
   CK_ULONG ulNewLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSItem oldPin, newPin, *oldArg, *newArg;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   if( (CK_CHAR_PTR)CK_NULL_PTR == pOldPin ) {
     oldArg = (NSSItem *)NULL;
   } else {
     oldArg = &oldPin;
@@ -1296,17 +1296,17 @@ NSSCKFWC_OpenSession
   CK_RV error = CKR_OK;
   CK_ULONG nSlots;
   NSSCKFWSlot **slots;
   NSSCKFWSlot *fwSlot;
   NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
   NSSCKFWSession *fwSession;
   CK_BBOOL rw;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
   if( (CK_ULONG)0 == nSlots ) {
     goto loser;
   }
@@ -1352,23 +1352,23 @@ NSSCKFWC_OpenSession
   fwSlot = slots[ slotID-1 ];
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   fwSession = nssCKFWToken_OpenSession(fwToken, rw, pApplication,
                Notify, &error);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     goto loser;
   }
 
   *phSession = nssCKFWInstance_CreateSessionHandle(fwInstance,
                  fwSession, &error);
   if( (CK_SESSION_HANDLE)0 == *phSession ) {
     goto loser;
   }
@@ -1416,23 +1416,23 @@ NSSCKFWC_CloseSession
 (
   NSSCKFWInstance *fwInstance,
   CK_SESSION_HANDLE hSession
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   nssCKFWInstance_DestroySessionHandle(fwInstance, hSession);
   error = nssCKFWSession_Destroy(fwSession, CK_TRUE);
 
   if( CKR_OK != error ) {
@@ -1478,17 +1478,17 @@ NSSCKFWC_CloseAllSessions
 )
 {
   CK_RV error = CKR_OK;
   CK_ULONG nSlots;
   NSSCKFWSlot **slots;
   NSSCKFWSlot *fwSlot;
   NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   nSlots = nssCKFWInstance_GetNSlots(fwInstance, &error);
   if( (CK_ULONG)0 == nSlots ) {
     goto loser;
   }
@@ -1506,17 +1506,17 @@ NSSCKFWC_CloseAllSessions
   fwSlot = slots[ slotID-1 ];
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   error = nssCKFWToken_CloseAllSessions(fwToken);
   if( CKR_OK != error ) {
     goto loser;
   }
 
@@ -1556,39 +1556,39 @@ NSSCKFWC_GetSessionInfo
   CK_SESSION_HANDLE hSession,
   CK_SESSION_INFO_PTR pInfo
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWSlot *fwSlot;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   if( (CK_SESSION_INFO_PTR)CK_NULL_PTR == pInfo ) {
     error = CKR_ARGUMENTS_BAD;
     goto loser;
   }
 
   /*
    * A purify error here indicates caller error.
    */
   (void)nsslibc_memset(pInfo, 0, sizeof(CK_SESSION_INFO));
 
   fwSlot = nssCKFWSession_GetFWSlot(fwSession);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     error = CKR_GENERAL_ERROR;
     goto loser;
   }
 
   pInfo->slotID = nssCKFWSlot_GetSlotID(fwSlot);
   pInfo->state = nssCKFWSession_GetSessionState(fwSession);
 
   if( CK_TRUE == nssCKFWSession_IsRWSession(fwSession) ) {
@@ -1639,23 +1639,23 @@ NSSCKFWC_GetOperationState
   CK_ULONG_PTR pulOperationStateLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   CK_ULONG len;
   NSSItem buf;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   if( (CK_ULONG_PTR)CK_NULL_PTR == pulOperationStateLen ) {
     error = CKR_ARGUMENTS_BAD;
     goto loser;
   }
@@ -1731,52 +1731,52 @@ NSSCKFWC_SetOperationState
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *eKey;
   NSSCKFWObject *aKey;
   NSSItem state;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   if( (CK_BYTE_PTR)CK_NULL_PTR == pOperationState ) {
     error = CKR_ARGUMENTS_BAD;
     goto loser;
   }
 
   /* 
    * We could loop through the buffer, to catch any purify errors
    * in a place with a "user error" note.
    */
 
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   if( (CK_OBJECT_HANDLE)0 == hEncryptionKey ) {
     eKey = (NSSCKFWObject *)NULL;
   } else {
     eKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hEncryptionKey);
-    if( (NSSCKFWObject *)NULL == eKey ) {
+    if (!eKey) {
       error = CKR_KEY_HANDLE_INVALID;
       goto loser;
     }
   }
 
   if( (CK_OBJECT_HANDLE)0 == hAuthenticationKey ) {
     aKey = (NSSCKFWObject *)NULL;
   } else {
     aKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hAuthenticationKey);
-    if( (NSSCKFWObject *)NULL == aKey ) {
+    if (!aKey) {
       error = CKR_KEY_HANDLE_INVALID;
       goto loser;
     }
   }
 
   error = nssCKFWSession_SetOperationState(fwSession, &state, eKey, aKey);
   if( CKR_OK != error ) {
     goto loser;
@@ -1826,23 +1826,23 @@ NSSCKFWC_Login
   CK_CHAR_PTR pPin,
   CK_ULONG ulPinLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSItem pin, *arg;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   if( (CK_CHAR_PTR)CK_NULL_PTR == pPin ) {
     arg = (NSSItem *)NULL;
   } else {
     arg = &pin;
@@ -1900,23 +1900,23 @@ NSSCKFWC_Logout
 (
   NSSCKFWInstance *fwInstance,
   CK_SESSION_HANDLE hSession
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_Logout(fwSession);
   if( CKR_OK != error ) {
     goto loser;
   }
@@ -1962,40 +1962,40 @@ NSSCKFWC_CreateObject
   CK_ULONG ulCount,
   CK_OBJECT_HANDLE_PTR phObject
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phObject ) {
     error = CKR_ARGUMENTS_BAD;
     goto loser;
   }
 
   /*
    * A purify error here indicates caller error.
    */
   *phObject = (CK_OBJECT_HANDLE)0;
 
   fwObject = nssCKFWSession_CreateObject(fwSession, pTemplate,
                ulCount, &error);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     goto loser;
   }
 
   *phObject = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
   if( (CK_OBJECT_HANDLE)0 == *phObject ) {
     nssCKFWObject_Destroy(fwObject);
     goto loser;
   }
@@ -2050,46 +2050,46 @@ NSSCKFWC_CopyObject
   CK_OBJECT_HANDLE_PTR phNewObject
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
   NSSCKFWObject *fwNewObject;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phNewObject ) {
     error = CKR_ARGUMENTS_BAD;
     goto loser;
   }
 
   /*
    * A purify error here indicates caller error.
    */
   *phNewObject = (CK_OBJECT_HANDLE)0;
 
   fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     error = CKR_OBJECT_HANDLE_INVALID;
     goto loser;
   }
 
   fwNewObject = nssCKFWSession_CopyObject(fwSession, fwObject,
                   pTemplate, ulCount, &error);
-  if( (NSSCKFWObject *)NULL == fwNewObject ) {
+  if (!fwNewObject) {
     goto loser;
   }
 
   *phNewObject = nssCKFWInstance_CreateObjectHandle(fwInstance, 
                    fwNewObject, &error);
   if( (CK_OBJECT_HANDLE)0 == *phNewObject ) {
     nssCKFWObject_Destroy(fwNewObject);
     goto loser;
@@ -2141,29 +2141,29 @@ NSSCKFWC_DestroyObject
   CK_SESSION_HANDLE hSession,
   CK_OBJECT_HANDLE hObject
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     error = CKR_OBJECT_HANDLE_INVALID;
     goto loser;
   }
 
   nssCKFWInstance_DestroyObjectHandle(fwInstance, hObject);
   nssCKFWObject_Destroy(fwObject);
 
   return CKR_OK;
@@ -2208,29 +2208,29 @@ NSSCKFWC_GetObjectSize
   CK_OBJECT_HANDLE hObject,
   CK_ULONG_PTR pulSize
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     error = CKR_OBJECT_HANDLE_INVALID;
     goto loser;
   }
 
   if( (CK_ULONG_PTR)CK_NULL_PTR == pulSize ) {
     error = CKR_ARGUMENTS_BAD;
     goto loser;
   }
@@ -2291,29 +2291,29 @@ NSSCKFWC_GetAttributeValue
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
   CK_BBOOL sensitive = CK_FALSE;
   CK_BBOOL invalid = CK_FALSE;
   CK_BBOOL tooSmall = CK_FALSE;
   CK_ULONG i;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     error = CKR_OBJECT_HANDLE_INVALID;
     goto loser;
   }
 
   if( (CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate ) {
     error = CKR_ARGUMENTS_BAD;
     goto loser;
   }
@@ -2348,17 +2348,17 @@ NSSCKFWC_GetAttributeValue
         tooSmall = CK_TRUE;
         continue;
       }
 
       it.size = (PRUint32)pTemplate[i].ulValueLen;
       it.data = (void *)pTemplate[i].pValue;
       p = nssCKFWObject_GetAttribute(fwObject, pTemplate[i].type, &it, 
             (NSSArena *)NULL, &error);
-      if( (NSSItem *)NULL == p ) {
+      if (!p) {
         switch( error ) {
         case CKR_ATTRIBUTE_SENSITIVE:
         case CKR_INFORMATION_SENSITIVE:
           sensitive = CK_TRUE;
           pTemplate[i].ulValueLen = (CK_ULONG)(-1);
           continue;
         case CKR_ATTRIBUTE_TYPE_INVALID:
           invalid = CK_TRUE;
@@ -2429,29 +2429,29 @@ NSSCKFWC_SetAttributeValue
   CK_ULONG ulCount
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
   CK_ULONG i;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hObject);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     error = CKR_OBJECT_HANDLE_INVALID;
     goto loser;
   }
 
   if( (CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate ) {
     error = CKR_ARGUMENTS_BAD;
     goto loser;
   }
@@ -2516,45 +2516,45 @@ NSSCKFWC_FindObjectsInit
   CK_ATTRIBUTE_PTR pTemplate,
   CK_ULONG ulCount
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWFindObjects *fwFindObjects;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   if( ((CK_ATTRIBUTE_PTR)CK_NULL_PTR == pTemplate) && (ulCount != 0) ) {
     error = CKR_ARGUMENTS_BAD;
     goto loser;
   }
 
   fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
-  if( (NSSCKFWFindObjects *)NULL != fwFindObjects ) {
+  if (fwFindObjects) {
     error = CKR_OPERATION_ACTIVE;
     goto loser;
   }
 
   if( CKR_OPERATION_NOT_INITIALIZED != error ) {
     goto loser;
   }
 
   fwFindObjects = nssCKFWSession_FindObjectsInit(fwSession,
                     pTemplate, ulCount, &error);
-  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
+  if (!fwFindObjects) {
     goto loser;
   }
 
   error = nssCKFWSession_SetFWFindObjects(fwSession, fwFindObjects);
 
   if( CKR_OK != error ) {
     nssCKFWFindObjects_Destroy(fwFindObjects);
     goto loser;
@@ -2604,47 +2604,47 @@ NSSCKFWC_FindObjects
   CK_ULONG_PTR pulObjectCount
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWFindObjects *fwFindObjects;
   CK_ULONG i;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   if( (CK_OBJECT_HANDLE_PTR)CK_NULL_PTR == phObject ) {
     error = CKR_ARGUMENTS_BAD;
     goto loser;
   }
 
   /*
    * A purify error here indicates caller error.
    */
   (void)nsslibc_memset(phObject, 0, sizeof(CK_OBJECT_HANDLE) * ulMaxObjectCount);
   *pulObjectCount = (CK_ULONG)0;
 
   fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
-  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
+  if (!fwFindObjects) {
     goto loser;
   }
 
   for( i = 0; i < ulMaxObjectCount; i++ ) {
     NSSCKFWObject *fwObject = nssCKFWFindObjects_Next(fwFindObjects,
                                 NULL, &error);
-    if( (NSSCKFWObject *)NULL == fwObject ) {
+    if (!fwObject) {
       break;
     }
 
     phObject[i] = nssCKFWInstance_FindObjectHandle(fwInstance, fwObject);
     if( (CK_OBJECT_HANDLE)0 == phObject[i] ) {
       phObject[i] = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
     }
     if( (CK_OBJECT_HANDLE)0 == phObject[i] ) {
@@ -2694,29 +2694,29 @@ NSSCKFWC_FindObjectsFinal
   NSSCKFWInstance *fwInstance,
   CK_SESSION_HANDLE hSession
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWFindObjects *fwFindObjects;
   
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwFindObjects = nssCKFWSession_GetFWFindObjects(fwSession, &error);
-  if( (NSSCKFWFindObjects *)NULL == fwFindObjects ) {
+  if (!fwFindObjects) {
     error = CKR_OPERATION_NOT_INITIALIZED;
     goto loser;
   }
 
   nssCKFWFindObjects_Destroy(fwFindObjects);
   error = nssCKFWSession_SetFWFindObjects(fwSession, 
                                           (NSSCKFWFindObjects *)NULL);
 
@@ -2767,51 +2767,51 @@ NSSCKFWC_EncryptInit
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
   NSSCKFWSlot  *fwSlot;
   NSSCKFWToken  *fwToken;
   NSSCKFWMechanism *fwMechanism;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     error = CKR_KEY_HANDLE_INVALID;
     goto loser;
   }
 
   fwSlot = nssCKFWSession_GetFWSlot(fwSession);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     error = CKR_GENERAL_ERROR; /* should never happen! */
     goto loser;
   }
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
-  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+  if (!fwMechanism) {
     goto loser;
   }
 
   error = nssCKFWMechanism_EncryptInit(fwMechanism, pMechanism,
                                         fwSession, fwObject);
 
   nssCKFWMechanism_Destroy(fwMechanism);
 
@@ -2863,23 +2863,23 @@ NSSCKFWC_Encrypt
   CK_ULONG ulDataLen,
   CK_BYTE_PTR pEncryptedData,
   CK_ULONG_PTR pulEncryptedDataLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_UpdateFinal(fwSession,
            NSSCKFWCryptoOperationType_Encrypt, 
            NSSCKFWCryptoOperationState_EncryptDecrypt,
            pData, ulDataLen, pEncryptedData, pulEncryptedDataLen);
@@ -2928,23 +2928,23 @@ NSSCKFWC_EncryptUpdate
   CK_ULONG ulPartLen,
   CK_BYTE_PTR pEncryptedPart,
   CK_ULONG_PTR pulEncryptedPartLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_Update(fwSession,
            NSSCKFWCryptoOperationType_Encrypt, 
            NSSCKFWCryptoOperationState_EncryptDecrypt,
            pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen);
@@ -2990,23 +2990,23 @@ NSSCKFWC_EncryptFinal
   CK_SESSION_HANDLE hSession,
   CK_BYTE_PTR pLastEncryptedPart,
   CK_ULONG_PTR pulLastEncryptedPartLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_Final(fwSession,
            NSSCKFWCryptoOperationType_Encrypt, 
            NSSCKFWCryptoOperationState_EncryptDecrypt,
            pLastEncryptedPart, pulLastEncryptedPartLen);
@@ -3056,51 +3056,51 @@ NSSCKFWC_DecryptInit
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
   NSSCKFWSlot  *fwSlot;
   NSSCKFWToken  *fwToken;
   NSSCKFWMechanism *fwMechanism;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     error = CKR_KEY_HANDLE_INVALID;
     goto loser;
   }
 
   fwSlot = nssCKFWSession_GetFWSlot(fwSession);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     error = CKR_GENERAL_ERROR; /* should never happen! */
     goto loser;
   }
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
-  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+  if (!fwMechanism) {
     goto loser;
   }
 
   error = nssCKFWMechanism_DecryptInit(fwMechanism, pMechanism, 
                                        fwSession, fwObject);
   nssCKFWMechanism_Destroy(fwMechanism);
 
   if (CKR_OK == error) {
@@ -3152,23 +3152,23 @@ NSSCKFWC_Decrypt
   CK_ULONG ulEncryptedDataLen,
   CK_BYTE_PTR pData,
   CK_ULONG_PTR pulDataLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_UpdateFinal(fwSession,
            NSSCKFWCryptoOperationType_Decrypt, 
            NSSCKFWCryptoOperationState_EncryptDecrypt,
            pEncryptedData, ulEncryptedDataLen, pData, pulDataLen);
@@ -3224,23 +3224,23 @@ NSSCKFWC_DecryptUpdate
   CK_ULONG ulEncryptedPartLen,
   CK_BYTE_PTR pPart,
   CK_ULONG_PTR pulPartLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_Update(fwSession,
            NSSCKFWCryptoOperationType_Decrypt, 
            NSSCKFWCryptoOperationState_EncryptDecrypt,
            pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
@@ -3294,23 +3294,23 @@ NSSCKFWC_DecryptFinal
   CK_SESSION_HANDLE hSession,
   CK_BYTE_PTR pLastPart,
   CK_ULONG_PTR pulLastPartLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_Final(fwSession,
            NSSCKFWCryptoOperationType_Decrypt, 
            NSSCKFWCryptoOperationState_EncryptDecrypt,
            pLastPart, pulLastPartLen);
@@ -3366,45 +3366,45 @@ NSSCKFWC_DigestInit
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWSlot  *fwSlot;
   NSSCKFWToken  *fwToken;
   NSSCKFWMechanism *fwMechanism;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwSlot = nssCKFWSession_GetFWSlot(fwSession);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     error = CKR_GENERAL_ERROR; /* should never happen! */
     goto loser;
   }
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
-  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+  if (!fwMechanism) {
     goto loser;
   }
 
   error = nssCKFWMechanism_DigestInit(fwMechanism, pMechanism, fwSession);
 
   nssCKFWMechanism_Destroy(fwMechanism);
 
   if (CKR_OK == error) {
@@ -3452,23 +3452,23 @@ NSSCKFWC_Digest
   CK_ULONG ulDataLen,
   CK_BYTE_PTR pDigest,
   CK_ULONG_PTR pulDigestLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_UpdateFinal(fwSession,
            NSSCKFWCryptoOperationType_Digest, 
            NSSCKFWCryptoOperationState_Digest,
            pData, ulDataLen, pDigest, pulDigestLen);
@@ -3513,23 +3513,23 @@ NSSCKFWC_DigestUpdate
   CK_SESSION_HANDLE hSession,
   CK_BYTE_PTR pData,
   CK_ULONG ulDataLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_DigestUpdate(fwSession,
            NSSCKFWCryptoOperationType_Digest, 
            NSSCKFWCryptoOperationState_Digest,
            pData, ulDataLen);
@@ -3573,29 +3573,29 @@ NSSCKFWC_DigestKey
   CK_SESSION_HANDLE hSession,
   CK_OBJECT_HANDLE hKey
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     error = CKR_KEY_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_DigestKey(fwSession, fwObject);
 
   if (CKR_OK == error) {
     return CKR_OK;
@@ -3638,23 +3638,23 @@ NSSCKFWC_DigestFinal
   CK_SESSION_HANDLE hSession,
   CK_BYTE_PTR pDigest,
   CK_ULONG_PTR pulDigestLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_Final(fwSession,
            NSSCKFWCryptoOperationType_Digest, 
            NSSCKFWCryptoOperationState_Digest,
            pDigest, pulDigestLen);
@@ -3703,51 +3703,51 @@ NSSCKFWC_SignInit
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
   NSSCKFWSlot  *fwSlot;
   NSSCKFWToken  *fwToken;
   NSSCKFWMechanism *fwMechanism;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     error = CKR_KEY_HANDLE_INVALID;
     goto loser;
   }
 
   fwSlot = nssCKFWSession_GetFWSlot(fwSession);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     error = CKR_GENERAL_ERROR; /* should never happen! */
     goto loser;
   }
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
-  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+  if (!fwMechanism) {
     goto loser;
   }
 
   error = nssCKFWMechanism_SignInit(fwMechanism, pMechanism, fwSession, 
                                     fwObject);
 
   nssCKFWMechanism_Destroy(fwMechanism);
 
