Bug 1296266, NSS_3_27_BETA3, r=ttaubert
authorKai Engert <kaie@kuix.de>
Thu, 08 Sep 2016 17:03:14 +0200
changeset 313212 979e180c5045a08ff7a7236c3c464ed8194a938a
parent 313211 8e68d6ac1801e51f965d47b73d64981c92671ccf
child 313213 c1b0b9ddb452370e233b840bec3ecfe772157221
push id81566
push userkaie@kuix.de
push dateThu, 08 Sep 2016 15:03:30 +0000
treeherdermozilla-inbound@979e180c5045 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersttaubert
bugs1296266
milestone51.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1296266, NSS_3_27_BETA3, r=ttaubert
security/nss/TAG-INFO
security/nss/automation/taskcluster/decision_task.yml
security/nss/automation/taskcluster/docker-decision/Dockerfile
security/nss/automation/taskcluster/docker-decision/bin/checkout.sh
security/nss/automation/taskcluster/docker-decision/setup.sh
security/nss/automation/taskcluster/graph/build.js
security/nss/automation/taskcluster/graph/image_builder.js
security/nss/automation/taskcluster/graph/image_builder.yml
security/nss/automation/taskcluster/graph/linux/_build_base.yml
security/nss/automation/taskcluster/graph/linux/_test_base.yml
security/nss/automation/taskcluster/graph/package.json
security/nss/automation/taskcluster/graph/tools/_build_base.yml
security/nss/automation/taskcluster/graph/yaml.js
security/nss/automation/taskcluster/scripts/run_clang_format.sh
security/nss/coreconf/coreconf.dep
security/nss/doc/certutil.xml
security/nss/doc/html/certutil.html
security/nss/doc/nroff/certutil.1
security/nss/lib/nss/nss.h
security/nss/lib/nss/nssinit.c
security/nss/lib/nss/nssoptions.c
security/nss/lib/nss/nssoptions.h
security/nss/lib/nss/utilwrap.c
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/tls13con.c
security/nss/lib/sysinit/nsssysinit.c
security/nss/lib/util/SECerrs.h
security/nss/lib/util/base64.h
security/nss/lib/util/ciferfam.h
security/nss/lib/util/derdec.c
security/nss/lib/util/derenc.c
security/nss/lib/util/dersubr.c
security/nss/lib/util/dertime.c
security/nss/lib/util/errstrs.c
security/nss/lib/util/hasht.h
security/nss/lib/util/nssb64.h
security/nss/lib/util/nssb64d.c
security/nss/lib/util/nssb64e.c
security/nss/lib/util/nssilckt.h
security/nss/lib/util/nssilock.c
security/nss/lib/util/nssilock.h
security/nss/lib/util/nssrwlk.c
security/nss/lib/util/nssrwlk.h
security/nss/lib/util/nssrwlkt.h
security/nss/lib/util/nssutil.def
security/nss/lib/util/nssutil.h
security/nss/lib/util/oidstring.c
security/nss/lib/util/pkcs11.h
security/nss/lib/util/pkcs11f.h
security/nss/lib/util/pkcs11n.h
security/nss/lib/util/pkcs11p.h
security/nss/lib/util/pkcs11t.h
security/nss/lib/util/pkcs11u.h
security/nss/lib/util/pkcs1sig.c
security/nss/lib/util/portreg.c
security/nss/lib/util/portreg.h
security/nss/lib/util/quickder.c
security/nss/lib/util/secalgid.c
security/nss/lib/util/secasn1.h
security/nss/lib/util/secasn1d.c
security/nss/lib/util/secasn1e.c
security/nss/lib/util/secasn1t.h
security/nss/lib/util/secasn1u.c
security/nss/lib/util/seccomon.h
security/nss/lib/util/secder.h
security/nss/lib/util/secdert.h
security/nss/lib/util/secdig.c
security/nss/lib/util/secdig.h
security/nss/lib/util/secdigt.h
security/nss/lib/util/secerr.h
security/nss/lib/util/secitem.c
security/nss/lib/util/secitem.h
security/nss/lib/util/secload.c
security/nss/lib/util/secoid.c
security/nss/lib/util/secoid.h
security/nss/lib/util/secoidt.h
security/nss/lib/util/secplcy.c
security/nss/lib/util/secplcy.h
security/nss/lib/util/secport.c
security/nss/lib/util/secport.h
security/nss/lib/util/sectime.c
security/nss/lib/util/templates.c
security/nss/lib/util/utf8.c
security/nss/lib/util/utilmod.c
security/nss/lib/util/utilmodt.h
security/nss/lib/util/utilpars.c
security/nss/lib/util/utilpars.h
security/nss/lib/util/utilparst.h
security/nss/lib/util/verref.h
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_27_BETA2
+NSS_3_27_BETA3
--- a/security/nss/automation/taskcluster/decision_task.yml
+++ b/security/nss/automation/taskcluster/decision_task.yml
@@ -52,24 +52,23 @@ tasks:
       tags:
         createdForUser: {{owner}}
 
       routes:
         - "tc-treeherder-stage.v2.{{project}}.{{revision}}.{{pushlog_id}}"
         - "tc-treeherder.v2.{{project}}.{{revision}}.{{pushlog_id}}"
 
       payload:
-        image: "ttaubert/nss-ci:0.0.22"
+        image: ttaubert/nss-decision:0.0.2
 
         env:
           TC_OWNER: {{owner}}
           TC_SOURCE: {{{source}}}
           TC_PROJECT: {{project}}
           TC_COMMENT: '{{comment}}'
-          TC_IMAGE: "ttaubert/nss-ci:0.0.22"
           NSS_PUSHLOG_ID: '{{pushlog_id}}'
           NSS_HEAD_REPOSITORY: '{{{url}}}'
           NSS_HEAD_REVISION: '{{revision}}'
 
         maxRunTime: 1800
 
         command:
           - bash
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-decision/Dockerfile
@@ -0,0 +1,27 @@
+FROM ubuntu:16.04
+MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+
+RUN useradd -d /home/worker -s /bin/bash -m worker
+WORKDIR /home/worker
+
+# Add build and test scripts.
+ADD bin /home/worker/bin
+RUN chmod +x /home/worker/bin/*
+
+# Install dependencies.
+ADD setup.sh /tmp/setup.sh
+RUN bash /tmp/setup.sh
+
+# Env variables.
+ENV HOME /home/worker
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME worker
+ENV HOSTNAME taskcluster-worker
+ENV LANG en_US.UTF-8
+ENV LC_ALL en_US.UTF-8
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-decision/bin/checkout.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
+for i in 0 2 5; do
+    sleep $i
+    hg clone -r $REVISION $REPOSITORY nss && exit 0
+    rm -rf nss
+done
+exit 1
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-decision/setup.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+# Update packages.
+export DEBIAN_FRONTEND=noninteractive
+apt-get -y update && apt-get -y upgrade
+
+# Need those to install newer packages below.
+apt-get install -y --no-install-recommends apt-utils curl ca-certificates
+
+# Latest Mercurial.
+apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
+echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
+
+# Install packages.
+apt-get -y update && apt-get install -y --no-install-recommends mercurial
+
+# Latest Node.JS.
+curl -sL https://deb.nodesource.com/setup_6.x | bash -
+apt-get install -y --no-install-recommends nodejs
+
+locale-gen en_US.UTF-8
+dpkg-reconfigure locales
+
+# Cleanup.
+rm -rf ~/.ccache ~/.cache
+apt-get autoremove -y
+apt-get clean
+apt-get autoclean
+rm $0
--- a/security/nss/automation/taskcluster/graph/build.js
+++ b/security/nss/automation/taskcluster/graph/build.js
@@ -1,71 +1,30 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 var fs = require("fs");
 var path = require("path");
 var merge = require("merge");
-var yaml = require("js-yaml");
 var slugid = require("slugid");
 var flatmap = require("flatmap");
+
+var yaml = require("./yaml");
 var try_syntax = require("./try_syntax");
+var image_builder = require("./image_builder");
 
 // Default values for debugging.
 var TC_OWNER = process.env.TC_OWNER || "{{tc_owner}}";
 var TC_SOURCE = process.env.TC_SOURCE || "{{tc_source}}";
 var TC_PROJECT = process.env.TC_PROJECT || "{{tc_project}}";
 var TC_COMMENT = process.env.TC_COMMENT || "{{tc_comment}}";
 var NSS_PUSHLOG_ID = process.env.NSS_PUSHLOG_ID || "{{nss_pushlog_id}}";
 var NSS_HEAD_REVISION = process.env.NSS_HEAD_REVISION || "{{nss_head_rev}}";
 
-// Register custom YAML types.
-var YAML_SCHEMA = yaml.Schema.create([
-  // Point in time at $now + x hours.
-  new yaml.Type('!from_now', {
-    kind: "scalar",
-
-    resolve: function (data) {
-      return true;
-    },
-
-    construct: function (data) {
-      var d = new Date();
-      d.setHours(d.getHours() + (data|0));
-      return d.toJSON();
-    }
-  }),
-
-  // Environment variables.
-  new yaml.Type('!env', {
-    kind: "scalar",
-
-    resolve: function (data) {
-      return true;
-    },
-
-    construct: function (data) {
-      return process.env[data] || "{{" + data.toLowerCase() + "}}";
-    }
-  })
-]);
-
-// Parse a given YAML file.
-function parseYamlFile(file, fallback) {
-  // Return fallback if the file doesn't exist.
-  if (!fs.existsSync(file) && fallback) {
-    return fallback;
-  }
-
-  // Otherwise, read the file or fail.
-  var source = fs.readFileSync(file, "utf-8");
-  return yaml.load(source, {schema: YAML_SCHEMA});
-}
-
 // Add base information to the given task.
 function decorateTask(task) {
   // Assign random task id.
   task.taskId = slugid.v4();
 
   // TreeHerder routes.
   task.task.routes = [
     "tc-treeherder-stage.v2." + TC_PROJECT + "." + NSS_HEAD_REVISION + "." + NSS_PUSHLOG_ID,
@@ -73,20 +32,20 @@ function decorateTask(task) {
   ];
 }
 
 // Generate all tasks for a given build.
 function generateBuildTasks(platform, file) {
   var dir = path.join(__dirname, "./" + platform);
 
   // Parse base definitions.
-  var buildBase = parseYamlFile(path.join(dir, "_build_base.yml"), {});
-  var testBase = parseYamlFile(path.join(dir, "_test_base.yml"), {});
+  var buildBase = yaml.parse(path.join(dir, "_build_base.yml"), {});
+  var testBase = yaml.parse(path.join(dir, "_test_base.yml"), {});
 
-  return flatmap(parseYamlFile(path.join(dir, file)), function (task) {
+  return flatmap(yaml.parse(path.join(dir, file)), function (task) {
     // Merge base build task definition with the current one.
     var tasks = [task = merge.recursive(true, buildBase, task)];
 
     // Add base info.
     decorateTask(task);
 
     // Generate test tasks.
     if (task.tests) {
@@ -115,17 +74,17 @@ function generateBuildTasks(platform, fi
     return tasks;
   });
 }
 
 // Generate all tasks for a given test.
 function generateTestTasks(name, base, task) {
   // Load test definitions.
   var dir = path.join(__dirname, "./tests");
-  var tests = parseYamlFile(path.join(dir, name + ".yml"));
+  var tests = yaml.parse(path.join(dir, name + ".yml"));
 
   return tests.map(function (test) {
     // Merge test with base definition.
     test = merge.recursive(true, base, test);
 
     // Add base info.
     decorateTask(test);
 