@@ -3800,23 +3800,23 @@ NSSCKFWC_Sign
   CK_ULONG ulDataLen,
   CK_BYTE_PTR pSignature,
   CK_ULONG_PTR pulSignatureLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_UpdateFinal(fwSession,
            NSSCKFWCryptoOperationType_Sign, 
            NSSCKFWCryptoOperationState_SignVerify,
            pData, ulDataLen, pSignature, pulSignatureLen);
@@ -3865,23 +3865,23 @@ NSSCKFWC_SignUpdate
   CK_SESSION_HANDLE hSession,
   CK_BYTE_PTR pPart,
   CK_ULONG ulPartLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_DigestUpdate(fwSession,
            NSSCKFWCryptoOperationType_Sign, 
            NSSCKFWCryptoOperationState_SignVerify,
            pPart, ulPartLen);
@@ -3927,23 +3927,23 @@ NSSCKFWC_SignFinal
   CK_SESSION_HANDLE hSession,
   CK_BYTE_PTR pSignature,
   CK_ULONG_PTR pulSignatureLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_Final(fwSession,
            NSSCKFWCryptoOperationType_Sign, 
            NSSCKFWCryptoOperationState_SignVerify,
            pSignature, pulSignatureLen);
@@ -3995,51 +3995,51 @@ NSSCKFWC_SignRecoverInit
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
   NSSCKFWSlot  *fwSlot;
   NSSCKFWToken  *fwToken;
   NSSCKFWMechanism *fwMechanism;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     error = CKR_KEY_HANDLE_INVALID;
     goto loser;
   }
 
   fwSlot = nssCKFWSession_GetFWSlot(fwSession);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     error = CKR_GENERAL_ERROR; /* should never happen! */
     goto loser;
   }
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
-  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+  if (!fwMechanism) {
     goto loser;
   }
 
   error = nssCKFWMechanism_SignRecoverInit(fwMechanism, pMechanism, fwSession, 
                                            fwObject);
 
   nssCKFWMechanism_Destroy(fwMechanism);
 
@@ -4092,23 +4092,23 @@ NSSCKFWC_SignRecover
   CK_ULONG ulDataLen,
   CK_BYTE_PTR pSignature,
   CK_ULONG_PTR pulSignatureLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_UpdateFinal(fwSession,
            NSSCKFWCryptoOperationType_SignRecover, 
            NSSCKFWCryptoOperationState_SignVerify,
            pData, ulDataLen, pSignature, pulSignatureLen);
@@ -4160,51 +4160,51 @@ NSSCKFWC_VerifyInit
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
   NSSCKFWSlot  *fwSlot;
   NSSCKFWToken  *fwToken;
   NSSCKFWMechanism *fwMechanism;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     error = CKR_KEY_HANDLE_INVALID;
     goto loser;
   }
 
   fwSlot = nssCKFWSession_GetFWSlot(fwSession);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     error = CKR_GENERAL_ERROR; /* should never happen! */
     goto loser;
   }
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
-  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+  if (!fwMechanism) {
     goto loser;
   }
 
   error = nssCKFWMechanism_VerifyInit(fwMechanism, pMechanism, fwSession,
                                       fwObject);
 
   nssCKFWMechanism_Destroy(fwMechanism);
 
@@ -4257,23 +4257,23 @@ NSSCKFWC_Verify
   CK_ULONG ulDataLen,
   CK_BYTE_PTR pSignature,
   CK_ULONG ulSignatureLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_UpdateFinal(fwSession,
            NSSCKFWCryptoOperationType_Verify, 
            NSSCKFWCryptoOperationState_SignVerify,
            pData, ulDataLen, pSignature, &ulSignatureLen);
@@ -4321,23 +4321,23 @@ NSSCKFWC_VerifyUpdate
   CK_SESSION_HANDLE hSession,
   CK_BYTE_PTR pPart,
   CK_ULONG ulPartLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_DigestUpdate(fwSession,
            NSSCKFWCryptoOperationType_Verify, 
            NSSCKFWCryptoOperationState_SignVerify,
            pPart, ulPartLen);
@@ -4382,23 +4382,23 @@ NSSCKFWC_VerifyFinal
   CK_SESSION_HANDLE hSession,
   CK_BYTE_PTR pSignature,
   CK_ULONG ulSignatureLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_Final(fwSession,
            NSSCKFWCryptoOperationType_Verify, 
            NSSCKFWCryptoOperationState_SignVerify,
            pSignature, &ulSignatureLen);
@@ -4449,51 +4449,51 @@ NSSCKFWC_VerifyRecoverInit
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
   NSSCKFWSlot  *fwSlot;
   NSSCKFWToken  *fwToken;
   NSSCKFWMechanism *fwMechanism;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
-  if( (NSSCKFWObject *)NULL == fwObject ) {
+  if (!fwObject) {
     error = CKR_KEY_HANDLE_INVALID;
     goto loser;
   }
 
   fwSlot = nssCKFWSession_GetFWSlot(fwSession);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     error = CKR_GENERAL_ERROR; /* should never happen! */
     goto loser;
   }
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
-  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+  if (!fwMechanism) {
     goto loser;
   }
 
   error = nssCKFWMechanism_VerifyRecoverInit(fwMechanism, pMechanism, 
                                              fwSession, fwObject);
 
   nssCKFWMechanism_Destroy(fwMechanism);
 
@@ -4546,23 +4546,23 @@ NSSCKFWC_VerifyRecover
   CK_ULONG ulSignatureLen,
   CK_BYTE_PTR pData,
   CK_ULONG_PTR pulDataLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_UpdateFinal(fwSession,
            NSSCKFWCryptoOperationType_VerifyRecover, 
            NSSCKFWCryptoOperationState_SignVerify,
            pSignature, ulSignatureLen, pData, pulDataLen);
@@ -4611,23 +4611,23 @@ NSSCKFWC_DigestEncryptUpdate
   CK_ULONG ulPartLen,
   CK_BYTE_PTR pEncryptedPart,
   CK_ULONG_PTR pulEncryptedPartLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_UpdateCombo(fwSession,
            NSSCKFWCryptoOperationType_Encrypt, 
            NSSCKFWCryptoOperationType_Digest, 
            NSSCKFWCryptoOperationState_Digest,
@@ -4676,23 +4676,23 @@ NSSCKFWC_DecryptDigestUpdate
   CK_ULONG ulEncryptedPartLen,
   CK_BYTE_PTR pPart,
   CK_ULONG_PTR pulPartLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_UpdateCombo(fwSession,
            NSSCKFWCryptoOperationType_Decrypt, 
            NSSCKFWCryptoOperationType_Digest, 
            NSSCKFWCryptoOperationState_Digest,
@@ -4748,23 +4748,23 @@ NSSCKFWC_SignEncryptUpdate
   CK_ULONG ulPartLen,
   CK_BYTE_PTR pEncryptedPart,
   CK_ULONG_PTR pulEncryptedPartLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_UpdateCombo(fwSession,
            NSSCKFWCryptoOperationType_Encrypt, 
            NSSCKFWCryptoOperationType_Sign, 
            NSSCKFWCryptoOperationState_SignVerify,
@@ -4814,23 +4814,23 @@ NSSCKFWC_DecryptVerifyUpdate
   CK_ULONG ulEncryptedPartLen,
   CK_BYTE_PTR pPart,
   CK_ULONG_PTR pulPartLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   error = nssCKFWSession_UpdateCombo(fwSession,
            NSSCKFWCryptoOperationType_Decrypt, 
            NSSCKFWCryptoOperationType_Verify, 
            NSSCKFWCryptoOperationState_SignVerify,
@@ -4888,58 +4888,58 @@ NSSCKFWC_GenerateKey
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
   NSSCKFWSlot  *fwSlot;
   NSSCKFWToken  *fwToken;
   NSSCKFWMechanism *fwMechanism;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwSlot = nssCKFWSession_GetFWSlot(fwSession);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     error = CKR_GENERAL_ERROR; /* should never happen! */
     goto loser;
   }
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
-  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+  if (!fwMechanism) {
     goto loser;
   }
 
   fwObject = nssCKFWMechanism_GenerateKey(
                 fwMechanism, 
                 pMechanism, 
                 fwSession, 
                 pTemplate, 
                 ulCount, 
                 &error);
 
   nssCKFWMechanism_Destroy(fwMechanism);
-  if ((NSSCKFWObject *)NULL == fwObject) {
+  if (!fwObject) {
     goto loser;
   }
   *phKey= nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
 
   if (CKR_OK == error) {
     return CKR_OK;
   }
 
@@ -4999,45 +4999,45 @@ NSSCKFWC_GenerateKeyPair
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwPrivateKeyObject;
   NSSCKFWObject *fwPublicKeyObject;
   NSSCKFWSlot  *fwSlot;
   NSSCKFWToken  *fwToken;
   NSSCKFWMechanism *fwMechanism;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwSlot = nssCKFWSession_GetFWSlot(fwSession);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     error = CKR_GENERAL_ERROR; /* should never happen! */
     goto loser;
   }
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
-  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+  if (!fwMechanism) {
     goto loser;
   }
 
   error= nssCKFWMechanism_GenerateKeyPair(
                 fwMechanism, 
                 pMechanism, 
                 fwSession, 
                 pPublicKeyTemplate, 
@@ -5121,58 +5121,58 @@ NSSCKFWC_WrapKey
   NSSCKFWObject *fwKeyObject;
   NSSCKFWObject *fwWrappingKeyObject;
   NSSCKFWSlot  *fwSlot;
   NSSCKFWToken  *fwToken;
   NSSCKFWMechanism *fwMechanism;
   NSSItem  wrappedKey;
   CK_ULONG wrappedKeyLength = 0;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwWrappingKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance,
                                                             hWrappingKey);
-  if( (NSSCKFWObject *)NULL == fwWrappingKeyObject ) {
+  if (!fwWrappingKeyObject) {
     error = CKR_WRAPPING_KEY_HANDLE_INVALID;
     goto loser;
   }
 
   fwKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hKey);
-  if( (NSSCKFWObject *)NULL == fwKeyObject ) {
+  if (!fwKeyObject) {
     error = CKR_KEY_HANDLE_INVALID;
     goto loser;
   }
 
   fwSlot = nssCKFWSession_GetFWSlot(fwSession);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     error = CKR_GENERAL_ERROR; /* should never happen! */
     goto loser;
   }
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
-  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+  if (!fwMechanism) {
     goto loser;
   }
 
   /*
    * first get the length...
    */
   wrappedKeyLength = nssCKFWMechanism_GetWrapKeyLength(
                 fwMechanism, 
@@ -5276,52 +5276,52 @@ NSSCKFWC_UnwrapKey
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
   NSSCKFWObject *fwWrappingKeyObject;
   NSSCKFWSlot  *fwSlot;
   NSSCKFWToken  *fwToken;
   NSSCKFWMechanism *fwMechanism;
   NSSItem  wrappedKey;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwWrappingKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance,
                                                             hUnwrappingKey);
-  if( (NSSCKFWObject *)NULL == fwWrappingKeyObject ) {
+  if (!fwWrappingKeyObject) {
     error = CKR_WRAPPING_KEY_HANDLE_INVALID;
     goto loser;
   }
 
   fwSlot = nssCKFWSession_GetFWSlot(fwSession);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     error = CKR_GENERAL_ERROR; /* should never happen! */
     goto loser;
   }
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
-  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+  if (!fwMechanism) {
     goto loser;
   }
 
   wrappedKey.data = pWrappedKey;
   wrappedKey.size = ulWrappedKeyLen;
 
   fwObject = nssCKFWMechanism_UnwrapKey(
                 fwMechanism, 
@@ -5329,17 +5329,17 @@ NSSCKFWC_UnwrapKey
                 fwSession, 
                 fwWrappingKeyObject,
                 &wrappedKey,
                 pTemplate, 
                 ulAttributeCount, 
                 &error);
 
   nssCKFWMechanism_Destroy(fwMechanism);
-  if ((NSSCKFWObject *)NULL == fwObject) {
+  if (!fwObject) {
     goto loser;
   }
   *phKey = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
 
   if (CKR_OK == error) {
     return CKR_OK;
   }
 
@@ -5419,65 +5419,65 @@ NSSCKFWC_DeriveKey
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSCKFWObject *fwObject;
   NSSCKFWObject *fwBaseKeyObject;
   NSSCKFWSlot  *fwSlot;
   NSSCKFWToken  *fwToken;
   NSSCKFWMechanism *fwMechanism;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
   
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   fwBaseKeyObject = nssCKFWInstance_ResolveObjectHandle(fwInstance, hBaseKey);
-  if( (NSSCKFWObject *)NULL == fwBaseKeyObject ) {
+  if (!fwBaseKeyObject) {
     error = CKR_KEY_HANDLE_INVALID;
     goto loser;
   }
 
   fwSlot = nssCKFWSession_GetFWSlot(fwSession);
-  if( (NSSCKFWSlot *)NULL == fwSlot ) {
+  if (!fwSlot) {
     error = CKR_GENERAL_ERROR; /* should never happen! */
     goto loser;
   }
 
   if( CK_TRUE != nssCKFWSlot_GetTokenPresent(fwSlot) ) {
     error = CKR_TOKEN_NOT_PRESENT;
     goto loser;
   }
 
   fwToken = nssCKFWSlot_GetToken(fwSlot, &error);
-  if( (NSSCKFWToken *)NULL == fwToken ) {
+  if (!fwToken) {
     goto loser;
   }
 
   fwMechanism = nssCKFWToken_GetMechanism(fwToken, pMechanism->mechanism, &error);
-  if( (NSSCKFWMechanism *)NULL == fwMechanism ) {
+  if (!fwMechanism) {
     goto loser;
   }
 
   fwObject = nssCKFWMechanism_DeriveKey(
                 fwMechanism, 
                 pMechanism, 
                 fwSession, 
                 fwBaseKeyObject,
                 pTemplate, 
                 ulAttributeCount, 
                 &error);
 
   nssCKFWMechanism_Destroy(fwMechanism);
-  if ((NSSCKFWObject *)NULL == fwObject) {
+  if (!fwObject) {
     goto loser;
   }
   *phKey = nssCKFWInstance_CreateObjectHandle(fwInstance, fwObject, &error);
 
   if (CKR_OK == error) {
     return CKR_OK;
   }
 
@@ -5532,23 +5532,23 @@ NSSCKFWC_SeedRandom
   CK_BYTE_PTR pSeed,
   CK_ULONG ulSeedLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSItem seed;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   if( (CK_BYTE_PTR)CK_NULL_PTR == pSeed ) {
     error = CKR_ARGUMENTS_BAD;
     goto loser;
   }
@@ -5609,23 +5609,23 @@ NSSCKFWC_GenerateRandom
   CK_BYTE_PTR pRandomData,
   CK_ULONG ulRandomLen
 )
 {
   CK_RV error = CKR_OK;
   NSSCKFWSession *fwSession;
   NSSItem buffer;
 
-  if( (NSSCKFWInstance *)NULL == fwInstance ) {
+  if (!fwInstance) {
     error = CKR_CRYPTOKI_NOT_INITIALIZED;
     goto loser;
   }
 
   fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
-  if( (NSSCKFWSession *)NULL == fwSession ) {
+  if (!fwSession) {
     error = CKR_SESSION_HANDLE_INVALID;
     goto loser;
   }
 
   if( (CK_BYTE_PTR)CK_NULL_PTR == pRandomData ) {
     error = CKR_ARGUMENTS_BAD;
     goto loser;
   }
--- a/security/nss/lib/dev/ckhelper.c
+++ b/security/nss/lib/dev/ckhelper.c
@@ -30,17 +30,17 @@
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: ckhelper.c,v $ $Revision: 1.38 $ $Date: 2008/09/30 04:09:02 $";
+static const char CVS_ID[] = "@(#) $RCSfile: ckhelper.c,v $ $Revision: 1.39 $ $Date: 2009/01/22 01:29:24 $";
 #endif /* DEBUG */
 
 #ifndef NSSCKEPV_H
 #include "nssckepv.h"
 #endif /* NSSCKEPV_H */
 
 #ifndef DEVM_H
 #include "devm.h"
@@ -128,18 +128,18 @@ nssCKObject_GetAttributes (
 	{
 	    nssSession_ExitMonitor(session);
 	    nss_SetError(NSS_ERROR_DEVICE_ERROR);
 	    goto loser;
 	}
 	/* Allocate memory for each attribute. */
 	for (i=0; i<count; i++) {
 	    CK_ULONG ulValueLen = obj_template[i].ulValueLen;
-	    if (ulValueLen == 0) continue;
-	    if (ulValueLen == (CK_ULONG) -1) {
+	    if (ulValueLen == 0 || ulValueLen == (CK_ULONG) -1) {
+		obj_template[i].pValue = NULL;
 		obj_template[i].ulValueLen = 0;
 		continue;
 	    }
 	    if (is_string_attribute(obj_template[i].type)) {
 		ulValueLen++;
 	    }
 	    obj_template[i].pValue = nss_ZAlloc(arenaOpt, ulValueLen);
 	    if (!obj_template[i].pValue) {
--- a/security/nss/lib/freebl/blapi.h
+++ b/security/nss/lib/freebl/blapi.h
@@ -32,32 +32,34 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: blapi.h,v 1.28 2008/12/17 06:09:12 nelson%bolyard.com Exp $ */
+/* $Id: blapi.h,v 1.29 2009/02/03 05:34:40 julien.pierre.boogz%sun.com Exp $ */
 