@@ -141,18 +100,18 @@ function generateTestTasks(name, base, t
 
     return test;
   });
 }
 
 // Generate all tasks for a given platform.
 function generatePlatformTasks(platform) {
   var dir = path.join(__dirname, "./" + platform);
-  var buildBase = parseYamlFile(path.join(dir, "_build_base.yml"), {});
-  var testBase = parseYamlFile(path.join(dir, "_test_base.yml"), {});
+  var buildBase = yaml.parse(path.join(dir, "_build_base.yml"), {});
+  var testBase = yaml.parse(path.join(dir, "_test_base.yml"), {});
 
   // Parse all build tasks.
   return flatmap(fs.readdirSync(dir), function (file) {
     if (!file.startsWith("_") && file.endsWith(".yml")) {
       var tasks = generateBuildTasks(platform, file);
 
       // Convert env variables to strings.
       tasks.forEach(function (task) {
@@ -174,10 +133,15 @@ var graph = {
   tasks: flatmap(["linux", "windows", "arm", "tools"], generatePlatformTasks)
 };
 
 // Filter tasks when try syntax is given.
 if (TC_PROJECT == "nss-try") {
   graph.tasks = try_syntax.filterTasks(graph.tasks, TC_COMMENT);
 }
 
-// Output the final graph.
-process.stdout.write(JSON.stringify(graph, null, 2));
+// Inject the image builder tasks and dependencies.
+image_builder.asyncTweakTasks(graph.tasks).then(function (tasks) {
+  graph.tasks = tasks;
+
+  // Output the final graph.
+  process.stdout.write(JSON.stringify(graph, null, 2));
+});
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/taskcluster/graph/image_builder.js
@@ -0,0 +1,148 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+var fs = require("fs");
+var path = require("path");
+var crypto = require("crypto");
+var slugid = require("slugid");
+var flatmap = require("flatmap");
+var taskcluster = require("taskcluster-client");
+
+var yaml = require("./yaml");
+
+// Default values for debugging.
+var TC_PROJECT = process.env.TC_PROJECT || "{{tc_project}}";
+var NSS_PUSHLOG_ID = process.env.NSS_PUSHLOG_ID || "{{nss_pushlog_id}}";
+var NSS_HEAD_REVISION = process.env.NSS_HEAD_REVISION || "{{nss_head_rev}}";
+
+// Add base information to the given task.
+function decorateTask(task) {
+  // Assign random task id.
+  task.taskId = slugid.v4();
+
+  // TreeHerder routes.
+  task.task.routes = [
+    "tc-treeherder-stage.v2." + TC_PROJECT + "." + NSS_HEAD_REVISION + "." + NSS_PUSHLOG_ID,
+    "tc-treeherder.v2." + TC_PROJECT + "." + NSS_HEAD_REVISION + "." + NSS_PUSHLOG_ID
+  ];
+}
+
+// Compute the SHA-256 digest.
+function sha256(data) {
+  var hash = crypto.createHash("sha256");
+  hash.update(data);
+  return hash.digest("hex");
+}
+
+// Recursively collect a list of all files of a given directory.
+function collectFilesInDirectory(dir) {
+  return flatmap(fs.readdirSync(dir), function (entry) {
+    var entry_path = path.join(dir, entry);
+
+    if (fs.lstatSync(entry_path).isDirectory()) {
+      return collectFilesInDirectory(entry_path);
+    }
+
+    return [entry_path];
+  });
+}
+
+// Compute a context hash for the given context path.
+function computeContextHash(context_path) {
+  var root = path.join(__dirname, "../../..");
+  var dir = path.join(root, context_path);
+  var files = collectFilesInDirectory(dir).sort();
+  var hashes = files.map(function (file) {
+    return sha256(file + "|" + fs.readFileSync(file, "utf-8"));
+  });
+
+  return sha256(hashes.join(","));
+}
+
+// Generates the image-builder task description.
+function generateImageBuilderTask(context_path) {
+  var task = yaml.parse(path.join(__dirname, "image_builder.yml"), {});
+
+  // Add base info.
+  decorateTask(task);
+
+  // Add info for docker image building.
+  task.task.payload.env.CONTEXT_PATH = context_path;
+  task.task.payload.env.HASH = computeContextHash(context_path);
+
+  return task;
+}
+
+// Returns a Promise<bool> that tells whether the task with the given id
+// has a public/image.tar artifact with a ready-to-use docker image.
+function asyncTaskHasImageArtifact(taskId) {
+  var queue = new taskcluster.Queue();
+
+  return queue.listLatestArtifacts(taskId).then(function (result) {
+    return result.artifacts.some(function (artifact) {
+      return artifact.name == "public/image.tar";
+    });
+  }, function () {
+    return false;
+  });
+}
+
+// Returns a Promise<task-id|null> with either a task id or null, depending
+// on whether we could find a task in the given namespace with a docker image.
+function asyncFindTaskWithImageArtifact(ns) {
+  var index = new taskcluster.Index();
+
+  return index.findTask(ns).then(function (result) {
+    return asyncTaskHasImageArtifact(result.taskId).then(function (has_image) {
+      return has_image ? result.taskId : null;
+    });
+  }, function () {
+    return null;
+  });
+}
+
+// Tweak the given list of tasks by injecting the image-builder task
+// and setting the right dependencies where needed.
+function asyncTweakTasks(tasks) {
+  var id = "linux";
+  var cx_path = "automation/taskcluster/docker";
+  var hash = computeContextHash(cx_path);
+  var ns = "docker.images.v1." + TC_PROJECT + "." + id + ".hash." + hash;
+  var additional_tasks = [];
+
+  // Check whether the docker image was already built.
+  return asyncFindTaskWithImageArtifact(ns).then(function (taskId) {
+    var builder_task;
+
+    if (!taskId) {
+      // No docker image found, add a task to build one.
+      builder_task = generateImageBuilderTask(cx_path);
+      taskId = builder_task.taskId;
+
+      // Add a route so we can find the task later again.
+      builder_task.task.routes.push("index." + ns);
+      additional_tasks.push(builder_task);
+    }
+
+    tasks.forEach(function (task) {
+      if (task.task.payload.image == cx_path) {
+        task.task.payload.image = {
+          path: "public/image.tar",
+          type: "task-image",
+          taskId: taskId
+        };
+
+        // Add a dependency only for top-level tasks (builds & tools) and only
+        // if we added an image building task. Otherwise we don't need to wait.
+        if (builder_task && !task.requires) {
+          task.requires = [taskId];
+        }
+      }
+    });
+
+    return additional_tasks.concat(tasks);
+  });
+}
+
+module.exports.asyncTweakTasks = asyncTweakTasks;
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/taskcluster/graph/image_builder.yml
@@ -0,0 +1,49 @@
+---
+reruns: 2
+
+task:
+  created: !from_now 0
+  deadline: !from_now 24
+  provisionerId: aws-provisioner-v1
+  workerType: hg-worker
+  schedulerId: task-graph-scheduler
+
+  metadata:
+    name: Image Builder
+    description: Image Builder
+    owner: !env TC_OWNER
+    source: !env TC_SOURCE
+
+  payload:
+    maxRunTime: 3600
+    image: taskcluster/image_builder:0.1.5
+
+    artifacts:
+      public/image.tar:
+        type: file
+        path: /artifacts/image.tar
+        expires: !from_now 8760
+
+    command:
+      - "/bin/bash"
+      - "-c"
+      - "/home/worker/bin/build_image.sh"
+
+    env:
+      HEAD_REPOSITORY: !env NSS_HEAD_REPOSITORY
+      BASE_REPOSITORY: !env NSS_HEAD_REPOSITORY
+      HEAD_REV: !env NSS_HEAD_REVISION
+      HEAD_REF: !env NSS_HEAD_REVISION
+      PROJECT: !env TC_PROJECT
+
+    features:
+      dind: true
+
+  extra:
+    treeherder:
+      build:
+        platform: nss-decision
+      machine:
+        platform: nss-decision
+      jobKind: build
+      symbol: I
--- a/security/nss/automation/taskcluster/graph/linux/_build_base.yml
+++ b/security/nss/automation/taskcluster/graph/linux/_build_base.yml
@@ -9,17 +9,17 @@ task:
   schedulerId: task-graph-scheduler
 
   metadata:
     owner: !env TC_OWNER
     source: !env TC_SOURCE
 
   payload:
     maxRunTime: 3600
-    image: !env TC_IMAGE
+    image: automation/taskcluster/docker
 
     artifacts:
       public:
         type: directory
         path: /home/worker/artifacts
         expires: !from_now 24
 
     command:
--- a/security/nss/automation/taskcluster/graph/linux/_test_base.yml
+++ b/security/nss/automation/taskcluster/graph/linux/_test_base.yml
@@ -9,17 +9,17 @@ task:
   schedulerId: task-graph-scheduler
 
   metadata:
     owner: !env TC_OWNER
     source: !env TC_SOURCE
 
   payload:
     maxRunTime: 3600
-    image: !env TC_IMAGE
+    image: automation/taskcluster/docker
 
     command:
       - "/bin/bash"
       - "-c"
       - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
 
   extra:
     treeherder:
--- a/security/nss/automation/taskcluster/graph/package.json
+++ b/security/nss/automation/taskcluster/graph/package.json
@@ -5,11 +5,12 @@
   "author": "Tim Taubert <ttaubert@mozilla.com>",
   "description": "Decision Task for NSS",
   "dependencies": {
     "flatmap": "0.0.3",
     "intersect": "^1.0.1",
     "js-yaml": "^3.6.1",
     "merge": "^1.2.0",
     "minimist": "^1.2.0",
-    "slugid": "^1.1.0"
+    "slugid": "^1.1.0",
+    "taskcluster-client": "^1.2.1"
   }
 }
--- a/security/nss/automation/taskcluster/graph/tools/_build_base.yml
+++ b/security/nss/automation/taskcluster/graph/tools/_build_base.yml
@@ -9,17 +9,17 @@ task:
   schedulerId: task-graph-scheduler
 
   metadata:
     owner: !env TC_OWNER
     source: !env TC_SOURCE
 
   payload:
     maxRunTime: 3600
-    image: !env TC_IMAGE
+    image: automation/taskcluster/docker
 
     env:
       NSS_HEAD_REPOSITORY: !env NSS_HEAD_REPOSITORY
       NSS_HEAD_REVISION: !env NSS_HEAD_REVISION
 
   extra:
     treeherder:
       build:
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/taskcluster/graph/yaml.js
@@ -0,0 +1,51 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+var fs = require("fs");
+var yaml = require("js-yaml");
+
+// Register custom YAML types.
+var YAML_SCHEMA = yaml.Schema.create([
+  // Point in time at $now + x hours.
+  new yaml.Type('!from_now', {
+    kind: "scalar",
+
+    resolve: function (data) {
+      return true;
+    },
+
+    construct: function (data) {
+      var d = new Date();
+      d.setHours(d.getHours() + (data|0));
+      return d.toJSON();
+    }
+  }),
+
+  // Environment variables.
+  new yaml.Type('!env', {
+    kind: "scalar",
+
+    resolve: function (data) {
+      return true;
+    },
+
+    construct: function (data) {
+      return process.env[data] || "{{" + data.toLowerCase() + "}}";
+    }
+  })
+]);
+
+// Parse a given YAML file.
+function parse(file, fallback) {
+  // Return fallback if the file doesn't exist.
+  if (!fs.existsSync(file) && fallback) {
+    return fallback;
+  }
+
+  // Otherwise, read the file or fail.
+  var source = fs.readFileSync(file, "utf-8");
+  return yaml.load(source, {schema: YAML_SCHEMA});
+}
+
+module.exports.parse = parse;
--- a/security/nss/automation/taskcluster/scripts/run_clang_format.sh
+++ b/security/nss/automation/taskcluster/scripts/run_clang_format.sh
@@ -29,18 +29,21 @@ else
          "$top/lib/certdb" \
          "$top/lib/certhigh" \
          "$top/lib/ckfw" \
          "$top/lib/crmf" \
          "$top/lib/cryptohi" \
          "$top/lib/dbm" \
          "$top/lib/dev" \
          "$top/lib/freebl" \
+         "$top/lib/nss" \
          "$top/lib/softoken" \
          "$top/lib/ssl" \
+         "$top/lib/util" \
+         "$top/lib/sysinit" \
          "$top/external_tests/common" \
          "$top/external_tests/der_gtest" \
          "$top/external_tests/pk11_gtest" \
          "$top/external_tests/ssl_gtest" \
          "$top/external_tests/util_gtest" \
     )
 fi
 