 #ifndef _BLAPI_H_
 #define _BLAPI_H_
 
 #include "blapit.h"
 #include "hasht.h"
 #include "alghmac.h"
 
 SEC_BEGIN_PROTOS
 
 /*
 ** RSA encryption/decryption. When encrypting/decrypting the output
 ** buffer must be at least the size of the public key modulus.
 */
 
+extern SECStatus BL_Init(void);
+
 /*
 ** Generate and return a new RSA public and private key.
 **	Both keys are encoded in a single RSAPrivateKey structure.
 **	"cx" is the random number generator context
 **	"keySizeInBits" is the size of the key to be generated, in bits.
 **	   512, 1024, etc.
 **	"publicExponent" when not NULL is a pointer to some data that
 **	   represents the public exponent to use. The data is a byte
@@ -1188,11 +1190,13 @@ PRBool BLAPI_SHVerify(const char *name, 
 /**************************************************************************
  *  Verify Are Own Shared library signature                               *
  **************************************************************************/
 PRBool BLAPI_VerifySelf(const char *name);
 
 /*********************************************************************/
 extern const SECHashObject * HASH_GetRawHashObject(HASH_HashType hashType);
 
+extern void BL_SetForkState(PRBool forked);
+
 SEC_END_PROTOS
 
 #endif /* _BLAPI_H_ */
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/freebl/blapii.h
@@ -0,0 +1,60 @@
+/*
+ * blapii.h - private data structures and prototypes for the crypto library
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Network Security Services Library.
+ *
+ * The Initial Developer of the Original Code is
+ * Sun Microsystems, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2009
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef _BLAPII_H_
+#define _BLAPII_H_
+
+#include "blapit.h"
+
+SEC_BEGIN_PROTOS
+
+#if defined(XP_UNIX) && !defined(NO_CHECK_FORK)
+
+extern PRBool parentForkedAfterC_Initialize;
+
+#define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x
+
+#else
+
+#define SKIP_AFTER_FORK(x) x
+
+#endif
+
+SEC_END_PROTOS
+
+#endif /* _BLAPII_H_ */
+
--- a/security/nss/lib/freebl/config.mk
+++ b/security/nss/lib/freebl/config.mk
@@ -1,9 +1,8 @@
-#
 # ***** BEGIN LICENSE BLOCK *****
 # Version: MPL 1.1/GPL 2.0/LGPL 2.1
 #
 # The contents of this file are subject to the Mozilla Public License Version
 # 1.1 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
 # http://www.mozilla.org/MPL/
 #
@@ -80,16 +79,20 @@ endif
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))
 
 # don't want the 32 in the shared library name
 SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
 
 RES     = $(OBJDIR)/$(LIBRARY_NAME).res
 RESNAME = freebl.rc
 
+ifndef WINCE
+OS_LIBS += shell32.lib
+endif
+
 ifdef NS_USE_GCC
 EXTRA_SHARED_LIBS += \
 	-L$(DIST)/lib \
 	-lnssutil3 \
 	-L$(NSPR_LIB_DIR) \
 	-lnspr4 \
 	$(NULL)
 else # ! NS_USE_GCC
--- a/security/nss/lib/freebl/ldvector.c
+++ b/security/nss/lib/freebl/ldvector.c
@@ -32,17 +32,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: ldvector.c,v 1.19 2008/12/17 06:09:12 nelson%bolyard.com Exp $ */
+/* $Id: ldvector.c,v 1.20 2009/02/03 05:34:40 julien.pierre.boogz%sun.com Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 extern int FREEBL_InitStubs(void);
 #endif
 
 #include "loader.h"
 #include "alghmac.h"
 
@@ -244,20 +244,24 @@ static const struct FREEBLVectorStr vect
 
     /* End of Version 3.010. */
 
     SEED_InitContext,
     SEED_AllocateContext,
     SEED_CreateContext,
     SEED_DestroyContext,
     SEED_Encrypt,
-    SEED_Decrypt
+    SEED_Decrypt,
 
     /* End of Version 3.011. */
 
+    BL_Init,
+    BL_SetForkState
+
+    /* End of Version 3.012. */
 };
 
 const FREEBLVector * 
 FREEBL_GetVector(void)
 {
     extern const char __nss_freebl_rcsid[];
     extern const char __nss_freebl_sccsid[];
 
--- a/security/nss/lib/freebl/loader.c
+++ b/security/nss/lib/freebl/loader.c
@@ -32,17 +32,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: loader.c,v 1.40 2008/12/17 06:09:12 nelson%bolyard.com Exp $ */
+/* $Id: loader.c,v 1.41 2009/02/03 05:34:40 julien.pierre.boogz%sun.com Exp $ */
 
 #include "loader.h"
 #include "prmem.h"
 #include "prerror.h"
 #include "prinit.h"
 #include "prenv.h"
 
 static const char* default_name =
@@ -193,16 +193,23 @@ static PRStatus
 freebl_RunLoaderOnce( void )
 {
   PRStatus status;
 
   status = PR_CallOnce(&loadFreeBLOnce, &freebl_LoadDSO);
   return status;
 }
 
+SECStatus 
+BL_Init(void)
+{
+  if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+      return SECFailure;
+  return (vector->p_BL_Init)();
+}
 
 RSAPrivateKey * 
 RSA_NewKey(int keySizeInBits, SECItem * publicExponent)
 {
   if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
       return NULL;
   return (vector->p_RSA_NewKey)(keySizeInBits, publicExponent);
 }
@@ -1636,8 +1643,15 @@ Camellia_Decrypt(CamelliaContext *cx, un
 		 unsigned int *outputLen, unsigned int maxOutputLen,
 		 const unsigned char *input, unsigned int inputLen)
 {
     if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
 	return SECFailure;
     return (vector->p_Camellia_Decrypt)(cx, output, outputLen, maxOutputLen, 
 					input, inputLen);
 }
+
+void BL_SetForkState(PRBool forked)
+{
+    if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+	return;
+    (vector->p_BL_SetForkState)(forked);
+}
--- a/security/nss/lib/freebl/loader.h
+++ b/security/nss/lib/freebl/loader.h
@@ -32,17 +32,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: loader.h,v 1.22 2008/12/17 06:09:12 nelson%bolyard.com Exp $ */
+/* $Id: loader.h,v 1.23 2009/02/03 05:34:40 julien.pierre.boogz%sun.com Exp $ */
 
 #ifndef _LOADER_H_
 #define _LOADER_H_ 1
 
 #include "blapi.h"
 
 #define FREEBL_VERSION 0x030A
 
@@ -513,16 +513,20 @@ struct FREEBLVectorStr {
                             const unsigned char *input, unsigned int inputLen);
 
  SECStatus (* p_SEED_Decrypt)(SEEDContext *cx, unsigned char *output,
                             unsigned int *outputLen, unsigned int maxOutputLen,
                             const unsigned char *input, unsigned int inputLen);
 
    /* Version 3.011 came to here */
 
+ SECStatus (* p_BL_Init)(void);
+ void ( * p_BL_SetForkState)(PRBool);
+
+   /* Version 3.012 came to here */
 };
 
 typedef struct FREEBLVectorStr FREEBLVector;
 
 SEC_BEGIN_PROTOS
 
 typedef const FREEBLVector * FREEBLGetVectorFn(void);
 
--- a/security/nss/lib/freebl/prng_fips1861.c
+++ b/security/nss/lib/freebl/prng_fips1861.c
@@ -30,17 +30,17 @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: prng_fips1861.c,v 1.28 2008/11/18 19:48:23 rrelyea%redhat.com Exp $ */
+/* $Id: prng_fips1861.c,v 1.29 2009/02/03 05:34:41 julien.pierre.boogz%sun.com Exp $ */
 
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "prerr.h"
 #include "secerr.h"
 
@@ -48,16 +48,17 @@
 #include "prinit.h"
 #include "blapi.h"
 #include "nssilock.h"
 #include "secitem.h"
 #include "sha_fast.h"
 #include "sha256.h"
 #include "secrng.h"	/* for RNG_GetNoise() */
 #include "secmpi.h"
+#include "blapii.h"
 
 /*
  * The minimum amount of seed data required before the generator will
  * provide data.
  * Note that this is a measure of the number of bytes sent to
  * RNG_RandomUpdate, not the actual amount of entropy present in the
  * generator.  Naturally, it is impossible to know (at this level) just
  * how much entropy is present in the provided seed data.  A bare minimum
@@ -183,17 +184,17 @@ static RNGContext theGlobalRng;
  */
 static void
 freeRNGContext()
 {
     unsigned char inputhash[BSIZE];
     SECStatus rv;
 
     /* destroy context lock */
-    PZ_DestroyLock(globalrng->lock);
+    SKIP_AFTER_FORK(PZ_DestroyLock(globalrng->lock));
 
     /* zero global RNG context except for XKEY to preserve entropy */
     rv = SHA256_HashBuf(inputhash, globalrng->XKEY, BSIZE);
     PORT_Assert(SECSuccess == rv);
     memset(globalrng, 0, sizeof(*globalrng));
     memcpy(globalrng->XKEY, inputhash, BSIZE);
 
     globalrng = NULL;
--- a/security/nss/lib/freebl/rsa.c
+++ b/security/nss/lib/freebl/rsa.c
@@ -32,33 +32,34 @@
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 /*
  * RSA key generation, public key op, private key op.
  *
- * $Id: rsa.c,v 1.38 2008/11/18 19:48:24 rrelyea%redhat.com Exp $
+ * $Id: rsa.c,v 1.39 2009/02/03 05:34:41 julien.pierre.boogz%sun.com Exp $
  */
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "secerr.h"
 
 #include "prclist.h"
 #include "nssilock.h"
 #include "prinit.h"
 #include "blapi.h"
 #include "mpi.h"
 #include "mpprime.h"
 #include "mplogic.h"
 #include "secmpi.h"
 #include "secitem.h"
+#include "blapii.h"
 
 /*
 ** Number of times to attempt to generate a prime (p or q) from a random
 ** seed (the seed changes for each iteration).
 */
 #define MAX_PRIME_GEN_ATTEMPTS 10
 /*
 ** Number of times to attempt to generate a key.  The primes p and q change
@@ -597,20 +598,18 @@ get_blinding_params(RSAPrivateKey *key, 
 {
     SECStatus rv = SECSuccess;
     mp_err err = MP_OKAY;
     int cmp;
     PRCList *el;
     struct RSABlindingParamsStr *rsabp = NULL;
     /* Init the list if neccessary (the init function is only called once!) */
     if (blindingParamsList.lock == NULL) {
-	if (PR_CallOnce(&coBPInit, init_blinding_params_list) != PR_SUCCESS) {
-	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	    return SECFailure;
-	}
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
     }
     /* Acquire the list lock */
     PZ_Lock(blindingParamsList.lock);
     /* Walk the list looking for the private key */
     for (el = PR_NEXT_LINK(&blindingParamsList.head);
          el != &blindingParamsList.head;
          el = PR_NEXT_LINK(el)) {
 	rsabp = (struct RSABlindingParamsStr *)el;
@@ -916,16 +915,30 @@ cleanup:
     mp_clear(&res);
     if (err) {
 	MP_TO_SEC_ERROR(err);
 	rv = SECFailure;
     }
     return rv;
 }
 
+static SECStatus RSA_Init(void)
+{
+    if (PR_CallOnce(&coBPInit, init_blinding_params_list) != PR_SUCCESS) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus BL_Init(void)
+{
+    return RSA_Init();
+}
+
 /* cleanup at shutdown */
 void RSA_Cleanup(void)
 {
     if (!coBPInit.initialized)
 	return;
 
     while (!PR_CLIST_IS_EMPTY(&blindingParamsList.head))
     {
@@ -935,17 +948,17 @@ void RSA_Cleanup(void)
 	mp_clear(&rsabp->f);
 	mp_clear(&rsabp->g);
 	SECITEM_FreeItem(&rsabp->modulus,PR_FALSE);
 	PORT_Free(rsabp);
     }
 
     if (blindingParamsList.lock)
     {
-	PZ_DestroyLock(blindingParamsList.lock);
+	SKIP_AFTER_FORK(PZ_DestroyLock(blindingParamsList.lock));
 	blindingParamsList.lock = NULL;
     }
 
     coBPInit.initialized = 0;
     coBPInit.inProgress = 0;
     coBPInit.status = 0;
 }
 
@@ -953,8 +966,19 @@ void RSA_Cleanup(void)
  * need a central place for this function to free up all the memory that
  * free_bl may have allocated along the way. Currently only RSA does this,
  * so I've put it here for now.
  */
 void BL_Cleanup(void)
 {
     RSA_Cleanup();
 }
+
+PRBool parentForkedAfterC_Initialize;
+
+/*
+ * Set fork flag so it can be tested in SKIP_AFTER_FORK on relevant platforms.
+ */
+void BL_SetForkState(PRBool forked)
+{
+    parentForkedAfterC_Initialize = forked;
+}
+
--- a/security/nss/lib/freebl/win_rand.c
+++ b/security/nss/lib/freebl/win_rand.c
@@ -31,107 +31,50 @@
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
 #include "secrng.h"
 #include "secerr.h"
+
 #ifdef XP_WIN
 #include <windows.h>
+#include <shlobj.h>     /* for CSIDL constants */
 
 #if defined(_WIN32_WCE)
 #include <stdlib.h>	/* Win CE puts lots of stuff here. */
 #include "prprf.h"	/* for PR_snprintf */
 #else
 #include <time.h>
 #include <io.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #endif
 #include <stdio.h>
-
-#ifndef _WIN32
-#define VTD_Device_ID   5
-#define OP_OVERRIDE     _asm _emit 0x66
-#include <dos.h>
-#endif
-
 #include "prio.h"
 #include "prerror.h"
 
 static PRInt32  filesToRead;
 static DWORD    totalFileBytes;
 static DWORD    maxFileBytes	= 250000;	/* 250 thousand */
 static DWORD    dwNumFiles, dwReadEvery;
 
 static BOOL
 CurrentClockTickTime(LPDWORD lpdwHigh, LPDWORD lpdwLow)
 {
-#ifdef _WIN32
     LARGE_INTEGER   liCount;
 
     if (!QueryPerformanceCounter(&liCount))
         return FALSE;
 
     *lpdwHigh = liCount.u.HighPart;
     *lpdwLow = liCount.u.LowPart;
     return TRUE;
-
-#else   /* is WIN16 */
-    BOOL    bRetVal;
-    FARPROC lpAPI;
-    WORD    w1, w2, w3, w4;
-
-    // Get direct access to the VTD and query the current clock tick time
-    _asm {
-        xor   di, di
-        mov   es, di
-        mov   ax, 1684h
-        mov   bx, VTD_Device_ID
-        int   2fh
-        mov   ax, es
-        or    ax, di
-        jz    EnumerateFailed
-
-        ; VTD API is available. First store the API address (the address actually
-        ; contains an instruction that causes a fault, the fault handler then
-        ; makes the ring transition and calls the API in the VxD)
-        mov   word ptr lpAPI, di
-        mov   word ptr lpAPI+2, es
-        mov   ax, 100h      ; API function to VTD_Get_Real_Time
-;       call  dword ptr [lpAPI]
-        call  [lpAPI]
-
-        ; Result is in EDX:EAX which we will get 16-bits at a time
-        mov   w2, dx
-        OP_OVERRIDE
-        shr   dx,10h        ; really "shr edx, 16"
-        mov   w1, dx
-
-        mov   w4, ax
-        OP_OVERRIDE
-        shr   ax,10h        ; really "shr eax, 16"
-        mov   w3, ax
-
-        mov   bRetVal, 1    ; return TRUE
-        jmp   EnumerateExit
-
-      EnumerateFailed:
-        mov   bRetVal, 0    ; return FALSE
-
-      EnumerateExit:
-    }
-
-    *lpdwHigh = MAKELONG(w2, w1);
-    *lpdwLow = MAKELONG(w4, w3);
-
-    return bRetVal;
-#endif  /* is WIN16 */
 }
 
 size_t RNG_GetNoise(void *buf, size_t maxbuf)
 {
     DWORD   dwHigh, dwLow, dwVal;
     int     n = 0;
     int     nBytes;
 
@@ -163,135 +106,110 @@ size_t RNG_GetNoise(void *buf, size_t ma
     nBytes = sizeof(dwVal) > maxbuf ? maxbuf : sizeof(dwVal);
     memcpy(((char *)buf) + n, &dwVal, nBytes);
     n += nBytes;
     maxbuf -= nBytes;
 
     if (maxbuf <= 0)
         return n;
 
+    {
 #if defined(_WIN32_WCE)
-    {
     // get the number of milliseconds elapsed since Windows CE was started. 
-    DWORD  tickCount = GetTickCount();
-    nBytes = (sizeof tickCount) > maxbuf ? maxbuf : (sizeof tickCount);
-    memcpy(((char *)buf) + n, &tickCount, nBytes);
-    n += nBytes;
-    }
+    FILETIME sTime;
+    SYSTEMTIME st;
+    GetSystemTime(&st);
+    SystemTimeToFileTime(&st,&sTime);
 #else
-    {
     time_t  sTime;
     // get the time in seconds since midnight Jan 1, 1970
     time(&sTime);
+#endif
     nBytes = sizeof(sTime) > maxbuf ? maxbuf : sizeof(sTime);
     memcpy(((char *)buf) + n, &sTime, nBytes);
     n += nBytes;
     }
-#endif
 
     return n;
 }
 
-#if defined(_WIN32_WCE)
-static BOOL
-EnumSystemFilesWithNSPR(const char * dirName, 
-			BOOL recursive,
-                        PRInt32 (*func)(const char *))
-{
-    PRDir *      pDir;
-    PRDirEntry * pEntry;
-    BOOL         rv 		= FALSE;
+typedef PRInt32 (* Handler)(const char *);
+#define MAX_DEPTH 2
 
-    pDir = PR_OpenDir(dirName);
-    if (!pDir)
-    	return rv;
-    while ((pEntry = PR_ReadDir(pDir, PR_SKIP_BOTH|PR_SKIP_HIDDEN)) != NULL) {
-	PRStatus    status;
-	PRInt32     count;
-	PRInt32     stop;
-	PRFileInfo  fileInfo;
-	char        szFileName[_MAX_PATH];
+static void
+EnumSystemFilesInFolder(Handler func, PRUnichar* szSysDir, int maxDepth) 
+{
+    int                 iContinue;
+    HANDLE              lFindHandle;
+    WIN32_FIND_DATAW    fdData;
+    PRUnichar           szFileName[_MAX_PATH];
+    char                narrowFileName[_MAX_PATH];
+
+    if (maxDepth < 0)
+    	return;
+    // tack *.* on the end so we actually look for files. this will
+    // not overflow
+    wcscpy(szFileName, szSysDir);
+    wcscat(szFileName, L"\\*.*");
 
-        count = (PRInt32)PR_snprintf(szFileName, sizeof szFileName, "%s\\%s", 
-	                             dirName, PR_DirName(pEntry));
-	if (count < 1)
-	    continue;
-	status = PR_GetFileInfo(szFileName, &fileInfo);
-	if (status != PR_SUCCESS)
-	    continue;
-	if (fileInfo.type == PR_FILE_FILE) {
-	    stop = (*func)(szFileName);
-	    rv = TRUE;
-	    if (stop)
-	        break;
-	    continue;
-    	}
-	if (recursive && fileInfo.type == PR_FILE_DIRECTORY) {
-	    rv |= EnumSystemFilesWithNSPR(szFileName, recursive, func);
+    lFindHandle = FindFirstFileW(szFileName, &fdData);
+    if (lFindHandle == INVALID_HANDLE_VALUE)
+        return;
+    do {
+	iContinue = 1;
+	if (wcscmp(fdData.cFileName, L".") == 0 ||
+            wcscmp(fdData.cFileName, L"..") == 0) {
+	    // skip "." and ".."
+	} else {
+	    // pass the full pathname to the callback
+	    _snwprintf(szFileName, _MAX_PATH, L"%s\\%s", szSysDir, 
+		       fdData.cFileName);
+	    if (fdData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
+		EnumSystemFilesInFolder(func, szFileName, maxDepth - 1);
+	    } else {
+		iContinue = WideCharToMultiByte(CP_ACP, 0, szFileName, -1, 
+						narrowFileName, _MAX_PATH, 
+						NULL, NULL);
+		if (iContinue)
+		    iContinue = !(*func)(narrowFileName);
+	    }
 	}
-    }
-    PR_CloseDir(pDir);
-    return rv;
+	if (iContinue)
+	    iContinue = FindNextFileW(lFindHandle, &fdData);
+    } while (iContinue);
+    FindClose(lFindHandle);
 }
-#endif
 
 static BOOL
-EnumSystemFiles(PRInt32 (*func)(const char *))
+EnumSystemFiles(Handler func)
 {
-#if defined(_WIN32_WCE)
-    BOOL rv = FALSE;
-    rv |= EnumSystemFilesWithNSPR("\\Windows\\Temporary Internet Files", TRUE, func);
-    rv |= EnumSystemFilesWithNSPR("\\Temp",    FALSE, func);
-    rv |= EnumSystemFilesWithNSPR("\\Windows", FALSE, func);
-    return rv;
-#else
-    int                 iStatus;
-    char                szSysDir[_MAX_PATH];
-    char                szFileName[_MAX_PATH];
-#ifdef _WIN32
-    WIN32_FIND_DATA     fdData;
-    HANDLE              lFindHandle;
-#else
-    struct _find_t  fdData;
+    PRUnichar szSysDir[_MAX_PATH];
+    static const int folders[] = {
+    	CSIDL_BITBUCKET,  
+	CSIDL_RECENT,
+#ifndef WINCE		     
+	CSIDL_INTERNET_CACHE, 
+	CSIDL_COMPUTERSNEARME, 
+	CSIDL_HISTORY,
 #endif
-
-    if (!GetSystemDirectory(szSysDir, sizeof(szSysDir)))
-        return FALSE;
-
-    // tack *.* on the end so we actually look for files. this will
-    // not overflow
-    strcpy(szFileName, szSysDir);
-    strcat(szFileName, "\\*.*");
-
-#ifdef _WIN32
-    lFindHandle = FindFirstFile(szFileName, &fdData);
-    if (lFindHandle == INVALID_HANDLE_VALUE)
-        return FALSE;
-    do {
-        // pass the full pathname to the callback
-        sprintf(szFileName, "%s\\%s", szSysDir, fdData.cFileName);
-        (*func)(szFileName);
-        iStatus = FindNextFile(lFindHandle, &fdData);
-    } while (iStatus != 0);
-    FindClose(lFindHandle);
-#else
-    if (_dos_findfirst(szFileName, 
-             _A_NORMAL | _A_RDONLY | _A_ARCH | _A_SUBDIR, &fdData) != 0)
-        return FALSE;
-    do {
-        // pass the full pathname to the callback
-        sprintf(szFileName, "%s\\%s", szSysDir, fdData.name);
-        (*func)(szFileName);
-        iStatus = _dos_findnext(&fdData);
-    } while (iStatus == 0);
-    _dos_findclose(&fdData);
-#endif
-
-    return TRUE;
-#endif
+	0
+    };
+    int i = 0;
+    if (_MAX_PATH > (i = GetTempPathW(_MAX_PATH, szSysDir))) {
+        if (i > 0 && szSysDir[i-1] == L'\\')
+	    szSysDir[i-1] = L'\0'; // we need to lop off the trailing slash
+        EnumSystemFilesInFolder(func, szSysDir, MAX_DEPTH);
+    }
+    for(i = 0; folders[i]; i++) {
+        DWORD rv = SHGetSpecialFolderPathW(NULL, szSysDir, folders[i], 0);
+        if (szSysDir[0])
+            EnumSystemFilesInFolder(func, szSysDir, MAX_DEPTH);
+        szSysDir[0] =  L'\0';
+    }
+    return PR_TRUE;
 }
 
 static PRInt32
 CountFiles(const char *file)
 {
     dwNumFiles++;
     return 0;
 }
@@ -337,85 +255,42 @@ ReadSystemFiles()
     EnumSystemFiles(ReadFiles);
 }
 
 void RNG_SystemInfoForRNG(void)
 {
     DWORD           dwVal;
     char            buffer[256];
     int             nBytes;
-#ifdef _WIN32
     MEMORYSTATUS    sMem;
     HANDLE          hVal;
 #if !defined(_WIN32_WCE)
     DWORD           dwSerialNum;
     DWORD           dwComponentLen;
     DWORD           dwSysFlags;
     char            volName[128];
     DWORD           dwSectors, dwBytes, dwFreeClusters, dwNumClusters;
 #endif
-#else
-    int             iVal;
-    HTASK           hTask;
-    WORD            wDS, wCS;
-    LPSTR           lpszEnv;
-#endif
 
     nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
     RNG_RandomUpdate(buffer, nBytes);
 
-#ifdef _WIN32
     sMem.dwLength = sizeof(sMem);
     GlobalMemoryStatus(&sMem);                // assorted memory stats
     RNG_RandomUpdate(&sMem, sizeof(sMem));
 #if !defined(_WIN32_WCE)
     dwVal = GetLogicalDrives();
     RNG_RandomUpdate(&dwVal, sizeof(dwVal));  // bitfields in bits 0-25
 #endif
-#else
-    dwVal = GetFreeSpace(0);
-    RNG_RandomUpdate(&dwVal, sizeof(dwVal));
 
-    _asm    mov wDS, ds;
-    _asm    mov wCS, cs;
-    RNG_RandomUpdate(&wDS, sizeof(wDS));
-    RNG_RandomUpdate(&wCS, sizeof(wCS));
-#endif
-
-#ifdef _WIN32
 #if !defined(_WIN32_WCE)
     dwVal = sizeof(buffer);
     if (GetComputerName(buffer, &dwVal))
         RNG_RandomUpdate(buffer, dwVal);
 #endif
-/* XXX This is code that got yanked because of NSPR20.  We should put it
- * back someday.
- */
-#ifdef notdef
-    {
-    POINT ptVal;
-    GetCursorPos(&ptVal);
-    RNG_RandomUpdate(&ptVal, sizeof(ptVal));
-    }
-
-    dwVal = GetQueueStatus(QS_ALLINPUT);      // high and low significant
-    RNG_RandomUpdate(&dwVal, sizeof(dwVal));
-
-    {
-    HWND hWnd;
-    hWnd = GetClipboardOwner();               // 2 or 4 bytes
-    RNG_RandomUpdate((void *)&hWnd, sizeof(hWnd));
-    }
-
-    {
-    UUID sUuid;
-    UuidCreate(&sUuid);                       // this will fail on machines with no ethernet
-    RNG_RandomUpdate(&sUuid, sizeof(sUuid));  // boards. shove the bits in regardless
-    }
-#endif
 
     hVal = GetCurrentProcess();               // 4 or 8 byte pseudo handle (a
                                               // constant!) of current process
     RNG_RandomUpdate(&hVal, sizeof(hVal));
 
     dwVal = GetCurrentProcessId();            // process ID (4 bytes)
     RNG_RandomUpdate(&dwVal, sizeof(dwVal));
 
@@ -435,59 +310,41 @@ void RNG_SystemInfoForRNG(void)
                          sizeof(buffer));
 
     RNG_RandomUpdate(volName,         strlen(volName));
     RNG_RandomUpdate(&dwSerialNum,    sizeof(dwSerialNum));
     RNG_RandomUpdate(&dwComponentLen, sizeof(dwComponentLen));
     RNG_RandomUpdate(&dwSysFlags,     sizeof(dwSysFlags));
     RNG_RandomUpdate(buffer,          strlen(buffer));
 
-    if (GetDiskFreeSpace(NULL, &dwSectors, &dwBytes, &dwFreeClusters, &dwNumClusters)) {
+    if (GetDiskFreeSpace(NULL, &dwSectors, &dwBytes, &dwFreeClusters, 
+                         &dwNumClusters)) {
         RNG_RandomUpdate(&dwSectors,      sizeof(dwSectors));
         RNG_RandomUpdate(&dwBytes,        sizeof(dwBytes));
         RNG_RandomUpdate(&dwFreeClusters, sizeof(dwFreeClusters));
         RNG_RandomUpdate(&dwNumClusters,  sizeof(dwNumClusters));
     }
 #endif
-#else   /* is WIN16 */
-    hTask = GetCurrentTask();
-    RNG_RandomUpdate((void *)&hTask, sizeof(hTask));
-
-    iVal = GetNumTasks();
-    RNG_RandomUpdate(&iVal, sizeof(iVal));      // number of running tasks
-
-    lpszEnv = GetDOSEnvironment();
-    while (*lpszEnv != '\0') {
-        RNG_RandomUpdate(lpszEnv, strlen(lpszEnv));
-
-        lpszEnv += strlen(lpszEnv) + 1;
-    }
-#endif  /* is WIN16 */
 
     // now let's do some files
     ReadSystemFiles();
 
     nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
     RNG_RandomUpdate(buffer, nBytes);
 }
 
 #if defined(_WIN32_WCE)
 void RNG_FileForRNG(const char *filename)
 {
     PRFileDesc *    file;
     int             nBytes;
     PRFileInfo      infoBuf;
     unsigned char   buffer[1024];
 
-    /* windows doesn't initialize all the bytes in the stat buf,
-     * so initialize them all here to avoid UMRs.
-     */
-    memset(&infoBuf, 0, sizeof infoBuf);
-
-    if (PR_GetFileInfo(filename, &infoBuf) < 0)
+    if (PR_GetFileInfo(filename, &infoBuf) != PR_SUCCESS)
         return;
 
     RNG_RandomUpdate((unsigned char*)&infoBuf, sizeof(infoBuf));
 
     file = PR_Open(filename, PR_RDONLY, 0);
     if (file != NULL) {
         for (;;) {
             PRInt32 bytes = PR_Read(file, buffer, sizeof buffer);
@@ -503,16 +360,35 @@ void RNG_FileForRNG(const char *filename
 
         PR_Close(file);
     }
 
     nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
     RNG_RandomUpdate(buffer, nBytes);
 }
 
+/*
+ * The Windows CE and Windows Mobile FIPS Security Policy, page 13,
+ * (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp825.pdf)
+ * says CeGenRandom is the right function to call for creating a seed
+ * for a random number generator.
+ */
+size_t RNG_SystemRNG(void *dest, size_t maxLen)
+{
+    size_t bytes = 0;
+    if (CeGenRandom(maxLen, dest)) {
+	    bytes = maxLen;
+    }
+    if (bytes == 0) {
+	PORT_SetError(SEC_ERROR_NEED_RANDOM);  /* system RNG failed */
+    }
+    return bytes;
+}
+
+
 #else /* not WinCE */
 
 void RNG_FileForRNG(const char *filename)
 {
     FILE*           file;
     int             nBytes;
     struct stat     stat_buf;
     unsigned char   buffer[1024];
@@ -545,18 +421,16 @@ void RNG_FileForRNG(const char *filename
 
         fclose(file);
     }
 
     nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
     RNG_RandomUpdate(buffer, nBytes);
 }
 
-#endif  /* not WinCE */
-
 /*
  * CryptoAPI requires Windows NT 4.0 or Windows 95 OSR2 and later.
  * Until we drop support for Windows 95, we need to emulate some
  * definitions and declarations in <wincrypt.h> and look up the
  * functions in advapi32.dll at run time.
  */
 
 #ifndef WIN64
@@ -639,10 +513,11 @@ size_t RNG_SystemRNG(void *dest, size_t 
     }
     if (bytes == 0) {
 	PORT_SetError(SEC_ERROR_NEED_RANDOM);  /* system RNG failed */
     }
 done:
     FreeLibrary(hModule);
     return bytes;
 }
+#endif  /* not WinCE */
 
 #endif  /* is XP_WIN */
--- a/security/nss/lib/libpkix/include/pkix_certstore.h
+++ b/security/nss/lib/libpkix/include/pkix_certstore.h
@@ -341,16 +341,17 @@ typedef PKIX_Error *
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 typedef PKIX_Error *
 (*PKIX_CertStore_CheckRevokationByCrlCallback)(
         PKIX_CertStore *store,
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
+        PKIX_Boolean delayCrlSigCheck,
         PKIX_UInt32 *reasonCode,
         PKIX_RevocationStatus *revStatus,
         void *plContext);
 