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/doc/certutil.xml
+++ b/security/nss/doc/certutil.xml
@@ -368,22 +368,22 @@ of the attribute codes:
 	</listitem>
 	<listitem>
 	<para>
 		<command>c</command> - Valid CA
 	</para>
 	</listitem>
 	<listitem>
 	<para>
-		<command>T</command> - Trusted CA (implies c)
+		<command>C</command> - Trusted CA (implies c)
 	</para>
 	</listitem>
 	<listitem>
 	<para>
-		<command>C</command> - trusted CA for client authentication (ssl server only)
+		<command>T</command> - trusted CA for client authentication (ssl server only)
 	</para>
 	</listitem>
 	<listitem>
 	<para>
 		<command>u</command> - user
 	</para>
 	</listitem>
 	</itemizedlist>
--- a/security/nss/doc/html/certutil.html
+++ b/security/nss/doc/html/certutil.html
@@ -1,9 +1,9 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm139984205904704"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm139861295402064"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
     </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">--rename </span></dt><dd><p>Change the database nickname of a certificate.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the 
 <code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname. 
 </p><p>
 When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
 Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.</p></dd><dt><span class="term">-M </span></dt><dd><p>Modify a certificate's trust attributes using the values of the -t argument.</p></dd><dt><span class="term">-N</span></dt><dd><p>Create new certificate and key databases.</p></dd><dt><span class="term">-O </span></dt><dd><p>Print the certificate chain.</p></dd><dt><span class="term">-R</span></dt><dd><p>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
 
 Use the -a argument to specify ASCII output.</p></dd><dt><span class="term">-S </span></dt><dd><p>Create an individual certificate and add it to a certificate database.</p></dd><dt><span class="term">-T </span></dt><dd><p>Reset the key database or token.</p></dd><dt><span class="term">-U </span></dt><dd><p>List all available modules or print a single named module.</p></dd><dt><span class="term">-V </span></dt><dd><p>Check the validity of a certificate and its attributes.</p></dd><dt><span class="term">-W </span></dt><dd><p>Change the password to a key database.</p></dd><dt><span class="term">--merge</span></dt><dd><p>Merge two databases into one.</p></dd><dt><span class="term">--upgrade-merge</span></dt><dd><p>Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (<code class="filename">cert8.db</code> and <code class="filename">key3.db</code>) into the newer SQLite databases (<code class="filename">cert9.db</code> and <code class="filename">key4.db</code>).</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Arguments modify a command option and are usually lower case, numbers, or symbols.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-a</span></dt><dd><p>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. 
 For certificate requests, ASCII output defaults to standard output unless redirected.</p></dd><dt><span class="term">-b validity-time</span></dt><dd><p>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <code class="option">-V</code> option. The format of the <span class="emphasis"><em>validity-time</em></span> argument is <span class="emphasis"><em>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</em></span>, which allows offsets to be set relative to the validity end time. Specifying seconds (<span class="emphasis"><em>SS</em></span>) is optional. When specifying an explicit time, use a Z at the end of the term, <span class="emphasis"><em>YYMMDDHHMMSSZ</em></span>, to close it. When specifying an offset time, use <span class="emphasis"><em>YYMMDDHHMMSS+HHMM</em></span> or <span class="emphasis"><em>YYMMDDHHMMSS-HHMM</em></span> for adding or subtracting time, respectively.
@@ -43,19 +43,19 @@ Add one or multiple extensions that cert
 of the attribute codes: 
 	</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
 		<span class="command"><strong>p</strong></span> - Valid peer
 	</p></li><li class="listitem"><p>
 		<span class="command"><strong>P</strong></span> - Trusted peer (implies p)
 	</p></li><li class="listitem"><p>
 		<span class="command"><strong>c</strong></span> - Valid CA
 	</p></li><li class="listitem"><p>
-		<span class="command"><strong>T</strong></span> - Trusted CA (implies c)
+		<span class="command"><strong>C</strong></span> - Trusted CA (implies c)
 	</p></li><li class="listitem"><p>
-		<span class="command"><strong>C</strong></span> - trusted CA for client authentication (ssl server only)
+		<span class="command"><strong>T</strong></span> - trusted CA for client authentication (ssl server only)
 	</p></li><li class="listitem"><p>
 		<span class="command"><strong>u</strong></span> - user
 	</p></li></ul></div><p>
 		The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:
 	</p><p><span class="command"><strong>-t "TCu,Cu,Tu"</strong></span></p><p>
 	Use the -L option to see a list of the current certificates and trust attributes in a certificate database. </p></dd><dt><span class="term">-u certusage</span></dt><dd><p>Specify a usage context to apply when validating a certificate with the -V option.</p><p>The contexts are the following:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>C</strong></span> (as an SSL client)</p></li><li class="listitem"><p><span class="command"><strong>V</strong></span> (as an SSL server)</p></li><li class="listitem"><p><span class="command"><strong>L</strong></span> (as an SSL CA)</p></li><li class="listitem"><p><span class="command"><strong>A</strong></span> (as Any CA)</p></li><li class="listitem"><p><span class="command"><strong>Y</strong></span> (Verify CA)</p></li><li class="listitem"><p><span class="command"><strong>S</strong></span> (as an email signer)</p></li><li class="listitem"><p><span class="command"><strong>R</strong></span> (as an email recipient)</p></li><li class="listitem"><p><span class="command"><strong>O</strong></span> (as an OCSP status responder)</p></li><li class="listitem"><p><span class="command"><strong>J</strong></span> (as an object signer)</p></li></ul></div></dd><dt><span class="term">-v valid-months</span></dt><dd><p>Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the <code class="option">-w</code> option. If this argument is not used, the default validity period is three months. </p></dd><dt><span class="term">-w offset-months</span></dt><dd><p>Set an offset from the current system time, in months, 
  for the beginning of a certificate's validity period. Use when creating 
  the certificate or adding it to a database. Express the offset in integers, 
--- a/security/nss/doc/nroff/certutil.1
+++ b/security/nss/doc/nroff/certutil.1
@@ -1,18 +1,18 @@
 '\" t
 .\"     Title: CERTUTIL
 .\"    Author: [see the "Authors" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 13 August 2015
+.\"      Date:  7 September 2016
 .\"    Manual: NSS Security Tools
 .\"    Source: nss-tools
 .\"  Language: English
 .\"
-.TH "CERTUTIL" "1" "13 August 2015" "nss-tools" "NSS Security Tools"
+.TH "CERTUTIL" "1" "7 September 2016" "nss-tools" "NSS Security Tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .\" http://bugs.debian.org/507673
 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .ie \n(.g .ds Aq \(aq
@@ -431,29 +431,29 @@ for each trust setting\&. In each catego
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
-\fBT\fR
+\fBC\fR
 \- Trusted CA (implies c)
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
-\fBC\fR
+\fBT\fR
 \- trusted CA for client authentication (ssl server only)
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -7,110 +7,109 @@
 
 #ifndef __nss_h_
 #define __nss_h_
 
 /* The private macro _NSS_CUSTOMIZED is for NSS internal use only. */
 #if defined(NSS_ALLOW_UNSUPPORTED_CRITICAL)
 #define _NSS_CUSTOMIZED " (Customized build)"
 #else
-#define _NSS_CUSTOMIZED 
+#define _NSS_CUSTOMIZED
 #endif
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.27" _NSS_CUSTOMIZED " Beta"
-#define NSS_VMAJOR   3
-#define NSS_VMINOR   27
-#define NSS_VPATCH   0
-#define NSS_VBUILD   0
-#define NSS_BETA     PR_TRUE
+#define NSS_VERSION "3.27" _NSS_CUSTOMIZED " Beta"
+#define NSS_VMAJOR 3
+#define NSS_VMINOR 27
+#define NSS_VPATCH 0
+#define NSS_VBUILD 0
+#define NSS_BETA PR_TRUE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
 
 /*
- * parameters used to initialize softoken. Mostly strings used to 
+ * parameters used to initialize softoken. Mostly strings used to
  * internationalize softoken. Memory for the strings are owned by the caller,
- * who is free to free them once NSS_ContextInit returns. If the string 
+ * who is free to free them once NSS_ContextInit returns. If the string
  * parameter is NULL (as opposed to empty, zero length), then the softoken
- * default is used. These are equivalent to the parameters for 
+ * default is used. These are equivalent to the parameters for
  * PK11_ConfigurePKCS11().
  *
- * field names match their equivalent parameter names for softoken strings 
+ * field names match their equivalent parameter names for softoken strings
  * documented at https://developer.mozilla.org/en/PKCS11_Module_Specs.
- * 
- * minPWLen 
- *     Minimum password length in bytes. 
- * manufacturerID 
- *     Override the default manufactureID value for the module returned in 
- *     the CK_INFO, CK_SLOT_INFO, and CK_TOKEN_INFO structures with an 
- *     internationalize string (UTF8). This value will be truncated at 32 
+ *
+ * minPWLen
+ *     Minimum password length in bytes.
+ * manufacturerID
+ *     Override the default manufactureID value for the module returned in
+ *     the CK_INFO, CK_SLOT_INFO, and CK_TOKEN_INFO structures with an
+ *     internationalize string (UTF8). This value will be truncated at 32
  *     bytes (not including the trailing NULL, partial UTF8 characters will be
- *     dropped). 
- * libraryDescription 
+ *     dropped).
+ * libraryDescription
  *     Override the default libraryDescription value for the module returned in
  *     the CK_INFO structure with an internationalize string (UTF8). This value
- *     will be truncated at 32 bytes(not including the trailing NULL, partial 
- *     UTF8 characters will be dropped). 
- * cryptoTokenDescription 
+ *     will be truncated at 32 bytes(not including the trailing NULL, partial
+ *     UTF8 characters will be dropped).
+ * cryptoTokenDescription
  *     Override the default label value for the internal crypto token returned
  *     in the CK_TOKEN_INFO structure with an internationalize string (UTF8).
  *     This value will be truncated at 32 bytes (not including the trailing
- *     NULL, partial UTF8 characters will be dropped). 
- * dbTokenDescription 
- *     Override the default label value for the internal DB token returned in 
+ *     NULL, partial UTF8 characters will be dropped).
+ * dbTokenDescription
+ *     Override the default label value for the internal DB token returned in
  *     the CK_TOKEN_INFO structure with an internationalize string (UTF8). This
  *     value will be truncated at 32 bytes (not including the trailing NULL,
- *     partial UTF8 characters will be dropped). 
- * FIPSTokenDescription 
+ *     partial UTF8 characters will be dropped).
+ * FIPSTokenDescription
  *     Override the default label value for the internal FIPS token returned in
  *     the CK_TOKEN_INFO structure with an internationalize string (UTF8). This
  *     value will be truncated at 32 bytes (not including the trailing NULL,
- *     partial UTF8 characters will be dropped). 
- * cryptoSlotDescription 
+ *     partial UTF8 characters will be dropped).
+ * cryptoSlotDescription
  *     Override the default slotDescription value for the internal crypto token
  *     returned in the CK_SLOT_INFO structure with an internationalize string
  *     (UTF8). This value will be truncated at 64 bytes (not including the
- *     trailing NULL, partial UTF8 characters will be dropped). 
- * dbSlotDescription 
- *     Override the default slotDescription value for the internal DB token 
- *     returned in the CK_SLOT_INFO structure with an internationalize string 
+ *     trailing NULL, partial UTF8 characters will be dropped).
+ * dbSlotDescription
+ *     Override the default slotDescription value for the internal DB token
+ *     returned in the CK_SLOT_INFO structure with an internationalize string
  *     (UTF8). This value will be truncated at 64 bytes (not including the
- *     trailing NULL, partial UTF8 characters will be dropped). 
- * FIPSSlotDescription 
+ *     trailing NULL, partial UTF8 characters will be dropped).
+ * FIPSSlotDescription
  *     Override the default slotDecription value for the internal FIPS token
  *     returned in the CK_SLOT_INFO structure with an internationalize string
  *     (UTF8). This value will be truncated at 64 bytes (not including the
- *     trailing NULL, partial UTF8 characters will be dropped). 
+ *     trailing NULL, partial UTF8 characters will be dropped).
  *
  */
 struct NSSInitParametersStr {
-   unsigned int	  length;      /* allow this structure to grow in the future,
-				* must be set */
-   PRBool passwordRequired;
-   int    minPWLen;
-   char * manufactureID;           /* variable names for strings match the */
-   char * libraryDescription;      /*   parameter name in softoken */
-   char * cryptoTokenDescription;
-   char * dbTokenDescription;
-   char * FIPSTokenDescription;
-   char * cryptoSlotDescription;
-   char * dbSlotDescription;
-   char * FIPSSlotDescription;
+    unsigned int length; /* allow this structure to grow in the future,
+                                * must be set */
+    PRBool passwordRequired;
+    int minPWLen;
+    char *manufactureID;      /* variable names for strings match the */
+    char *libraryDescription; /*   parameter name in softoken */
+    char *cryptoTokenDescription;
+    char *dbTokenDescription;
+    char *FIPSTokenDescription;
+    char *cryptoSlotDescription;
+    char *dbSlotDescription;
+    char *FIPSSlotDescription;
 };
-   
 