 /*
  * FUNCTION: PKIX_CertStore_CrlContinue
  * DESCRIPTION:
  *
--- a/security/nss/lib/libpkix/include/pkix_errorstrings.h
+++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h
@@ -235,16 +235,17 @@ PKIX_ERRORENTRY(CERTSELECTORMATCHNAMECON
 PKIX_ERRORENTRY(CERTSELECTORMATCHPATHTONAMESFAILED,pkix_CertSelector_Match_PathToNames failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHPOLICIESFAILED,pkix_CertSelector_Match_Policies failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJALTNAMESFAILED,pkix_CertSelector_Match_SubjAltNames failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJKEYIDFAILED,pkix_CertSelector_Match_SubjKeyId failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJPKALGIDFAILED,pkix_CertSelector_Match_SubjPKAlgId failed,0),
 PKIX_ERRORENTRY(CERTSELECTORMATCHSUBJPUBKEYFAILED,pkix_CertSelector_Match_SubjPubKey failed,0),
 PKIX_ERRORENTRY(CERTSELECTORSELECTFAILED,pkix_CertSelector_Select failed,0),
 PKIX_ERRORENTRY(CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED,PKIX_CertSelector_SetCommonCertSelectorParams failed,0),
+PKIX_ERRORENTRY(CERTSETASTRUSTANCHORFAILED, PKIX_PL_Cert_SetAsTrustAnchor failed, 0),
 PKIX_ERRORENTRY(CERTSETCACHEFLAGFAILED,PKIX_PL_Cert_SetCacheFlag failed,0),
 PKIX_ERRORENTRY(CERTSETTRUSTCERTSTOREFAILED,PKIX_PL_Cert_SetTrustCertStore failed,0),
 PKIX_ERRORENTRY(CERTSTORECERTCONTINUEFAILED,PKIX_CertStore_CertContinue failed,0),
 PKIX_ERRORENTRY(CERTSTORECERTCONTINUEFUNCTIONFAILED,PKIX_CertStore_CertContinueFunction failed,0),
 PKIX_ERRORENTRY(CERTSTORECREATEFAILED,PKIX_CertStore_Create failed,0),
 PKIX_ERRORENTRY(CERTSTORECRLCONTINUEFAILED,PKIX_CertStore_CrlContinue failed,0),
 PKIX_ERRORENTRY(CERTSTOREEQUALSFAILED,pkix_CertStore_Equals failed,0),
 PKIX_ERRORENTRY(CERTSTORECRLCHECKFAILED,Fail to check cert crl revocation,0),
@@ -430,16 +431,17 @@ PKIX_ERRORENTRY(DERDECODETIMECHOICEFORLA
 PKIX_ERRORENTRY(DERDECODETIMECHOICEFORNEXTUPDATEFAILED,DER_DecodeTimeChoice for nextUpdate failed,0),
 PKIX_ERRORENTRY(DERENCODETIMECHOICEFAILED,DER_EncodeTimeChoice failed,0),
 PKIX_ERRORENTRY(DERGENERALIZEDDAYTOASCIIFAILED,DER_GeneralizedDayToAscii failed,0),
 PKIX_ERRORENTRY(DERTIMETOUTCTIMEFAILED,DER_TimeToUTCTime failed,0),
 PKIX_ERRORENTRY(DERUTCTIMETOASCIIFAILED,DER_UTCTimeToAscii failed,0),
 PKIX_ERRORENTRY(DESTROYSPKIFAILED,pkix_pl_DestroySPKI failed,0),
 PKIX_ERRORENTRY(DIRECTORYNAMECREATEFAILED,pkix_pl_DirectoryName_Create failed,0),
 PKIX_ERRORENTRY(DUPLICATEIMMUTABLEFAILED,pkix_duplicateImmutable failed,0),
+PKIX_ERRORENTRY(CANNOTSORTIMMUTABLELIST,pkix_List_BubbleSort can not sort immutable list,0),
 PKIX_ERRORENTRY(EKUCHECKERGETREQUIREDEKUFAILED,pkix_pl_EkuChecker_GetRequiredEku failed,0),
 PKIX_ERRORENTRY(EKUCHECKERINITIALIZEFAILED,PKIX_PL_EkuChecker_Initialize failed,0),
 PKIX_ERRORENTRY(EKUCHECKERSTATECREATEFAILED,pkix_pl_EkuCheckerState_Create failed,0),
 PKIX_ERRORENTRY(ENABLEREVOCATIONWITHOUTCERTSTORE,Enable Revocation without CertStore,0),
 PKIX_ERRORENTRY(ERRORALLOCATINGMONITORLOCK,Error Allocating MonitorLock,0),
 PKIX_ERRORENTRY(ERRORALLOCATINGRWLOCK,Error Allocating RWLock,0),
 PKIX_ERRORENTRY(ERRORCREATINGCHILDSTRING,Error creating child string,0),
 PKIX_ERRORENTRY(ERRORCREATINGFORMATSTRING,Error creating format string,0),
@@ -472,16 +474,17 @@ PKIX_ERRORENTRY(ERRORUNLOCKINGOBJECT,Err
 PKIX_ERRORENTRY(ESCASCIITOUTF16FAILED,pkix_EscASCII_to_UTF16 failed,0),
 PKIX_ERRORENTRY(EXPIRATIONCHECKERINITIALIZEFAILED,pkix_ExpirationChecker_Initialize failed,0),
 PKIX_ERRORENTRY(EXTENDEDKEYUSAGECHECKINGFAILED,Extended Key Usage Checking failed,SEC_ERROR_INADEQUATE_CERT_TYPE),
 PKIX_ERRORENTRY(EXTENDEDKEYUSAGEUSEROBJECT,Extended Key Usage User Object,0),
 PKIX_ERRORENTRY(EXTRACTPARAMETERSFAILED,pkix_ExtractParameters failed,0),
 PKIX_ERRORENTRY(FAILEDINENCODINGSEARCHREQUEST,failed in encoding searchRequest,SEC_ERROR_FAILED_TO_ENCODE_DATA),
 PKIX_ERRORENTRY(FAILEDTOGETNSSTRUSTANCHORS,Failed to get nss trusted roots,0),
 PKIX_ERRORENTRY(FAILEDTOGETTRUST, failed to get trust from the cert,0),
+PKIX_ERRORENTRY(FAILTOSELECTCERTSFROMANCHORS,failed to select certs from anchors,0),
 PKIX_ERRORENTRY(FAILUREHASHINGCERT,Failure hashing Cert,0),
 PKIX_ERRORENTRY(FAILUREHASHINGERROR,Failure hashing Error,0),
 PKIX_ERRORENTRY(FAILUREHASHINGLISTEXPECTEDPOLICYSET,Failure hashing PKIX_List expectedPolicySet,0),
 PKIX_ERRORENTRY(FAILUREHASHINGLISTQUALIFIERSET,Failure hashing PKIX_List qualifierSet,0),
 PKIX_ERRORENTRY(FAILUREHASHINGOIDVALIDPOLICY,Failure hashing PKIX_PL_OID validPolicy,0),
 PKIX_ERRORENTRY(FANOUTEXCEEDSRESOURCELIMITS,Fanout exceeds Resource Limits,0),
 PKIX_ERRORENTRY(FETCHINGCACHEDCRLFAILED,Fetching Cached CRLfailed,0),
 PKIX_ERRORENTRY(FILLINPROCESSINGPARAMSFAILED,Fail to fill in parameters,0),
@@ -669,16 +672,17 @@ PKIX_ERRORENTRY(LISTDELETEITEMFAILED,PKI
 PKIX_ERRORENTRY(LISTDUPLICATEFAILED,pkix_List_Duplicate failed,0),
 PKIX_ERRORENTRY(LISTEQUALSFAILED,PKIX_List_Equals failed,0),
 PKIX_ERRORENTRY(LISTGETELEMENTFAILED,pkix_List_GetElement failed,0),
 PKIX_ERRORENTRY(LISTGETITEMFAILED,PKIX_List_GetItem failed,0),
 PKIX_ERRORENTRY(LISTGETLENGTHFAILED,PKIX_List_GetLength failed,0),
 PKIX_ERRORENTRY(LISTHASHCODEFAILED,pkix_List_Hashcode failed,0),
 PKIX_ERRORENTRY(LISTINSERTITEMFAILED,PKIX_List_InsertItem failed,0),
 PKIX_ERRORENTRY(LISTISEMPTYFAILED,PKIX_List_IsEmpty failed,0),
+PKIX_ERRORENTRY(LISTMERGEFAILED,pkix_List_MergeList failed,0),
 PKIX_ERRORENTRY(LISTQUICKSORTFAILED,pkix_List_QuickSort failed,0),
 PKIX_ERRORENTRY(LISTREMOVEFAILED,pkix_List_Remove failed,0),
 PKIX_ERRORENTRY(LISTREMOVEITEMSFAILED,pkix_List_RemoveItems failed,0),
 PKIX_ERRORENTRY(LISTREVERSELISTFAILED,PKIX_List_ReverseList failed,0),
 PKIX_ERRORENTRY(LISTSETIMMUTABLEFAILED,PKIX_List_SetImmutable failed,0),
 PKIX_ERRORENTRY(LISTSETITEMFAILED,PKIX_List_SetItem failed,0),
 PKIX_ERRORENTRY(LISTTOSTRINGFAILED,pkix_List_ToString failed,0),
 PKIX_ERRORENTRY(LISTTOSTRINGHELPERFAILED,pkix_List_ToString Helper failed,0),
--- a/security/nss/lib/libpkix/include/pkix_pl_pki.h
+++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h
@@ -1506,33 +1506,41 @@ PKIX_PL_Cert_VerifySignature(
  *
  *  If the Certificate is not intrinsically trustworthy, it still might end up a
  *  component in a successful chain.
  *
  * PARAMETERS
  *  "cert"
  *      Address of Cert whose trustworthiness is to be determined. Must be
  *      non-NULL.
+ *  "trustOnlyUserAnchors"
+ *      States that we can only trust explicitly defined user trust anchors.
  *  "pTrusted"
  *      Address where the Boolean value will be stored. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a CERT Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_PL_Cert_IsCertTrusted(
         PKIX_PL_Cert *cert,
+        PKIX_Boolean trustOnlyUserAnchors,
         PKIX_Boolean *pTrusted,
         void *plContext);
 
+/* FUNCTION: PKIX_PL_Cert_SetAsTrustAnchor */
+PKIX_Error*
+PKIX_PL_Cert_SetAsTrustAnchor(PKIX_PL_Cert *cert, 
+                              void *plContext);
+
 /*
  * FUNCTION: PKIX_PL_Cert_GetCacheFlag
  * DESCRIPTION:
  *
  *  Retrieves the value of the cache flag in "cert" and return it at address
  *  pointed by "pCacheFlag". The initila cache flag is determined by the
  *  CertStore this "cert" is fetched from. When CertStore is created, user
  *  need to specify if the data should be cached.
--- a/security/nss/lib/libpkix/include/pkix_revchecker.h
+++ b/security/nss/lib/libpkix/include/pkix_revchecker.h
@@ -121,17 +121,16 @@ extern "C" {
  *  worrying about conflicts, even if they're operating on the same objects.
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a RevocationChecker Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 PKIX_RevocationChecker_Create(
-    PKIX_PL_Date *revDate,
     PKIX_UInt32 leafMethodListFlags,
     PKIX_UInt32 chainMethodListFlags,
     PKIX_RevocationChecker **pChecker,
     void *plContext);
 
 /*
  * FUNCTION: PKIX_RevocationChecker_CreateAndAddMethod
  * DESCRIPTION:
--- a/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.c
@@ -221,27 +221,29 @@ cleanup:
 PKIX_Error *
 pkix_CrlChecker_CheckLocal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
         pkix_RevocationMethod *checkerObject,
         PKIX_ProcessingParams *procParams,
         PKIX_UInt32 methodFlags,
-        PKIX_RevocationStatus *revStatus,
+        PKIX_Boolean chainVerificationState,
+        PKIX_RevocationStatus *pRevStatus,
         PKIX_UInt32 *pReasonCode,
         void *plContext)
 {
     PKIX_CertStore_CheckRevokationByCrlCallback storeCheckRevocationFn;
     PKIX_CertStore *certStore = NULL;
     pkix_CrlChecker *state = NULL;
     PKIX_UInt32 reasonCode = 0;
     PKIX_UInt32 crlStoreIndex = 0;
     PKIX_UInt32 numCrlStores = 0;
     PKIX_Boolean storeIsLocal = PKIX_FALSE;
+    PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
 
     PKIX_ENTER(CERTCHAINCHECKER, "pkix_CrlChecker_CheckLocal");
     PKIX_NULLCHECK_FOUR(cert, issuer, checkerObject, checkerObject);
     
     state = (pkix_CrlChecker*)checkerObject;
 
     PKIX_CHECK(
         PKIX_List_GetLength(state->certStores, &numCrlStores, plContext),
@@ -263,28 +265,33 @@ pkix_CrlChecker_CheckLocal(
                 PKIX_CertStore_GetCrlCheckerFn(certStore,
                                                &storeCheckRevocationFn,
                                                plContext),
                 PKIX_CERTSTOREGETCHECKREVBYCRLFAILED);
 
             if (storeCheckRevocationFn) {
                 PKIX_CHECK(
                     storeCheckRevocationFn(certStore, cert, issuer,
-                                           date, &reasonCode,
-                                           revStatus, plContext),
+                                           date,
+                                           /* delay sig check if building
+                                            * a chain */
+                                           !chainVerificationState,
+                                           &reasonCode,
+                                           &revStatus, plContext),
                     PKIX_CERTSTORECRLCHECKFAILED);
-                if (*revStatus == PKIX_RevStatus_Revoked) {
+                if (revStatus == PKIX_RevStatus_Revoked) {
                     break;
                 }
             }
         }
         PKIX_DECREF(certStore);
     } /* while */
 
 cleanup:
+    *pRevStatus = revStatus;
     PKIX_DECREF(certStore);
 
     PKIX_RETURN(CERTCHAINCHECKER);
 }
 
 /*
  * FUNCTION: pkix_CrlChecker_CheckRemote
  *
@@ -421,16 +428,17 @@ pkix_CrlChecker_CheckExternal(
             PKIX_GETCRLSFAILED);
         
         PKIX_CHECK(
             storeImportCrlFn(localStore, crlList, plContext),
             PKIX_CERTSTOREFAILTOIMPORTCRLLIST);
         
         PKIX_CHECK(
             storeCheckRevocationFn(certStore, cert, issuer, date,
+                                   PKIX_FALSE /* do not delay sig check */,
                                    &reasonCode, &revStatus, plContext),
             PKIX_CERTSTORECRLCHECKFAILED);
         if (revStatus != PKIX_RevStatus_NoInfo) {
             break;
         }
         PKIX_DECREF(crlList);
         PKIX_DECREF(certStore);
     } /* while */
--- a/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.h
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_crlchecker.h
@@ -57,16 +57,17 @@ extern "C" {
 PKIX_Error *
 pkix_CrlChecker_CheckLocal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
         pkix_RevocationMethod *checkerObject,
         PKIX_ProcessingParams *procParams,
         PKIX_UInt32 methodFlags,
+        PKIX_Boolean chainVerificationState,
         PKIX_RevocationStatus *pRevStatus,
         PKIX_UInt32 *reasonCode,
         void *plContext);
 
 PKIX_Error *
 pkix_CrlChecker_CheckExternal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
--- a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.c
@@ -160,16 +160,17 @@ cleanup:
 PKIX_Error *
 pkix_OcspChecker_CheckLocal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
         pkix_RevocationMethod *checkerObject,
         PKIX_ProcessingParams *procParams,
         PKIX_UInt32 methodFlags,
+        PKIX_Boolean chainVerificationState,
         PKIX_RevocationStatus *pRevStatus,
         PKIX_UInt32 *pReasonCode,
         void *plContext)
 {
         PKIX_PL_OcspCertID    *cid = NULL;
         PKIX_Boolean           hasFreshStatus = PKIX_FALSE;
         PKIX_Boolean           statusIsGood = PKIX_FALSE;
         SECErrorCodes          resultCode = SEC_ERROR_REVOKED_CERTIFICATE_OCSP;
@@ -198,16 +199,21 @@ pkix_OcspChecker_CheckLocal(
                 resultCode = 0;
             } else {
                 revStatus = PKIX_RevStatus_Revoked;
             }
         }
 
 cleanup:
         *pRevStatus = revStatus;
+
+        /* ocsp carries only tree statuses: good, bad, and unknown.
+         * revStatus is used to pass them. reasonCode is always set
+         * to be unknown. */
+        *pReasonCode = crlEntryReasonUnspecified;
         PKIX_DECREF(cid);
 
         PKIX_RETURN(OCSPCHECKER);
 }
 
 
 /*
  * The OCSPChecker is created in an idle state, and remains in this state until
@@ -309,17 +315,16 @@ pkix_OcspChecker_CheckExternal(
                                                  procParams, &passed, 
                                                  &nbioContext, plContext),
             PKIX_OCSPRESPONSEVERIFYSIGNATUREFAILED);
        	if (nbioContext != 0) {
                	*pNBIOContext = nbioContext;
                 goto cleanup;
         }
         if (passed == PKIX_FALSE) {
-                resultCode = PORT_GetError();
                 goto cleanup;
         }
 
         PKIX_CHECK(
             pkix_pl_OcspResponse_GetStatusForCert(cid, response,
                                                   &passed, &resultCode,
                                                   plContext),
             PKIX_OCSPRESPONSEGETSTATUSFORCERTFAILED);
@@ -331,16 +336,21 @@ pkix_OcspChecker_CheckExternal(
 
 cleanup:
         if (revStatus == PKIX_RevStatus_NoInfo && uriFound &&
             methodFlags & PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO) {
             revStatus = PKIX_RevStatus_Revoked;
         }
         *pRevStatus = revStatus;
 
+        /* ocsp carries only tree statuses: good, bad, and unknown.
+         * revStatus is used to pass them. reasonCode is always set
+         * to be unknown. */
+        *pReasonCode = crlEntryReasonUnspecified;
+
         if (!passed && cid && cid->certID) {
                 /* We still own the certID object, which means that 
                  * it did not get consumed to create a cache entry.
                  * Let's make sure there is one.
                  */
                 PKIX_Error *err;
                 err = PKIX_PL_OcspCertID_RememberOCSPProcessingFailure(
                         cid, plContext);
--- a/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.h
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_ocspchecker.h
@@ -56,16 +56,17 @@ extern "C" {
 PKIX_Error *
 pkix_OcspChecker_CheckLocal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
         pkix_RevocationMethod *checkerObject,
         PKIX_ProcessingParams *procParams,
         PKIX_UInt32 methodFlags,
+        PKIX_Boolean chainVerificationState,
         PKIX_RevocationStatus *pRevStatus,
         PKIX_UInt32 *reasonCode,
         void *plContext);
 
 PKIX_Error *
 pkix_OcspChecker_CheckExternal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
--- a/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
@@ -62,17 +62,16 @@ pkix_RevocationChecker_Destroy(
 
         /* Check that this object is a revocation checker */
         PKIX_CHECK(pkix_CheckType
                     (object, PKIX_REVOCATIONCHECKER_TYPE, plContext),
                     PKIX_OBJECTNOTREVOCATIONCHECKER);
 
         checker = (PKIX_RevocationChecker *)object;
 
-        PKIX_DECREF(checker->date);
         PKIX_DECREF(checker->leafMethodList);
         PKIX_DECREF(checker->chainMethodList);
         
 cleanup:
 
         PKIX_RETURN(REVOCATIONCHECKER);
 }
 
@@ -111,18 +110,17 @@ pkix_RevocationChecker_Duplicate(
                 PKIX_CHECK(PKIX_PL_Object_Duplicate
                             ((PKIX_PL_Object *)checker->chainMethodList,
                             (PKIX_PL_Object **)&dupChainList,
                             plContext),
                             PKIX_OBJECTDUPLICATEFAILED);
         }
 
         PKIX_CHECK(
-            PKIX_RevocationChecker_Create(checker->date,
-                                          checker->leafMethodListFlags,
+            PKIX_RevocationChecker_Create(checker->leafMethodListFlags,
                                           checker->chainMethodListFlags,
                                           &checkerDuplicate,
                                           plContext),
             PKIX_REVOCATIONCHECKERCREATEFAILED);
 
         checkerDuplicate->leafMethodList = dupLeafList;
         checkerDuplicate->chainMethodList = dupChainList;
         dupLeafList = NULL;
@@ -196,17 +194,16 @@ pkix_RevocationChecker_SortComparator(
 /* --Public-Functions--------------------------------------------- */
 
 
 /*
  * FUNCTION: PKIX_RevocationChecker_Create (see comments in pkix_revchecker.h)
  */
 PKIX_Error *
 PKIX_RevocationChecker_Create(
-    PKIX_PL_Date *revDate,
     PKIX_UInt32 leafMethodListFlags,
     PKIX_UInt32 chainMethodListFlags,
     PKIX_RevocationChecker **pChecker,
     void *plContext)
 {
     PKIX_RevocationChecker *checker = NULL;
     
     PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_Create");
@@ -214,19 +211,16 @@ PKIX_RevocationChecker_Create(
     
     PKIX_CHECK(
         PKIX_PL_Object_Alloc(PKIX_REVOCATIONCHECKER_TYPE,
                              sizeof (PKIX_RevocationChecker),
                              (PKIX_PL_Object **)&checker,
                              plContext),
         PKIX_COULDNOTCREATECERTCHAINCHECKEROBJECT);
     
-    PKIX_INCREF(revDate);
-    checker->date = revDate;
-
     checker->leafMethodListFlags = leafMethodListFlags;
     checker->chainMethodListFlags = chainMethodListFlags;
     checker->leafMethodList = NULL;
     checker->chainMethodList = NULL;
     
     *pChecker = checker;
     checker = NULL;
     
@@ -336,22 +330,23 @@ PKIX_RevocationChecker_Check(
     void **pNbioContext,
     void *plContext)
 {
     PKIX_RevocationStatus overallStatus = PKIX_RevStatus_NoInfo;
     PKIX_RevocationStatus methodStatus[PKIX_RevocationMethod_MAX];
     PKIX_Boolean onlyUseRemoteMethods = PKIX_FALSE;
     PKIX_UInt32 revFlags = 0;
     PKIX_List *revList = NULL;
+    PKIX_PL_Date *date = NULL;
     pkix_RevocationMethod *method = NULL;
     void *nbioContext;
     int tries;
     
     PKIX_ENTER(REVOCATIONCHECKER, "PKIX_RevocationChecker_Check");
-    PKIX_NULLCHECK_ONE(revChecker);
+    PKIX_NULLCHECK_TWO(revChecker, procParams);
 
     nbioContext = *pNbioContext;
     *pNbioContext = NULL;
     
     if (testingLeafCert) {
         revList = revChecker->leafMethodList;
         revFlags = revChecker->leafMethodListFlags;        
     } else {
@@ -361,16 +356,18 @@ PKIX_RevocationChecker_Check(
     if (!revList) {
         /* Return NoInfo status */
         goto cleanup;
     }
 
     PORT_Memset(methodStatus, PKIX_RevStatus_NoInfo,
                 sizeof(PKIX_RevocationStatus) * PKIX_RevocationMethod_MAX);
 
+    date = procParams->date;
+
     /* Need to have two loops if we testing all local info first:
      *    first we are going to test all local(cached) info
      *    second, all remote info(fetching) */
     for (tries = 0;tries < 2;tries++) {
         int methodNum = 0;
         for (;methodNum < revList->length;methodNum++) {
             PKIX_UInt32 methodFlags = 0;
 
@@ -387,57 +384,59 @@ PKIX_RevocationChecker_Check(
                 /* Will not check with this method. Skipping... */
                 continue;
             }
             if (!onlyUseRemoteMethods &&
                 methodStatus[methodNum] == PKIX_RevStatus_NoInfo) {
                 PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
 
                 pkixErrorResult =
-                    (*method->localRevChecker)(cert, issuer,
-                                               revChecker->date,
+                    (*method->localRevChecker)(cert, issuer, date,
                                                method, procParams,
-                                               methodFlags, &revStatus,
+                                               methodFlags, 
+                                               chainVerificationState,
+                                               &revStatus,
                                                pReasonCode, plContext);
                 methodStatus[methodNum] = revStatus;
+                if (revStatus == PKIX_RevStatus_Revoked) {
+                    /* if error was generated use it as final error. */
+                    overallStatus = PKIX_RevStatus_Revoked;
+                    goto cleanup;
+                }
                 if (pkixErrorResult) {
                     /* Disregard errors. Only returned revStatus matters. */
                     PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,
                                           plContext);
                     pkixErrorResult = NULL;
                 }
-                if (revStatus == PKIX_RevStatus_Revoked) {
-                    overallStatus = PKIX_RevStatus_Revoked;
-                    goto cleanup;
-                }
             }
             if ((!(revFlags & PKIX_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST) ||
                  onlyUseRemoteMethods) &&
                 chainVerificationState &&
                 methodStatus[methodNum] == PKIX_RevStatus_NoInfo) {
                 if (!(methodFlags & PKIX_REV_M_FORBID_NETWORK_FETCHING)) {
                     PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
                     pkixErrorResult =
-                        (*method->externalRevChecker)(cert, issuer,
-                                                      revChecker->date,
+                        (*method->externalRevChecker)(cert, issuer, date,
                                                       method,
                                                       procParams, methodFlags,
                                                       &revStatus, pReasonCode,
                                                       &nbioContext, plContext);
                     methodStatus[methodNum] = revStatus;
+                    if (revStatus == PKIX_RevStatus_Revoked) {
+                        /* if error was generated use it as final error. */
+                        overallStatus = PKIX_RevStatus_Revoked;
+                        goto cleanup;
+                    }
                     if (pkixErrorResult) {
                         /* Disregard errors. Only returned revStatus matters. */
                         PKIX_PL_Object_DecRef((PKIX_PL_Object*)pkixErrorResult,
                                               plContext);
                         pkixErrorResult = NULL;
                     }
-                    if (revStatus == PKIX_RevStatus_Revoked) {
-                        overallStatus = PKIX_RevStatus_Revoked;
-                        goto cleanup;
-                    }
                 } else if (methodFlags &
                            PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO) {
                     /* Info is not in the local cache. Network fetching is not
                      * allowed. If need to fail on missing fresh info for the
                      * the method, then we should fail right here.*/
                     overallStatus = PKIX_RevStatus_Revoked;
                     goto cleanup;
                 }
--- a/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.h
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.h
@@ -161,17 +161,16 @@ extern "C" {
  *     If we were unable to find fresh info, it's a failure.
  */
 #define PKIX_REV_MI_NO_OVERALL_INFO_REQUIREMENT       0x00L
 #define PKIX_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 0x02L
 
 /* Defines check time for the cert, revocation methods lists and
  * flags for leaf and chain certs revocation tests. */
 struct PKIX_RevocationCheckerStruct {
-    PKIX_PL_Date *date;
     PKIX_List *leafMethodList;
     PKIX_List *chainMethodList;
     PKIX_UInt32 leafMethodListFlags;
     PKIX_UInt32 chainMethodListFlags;
 };
 
 /* see source file for function documentation */
 
--- a/security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_revocationmethod.h
@@ -57,16 +57,17 @@ typedef struct pkix_RevocationMethodStru
  * Revocation methods capable of checking revocation though local
  * means(cache) should implement this prototype. */
 typedef PKIX_Error *
 pkix_LocalRevocationCheckFn(PKIX_PL_Cert *cert, PKIX_PL_Cert *issuer,
                             PKIX_PL_Date *date, 
                             pkix_RevocationMethod *checkerObject,
                             PKIX_ProcessingParams *procParams,
                             PKIX_UInt32 methodFlags,
+                            PKIX_Boolean chainVerificationState,
                             PKIX_RevocationStatus *pRevStatus,
                             PKIX_UInt32 *reasonCode,
                             void *plContext);
 
 /* External revocation check function prototype definition.
  * Revocation methods that required external communications(crldp
  * ocsp) shoult implement this prototype. */
 typedef PKIX_Error *
--- a/security/nss/lib/libpkix/pkix/params/pkix_procparams.c
+++ b/security/nss/lib/libpkix/pkix/params/pkix_procparams.c
@@ -562,19 +562,22 @@ PKIX_ProcessingParams_Create(
                     PKIX_COULDNOTCREATEPROCESSINGPARAMSOBJECT);
 
         /* initialize fields */
         PKIX_CHECK(PKIX_List_Create(&params->trustAnchors, plContext),
                    PKIX_LISTCREATEFAILED);
         PKIX_CHECK(PKIX_List_SetImmutable(params->trustAnchors, plContext),
                     PKIX_LISTSETIMMUTABLEFAILED);
 
+        PKIX_CHECK(PKIX_PL_Date_Create_UTCTime
+                   (NULL, &params->date, plContext),
+                   PKIX_DATECREATEUTCTIMEFAILED);
+
         params->hintCerts = NULL;
         params->constraints = NULL;
-        params->date = NULL;
         params->initialPolicies = NULL;
         params->initialPolicyMappingInhibit = PKIX_FALSE;
         params->initialAnyPolicyInhibit = PKIX_FALSE;
         params->initialExplicitPolicy = PKIX_FALSE;
         params->qualifiersRejected = PKIX_FALSE;
         params->certChainCheckers = NULL;
         params->revChecker = NULL;
         params->certStores = NULL;
--- a/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c
+++ b/security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c
@@ -388,16 +388,20 @@ PKIX_TrustAnchor_CreateWithCert(
         PKIX_CHECK(PKIX_PL_Object_Alloc
                     (PKIX_TRUSTANCHOR_TYPE,
                     sizeof (PKIX_TrustAnchor),
                     (PKIX_PL_Object **)&anchor,
                     plContext),
                     PKIX_COULDNOTCREATETRUSTANCHOROBJECT);
 
         /* initialize fields */
+        PKIX_CHECK(
+            PKIX_PL_Cert_SetAsTrustAnchor(cert, plContext),
+            PKIX_CERTSETASTRUSTANCHORFAILED);
+
         PKIX_INCREF(cert);
         anchor->trustedCert = cert;
 
         anchor->caName = NULL;
         anchor->caPubKey = NULL;
         anchor->nameConstraints = NULL;
 
         *pAnchor = anchor;
--- a/security/nss/lib/libpkix/pkix/results/pkix_verifynode.c
+++ b/security/nss/lib/libpkix/pkix/results/pkix_verifynode.c
@@ -1198,17 +1198,17 @@ pkix_VerifyNode_FindError(
                 PKIX_VERIFYNODEFINDERRORFAILED);
             PKIX_DECREF(childNode);
             if (*error) {
                 goto cleanup;
             }
         }
     }
     
-    if (node->error) {
+    if (node->error && node->error->plErr) {
         PKIX_INCREF(node->error);
         *error = node->error;
     }
 
 cleanup:
     PKIX_DECREF(childNode);
     
     PKIX_RETURN(VERIFYNODE);
--- a/security/nss/lib/libpkix/pkix/top/pkix_build.c
+++ b/security/nss/lib/libpkix/pkix/top/pkix_build.c
@@ -121,24 +121,22 @@ pkix_ForwardBuilderState_Destroy(
 
         state->status = BUILD_INITIAL;
         state->traversedCACerts = 0;
         state->certStoreIndex = 0;
         state->numCerts = 0;
         state->numAias = 0;
         state->certIndex = 0;
         state->aiaIndex = 0;
-        state->anchorIndex = 0;
         state->certCheckedIndex = 0;
         state->checkerIndex = 0;
         state->hintCertIndex = 0;
         state->numFanout = 0;
         state->numDepth = 0;
         state->reasonCode = 0;
-        state->dsaParamsNeeded = PKIX_FALSE;
         state->revCheckDelayed = PKIX_FALSE;
         state->canBeCached = PKIX_FALSE;
         state->useOnlyLocal = PKIX_FALSE;
         state->revChecking = PKIX_FALSE;
         state->usingHintCerts = PKIX_FALSE;
         state->certLoopingDetected = PKIX_FALSE;
         PKIX_DECREF(state->validityDate);
         PKIX_DECREF(state->prevCert);
@@ -190,18 +188,16 @@ cleanup:
  *
  * PARAMETERS
  *  "traversedCACerts"
  *      Number of CA certificates traversed.
  *  "numFanout"
  *      Number of Certs that can be considered at this level (0 = no limit)
  *  "numDepth"
  *      Number of additional levels that can be searched (0 = no limit)
- *  "dsaParamsNeeded"
- *      Boolean value indicating whether DSA parameters are needed.
  *  "revCheckDelayed"
  *      Boolean value indicating whether rev check is delayed until after
  *      entire chain is built.
  *  "canBeCached"
  *      Boolean value indicating whether all certs on the chain can be cached.
  *  "validityDate"
  *      Address of Date at which build chain Certs' most restricted validity
  *      time is kept. May be NULL.
@@ -225,17 +221,16 @@ cleanup:
  *  Returns a Build Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_ForwardBuilderState_Create(
         PKIX_Int32 traversedCACerts,
         PKIX_UInt32 numFanout,
         PKIX_UInt32 numDepth,
-        PKIX_Boolean dsaParamsNeeded,
         PKIX_Boolean revCheckDelayed,
         PKIX_Boolean canBeCached,
         PKIX_PL_Date *validityDate,
         PKIX_PL_Cert *prevCert,
         PKIX_List *traversedSubjNames,
         PKIX_List *trustChain,
         PKIX_ForwardBuilderState *parentState,
         PKIX_ForwardBuilderState **pState,
@@ -255,25 +250,23 @@ pkix_ForwardBuilderState_Create(
 
         state->status = BUILD_INITIAL;
         state->traversedCACerts = traversedCACerts;
         state->certStoreIndex = 0;
         state->numCerts = 0;
         state->numAias = 0;
         state->certIndex = 0;
         state->aiaIndex = 0;
-        state->anchorIndex = 0;
         state->certCheckedIndex = 0;
         state->checkerIndex = 0;
         state->hintCertIndex = 0;
         state->numFanout = numFanout;
         state->numDepth = numDepth;
         state->reasonCode = 0;
         state->revChecking = numDepth;
-        state->dsaParamsNeeded = dsaParamsNeeded;
         state->revCheckDelayed = revCheckDelayed;
         state->canBeCached = canBeCached;
         state->useOnlyLocal = PKIX_TRUE;
         state->revChecking = PKIX_FALSE;
         state->usingHintCerts = PKIX_FALSE;
         state->certLoopingDetected = PKIX_FALSE;
 
         PKIX_INCREF(validityDate);
@@ -438,17 +431,16 @@ pkix_ForwardBuilderState_ToString
                 "\tcertStoreIndex: \t%d\n"
                 "\tnumCerts: \t%d\n"
                 "\tnumAias: \t%d\n"
                 "\tcertIndex: \t%d\n"
                 "\taiaIndex: \t%d\n"
                 "\tnumFanout: \t%d\n"
                 "\tnumDepth:  \t%d\n"
                 "\treasonCode:  \t%d\n"
-                "\tdsaParamsNeeded: \t%d\n"
                 "\trevCheckDelayed: \t%d\n"
                 "\tcanBeCached: \t%d\n"
                 "\tuseOnlyLocal: \t%d\n"
                 "\trevChecking: \t%d\n"
                 "\tvalidityDate: \t%s\n"
                 "\tprevCert: \t%s\n"
                 "\tcandidateCert: \t%s\n"
                 "\ttraversedSubjNames: \t%s\n"
@@ -496,18 +488,16 @@ pkix_ForwardBuilderState_ToString
             case BUILD_DATEPREP:        asciiStatus = "BUILD_DATEPREP";
                                         break;
             case BUILD_CHECKTRUSTED:    asciiStatus = "BUILD_CHECKTRUSTED";
                                         break;
             case BUILD_CHECKTRUSTED2:   asciiStatus = "BUILD_CHECKTRUSTED2";
                                         break;
             case BUILD_ADDTOCHAIN:      asciiStatus = "BUILD_ADDTOCHAIN";
                                         break;
-            case BUILD_CHECKWITHANCHORS:asciiStatus = "BUILD_CHECKWITHANCHORS";
-                                        break;
             case BUILD_CRL2:            asciiStatus = "BUILD_CRL2";
                                         break;
             case BUILD_VALCHAIN:        asciiStatus = "BUILD_VALCHAIN";
                                         break;
             case BUILD_VALCHAIN2:       asciiStatus = "BUILD_VALCHAIN2";
                                         break;
             case BUILD_EXTENDCHAIN:     asciiStatus = "BUILD_EXTENDCHAIN";
                                         break;
@@ -568,17 +558,16 @@ pkix_ForwardBuilderState_ToString
                 (PKIX_UInt32)state->certStoreIndex,
                 (PKIX_UInt32)state->numCerts,
                 (PKIX_UInt32)state->numAias,
                 (PKIX_UInt32)state->certIndex,
                 (PKIX_UInt32)state->aiaIndex,
                 (PKIX_UInt32)state->numFanout,
                 (PKIX_UInt32)state->numDepth,
                 (PKIX_UInt32)state->reasonCode,
-                state->dsaParamsNeeded,
                 state->revCheckDelayed,
                 state->canBeCached,
                 state->useOnlyLocal,
                 state->revChecking,
                 validityDateString,
                 prevCertString,
                 candidateCertString,
                 traversedSubjNamesString,
@@ -743,203 +732,16 @@ pkix_ForwardBuilderState_IsIOPending(
         }
 