 SEC_BEGIN_PROTOS
 
 /*
  * Return a boolean that indicates whether the underlying library
  * will perform as the caller expects.
  *
  * The only argument is a string, which should be the version
@@ -153,30 +152,30 @@ extern SECStatus NSS_InitReadWrite(const
  * Default policy settings disallow all ciphers.
  *
  * This allows using application defined prefixes for the cert and key db's
  * and an alternate name for the secmod database. NOTE: In future releases,
  * the database prefixes my not necessarily map to database names.
  *
  * configdir - base directory where all the cert, key, and module datbases live.
  * certPrefix - prefix added to the beginning of the cert database example: "
- * 			"https-server1-"
+ *                      "https-server1-"
  * keyPrefix - prefix added to the beginning of the key database example: "
- * 			"https-server1-"
+ *                      "https-server1-"
  * secmodName - name of the security module database (usually "secmod.db").
  * flags - change the open options of NSS_Initialize as follows:
- * 	NSS_INIT_READONLY - Open the databases read only.
- * 	NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just 
- * 			initialize the volatile certdb.
- * 	NSS_INIT_NOMODDB  - Don't open the security module DB, just 
- *			initialize the 	PKCS #11 module.
- *      NSS_INIT_FORCEOPEN - Continue to force initializations even if the 
- * 			databases cannot be opened.
+ *      NSS_INIT_READONLY - Open the databases read only.
+ *      NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just
+ *                      initialize the volatile certdb.
+ *      NSS_INIT_NOMODDB  - Don't open the security module DB, just
+ *                      initialize the  PKCS #11 module.
+ *      NSS_INIT_FORCEOPEN - Continue to force initializations even if the
+ *                      databases cannot be opened.
  *      NSS_INIT_NOROOTINIT - Don't try to look for the root certs module
- *			automatically.
+ *                      automatically.
  *      NSS_INIT_OPTIMIZESPACE - Use smaller tables and caches.
  *      NSS_INIT_PK11THREADSAFE - only load PKCS#11 modules that are
  *                      thread-safe, ie. that support locking - either OS
  *                      locking or NSS-provided locks . If a PKCS#11
  *                      module isn't thread-safe, don't serialize its
  *                      calls; just don't load it instead. This is necessary
  *                      if another piece of code is using the same PKCS#11
  *                      modules that NSS is accessing without going through
@@ -199,78 +198,77 @@ extern SECStatus NSS_InitReadWrite(const
  *      NSS_INIT_RESERVED - Currently has no effect, but may be used in the
  *                      future to trigger better cooperation between PKCS#11
  *                      modules used by both NSS and the Java SunPKCS11
  *                      provider. This should occur after a new flag is defined
  *                      for C_Initialize by the PKCS#11 working group.
  *      NSS_INIT_COOPERATE - Sets 4 recommended options for applications that
  *                      use both NSS and the Java SunPKCS11 provider.
  *
- * Also NOTE: This is not the recommended method for initializing NSS. 
+ * Also NOTE: This is not the recommended method for initializing NSS.
  * The preferred method is NSS_init().
  */
-#define NSS_INIT_READONLY	0x1
-#define NSS_INIT_NOCERTDB	0x2
-#define NSS_INIT_NOMODDB	0x4
-#define NSS_INIT_FORCEOPEN	0x8
-#define NSS_INIT_NOROOTINIT     0x10
-#define NSS_INIT_OPTIMIZESPACE  0x20
-#define NSS_INIT_PK11THREADSAFE   0x40
-#define NSS_INIT_PK11RELOAD       0x80
-#define NSS_INIT_NOPK11FINALIZE   0x100
-#define NSS_INIT_RESERVED         0x200
+#define NSS_INIT_READONLY 0x1
+#define NSS_INIT_NOCERTDB 0x2
+#define NSS_INIT_NOMODDB 0x4
+#define NSS_INIT_FORCEOPEN 0x8
+#define NSS_INIT_NOROOTINIT 0x10
+#define NSS_INIT_OPTIMIZESPACE 0x20
+#define NSS_INIT_PK11THREADSAFE 0x40
+#define NSS_INIT_PK11RELOAD 0x80
+#define NSS_INIT_NOPK11FINALIZE 0x100
+#define NSS_INIT_RESERVED 0x200
 
-#define NSS_INIT_COOPERATE NSS_INIT_PK11THREADSAFE | \
-        NSS_INIT_PK11RELOAD | \
-        NSS_INIT_NOPK11FINALIZE | \
-        NSS_INIT_RESERVED
+#define NSS_INIT_COOPERATE NSS_INIT_PK11THREADSAFE |     \
+                               NSS_INIT_PK11RELOAD |     \
+                               NSS_INIT_NOPK11FINALIZE | \
+                               NSS_INIT_RESERVED
 
 #define SECMOD_DB "secmod.db"
 
 typedef struct NSSInitContextStr NSSInitContext;
 
+extern SECStatus NSS_Initialize(const char *configdir,
+                                const char *certPrefix, const char *keyPrefix,
+                                const char *secmodName, PRUint32 flags);
 
-extern SECStatus NSS_Initialize(const char *configdir, 
-	const char *certPrefix, const char *keyPrefix, 
-	const char *secmodName, PRUint32 flags);
-
-extern NSSInitContext *NSS_InitContext(const char *configdir, 
-	const char *certPrefix, const char *keyPrefix, 
-	const char *secmodName, NSSInitParameters *initParams, PRUint32 flags);
+extern NSSInitContext *NSS_InitContext(const char *configdir,
+                                       const char *certPrefix, const char *keyPrefix,
+                                       const char *secmodName, NSSInitParameters *initParams, PRUint32 flags);
 
 extern SECStatus NSS_ShutdownContext(NSSInitContext *);
 
 /*
  * same as NSS_Init, but checks to see if we need to merge an
  * old database in.
  *   updatedir is the directory where the old database lives.
  *   updCertPrefix is the certPrefix for the old database.
  *   updKeyPrefix is the keyPrefix for the old database.
  *   updateID is a unique identifier chosen by the application for
  *      the specific database.
  *   updatName is the name the user will be prompted for when
  *      asking to authenticate to the old database  */
-extern SECStatus NSS_InitWithMerge(const char *configdir, 
-	const char *certPrefix, const char *keyPrefix, const char *secmodName,
-	const char *updatedir,  const char *updCertPrefix, 
-	const char *updKeyPrefix, const char *updateID, 
-	const char *updateName, PRUint32 flags);
+extern SECStatus NSS_InitWithMerge(const char *configdir,
+                                   const char *certPrefix, const char *keyPrefix, const char *secmodName,
+                                   const char *updatedir, const char *updCertPrefix,
+                                   const char *updKeyPrefix, const char *updateID,
+                                   const char *updateName, PRUint32 flags);
 /*
  * initialize NSS without a creating cert db's, key db's, or secmod db's.
  */
 SECStatus NSS_NoDB_Init(const char *configdir);
 
 /*
  * Allow applications and libraries to register with NSS so that they are called
  * when NSS shuts down.
  *
- * void *appData application specific data passed in by the application at 
+ * void *appData application specific data passed in by the application at
  * NSS_RegisterShutdown() time.
- * void *nssData is NULL in this release, but is reserved for future versions of 
- * NSS to pass some future status information * back to the shutdown function. 
+ * void *nssData is NULL in this release, but is reserved for future versions of
+ * NSS to pass some future status information * back to the shutdown function.
  *
  * If the shutdown function returns SECFailure,
  * Shutdown will still complete, but NSS_Shutdown() will return SECFailure.
  */
 typedef SECStatus (*NSS_ShutdownFunc)(void *appData, void *nssData);
 
 /*
  * Register a shutdown function.
@@ -280,43 +278,42 @@ SECStatus NSS_RegisterShutdown(NSS_Shutd
 /*
  * Remove an existing shutdown function (you may do this if your library is
  * complete and going away, but NSS is still running).
  */
 SECStatus NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData);
 
 /* Available options for NSS_OptionSet() and NSS_OptionGet().
  */
-#define NSS_RSA_MIN_KEY_SIZE        0x001
-#define NSS_DH_MIN_KEY_SIZE         0x002
-#define NSS_DSA_MIN_KEY_SIZE        0x004
-#define NSS_TLS_VERSION_MIN_POLICY  0x008
-#define NSS_TLS_VERSION_MAX_POLICY  0x009
+#define NSS_RSA_MIN_KEY_SIZE 0x001
+#define NSS_DH_MIN_KEY_SIZE 0x002
+#define NSS_DSA_MIN_KEY_SIZE 0x004
+#define NSS_TLS_VERSION_MIN_POLICY 0x008
+#define NSS_TLS_VERSION_MAX_POLICY 0x009
 #define NSS_DTLS_VERSION_MIN_POLICY 0x00a
 #define NSS_DTLS_VERSION_MAX_POLICY 0x00b
 
 /*
  * Set and get global options for the NSS library.
  */
 SECStatus NSS_OptionSet(PRInt32 which, PRInt32 value);
 SECStatus NSS_OptionGet(PRInt32 which, PRInt32 *value);
 
-
-/* 
+/*
  * Close the Cert, Key databases.
  */
 extern SECStatus NSS_Shutdown(void);
 
 /*
  * set the PKCS #11 strings for the internal token.
  */
-void PK11_ConfigurePKCS11(const char *man, const char *libdesc, 
-	const char *tokdesc, const char *ptokdesc, const char *slotdesc, 
-	const char *pslotdesc, const char *fslotdesc, const char *fpslotdesc,
-        int minPwd, int pwRequired);
+void PK11_ConfigurePKCS11(const char *man, const char *libdesc,
+                          const char *tokdesc, const char *ptokdesc, const char *slotdesc,
+                          const char *pslotdesc, const char *fslotdesc, const char *fpslotdesc,
+                          int minPwd, int pwRequired);
 
 /*
  * Dump the contents of the certificate cache and the temporary cert store.
  * Use to detect leaked references of certs at shutdown time.
  */
 void nss_DumpCertificateCacheInfo(void);
 
 SEC_END_PROTOS
--- a/security/nss/lib/nss/nssinit.c
+++ b/security/nss/lib/nss/nssinit.c
@@ -47,451 +47,478 @@
 /* exported as 'mktemp' */
 char *
 nss_mktemp(char *path)
 {
     return _mktemp(path);
 }
 #endif
 
-#define NSS_MAX_FLAG_SIZE  sizeof("readOnly")+sizeof("noCertDB")+ \
-	sizeof("noModDB")+sizeof("forceOpen")+sizeof("passwordRequired")+ \
-	sizeof ("optimizeSpace")
+#define NSS_MAX_FLAG_SIZE sizeof("readOnly") + sizeof("noCertDB") +                                  \
+                              sizeof("noModDB") + sizeof("forceOpen") + sizeof("passwordRequired") + \
+                              sizeof("optimizeSpace")
 #define NSS_DEFAULT_MOD_NAME "NSS Internal Module"
 
 static char *
-nss_makeFlags(PRBool readOnly, PRBool noCertDB, 
-				PRBool noModDB, PRBool forceOpen, 
-				PRBool passwordRequired, PRBool optimizeSpace) 
+nss_makeFlags(PRBool readOnly, PRBool noCertDB,
+              PRBool noModDB, PRBool forceOpen,
+              PRBool passwordRequired, PRBool optimizeSpace)
 {
     char *flags = (char *)PORT_Alloc(NSS_MAX_FLAG_SIZE);
     PRBool first = PR_TRUE;
 
-    PORT_Memset(flags,0,NSS_MAX_FLAG_SIZE);
+    PORT_Memset(flags, 0, NSS_MAX_FLAG_SIZE);
     if (readOnly) {
-        PORT_Strcat(flags,"readOnly");
+        PORT_Strcat(flags, "readOnly");
         first = PR_FALSE;
     }
     if (noCertDB) {
-        if (!first) PORT_Strcat(flags,",");
-        PORT_Strcat(flags,"noCertDB");
+        if (!first)
+            PORT_Strcat(flags, ",");
+        PORT_Strcat(flags, "noCertDB");
         first = PR_FALSE;
     }
     if (noModDB) {
-        if (!first) PORT_Strcat(flags,",");
-        PORT_Strcat(flags,"noModDB");
+        if (!first)
+            PORT_Strcat(flags, ",");
+        PORT_Strcat(flags, "noModDB");
         first = PR_FALSE;
     }
     if (forceOpen) {
-        if (!first) PORT_Strcat(flags,",");
-        PORT_Strcat(flags,"forceOpen");
+        if (!first)
+            PORT_Strcat(flags, ",");
+        PORT_Strcat(flags, "forceOpen");
         first = PR_FALSE;
     }
     if (passwordRequired) {
-        if (!first) PORT_Strcat(flags,",");
-        PORT_Strcat(flags,"passwordRequired");
+        if (!first)
+            PORT_Strcat(flags, ",");
+        PORT_Strcat(flags, "passwordRequired");
         first = PR_FALSE;
     }
     if (optimizeSpace) {
-        if (!first) PORT_Strcat(flags,",");
-        PORT_Strcat(flags,"optimizeSpace");
+        if (!first)
+            PORT_Strcat(flags, ",");
+        PORT_Strcat(flags, "optimizeSpace");
         first = PR_FALSE;
     }
     return flags;
 }
 
-
 /*
  * build config string from individual internationalized strings
  */
 char *
 nss_MkConfigString(const char *man, const char *libdesc, const char *tokdesc,
-	const char *ptokdesc, const char *slotdesc, const char *pslotdesc, 
-	const char *fslotdesc, const char *fpslotdesc, int minPwd)
+                   const char *ptokdesc, const char *slotdesc, const char *pslotdesc,
+                   const char *fslotdesc, const char *fpslotdesc, int minPwd)
 {
     char *strings = NULL;
     char *newStrings;
 
     /* make sure the internationalization was done correctly... */
     strings = PR_smprintf("");
-    if (strings == NULL) return NULL;
+    if (strings == NULL)
+        return NULL;
 
     if (man) {
-        newStrings = PR_smprintf("%s manufacturerID='%s'",strings,man);
-	PR_smprintf_free(strings);
-	strings = newStrings;
+        newStrings = PR_smprintf("%s manufacturerID='%s'", strings, man);
+        PR_smprintf_free(strings);
+        strings = newStrings;
     }
-    if (strings == NULL) return NULL;
+    if (strings == NULL)
+        return NULL;
 
     if (libdesc) {
-        newStrings = PR_smprintf("%s libraryDescription='%s'",strings,libdesc);
-	PR_smprintf_free(strings);
-	strings = newStrings;
+        newStrings = PR_smprintf("%s libraryDescription='%s'", strings, libdesc);
+        PR_smprintf_free(strings);
+        strings = newStrings;
     }
-    if (strings == NULL) return NULL;
+    if (strings == NULL)
+        return NULL;
 
     if (tokdesc) {
-        newStrings = PR_smprintf("%s cryptoTokenDescription='%s'",strings,
-								tokdesc);
-	PR_smprintf_free(strings);
-	strings = newStrings;
+        newStrings = PR_smprintf("%s cryptoTokenDescription='%s'", strings,
+                                 tokdesc);
+        PR_smprintf_free(strings);
+        strings = newStrings;
     }
-    if (strings == NULL) return NULL;
+    if (strings == NULL)
+        return NULL;
 
     if (ptokdesc) {
-        newStrings = PR_smprintf("%s dbTokenDescription='%s'",strings,ptokdesc);
-	PR_smprintf_free(strings);
-	strings = newStrings;
+        newStrings = PR_smprintf("%s dbTokenDescription='%s'", strings, ptokdesc);
+        PR_smprintf_free(strings);
+        strings = newStrings;
     }
-    if (strings == NULL) return NULL;
+    if (strings == NULL)
+        return NULL;
 
     if (slotdesc) {
-        newStrings = PR_smprintf("%s cryptoSlotDescription='%s'",strings,
-								slotdesc);
-	PR_smprintf_free(strings);
-	strings = newStrings;
+        newStrings = PR_smprintf("%s cryptoSlotDescription='%s'", strings,
+                                 slotdesc);
+        PR_smprintf_free(strings);
+        strings = newStrings;
     }
-    if (strings == NULL) return NULL;
+    if (strings == NULL)
+        return NULL;
 
     if (pslotdesc) {
-        newStrings = PR_smprintf("%s dbSlotDescription='%s'",strings,pslotdesc);
-	PR_smprintf_free(strings);
-	strings = newStrings;
+        newStrings = PR_smprintf("%s dbSlotDescription='%s'", strings, pslotdesc);
+        PR_smprintf_free(strings);
+        strings = newStrings;
     }
-    if (strings == NULL) return NULL;
+    if (strings == NULL)
+        return NULL;
 
     if (fslotdesc) {
         newStrings = PR_smprintf("%s FIPSSlotDescription='%s'",
-							strings,fslotdesc);
-	PR_smprintf_free(strings);
-	strings = newStrings;
+                                 strings, fslotdesc);
+        PR_smprintf_free(strings);
+        strings = newStrings;
     }
-    if (strings == NULL) return NULL;
+    if (strings == NULL)
+        return NULL;
 
     if (fpslotdesc) {
         newStrings = PR_smprintf("%s FIPSTokenDescription='%s'",
-							strings,fpslotdesc);
-	PR_smprintf_free(strings);
-	strings = newStrings;
+                                 strings, fpslotdesc);
+        PR_smprintf_free(strings);
+        strings = newStrings;
     }
-    if (strings == NULL) return NULL;
+    if (strings == NULL)
+        return NULL;
 
     newStrings = PR_smprintf("%s minPS=%d", strings, minPwd);
     PR_smprintf_free(strings);
     strings = newStrings;
 
-    return(strings);
+    return (strings);
 }
 
 /*
  * statics to remember the PK11_ConfigurePKCS11()
  * info.
  */
-static char * pk11_config_strings = NULL;
-static char * pk11_config_name = NULL;
+static char *pk11_config_strings = NULL;
+static char *pk11_config_name = NULL;
 static PRBool pk11_password_required = PR_FALSE;
 
 /*
  * this is a legacy configuration function which used to be part of
  * the PKCS #11 internal token.
  */
 void
 PK11_ConfigurePKCS11(const char *man, const char *libdesc, const char *tokdesc,
-	const char *ptokdesc, const char *slotdesc, const char *pslotdesc, 
-	const char *fslotdesc, const char *fpslotdesc, int minPwd, 
-	int pwRequired)
+                     const char *ptokdesc, const char *slotdesc, const char *pslotdesc,
+                     const char *fslotdesc, const char *fpslotdesc, int minPwd,
+                     int pwRequired)
 {
-    char * strings;
+    char *strings;
 
-    strings = nss_MkConfigString(man,libdesc,tokdesc,ptokdesc,slotdesc,
-	pslotdesc,fslotdesc,fpslotdesc,minPwd);
+    strings = nss_MkConfigString(man, libdesc, tokdesc, ptokdesc, slotdesc,
+                                 pslotdesc, fslotdesc, fpslotdesc, minPwd);
     if (strings == NULL) {
-	return;
+        return;
     }
 
     if (libdesc) {
-	if (pk11_config_name != NULL) {
-	    PORT_Free(pk11_config_name);
-	}
-	pk11_config_name = PORT_Strdup(libdesc);
+        if (pk11_config_name != NULL) {
+            PORT_Free(pk11_config_name);
+        }
+        pk11_config_name = PORT_Strdup(libdesc);
     }
 
     if (pk11_config_strings != NULL) {
-	PR_smprintf_free(pk11_config_strings);
+        PR_smprintf_free(pk11_config_strings);
     }
     pk11_config_strings = strings;
     pk11_password_required = pwRequired;
 
     return;
 }
 
-void PK11_UnconfigurePKCS11(void)
+void
+PK11_UnconfigurePKCS11(void)
 {
     if (pk11_config_strings != NULL) {
-	PR_smprintf_free(pk11_config_strings);
+        PR_smprintf_free(pk11_config_strings);
         pk11_config_strings = NULL;
     }
     if (pk11_config_name) {
         PORT_Free(pk11_config_name);
         pk11_config_name = NULL;
     }
 }
 
 /*
  * The following code is an attempt to automagically find the external root
  * module.
  * Note: Keep the #if-defined chunks in order. HPUX must select before UNIX.
  */
 
 static const char *dllname =
 #if defined(XP_WIN32) || defined(XP_OS2)
-	"nssckbi.dll";
-#elif defined(HPUX) && !defined(__ia64)  /* HP-UX PA-RISC */
-	"libnssckbi.sl";
+    "nssckbi.dll";
+#elif defined(HPUX) && !defined(__ia64) /* HP-UX PA-RISC */
+    "libnssckbi.sl";
 #elif defined(DARWIN)
-	"libnssckbi.dylib";
+    "libnssckbi.dylib";
 #elif defined(XP_UNIX) || defined(XP_BEOS)
-	"libnssckbi.so";
+    "libnssckbi.so";
 #else
-	#error "Uh! Oh! I don't know about this platform."
+#error "Uh! Oh! I don't know about this platform."
 #endif
 