         PKIX_RETURN(FORWARDBUILDERSTATE);
 }
 
 /* --Private-BuildChain-Functions------------------------------------------- */
 
 /*
- * FUNCTION: pkix_Build_CheckCertAgainstAnchor
- * DESCRIPTION:
- *
- *  Checks whether the Cert pointed to by "candidateCert" successfully chains to
- *  the TrustAnchor pointed to by "anchor". Successful chaining includes
- *  successful subject/issuer name chaining, using the List of traversed subject
- *  names pointed to by "traversedSubjNames" to check for name constraints
- *  violation, and successful signature verification. If the "candidateCert"
- *  successfully chains, PKIX_TRUE is stored at the address pointed to by
- *  "pPassed". Otherwise PKIX_FALSE is stored.
- *
- *  If a non-NULL VerifyNode is supplied, then this function will, in the event
- *  of a failure, set the Error associated with the failure in the VerifyNode.
- *  .
- *
- * PARAMETERS:
- *  "candidateCert"
- *      Address of Cert that is being checked. Must be non-NULL.
- *  "anchor"
- *      Address of TrustAnchor with which the Cert must successfully chain.
- *      Must be non-NULL.
- *  "traversedSubjNames"
- *      Address of List of subject names in certificates previously traversed.
- *      Must be non-NULL.
- *  "pPassed"
- *      Address at which Boolean result is stored. Must be non-NULL.
- *  "verifyNode"
- *      Address of the VerifyNode to receive the Error. May be NULL.
- *  "plContext"
- *      Platform-specific context pointer.
- * THREAD SAFETY:
- *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns NULL if the function succeeds.
- *  Returns a Build Error if the function fails in a non-fatal way
- *  Returns a Fatal Error if the function fails in an unrecoverable way.
- */
-static PKIX_Error *
-pkix_Build_CheckCertAgainstAnchor(
-        PKIX_PL_Cert *candidateCert,
-        PKIX_TrustAnchor *anchor,
-        PKIX_List *traversedSubjNames,
-        PKIX_Boolean *pPassed,
-        PKIX_VerifyNode *verifyNode,
-        void *plContext)
-{
-        PKIX_PL_Cert *trustedCert = NULL;
-        PKIX_PL_CertNameConstraints *anchorNC = NULL;
-        PKIX_CertSelector *certSel = NULL;
-        PKIX_ComCertSelParams *certSelParams = NULL;
-        PKIX_PL_X500Name *trustedSubject = NULL;
-        PKIX_PL_X500Name *candidateIssuer = NULL;
-        PKIX_CertSelector_MatchCallback selectorMatch = NULL;
-        PKIX_Boolean certMatch = PKIX_TRUE;
-        PKIX_Boolean anchorMatch = PKIX_FALSE;
-        PKIX_PL_PublicKey *trustedPubKey = NULL;
-        PKIX_VerifyNode *anchorVerifyNode = NULL;
-        PKIX_Error *verifyError = NULL;
-
-        PKIX_ENTER(BUILD, "pkix_Build_CheckCertAgainstAnchor");
-        PKIX_NULLCHECK_THREE(anchor, candidateCert, pPassed);
-
-        *pPassed = PKIX_FALSE;
-
-        PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
-                    (anchor, &trustedCert, plContext),
-                    PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
-
-        PKIX_CHECK(PKIX_PL_Cert_GetSubject
-                    (trustedCert, &trustedSubject, plContext),
-                    PKIX_CERTGETSUBJECTFAILED);
-
-        PKIX_NULLCHECK_ONE(trustedSubject);
-
-        PKIX_CHECK(PKIX_PL_Cert_GetIssuer
-                    (candidateCert, &candidateIssuer, plContext),
-                    PKIX_CERTGETISSUERFAILED);
-
-        PKIX_CHECK(PKIX_PL_X500Name_Match
-                    (trustedSubject, candidateIssuer, &anchorMatch, plContext),
-                    PKIX_X500NAMEMATCHFAILED);
-
-        if (!anchorMatch) {
-                goto cleanup;
-        }
-
-        PKIX_CHECK(PKIX_TrustAnchor_GetNameConstraints
-                    (anchor, &anchorNC, plContext),
-                    PKIX_TRUSTANCHORGETNAMECONSTRAINTSFAILED);
-
-        if (anchorNC == NULL) {
-                PKIX_CHECK(PKIX_CertSelector_Create
-                            (NULL, NULL, &certSel, plContext),
-                            PKIX_CERTSELECTORCREATEFAILED);
-
-                PKIX_CHECK(PKIX_ComCertSelParams_Create
-                            (&certSelParams, plContext),
-                            PKIX_COMCERTSELPARAMSCREATEFAILED);
-
-                PKIX_NULLCHECK_ONE(traversedSubjNames);
-
-                PKIX_CHECK(PKIX_ComCertSelParams_SetPathToNames
-                        (certSelParams, traversedSubjNames, plContext),
-                        PKIX_COMCERTSELPARAMSSETPATHTONAMESFAILED);
-
-                PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams
-                        (certSel, certSelParams, plContext),
-                        PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
-
-                PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
-                        (certSel, &selectorMatch, plContext),
-                        PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
-
-                PKIX_CHECK(selectorMatch
-                        (certSel, candidateCert, &certMatch, plContext),
-                        PKIX_SELECTORMATCHFAILED);
-
-                if (!certMatch) {
-                        goto cleanup;
-                }
-
-        }
-
-        PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
-                (trustedCert, &trustedPubKey, plContext),
-                PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
-
-        PKIX_CHECK(PKIX_PL_Cert_VerifySignature
-                   (candidateCert, trustedPubKey, plContext),
-                   PKIX_CERTVERIFYSIGNATUREFAILED);
-
-cleanup:
-
-        if (PKIX_ERROR_RECEIVED || !anchorMatch || !certMatch) {
-                if (pkixErrorClass == PKIX_FATAL_ERROR) {
-                        goto fatal;
-                }
-                if (verifyNode != NULL) {
-                        if (!anchorMatch) {
-                            PKIX_ERROR_CREATE
-                                (BUILD,
-                                PKIX_ANCHORDIDNOTCHAINTOCERT,
-                                verifyError);
-                        } else if (!certMatch) {
-                            PKIX_ERROR_CREATE
-                                (BUILD,
-                                PKIX_ANCHORDIDNOTPASSCERTSELECTORCRITERIA,
-                                verifyError);
-                        } else {
-                            verifyError = pkixErrorResult;
-                            pkixErrorResult = NULL;
-                        }
-                        PKIX_DECREF(pkixErrorResult);
-                }
-        } else {
-                *pPassed = PKIX_TRUE;
-        }
-
-        if (verifyNode != NULL) {
-                PKIX_CHECK_FATAL(pkix_VerifyNode_Create
-                        (trustedCert,
-                        1,
-                        verifyError,
-                        &anchorVerifyNode,
-                        plContext),
-                        PKIX_VERIFYNODECREATEFAILED);
-                PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree
-                        (verifyNode, anchorVerifyNode, plContext),
-                        PKIX_VERIFYNODEADDTOTREEFAILED);
-                PKIX_DECREF(verifyError);
-        }
-
-fatal:
-        PKIX_DECREF(verifyError);
-        PKIX_DECREF(anchorVerifyNode);
-        PKIX_DECREF(trustedCert);
-        PKIX_DECREF(anchorNC);
-        PKIX_DECREF(certSel);
-        PKIX_DECREF(certSelParams);
-        PKIX_DECREF(trustedSubject);
-        PKIX_DECREF(trustedPubKey);
-        PKIX_DECREF(candidateIssuer);
-
-        PKIX_RETURN(BUILD);
-}
-
-/*
  * FUNCTION: pkix_Build_SortCertComparator
  * DESCRIPTION:
  *
  *  This Function takes two Certificates cast in "obj1" and "obj2",
  *  compares their validity NotAfter dates and returns the result at
  *  "pResult". The comparison key(s) can be expanded by using other
  *  data in the Certificate in the future.
  *
@@ -1088,44 +890,47 @@ pkix_Build_VerifyCertificate(
         PKIX_Boolean *pTrusted,
         PKIX_Boolean *pNeedsCRLChecking,
         PKIX_VerifyNode *verifyNode,
         void *plContext)
 {
         PKIX_UInt32 numUserCheckers = 0;
         PKIX_UInt32 i = 0;
         PKIX_Boolean loopFound = PKIX_FALSE;
-        PKIX_Boolean dsaParamsNeeded = PKIX_FALSE;
-        PKIX_Boolean isSelfIssued = PKIX_FALSE;
         PKIX_Boolean supportForwardChecking = PKIX_FALSE;
         PKIX_Boolean trusted = PKIX_FALSE;
         PKIX_PL_Cert *candidateCert = NULL;
         PKIX_PL_PublicKey *candidatePubKey = NULL;
         PKIX_CertChainChecker *userChecker = NULL;
         PKIX_CertChainChecker_CheckCallback checkerCheck = NULL;
+        PKIX_Boolean trustOnlyUserAnchors = PKIX_FALSE;
         void *nbioContext = NULL;
-
+        
         PKIX_ENTER(BUILD, "pkix_Build_VerifyCertificate");
         PKIX_NULLCHECK_THREE(state, pTrusted, pNeedsCRLChecking);
         PKIX_NULLCHECK_THREE
                 (state->candidateCerts, state->prevCert, state->trustChain);
 
         *pNeedsCRLChecking = PKIX_FALSE;
 
         PKIX_INCREF(state->candidateCert);
         candidateCert = state->candidateCert;
 
         /* If user defined trust anchor list is not empty, do not
          * trust any certs except to the ones that are in the list */
-        if (!state->buildConstants.numAnchors) {
-            PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
-                       (candidateCert, &trusted, plContext),
-                       PKIX_CERTISCERTTRUSTEDFAILED);
+        if (state->buildConstants.numAnchors) {
+            trustOnlyUserAnchors = PKIX_TRUE;
         }
 
+        PKIX_CHECK(
+            PKIX_PL_Cert_IsCertTrusted(candidateCert,
+                                       trustOnlyUserAnchors,
+                                       &trusted, plContext),
+            PKIX_CERTISCERTTRUSTEDFAILED);
+
         *pTrusted = trusted;
 
         /* check for loops */
         PKIX_CHECK(pkix_List_Contains
                 (state->trustChain,
                 (PKIX_PL_Object *)candidateCert,
                 &loopFound,
                 plContext),
@@ -1181,70 +986,52 @@ pkix_Build_VerifyCertificate(
 
                         ERROR_CHECK(PKIX_USERCHECKERCHECKFAILED);
                     }
 
                     PKIX_DECREF(userChecker);
                 }
         }
 
-        /* signature check */
-
-        if ((!(state->dsaParamsNeeded)) || trusted) {
-                PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
-                            (candidateCert, &candidatePubKey, plContext),
-                            PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
-
-                PKIX_CHECK(PKIX_PL_PublicKey_NeedsDSAParameters
-                            (candidatePubKey, &dsaParamsNeeded, plContext),
-                            PKIX_PUBLICKEYNEEDSDSAPARAMETERSFAILED);
-
-                if (dsaParamsNeeded) {
-                        if (trusted) {
-                                PKIX_ERROR(PKIX_MISSINGDSAPARAMETERS);
-                        } else {
-                                state->dsaParamsNeeded = PKIX_TRUE;
-                                goto cleanup;
-                        }
+        /* Check that public key of the trusted dsa cert has
+         * dsa parameters */
+        if (trusted) {
+            PKIX_Boolean paramsNeeded = PKIX_FALSE;
+            PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                       (candidateCert, &candidatePubKey, plContext),
+                       PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+            PKIX_CHECK(PKIX_PL_PublicKey_NeedsDSAParameters
+                       (candidatePubKey, &paramsNeeded, plContext),
+                       PKIX_PUBLICKEYNEEDSDSAPARAMETERSFAILED);
+            if (paramsNeeded) {
+                PKIX_ERROR(PKIX_MISSINGDSAPARAMETERS);
+            }
+        }
+        
+        
+        if (revocationChecking) {
+            if (!trusted) {
+                if (state->revCheckDelayed) {
+                    goto cleanup;
+                } else {
+                    PKIX_Boolean isSelfIssued = PKIX_FALSE;
+                    PKIX_CHECK(
+                        pkix_IsCertSelfIssued(candidateCert, &isSelfIssued,
+                                              plContext),
+                        PKIX_ISCERTSELFISSUEDFAILED);
+                    if (isSelfIssued) {
+                        state->revCheckDelayed = PKIX_TRUE;
+                        goto cleanup;
+                    }
                 }
-
-                pkixErrorResult = PKIX_PL_Cert_VerifyKeyUsage
-                        (candidateCert, PKIX_KEY_CERT_SIGN, plContext);
-
-                ERROR_CHECK(PKIX_CERTVERIFYKEYUSAGEFAILED);
-
-                pkixErrorResult = PKIX_PL_Cert_VerifySignature
-                        (state->prevCert, candidatePubKey, plContext);
-
-                ERROR_CHECK(PKIX_CERTVERIFYSIGNATUREFAILED);
-
-                if (revocationChecking) {
-                        if (!trusted) {
-                            if (state->revCheckDelayed) {
-                                goto cleanup;
-                            } else {
-                                PKIX_CHECK(pkix_IsCertSelfIssued
-                                        (candidateCert,
-                                        &isSelfIssued,
-                                        plContext),
-                                        PKIX_ISCERTSELFISSUEDFAILED);
-
-                                if (isSelfIssued) {
-                                        state->revCheckDelayed = PKIX_TRUE;
-                                        goto cleanup;
-                                }
-                            }
-                        }
-
-                        *pNeedsCRLChecking = PKIX_TRUE;
-                }
+            }
+            *pNeedsCRLChecking = PKIX_TRUE;
         }
 
 cleanup:
-
         PKIX_DECREF(candidateCert);
         PKIX_DECREF(candidatePubKey);
         PKIX_DECREF(userChecker);
 
         PKIX_RETURN(BUILD);
 }
 
 /*
@@ -1451,40 +1238,37 @@ pkix_Build_ValidationCheckers(
                                 PKIX_LISTAPPENDITEMFAILED);
                         }
 
                         PKIX_DECREF(userCheckerExtOIDs);
                         PKIX_DECREF(userChecker);
                 }
         }
 
-        if (state->dsaParamsNeeded) {
-            PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
-                       (anchor, &trustedCert, plContext),
-                       PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
-            
-            PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
-                       (trustedCert, &trustedPubKey, plContext),
-                       PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
-            
-            PKIX_NULLCHECK_ONE(state->buildConstants.certStores);
-            
-            PKIX_CHECK(pkix_SignatureChecker_Initialize
-                       (trustedPubKey,
-                        numChainCerts,
-                        &sigChecker,
-                        plContext),
-                       PKIX_SIGNATURECHECKERINITIALIZEFAILED);
-            
-            PKIX_CHECK(PKIX_List_AppendItem
-                       (checkers,
-                        (PKIX_PL_Object *)sigChecker,
-                        plContext),
-                       PKIX_LISTAPPENDITEMFAILED);
-        }
+        /* Inabling post chain building signature check on the certs. */
+        PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
+                   (anchor, &trustedCert, plContext),
+                   PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
+        
+        PKIX_CHECK(PKIX_PL_Cert_GetSubjectPublicKey
+                   (trustedCert, &trustedPubKey, plContext),
+                   PKIX_CERTGETSUBJECTPUBLICKEYFAILED);
+        
+        PKIX_CHECK(pkix_SignatureChecker_Initialize
+                   (trustedPubKey,
+                    numChainCerts,
+                    &sigChecker,
+                    plContext),
+                   PKIX_SIGNATURECHECKERINITIALIZEFAILED);
+        
+        PKIX_CHECK(PKIX_List_AppendItem
+                   (checkers,
+                    (PKIX_PL_Object *)sigChecker,
+                    plContext),
+                   PKIX_LISTAPPENDITEMFAILED);
 
         PKIX_INCREF(reversedCertChain);
         state->reversedCertChain = reversedCertChain;
         PKIX_INCREF(buildCheckedCritExtOIDsList);
         state->checkedCritExtOIDs = buildCheckedCritExtOIDsList;
         state->checkerChain = checkers;
         checkers = NULL;
         state->certCheckedIndex = 0;
@@ -1590,21 +1374,16 @@ pkix_Build_ValidateEntireChain(
         }
 
         ERROR_CHECK(PKIX_CHECKCHAINFAILED);
 
         if (state->reasonCode != 0) {
                 PKIX_ERROR(PKIX_CHAINREJECTEDBYREVOCATIONCHECKER);
         }
 
-        if (state->dsaParamsNeeded == PKIX_FALSE) {
-                PKIX_INCREF(state->buildConstants.targetPubKey);
-                subjPubKey = state->buildConstants.targetPubKey;
-        }
-
         PKIX_CHECK(pkix_ValidateResult_Create
                 (subjPubKey, anchor, policyTree, &valResult, plContext),
                 PKIX_VALIDATERESULTCREATEFAILED);
 
         *pValResult = valResult;
         valResult = NULL;
 
 cleanup:
@@ -1793,148 +1572,88 @@ cleanup:
         PKIX_DECREF(testDate);
         PKIX_DECREF(reqEkuOids);
         PKIX_DECREF(callerComCertSelParams);
         PKIX_DECREF(callerCertSelector);
 
         PKIX_RETURN(BUILD);
 }
 
-/*
- * FUNCTION: pkix_Build_CombineWithTrust
- * DESCRIPTION:
- *
- *  Adds each Cert in the List pointed to by "fromList" to the List pointed
- *  to by "toList", if it is not already a member of that List. If it is a
- *  member of both Lists, then the two instances are checked to see if either
- *  is trusted, in which case the trusted one is retained. In other words,
- *  "toList" becomes the union of the two sets, with trust preserved.
- *
- *  It is assumed that fromList does not contain duplicates. Therefore as
- *  elements of "fromlist" are added to "tolist", subsequent additions do
- *  not need to be checked for equality against these new members.
- *
- * PARAMETERS:
- *  "fromList"
- *      Address of a List of Certs to be added, if not already present, to
- *      "toList". Must be non-NULL, but may be empty.
- *  "toList"
- *      Address of a List of Certs to be augmented by "fromList". Must be
- *      non-NULL, but may be empty.
- *  "plContext"
- *      Platform-specific context pointer.
- * THREAD SAFETY:
- *  Not Thread Safe - assumes exclusive access to "toList"
- *  (see Thread Safety Definitions in Programmer's Guide)
- * RETURNS:
- *  Returns NULL if the function succeeds
- *  Returns a Build Error if the function fails in a non-fatal way.
- *  Returns a Fatal Error if the function fails in an unrecoverable way
- */
-static PKIX_Error *
-pkix_Build_CombineWithTrust(
-        PKIX_List *toList,
-        PKIX_List *fromList,
-        void *plContext)
+/* Match trust anchor to select params in order to find next cert. */
+static PKIX_Error*
+pkix_Build_SelectCertsFromTrustAnchors(
+    PKIX_List *trustAnchorsList,
+    PKIX_ComCertSelParams *certSelParams,
+    PKIX_List **pMatchList,
+    void *plContext) 
 {
-        PKIX_Boolean match = PKIX_FALSE;
-        PKIX_Boolean trusted = PKIX_FALSE;
-        PKIX_UInt32 fromlistLen = 0;
-        PKIX_UInt32 originalTolistLen = 0;
-        PKIX_UInt32 fromlistIx = 0;
-        PKIX_UInt32 tolistIx = 0;
-        PKIX_PL_Object *fObject = NULL;
-        PKIX_PL_Object *tObject = NULL;
-
-        PKIX_ENTER(BUILD, "pkix_Build_CombineWithTrust");
-        PKIX_NULLCHECK_TWO(fromList, toList);
-
-        PKIX_CHECK(PKIX_List_GetLength(fromList, &fromlistLen, plContext),
-                PKIX_LISTGETLENGTHFAILED);
-
-        PKIX_CHECK(PKIX_List_GetLength(toList, &originalTolistLen, plContext),
-                PKIX_LISTGETLENGTHFAILED);
-
-        for (fromlistIx = 0; fromlistIx < fromlistLen; fromlistIx++) {
-
-                PKIX_CHECK(PKIX_List_GetItem
-                        (fromList, fromlistIx, &fObject, plContext),
-                        PKIX_LISTGETITEMFAILED);
-
-                PKIX_NULLCHECK_ONE(fObject);
-
-                match = PKIX_FALSE;
-                for (tolistIx = 0; tolistIx < originalTolistLen; tolistIx++) {
-                        PKIX_CHECK(PKIX_List_GetItem
-                                (toList, tolistIx, &tObject, plContext),
-                                PKIX_LISTGETITEMFAILED);
-
-                        PKIX_NULLCHECK_ONE(tObject);
-
-                        PKIX_CHECK(PKIX_PL_Object_Equals
-                                (fObject, tObject, &match, plContext),
-                                PKIX_OBJECTEQUALSFAILED);
-
-                        if (match) {
-                                PKIX_CHECK(pkix_CheckType
-                                        (tObject, PKIX_CERT_TYPE, plContext),
-                                        PKIX_OBJECTNOTCERT);
-
-                                PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
-                                        ((PKIX_PL_Cert *)tObject, &trusted,
-                                         plContext),
-                                        PKIX_CERTISCERTTRUSTEDFAILED);
-        
-                                /* If tObject is a trusted cert, keep it. */
-                                if (trusted == PKIX_TRUE) {
-                                        PKIX_DECREF(tObject);
-                                        break;
-                                }
-
-                                PKIX_CHECK(pkix_CheckType
-                                        (fObject, PKIX_CERT_TYPE, plContext),
-                                        PKIX_OBJECTNOTCERT);
-
-                                PKIX_CHECK(PKIX_PL_Cert_IsCertTrusted
-                                        ((PKIX_PL_Cert *)fObject, &trusted,
-                                         plContext),
-                                        PKIX_CERTISCERTTRUSTEDFAILED);
-
-                                /* If fObject is a trusted cert, replace it. */
-                                if (trusted == PKIX_TRUE) {
-                                        PKIX_CHECK(PKIX_List_SetItem
-                                                (toList,
-                                                tolistIx,
-                                                fObject,
-                                                plContext),
-                                                PKIX_LISTSETITEMFAILED);
-                                        PKIX_DECREF(tObject);
-                                        break;
-                                }
-                        }
-                        PKIX_DECREF(tObject);
-                }
-
-                if (match == PKIX_FALSE) {
-                        PKIX_CHECK(PKIX_List_AppendItem
-                                (toList, fObject, plContext),
-                                PKIX_LISTAPPENDITEMFAILED);
-                }
-
-                PKIX_DECREF(fObject);
+    int anchorIndex = 0;
+    PKIX_TrustAnchor *anchor = NULL;
+    PKIX_PL_Cert *trustedCert = NULL;
+    PKIX_List *matchList = NULL;
+    PKIX_CertSelector *certSel = NULL;
+    PKIX_CertSelector_MatchCallback selectorMatchCB = NULL;
+    PKIX_Boolean certMatch = PKIX_TRUE;
+
+    PKIX_ENTER(BUILD, "pkix_Build_SelectCertsFromTrustAnchors");
+    
+    PKIX_CHECK(PKIX_CertSelector_Create
+               (NULL, NULL, &certSel, plContext),
+               PKIX_CERTSELECTORCREATEFAILED);
+    PKIX_CHECK(PKIX_CertSelector_SetCommonCertSelectorParams
+               (certSel, certSelParams, plContext),
+               PKIX_CERTSELECTORSETCOMMONCERTSELECTORPARAMSFAILED);
+    PKIX_CHECK(PKIX_CertSelector_GetMatchCallback
+               (certSel, &selectorMatchCB, plContext),
+               PKIX_CERTSELECTORGETMATCHCALLBACKFAILED);
+
+    for (anchorIndex = 0;anchorIndex < trustAnchorsList->length; anchorIndex++) {
+        PKIX_CHECK(
+            PKIX_List_GetItem(trustAnchorsList,
+                              anchorIndex,
+                              (PKIX_PL_Object **)&anchor,
+                              plContext),
+            PKIX_LISTGETITEMFAILED);
+        PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
+                   (anchor, &trustedCert, plContext),
+                   PKIX_TRUSTANCHORGETTRUSTEDCERTFAILED);
+        pkixErrorResult =
+            (*selectorMatchCB)(certSel, trustedCert,
+                               &certMatch, plContext);
+        if (!pkixErrorResult && certMatch) {
+            if (!matchList) {
+                PKIX_CHECK(PKIX_List_Create(&matchList,
+                                            plContext),
+                           PKIX_LISTCREATEFAILED);
+            }
+            PKIX_CHECK(
+                PKIX_List_AppendItem(matchList,
+                    (PKIX_PL_Object*)trustedCert,
+                                     plContext),
+                PKIX_LISTAPPENDITEMFAILED);
+        } else {
+            PKIX_DECREF(pkixErrorResult);
         }
+        PKIX_DECREF(trustedCert);
+        PKIX_DECREF(anchor);
+     }
+    
+    *pMatchList = matchList;
+    matchList = NULL;
 