 /* Should we have platform ifdefs here??? */
 #define FILE_SEP '/'
 
-static void nss_FindExternalRootPaths(const char *dbpath, 
-                                      const char* secmodprefix,
-                              char** retoldpath, char** retnewpath)
+static void
+nss_FindExternalRootPaths(const char *dbpath,
+                          const char *secmodprefix,
+                          char **retoldpath, char **retnewpath)
 {
     char *path, *oldpath = NULL, *lastsep;
     int len, path_len, secmod_len, dll_len;
 
     path_len = PORT_Strlen(dbpath);
     secmod_len = secmodprefix ? PORT_Strlen(secmodprefix) : 0;
     dll_len = PORT_Strlen(dllname);
     len = path_len + secmod_len + dll_len + 2; /* FILE_SEP + NULL */
 
     path = PORT_Alloc(len);
-    if (path == NULL) return;
+    if (path == NULL)
+        return;
 
     /* back up to the top of the directory */
-    PORT_Memcpy(path,dbpath,path_len);
-    if (path[path_len-1] != FILE_SEP) {
+    PORT_Memcpy(path, dbpath, path_len);
+    if (path[path_len - 1] != FILE_SEP) {
         path[path_len++] = FILE_SEP;
     }
-    PORT_Strcpy(&path[path_len],dllname);
+    PORT_Strcpy(&path[path_len], dllname);
     if (secmod_len > 0) {
         lastsep = PORT_Strrchr(secmodprefix, FILE_SEP);
         if (lastsep) {
-            int secmoddir_len = lastsep-secmodprefix+1; /* FILE_SEP */
+            int secmoddir_len = lastsep - secmodprefix + 1; /* FILE_SEP */
             oldpath = PORT_Alloc(len);
             if (oldpath == NULL) {
                 PORT_Free(path);
                 return;
             }
-            PORT_Memcpy(oldpath,path,path_len);
-            PORT_Memcpy(&oldpath[path_len],secmodprefix,secmoddir_len);
-            PORT_Strcpy(&oldpath[path_len+secmoddir_len],dllname);
+            PORT_Memcpy(oldpath, path, path_len);
+            PORT_Memcpy(&oldpath[path_len], secmodprefix, secmoddir_len);
+            PORT_Strcpy(&oldpath[path_len + secmoddir_len], dllname);
         }
     }
     *retoldpath = oldpath;
     *retnewpath = path;
     return;
 }
 
-static void nss_FreeExternalRootPaths(char* oldpath, char* path)
+static void
+nss_FreeExternalRootPaths(char *oldpath, char *path)
 {
     if (path) {
         PORT_Free(path);
     }
     if (oldpath) {
         PORT_Free(oldpath);
     }
 }
 
 static void
-nss_FindExternalRoot(const char *dbpath, const char* secmodprefix)
+nss_FindExternalRoot(const char *dbpath, const char *secmodprefix)
 {
-	char *path = NULL;
-        char *oldpath = NULL;
-        PRBool hasrootcerts = PR_FALSE;
+    char *path = NULL;
+    char *oldpath = NULL;
+    PRBool hasrootcerts = PR_FALSE;
 
-        /*
-         * 'oldpath' is the external root path in NSS 3.3.x or older.
-         * For backward compatibility we try to load the root certs
-         * module with the old path first.
-         */
-        nss_FindExternalRootPaths(dbpath, secmodprefix, &oldpath, &path);
-        if (oldpath) {
-            (void) SECMOD_AddNewModule("Root Certs",oldpath, 0, 0);
-            hasrootcerts = SECMOD_HasRootCerts();
-        }
-        if (path && !hasrootcerts) {
-	    (void) SECMOD_AddNewModule("Root Certs",path, 0, 0);
-        }
-        nss_FreeExternalRootPaths(oldpath, path);
-	return;
+    /*
+     * 'oldpath' is the external root path in NSS 3.3.x or older.
+     * For backward compatibility we try to load the root certs
+     * module with the old path first.
+     */
+    nss_FindExternalRootPaths(dbpath, secmodprefix, &oldpath, &path);
+    if (oldpath) {
+        (void)SECMOD_AddNewModule("Root Certs", oldpath, 0, 0);
+        hasrootcerts = SECMOD_HasRootCerts();
+    }
+    if (path && !hasrootcerts) {
+        (void)SECMOD_AddNewModule("Root Certs", path, 0, 0);
+    }
+    nss_FreeExternalRootPaths(oldpath, path);
+    return;
 }
 
 /*
  * see nss_Init for definitions of the various options.
  *
  * this function builds a moduleSpec string from the options and previously
  * set statics (from PKCS11_Configure, for instance), and uses it to kick off
  * the loading of the various PKCS #11 modules.
  */
 static SECMODModule *
-nss_InitModules(const char *configdir, const char *certPrefix, 
-		const char *keyPrefix, const char *secmodName, 
-		const char *updateDir, const char *updCertPrefix, 
-		const char *updKeyPrefix, const char *updateID, 
-		const char *updateName, char *configName, char *configStrings,
-		PRBool pwRequired, PRBool readOnly, PRBool noCertDB,
-		PRBool noModDB, PRBool forceOpen, PRBool optimizeSpace,
-		PRBool isContextInit)
+nss_InitModules(const char *configdir, const char *certPrefix,
+                const char *keyPrefix, const char *secmodName,
+                const char *updateDir, const char *updCertPrefix,
+                const char *updKeyPrefix, const char *updateID,
+                const char *updateName, char *configName, char *configStrings,
+                PRBool pwRequired, PRBool readOnly, PRBool noCertDB,
+                PRBool noModDB, PRBool forceOpen, PRBool optimizeSpace,
+                PRBool isContextInit)
 {
     SECMODModule *module = NULL;
     char *moduleSpec = NULL;
     char *flags = NULL;
     char *lconfigdir = NULL;
     char *lcertPrefix = NULL;
     char *lkeyPrefix = NULL;
     char *lsecmodName = NULL;
     char *lupdateDir = NULL;
     char *lupdCertPrefix = NULL;
     char *lupdKeyPrefix = NULL;
     char *lupdateID = NULL;
     char *lupdateName = NULL;
 
     if (NSS_InitializePRErrorTable() != SECSuccess) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return NULL;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return NULL;
     }
 
-    flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen,
-					pwRequired, optimizeSpace);
-    if (flags == NULL) return NULL;
+    flags = nss_makeFlags(readOnly, noCertDB, noModDB, forceOpen,
+                          pwRequired, optimizeSpace);
+    if (flags == NULL)
+        return NULL;
 
     /*
      * configdir is double nested, and Windows uses the same character
      * for file seps as we use for escapes! (sigh).
      */
     lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
     if (lconfigdir == NULL) {
-	goto loser;
+        goto loser;
     }
     lcertPrefix = NSSUTIL_DoubleEscape(certPrefix, '\'', '\"');
     if (lcertPrefix == NULL) {
-	goto loser;
+        goto loser;
     }
     lkeyPrefix = NSSUTIL_DoubleEscape(keyPrefix, '\'', '\"');
     if (lkeyPrefix == NULL) {
-	goto loser;
+        goto loser;
     }
     lsecmodName = NSSUTIL_DoubleEscape(secmodName, '\'', '\"');
     if (lsecmodName == NULL) {
-	goto loser;
+        goto loser;
     }
     lupdateDir = NSSUTIL_DoubleEscape(updateDir, '\'', '\"');
     if (lupdateDir == NULL) {
-	goto loser;
+        goto loser;
     }
     lupdCertPrefix = NSSUTIL_DoubleEscape(updCertPrefix, '\'', '\"');
     if (lupdCertPrefix == NULL) {
-	goto loser;
+        goto loser;
     }
     lupdKeyPrefix = NSSUTIL_DoubleEscape(updKeyPrefix, '\'', '\"');
     if (lupdKeyPrefix == NULL) {
-	goto loser;
+        goto loser;
     }
     lupdateID = NSSUTIL_DoubleEscape(updateID, '\'', '\"');
     if (lupdateID == NULL) {
-	goto loser;
+        goto loser;
     }
     lupdateName = NSSUTIL_DoubleEscape(updateName, '\'', '\"');
     if (lupdateName == NULL) {
-	goto loser;
+        goto loser;
     }
 
     moduleSpec = PR_smprintf(
-     "name=\"%s\" parameters=\"configdir='%s' certPrefix='%s' keyPrefix='%s' "
-     "secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' "
-     "updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s\" "
-     "NSS=\"flags=internal,moduleDB,moduleDBOnly,critical%s\"",
-		configName ? configName : NSS_DEFAULT_MOD_NAME,
-		lconfigdir,lcertPrefix,lkeyPrefix,lsecmodName,flags,
-		lupdateDir, lupdCertPrefix, lupdKeyPrefix, lupdateID, 
-		lupdateName, configStrings ? configStrings : "",
-		isContextInit ? "" : ",defaultModDB,internalKeySlot");
+        "name=\"%s\" parameters=\"configdir='%s' certPrefix='%s' keyPrefix='%s' "
+        "secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' "
+        "updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s\" "
+        "NSS=\"flags=internal,moduleDB,moduleDBOnly,critical%s\"",
+        configName ? configName : NSS_DEFAULT_MOD_NAME,
+        lconfigdir, lcertPrefix, lkeyPrefix, lsecmodName, flags,
+        lupdateDir, lupdCertPrefix, lupdKeyPrefix, lupdateID,
+        lupdateName, configStrings ? configStrings : "",
+        isContextInit ? "" : ",defaultModDB,internalKeySlot");
 
 loser:
     PORT_Free(flags);
-    if (lconfigdir) PORT_Free(lconfigdir);
-    if (lcertPrefix) PORT_Free(lcertPrefix);
-    if (lkeyPrefix) PORT_Free(lkeyPrefix);
-    if (lsecmodName) PORT_Free(lsecmodName);
-    if (lupdateDir) PORT_Free(lupdateDir);
-    if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
-    if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix);
-    if (lupdateID) PORT_Free(lupdateID);
-    if (lupdateName) PORT_Free(lupdateName);
+    if (lconfigdir)
+        PORT_Free(lconfigdir);
+    if (lcertPrefix)
+        PORT_Free(lcertPrefix);
+    if (lkeyPrefix)
+        PORT_Free(lkeyPrefix);
+    if (lsecmodName)
+        PORT_Free(lsecmodName);
+    if (lupdateDir)
+        PORT_Free(lupdateDir);
+    if (lupdCertPrefix)
+        PORT_Free(lupdCertPrefix);
+    if (lupdKeyPrefix)
+        PORT_Free(lupdKeyPrefix);
+    if (lupdateID)
+        PORT_Free(lupdateID);
+    if (lupdateName)
+        PORT_Free(lupdateName);
 
     if (moduleSpec) {
-	module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
-	PR_smprintf_free(moduleSpec);
-	if (module && !module->loaded) {
-	    SECMOD_DestroyModule(module);
-	    return NULL;
-	}
+        module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
+        PR_smprintf_free(moduleSpec);
+        if (module && !module->loaded) {
+            SECMOD_DestroyModule(module);
+            return NULL;
+        }
     }
     return module;
 }
 
 /*
  * OK there are now lots of options here, lets go through them all:
  *
  * configdir - base directory where all the cert, key, and module datbases live.
  * certPrefix - prefix added to the beginning of the cert database example: "
- * 			"https-server1-"
+ *             "https-server1-"
  * keyPrefix - prefix added to the beginning of the key database example: "
- * 			"https-server1-"
+ *             "https-server1-"
  * secmodName - name of the security module database (usually "secmod.db").
  * updateDir - used in initMerge, old directory to update from.
  * updateID - used in initMerge, unique ID to represent the updated directory.
  * updateName - used in initMerge, token name when updating.
  * initContextPtr -  used in initContext, pointer to return a unique context
  *            value.
  * readOnly - Boolean: true if the databases are to be opened read only.
- * nocertdb - Don't open the cert DB and key DB's, just initialize the 
- *			Volatile certdb.
- * nomoddb - Don't open the security module DB, just initialize the 
- *			PKCS #11 module.
+ * nocertdb - Don't open the cert DB and key DB's, just initialize the
+ *             Volatile certdb.
+ * nomoddb - Don't open the security module DB, just initialize the
+ *             PKCS #11 module.
  * forceOpen - Continue to force initializations even if the databases cannot
- * 			be opened.
+ *             be opened.
  * noRootInit - don't try to automatically load the root cert store if one is
  *           not found.
  * optimizeSpace - tell NSS to use fewer hash table buckets.
  *
  * The next three options are used in an attempt to share PKCS #11 modules
  * with other loaded, running libraries. PKCS #11 was not designed with this
  * sort of sharing in mind, so use of these options may lead to questionable
  * results. These options are may be incompatible with NSS_LoadContext() calls.
  *
  * noSingleThreadedModules - don't load modules that are not thread safe (many
  *           smart card tokens will not work).
  * allowAlreadyInitializedModules - if a module has already been loaded and
  *           initialize try to use it.
  * don'tFinalizeModules -  dont shutdown modules we may have loaded.
  */
 
-static PRBool          nssIsInitted = PR_FALSE;
+static PRBool nssIsInitted = PR_FALSE;
 static NSSInitContext *nssInitContextList = NULL;
 
 #ifndef NSS_DISABLE_LIBPKIX
-static void*           plContext = NULL;
+static void *plContext = NULL;
 #endif /* NSS_DISABLE_LIBPKIX */
 
 struct NSSInitContextStr {
     NSSInitContext *next;
     PRUint32 magic;
 };
 
 #define NSS_INIT_MAGIC 0x1413A91C
@@ -503,38 +530,37 @@ static PZLock *nssInitLock;
 static PZCondVar *nssInitCondition;
 static int nssIsInInit;
 
 static PRStatus
 nss_doLockInit(void)
 {
     nssInitLock = PZ_NewLock(nssILockOther);
     if (nssInitLock == NULL) {
-	return PR_FAILURE;
+        return PR_FAILURE;
     }
     nssInitCondition = PZ_NewCondVar(nssInitLock);
     if (nssInitCondition == NULL) {
-	return PR_FAILURE;
+        return PR_FAILURE;
     }
     return PR_SUCCESS;
 }
 
-
 static SECStatus
 nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
-		 const char *secmodName, const char *updateDir,
-		 const char *updCertPrefix, const char *updKeyPrefix,
-		 const char *updateID, const char *updateName,
-		 NSSInitContext ** initContextPtr,
-		 NSSInitParameters *initParams,
-		 PRBool readOnly, PRBool noCertDB,
-		 PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
-		 PRBool optimizeSpace, PRBool noSingleThreadedModules,
-		 PRBool allowAlreadyInitializedModules,
-		 PRBool dontFinalizeModules)
+         const char *secmodName, const char *updateDir,
+         const char *updCertPrefix, const char *updKeyPrefix,
+         const char *updateID, const char *updateName,
+         NSSInitContext **initContextPtr,
+         NSSInitParameters *initParams,
+         PRBool readOnly, PRBool noCertDB,
+         PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
+         PRBool optimizeSpace, PRBool noSingleThreadedModules,
+         PRBool allowAlreadyInitializedModules,
+         PRBool dontFinalizeModules)
 {
     SECMODModule *parent = NULL;
 #ifndef NSS_DISABLE_LIBPKIX
     PKIX_UInt32 actualMinorVersion = 0;
     PKIX_Error *pkixError = NULL;
 #endif /* NSS_DISABLE_LIBPKIX */
     PRBool isReallyInitted;
     char *configStrings = NULL;
@@ -542,283 +568,280 @@ nss_Init(const char *configdir, const ch
     PRBool passwordRequired = PR_FALSE;
 #ifdef POLICY_FILE
     char *ignoreVar;
 #endif
 
     /* if we are trying to init with a traditional NSS_Init call, maintain
      * the traditional idempotent behavior. */
     if (!initContextPtr && nssIsInitted) {
-	return SECSuccess;
+        return SECSuccess;
     }
 
     /* make sure our lock and condition variable are initialized one and only
-     * one time */ 
+     * one time */
     if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
-	return SECFailure;
+        return SECFailure;
     }
 
     /*
-     * if we haven't done basic initialization, single thread the 
+     * if we haven't done basic initialization, single thread the
      * initializations.
      */
     PZ_Lock(nssInitLock);
     isReallyInitted = NSS_IsInitialized();
     if (!isReallyInitted) {
-	while (!isReallyInitted && nssIsInInit) {
-	    PZ_WaitCondVar(nssInitCondition,PR_INTERVAL_NO_TIMEOUT);
-	    isReallyInitted = NSS_IsInitialized();
- 	}
-	/* once we've completed basic initialization, we can allow more than 
-	 * one process initialize NSS at a time. */
+        while (!isReallyInitted && nssIsInInit) {
+            PZ_WaitCondVar(nssInitCondition, PR_INTERVAL_NO_TIMEOUT);
+            isReallyInitted = NSS_IsInitialized();
+        }
+        /* once we've completed basic initialization, we can allow more than
+         * one process initialize NSS at a time. */
     }
     nssIsInInit++;
     PZ_Unlock(nssInitLock);
 
     /* this tells us whether or not some library has already initialized us.
      * if so, we don't want to double call some of the basic initialization
      * functions */
 
     if (!isReallyInitted) {
 #ifdef DEBUG
         CERTCertificate dummyCert;
-	/* New option bits must not change the size of CERTCertificate. */
-	PORT_Assert(sizeof(dummyCert.options) == sizeof(void *));
+        /* New option bits must not change the size of CERTCertificate. */
+        PORT_Assert(sizeof(dummyCert.options) == sizeof(void *));
 #endif
 
-	if (SECSuccess != cert_InitLocks()) {
-	    goto loser;
-	}
+        if (SECSuccess != cert_InitLocks()) {
+            goto loser;
+        }
 
-	if (SECSuccess != InitCRLCache()) {
-	    goto loser;
-	}
-    
-	if (SECSuccess != OCSP_InitGlobal()) {
-	    goto loser;
-	}
+        if (SECSuccess != InitCRLCache()) {
+            goto loser;
+        }
+
+        if (SECSuccess != OCSP_InitGlobal()) {
+            goto loser;
+        }
     }
 
     if (noSingleThreadedModules || allowAlreadyInitializedModules ||
         dontFinalizeModules) {
         pk11_setGlobalOptions(noSingleThreadedModules,
                               allowAlreadyInitializedModules,
                               dontFinalizeModules);
     }
 
     if (initContextPtr) {
-	*initContextPtr = PORT_ZNew(NSSInitContext);
-	if (*initContextPtr == NULL) {
-	    goto loser;
-	}
-	/*
-	 * For traditional NSS_Init, we used the PK11_Configure() call to set
-	 * globals. with InitContext, we pass those strings in as parameters.
-	 *
-	 * This allows old NSS_Init calls to work as before, while at the same
-	 * time new calls and old calls will not interfere with each other.
-	 */
+        *initContextPtr = PORT_ZNew(NSSInitContext);
+        if (*initContextPtr == NULL) {
+            goto loser;
+        }
+        /*
+         * For traditional NSS_Init, we used the PK11_Configure() call to set
+         * globals. with InitContext, we pass those strings in as parameters.
+         *
+         * This allows old NSS_Init calls to work as before, while at the same
+         * time new calls and old calls will not interfere with each other.
+         */
         if (initParams) {
-	    if (initParams->length < sizeof(NSSInitParameters)) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		goto loser;
-	    }
-	    configStrings = nss_MkConfigString(initParams->manufactureID,
-		initParams->libraryDescription,
-		initParams->cryptoTokenDescription,
-		initParams->dbTokenDescription,
-		initParams->cryptoSlotDescription,
-		initParams->dbSlotDescription,
-		initParams->FIPSSlotDescription,
-		initParams->FIPSTokenDescription,
-		initParams->minPWLen);
-	    if (configStrings == NULL) {
-		PORT_SetError(SEC_ERROR_NO_MEMORY);
-		goto loser;
-	    }
-	    configName = initParams->libraryDescription;
-	    passwordRequired = initParams->passwordRequired;
-	}
+            if (initParams->length < sizeof(NSSInitParameters)) {
+                PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                goto loser;
+            }
+            configStrings = nss_MkConfigString(initParams->manufactureID,
+                                               initParams->libraryDescription,
+                                               initParams->cryptoTokenDescription,
+                                               initParams->dbTokenDescription,
+                                               initParams->cryptoSlotDescription,
+                                               initParams->dbSlotDescription,
+                                               initParams->FIPSSlotDescription,
+                                               initParams->FIPSTokenDescription,
+                                               initParams->minPWLen);
+            if (configStrings == NULL) {
+                PORT_SetError(SEC_ERROR_NO_MEMORY);
+                goto loser;
+            }
+            configName = initParams->libraryDescription;
+            passwordRequired = initParams->passwordRequired;
+        }
     } else {
-	configStrings = pk11_config_strings;
-	configName = pk11_config_name;
-	passwordRequired = pk11_password_required;
+        configStrings = pk11_config_strings;
+        configName = pk11_config_name;
+        passwordRequired = pk11_password_required;
     }
 
     /* Skip the module init if we are already initted and we are trying
      * to init with noCertDB and noModDB */
     if (!(isReallyInitted && noCertDB && noModDB)) {
-	parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
-		updateDir, updCertPrefix, updKeyPrefix, updateID,
-		updateName, configName, configStrings, passwordRequired,
-		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
-		(initContextPtr != NULL));
+        parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
+                                 updateDir, updCertPrefix, updKeyPrefix, updateID,
+                                 updateName, configName, configStrings, passwordRequired,
+                                 readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
+                                 (initContextPtr != NULL));
 
-	if (parent == NULL) {
-	    goto loser;
-	}
+        if (parent == NULL) {
+            goto loser;
+        }
     }
 