 cleanup:
-
-        PKIX_DECREF(fObject);
-        PKIX_DECREF(tObject);
-
-        PKIX_RETURN(BUILD);
+    PKIX_DECREF(matchList);
+    PKIX_DECREF(trustedCert);
+    PKIX_DECREF(anchor);
+    PKIX_DECREF(certSel);
+    
+    PKIX_RETURN(BUILD);
 }
 
+
 /*
  * FUNCTION: pkix_Build_GatherCerts
  * DESCRIPTION:
  *
  *  This function traverses the CertStores in the List of CertStores contained
  *  in "state",  using the certSelector and other parameters contained in
  *  "state", to obtain a List of all available Certs that satisfy the criteria.
  *  If a CertStore has a cache, "certSelParams" is used both to query the cache
@@ -1972,45 +1691,29 @@ pkix_Build_GatherCerts(
         PKIX_ForwardBuilderState *state,
         PKIX_ComCertSelParams *certSelParams,
         void **pNBIOContext,
         void *plContext)
 {
         PKIX_Boolean certStoreIsCached = PKIX_FALSE;
         PKIX_Boolean certStoreIsLocal = PKIX_FALSE;
         PKIX_Boolean foundInCache = PKIX_FALSE;
-        PKIX_Boolean listIsEmpty = PKIX_FALSE;
         PKIX_CertStore *certStore = NULL;
         PKIX_CertStore_CertCallback getCerts = NULL;
         PKIX_List *certsFound = NULL;
-        PKIX_List *sorted = NULL;
+        PKIX_List *trustedCertList = NULL;
         void *nbioContext = NULL;
 
         PKIX_ENTER(BUILD, "pkix_Build_GatherCerts");
         PKIX_NULLCHECK_THREE(state, certSelParams, pNBIOContext);
 
         nbioContext = *pNBIOContext;
         *pNBIOContext = NULL;
 
-        PKIX_CHECK(
-            PKIX_List_IsEmpty(state->candidateCerts, &listIsEmpty, plContext),
-            PKIX_LISTISEMPTYFAILED);
-
-        /* The caller is responsible to make sure that the list is empty */
-#ifdef UNDEF
-        /* I suspect that the list will not be empty. Commenting the assertion
-         * out for now. More work needs to be done for bug 418544 to clean up
-         * code related to candidateCerts list */
-        PORT_Assert(listIsEmpty);
-#endif
-        if (!listIsEmpty) {
-            PKIX_DECREF(state->candidateCerts);
-            PKIX_CHECK(PKIX_List_Create(&state->candidateCerts, plContext),
-                       PKIX_LISTCREATEFAILED);
-        }
+        PKIX_DECREF(state->candidateCerts);
 
         while (state->certStoreIndex < state->buildConstants.numCertStores) {
 
                 /* Get the current CertStore */
                 PKIX_CHECK(PKIX_List_GetItem
                         (state->buildConstants.certStores,
                         state->certStoreIndex,
                         (PKIX_PL_Object **)&certStore,
@@ -2099,49 +1802,58 @@ pkix_Build_GatherCerts(
                     /*
                      * getCerts returns an empty list for "NONE FOUND",
                      * a NULL list for "would block"
                      */
                     if (certsFound == NULL) {
                         state->status = BUILD_GATHERPENDING;
                         *pNBIOContext = nbioContext;
                         goto cleanup;
-                    } else {
-                        PKIX_CHECK(pkix_Build_CombineWithTrust
-                                (state->candidateCerts, certsFound, plContext),
-                                PKIX_BUILDCOMBINEWITHTRUSTFAILED);
-                        PKIX_DECREF(certsFound);
                     }
                 }
 
                 /* Are there any more certStores to query? */
                 PKIX_DECREF(certStore);
                 ++(state->certStoreIndex);
         }
 
+        if (certsFound && certsFound->length > 1) {
+            PKIX_List *sorted = NULL;
+            
+            /* sort Certs to try to optimize search */
+            PKIX_CHECK(pkix_Build_SortCandidateCerts
+                       (certsFound, &sorted, plContext),
+                       PKIX_BUILDSORTCANDIDATECERTSFAILED);
+            PKIX_DECREF(certsFound);
+            certsFound = sorted;
+        }
+
+        PKIX_CHECK(
+            pkix_Build_SelectCertsFromTrustAnchors(
+                state->buildConstants.anchors,
+                certSelParams, &trustedCertList,
+                plContext),
+            PKIX_FAILTOSELECTCERTSFROMANCHORS);
+
+        PKIX_CHECK(
+            pkix_List_MergeLists(trustedCertList,
+                                 certsFound,
+                                 &state->candidateCerts,
+                                 plContext),
+            PKIX_LISTMERGEFAILED);
+
         /* No, return the list we have gathered */
         PKIX_CHECK(PKIX_List_GetLength
                 (state->candidateCerts, &state->numCerts, plContext),
                 PKIX_LISTGETLENGTHFAILED);
 
-        if (state->numCerts > 1) {
-                /* sort Certs to try to optimize search */
-                PKIX_CHECK(pkix_Build_SortCandidateCerts
-                        (state->candidateCerts, &sorted, plContext),
-                        PKIX_BUILDSORTCANDIDATECERTSFAILED);
-
-                PKIX_DECREF(state->candidateCerts);
-                state->candidateCerts = sorted;
-                sorted = NULL;
-        }
-
         state->certIndex = 0;
 
 cleanup:
-
+        PKIX_DECREF(trustedCertList);
         PKIX_DECREF(certStore);
         PKIX_DECREF(certsFound);
 
         PKIX_RETURN(BUILD);
 }
 
 /*
  * FUNCTION: pkix_Build_UpdateDate
@@ -2305,17 +2017,16 @@ pkix_BuildForwardDepthFirstSearch(
         PKIX_ForwardBuilderState *state,
         PKIX_ValidateResult **pValResult,
         void *plContext)
 {
         PKIX_Boolean outOfOptions = PKIX_FALSE;
         PKIX_Boolean trusted = PKIX_FALSE;
         PKIX_Boolean isSelfIssued = PKIX_FALSE;
         PKIX_Boolean canBeCached = PKIX_FALSE;
-        PKIX_Boolean passed = PKIX_FALSE;
         PKIX_Boolean revocationCheckingExists = PKIX_FALSE;
         PKIX_Boolean needsCRLChecking = PKIX_FALSE;
         PKIX_Boolean ioPending = PKIX_FALSE;
         PKIX_PL_Date *validityDate = NULL;
         PKIX_PL_Date *currTime  = NULL;
         PKIX_Int32 childTraversedCACerts = 0;
         PKIX_UInt32 numSubjectNames = 0;
         PKIX_UInt32 numChained = 0;
@@ -2326,18 +2037,16 @@ pkix_BuildForwardDepthFirstSearch(
         PKIX_List *subjectNames = NULL;
         PKIX_List *unfilteredCerts = NULL;
         PKIX_List *filteredCerts = NULL;
         PKIX_PL_Object *subjectName = NULL;
         PKIX_ValidateResult *valResult = NULL;
         PKIX_ForwardBuilderState *childState = NULL;
         PKIX_ForwardBuilderState *parentState = NULL;
         PKIX_PL_Object *revCheckerState = NULL;
-        PKIX_PL_PublicKey *candidatePubKey = NULL;
-        PKIX_PL_PublicKey *trustedPubKey = NULL;
         PKIX_ComCertSelParams *certSelParams = NULL;
         PKIX_TrustAnchor *trustAnchor = NULL;
         PKIX_PL_Cert *trustedCert = NULL;
         PKIX_VerifyNode *verifyNode = NULL;
         PKIX_Error *verifyError = NULL;
         PKIX_Error *finalError = NULL;
         void *nbio = NULL;
 
@@ -2691,34 +2400,38 @@ pkix_BuildForwardDepthFirstSearch(
                             state->status = BUILD_DATEPREP;
                     }
             }
 
             if (state->status == BUILD_CRLPREP) {
                 PKIX_RevocationStatus revStatus;
                 PKIX_UInt32 reasonCode;
 
-                PKIX_CHECK(
+                verifyError =
                     PKIX_RevocationChecker_Check(
                              state->prevCert, state->candidateCert,
                              state->buildConstants.revChecker,
                              state->buildConstants.procParams,
                              PKIX_FALSE,
                              (state->parentState == NULL) ?
                                               PKIX_TRUE : PKIX_FALSE,
                              &revStatus, &reasonCode,
-                             &nbio, plContext),
-                    PKIX_REVCHECKERCHECKFAILED);
+                             &nbio, plContext);
                 if (nbio != NULL) {
                     *pNBIOContext = nbio;
                     goto cleanup;
                 }
-                if (revStatus == PKIX_RevStatus_Revoked) {
-                    PKIX_ERROR_CREATE(VALIDATE, PKIX_CERTIFICATEREVOKED,
-                                      verifyError);
+                if (revStatus == PKIX_RevStatus_Revoked || verifyError) {
+                    if (!verifyError) {
+                        /* if verifyError is returned then use it as
+                         * it has a detailed revocation error code.
+                         * Otherwise create a new error */
+                        PKIX_ERROR_CREATE(VALIDATE, PKIX_CERTIFICATEREVOKED,
+                                          verifyError);
+                    }
                     if (state->verifyNode != NULL) {
                             PKIX_CHECK_FATAL(pkix_VerifyNode_SetError
                                     (verifyNode, verifyError, plContext),
                                     PKIX_VERIFYNODESETERRORFAILED);
                             PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree
                                     (state->verifyNode,
                                     verifyNode,
                                     plContext),
@@ -2775,47 +2488,57 @@ pkix_BuildForwardDepthFirstSearch(
                                    * checked */
                       plContext),
                       PKIX_BUILDVALIDATIONCHECKERSFAILED);
 
                     state->status = BUILD_CHECKTRUSTED2;
             }
 
             if (state->status == BUILD_CHECKTRUSTED2) {
-                    PKIX_CHECK_ONLY_FATAL(pkix_Build_ValidateEntireChain
-                        (state,
-                        trustAnchor,
-                        &nbio, &valResult,
-                        verifyNode,
-                        plContext),
-                        PKIX_BUILDVALIDATEENTIRECHAINFAILED);
-
+                    verifyError = 
+                        pkix_Build_ValidateEntireChain(state,
+                                                       trustAnchor,
+                                                       &nbio, &valResult,
+                                                       verifyNode,
+                                                       plContext);
                     if (nbio != NULL) {
                             /* IO still pending, resume later */
                             goto cleanup;
                     } else {
                             PKIX_DECREF(state->reversedCertChain);
                             PKIX_DECREF(state->checkedCritExtOIDs);
                             PKIX_DECREF(state->checkerChain);
+                            /* checking the error for fatal status */
+                            if (verifyError) {
+                                pkixTempErrorReceived = PKIX_TRUE;
+                                pkixErrorClass = verifyError->errClass;
+                                if (pkixErrorClass == PKIX_FATAL_ERROR) {
+                                    pkixErrorResult = verifyError;
+                                    verifyError = NULL;
+                                    goto fatal;
+                                }
+                            }
                             if (state->verifyNode != NULL) {
                                 PKIX_CHECK_FATAL(pkix_VerifyNode_AddToTree
                                         (state->verifyNode,
                                         verifyNode,
                                         plContext),
                                         PKIX_VERIFYNODEADDTOTREEFAILED);
                                 PKIX_DECREF(verifyNode);
                             }
-
                             if (!PKIX_ERROR_RECEIVED) {
                                 *pValResult = valResult;
                                 valResult = NULL;
                                 /* Change state so IsIOPending is FALSE */
                                 state->status = BUILD_CHECKTRUSTED;
                                 goto cleanup;
                             }
+                            PKIX_DECREF(finalError);
+                            finalError = verifyError;
+                            verifyError = NULL;
                             /* Reset temp error that was set by 
                              * PKIX_CHECK_ONLY_FATAL and continue */
                             pkixTempErrorReceived = PKIX_FALSE;
                             PKIX_DECREF(trustAnchor);
                     }
 
                     /*
                      * If chain doesn't validate with a trusted Cert,
@@ -2835,167 +2558,19 @@ pkix_BuildForwardDepthFirstSearch(
              */
             if (state->status == BUILD_ADDTOCHAIN) {
                     PKIX_CHECK(PKIX_List_AppendItem
                             (state->trustChain,
                             (PKIX_PL_Object *)state->candidateCert,
                             plContext),
                             PKIX_LISTAPPENDITEMFAILED);
 
-                    state->status = BUILD_CHECKWITHANCHORS;
-                    state->anchorIndex = 0;
+                    state->status = BUILD_EXTENDCHAIN;
             }
 
-            while ((state->status == BUILD_CHECKWITHANCHORS) ||
-                (state->status == BUILD_CRL2) ||
-                (state->status == BUILD_VALCHAIN2)) {
-                    if (state->anchorIndex >=
-                            state->buildConstants.numAnchors) {
-                                   state->status = BUILD_EXTENDCHAIN;
-                            break;
-                    } else {
-
-                            PKIX_CHECK(PKIX_List_GetItem
-                                    (state->buildConstants.anchors,
-                                    state->anchorIndex,
-                                    (PKIX_PL_Object **)&trustAnchor,
-                                    plContext),
-                                    PKIX_LISTGETITEMFAILED);
-
-                    }
-
-                    if (state->status == BUILD_CHECKWITHANCHORS) {
-
-                            /*
-                             * Does this Trust Anchor chain to this cert?
-                             * (If state->verifyNode is non-NULL, this function
-                             * chains a verifyNode for each anchor checked.)
-                             */
-                            PKIX_CHECK(pkix_Build_CheckCertAgainstAnchor
-                                    (state->candidateCert,
-                                    trustAnchor,
-                                    state->traversedSubjNames,
-                                    &passed,
-                                    verifyNode,
-                                    plContext),
-                                    PKIX_CHECKCERTAGAINSTANCHORFAILED);
-
-                            if (passed == PKIX_TRUE) {
-                                    if (state->buildConstants.revChecker) {
-                                            state->status = BUILD_CRL2;
-                                    } else {
-                                            state->status = BUILD_VALCHAIN;
-                                    }
-                            } /* else increment anchorIndex and try next */
-                    }
-
-                    if (state->status == BUILD_CRL2) {
-                        PKIX_RevocationStatus revStatus;
-                        PKIX_UInt32 reasonCode;
-
-                        PKIX_CHECK(PKIX_TrustAnchor_GetTrustedCert
-                                   (trustAnchor, &trustedCert, plContext),
-                                   PKIX_TRUSTANCHORGETTRUSTEDCE