-
     /* finish up initialization */
     if (!isReallyInitted) {
-	if (SECOID_Init() != SECSuccess) {
-	    goto loser;
-	}
-	if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) {
-	    goto loser;
-	}
-	if (nss_InitShutdownList() != SECSuccess) {
-	    goto loser;
-	}
-	CERT_SetDefaultCertDB((CERTCertDBHandle *)
-				STAN_GetDefaultTrustDomain());
-	if ((!noModDB) && (!noCertDB) && (!noRootInit)) {
-	    if (!SECMOD_HasRootCerts()) {
-		const char *dbpath = configdir;
-		/* handle supported database modifiers */
-		if (strncmp(dbpath, "sql:", 4) == 0) {
-		    dbpath += 4;
-		} else if(strncmp(dbpath, "dbm:", 4) == 0) {
-		    dbpath += 4;
-		} else if(strncmp(dbpath, "extern:", 7) == 0) {
-		    dbpath += 7;
-		} else if(strncmp(dbpath, "rdb:", 4) == 0) {
-		    /* if rdb: is specified, the configdir isn't really a 
-		     * path. Skip it */
-		    dbpath = NULL;
-		}
-		if (dbpath) {
-		    nss_FindExternalRoot(dbpath, secmodName);
-		}
-	    }
-	}
+        if (SECOID_Init() != SECSuccess) {
+            goto loser;
+        }
+        if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) {
+            goto loser;
+        }
+        if (nss_InitShutdownList() != SECSuccess) {
+            goto loser;
+        }
+        CERT_SetDefaultCertDB((CERTCertDBHandle *)
+                                  STAN_GetDefaultTrustDomain());
+        if ((!noModDB) && (!noCertDB) && (!noRootInit)) {
+            if (!SECMOD_HasRootCerts()) {
+                const char *dbpath = configdir;
+                /* handle supported database modifiers */
+                if (strncmp(dbpath, "sql:", 4) == 0) {
+                    dbpath += 4;
+                } else if (strncmp(dbpath, "dbm:", 4) == 0) {
+                    dbpath += 4;
+                } else if (strncmp(dbpath, "extern:", 7) == 0) {
+                    dbpath += 7;
+                } else if (strncmp(dbpath, "rdb:", 4) == 0) {
+                    /* if rdb: is specified, the configdir isn't really a
+               * path. Skip it */
+                    dbpath = NULL;
+                }
+                if (dbpath) {
+                    nss_FindExternalRoot(dbpath, secmodName);
+                }
+            }
+        }
 #ifdef POLICY_FILE
-	/* Load the system crypto policy file if it exists,
-	 * unless the NSS_IGNORE_SYSTEM_POLICY environment
-	 * variable has been set to 1. */
-	ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
-	if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
-	    if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
-	    SECMODModule *module = SECMOD_LoadModule(
-		"name=\"Policy File\" "
-		"parameters=\"configdir='sql:" POLICY_PATH "' "
-		"secmod='" POLICY_FILE "' "
-		"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
-		"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
-		parent, PR_TRUE);
-	    if (module) {
-		PRBool isLoaded = module->loaded;
-		SECMOD_DestroyModule(module);
-		if (!isLoaded) {
-		    goto loser;
-		}
-	    }
-	}
-    }
+        /* Load the system crypto policy file if it exists,
+         * unless the NSS_IGNORE_SYSTEM_POLICY environment
+         * variable has been set to 1. */
+        ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+        if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
+            if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
+                SECMODModule *module = SECMOD_LoadModule(
+                    "name=\"Policy File\" "
+                    "parameters=\"configdir='sql:" POLICY_PATH "' "
+                    "secmod='" POLICY_FILE "' "
+                    "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
+                    "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
+                    parent, PR_TRUE);
+                if (module) {
+                    PRBool isLoaded = module->loaded;
+                    SECMOD_DestroyModule(module);
+                    if (!isLoaded) {
+                        goto loser;
+                    }
+                }
+            }
+        }
 #endif
-	pk11sdr_Init();
-	cert_CreateSubjectKeyIDHashTable();
+        pk11sdr_Init();
+        cert_CreateSubjectKeyIDHashTable();
 
 #ifndef NSS_DISABLE_LIBPKIX
-	pkixError = PKIX_Initialize
-	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
-	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
+        pkixError = PKIX_Initialize(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
+                                    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
 
-	if (pkixError != NULL) {
-	    goto loser;
-	} else {
+        if (pkixError != NULL) {
+            goto loser;
+        } else {
             char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
             if (ev && ev[0]) {
                 CERT_SetUsePKIXForValidation(PR_TRUE);
             }
         }
 #endif /* NSS_DISABLE_LIBPKIX */
     }
 
     /*
      * Now mark the appropriate init state. If initContextPtr was passed
      * in, then return the new context pointer and add it to the
      * nssInitContextList. Otherwise set the global nss_isInitted flag
      */
     PZ_Lock(nssInitLock);
     if (!initContextPtr) {
-	nssIsInitted = PR_TRUE;
+        nssIsInitted = PR_TRUE;
     } else {
-	(*initContextPtr)->magic = NSS_INIT_MAGIC;
-	(*initContextPtr)->next = nssInitContextList;
-	nssInitContextList = (*initContextPtr);
+        (*initContextPtr)->magic = NSS_INIT_MAGIC;
+        (*initContextPtr)->next = nssInitContextList;
+        nssInitContextList = (*initContextPtr);
     }
     nssIsInInit--;
     /* now that we are inited, all waiters can move forward */
     PZ_NotifyAllCondVar(nssInitCondition);
     PZ_Unlock(nssInitLock);
 
     if (initContextPtr && configStrings) {
-	PR_smprintf_free(configStrings);
+        PR_smprintf_free(configStrings);
     }
     if (parent) {
-	SECMOD_DestroyModule(parent);
+        SECMOD_DestroyModule(parent);
     }
 
     return SECSuccess;
 
 loser:
     if (initContextPtr && *initContextPtr) {
-	PORT_Free(*initContextPtr);
-	*initContextPtr = NULL;
-	if (configStrings) {
-	   PR_smprintf_free(configStrings);
-	}
+        PORT_Free(*initContextPtr);
+        *initContextPtr = NULL;
+        if (configStrings) {
+            PR_smprintf_free(configStrings);
+        }
     }
     PZ_Lock(nssInitLock);
     nssIsInInit--;
     /* We failed to init, allow one to move forward */
     PZ_NotifyCondVar(nssInitCondition);
     PZ_Unlock(nssInitLock);
     if (parent) {
-	SECMOD_DestroyModule(parent);
+        SECMOD_DestroyModule(parent);
     }
     return SECFailure;
 }
 
-
 SECStatus
 NSS_Init(const char *configdir)
 {
     return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "", NULL,
-		NULL, PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, 
-		PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE);
+                    NULL, PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE,
+                    PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE);
 }
 
 SECStatus
 NSS_InitReadWrite(const char *configdir)
 {
     return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "", NULL,
-		NULL, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, 
-		PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE);
+                    NULL, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE,
+                    PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE);
 }
 
 /*
  * OK there are now lots of options here, lets go through them all:
  *
  * configdir - base directory where all the cert, key, and module datbases live.
  * certPrefix - prefix added to the beginning of the cert database example: "
- * 			"https-server1-"
+ *             "https-server1-"
  * keyPrefix - prefix added to the beginning of the key database example: "
- * 			"https-server1-"
+ *             "https-server1-"
  * secmodName - name of the security module database (usually "secmod.db").
  * flags - change the open options of NSS_Initialize as follows:
- * 	NSS_INIT_READONLY - Open the databases read only.
- * 	NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just 
- * 			initialize the volatile certdb.
- * 	NSS_INIT_NOMODDB  - Don't open the security module DB, just 
- *			initialize the 	PKCS #11 module.
- *      NSS_INIT_FORCEOPEN - Continue to force initializations even if the 
- * 			databases cannot be opened.
+ *   NSS_INIT_READONLY - Open the databases read only.
+ *   NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just
+ *             initialize the volatile certdb.
+ *   NSS_INIT_NOMODDB  - Don't open the security module DB, just
+ *             initialize the      PKCS #11 module.
+ *      NSS_INIT_FORCEOPEN - Continue to force initializations even if the
+ *             databases cannot be opened.
  *      NSS_INIT_PK11THREADSAFE - only load PKCS#11 modules that are
  *                      thread-safe, ie. that support locking - either OS
  *                      locking or NSS-provided locks . If a PKCS#11
  *                      module isn't thread-safe, don't serialize its
  *                      calls; just don't load it instead. This is necessary
  *                      if another piece of code is using the same PKCS#11
  *                      modules that NSS is accessing without going through
  *                      NSS, for example the Java SunPKCS11 provider.
@@ -838,177 +861,174 @@ NSS_InitReadWrite(const char *configdir)
  *                      C_WaitForSlotEvent, in order to prevent the need for
  *                      C_Finalize. This call will be emulated instead.
  *      NSS_INIT_RESERVED - Currently has no effect, but may be used in the
  *                      future to trigger better cooperation between PKCS#11
  *                      modules used by both NSS and the Java SunPKCS11
  *                      provider. This should occur after a new flag is defined
  *                      for C_Initialize by the PKCS#11 working group.
  *      NSS_INIT_COOPERATE - Sets 4 recommended options for applications that
- *                      use both NSS and the Java SunPKCS11 provider. 
+ *                      use both NSS and the Java SunPKCS11 provider.
  */
 SECStatus
-NSS_Initialize(const char *configdir, const char *certPrefix, 
-	const char *keyPrefix, const char *secmodName, PRUint32 flags)
+NSS_Initialize(const char *configdir, const char *certPrefix,
+               const char *keyPrefix, const char *secmodName, PRUint32 flags)
 {
     return nss_Init(configdir, certPrefix, keyPrefix, secmodName,
-	"", "", "", "", "", NULL, NULL,
-	((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY),
-	((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB),
-	((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB),
-	((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN),
-	((flags & NSS_INIT_NOROOTINIT) == NSS_INIT_NOROOTINIT),
-	((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE),
-        ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE),
-        ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD),
-        ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE));
+                    "", "", "", "", "", NULL, NULL,
+                    ((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY),
+                    ((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB),
+                    ((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB),
+                    ((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN),
+                    ((flags & NSS_INIT_NOROOTINIT) == NSS_INIT_NOROOTINIT),
+                    ((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE),
+                    ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE),
+                    ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD),
+                    ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE));
 }
 
 NSSInitContext *
-NSS_InitContext(const char *configdir, const char *certPrefix, 
-	const char *keyPrefix, const char *secmodName, 
-	NSSInitParameters *initParams, PRUint32 flags)
+NSS_InitContext(const char *configdir, const char *certPrefix,
+                const char *keyPrefix, const char *secmodName,
+                NSSInitParameters *initParams, PRUint32 flags)
 {
     SECStatus rv;
     NSSInitContext *context;
 
     rv = nss_Init(configdir, certPrefix, keyPrefix, secmodName,
-	"", "", "", "", "", &context, initParams,
-	((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY),
-	((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB),
-	((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB),
-	((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN), PR_TRUE,
-	((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE),
-        ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE),
-        ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD),
-        ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE));
+                  "", "", "", "", "", &context, initParams,
+                  ((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY),
+                  ((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB),
+                  ((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB),
+                  ((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN), PR_TRUE,
+                  ((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE),
+                  ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE),
+                  ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD),
+                  ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE));
     return (rv == SECSuccess) ? context : NULL;
 }
 
 SECStatus
-NSS_InitWithMerge(const char *configdir, const char *certPrefix, 
-	const char *keyPrefix, const char *secmodName, 
-	const char *updateDir, const char *updCertPrefix,
-	const char *updKeyPrefix, const char *updateID, 
-	const char *updateName, PRUint32 flags)
+NSS_InitWithMerge(const char *configdir, const char *certPrefix,
+                  const char *keyPrefix, const char *secmodName,
+                  const char *updateDir, const char *updCertPrefix,
+                  const char *updKeyPrefix, const char *updateID,
+                  const char *updateName, PRUint32 flags)
 {
     return nss_Init(configdir, certPrefix, keyPrefix, secmodName,
-	updateDir, updCertPrefix, updKeyPrefix, updateID, updateName, 
-	NULL, NULL,
-	((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY),
-	((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB),
-	((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB),
-	((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN),
-	((flags & NSS_INIT_NOROOTINIT) == NSS_INIT_NOROOTINIT),
-	((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE),
-        ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE),
-        ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD),
-        ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE));
+                    updateDir, updCertPrefix, updKeyPrefix, updateID, updateName,
+                    NULL, NULL,
+                    ((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY),
+                    ((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB),
+                    ((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB),
+                    ((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN),
+                    ((flags & NSS_INIT_NOROOTINIT) == NSS_INIT_NOROOTINIT),
+                    ((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE),
+                    ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE),
+                    ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD),
+                    ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE));
 }
 
 /*
  * initialize NSS without a creating cert db's, key db's, or secmod db's.
  */
 SECStatus
-NSS_NoDB_Init(const char * configdir)
+NSS_NoDB_Init(const char *configdir)
 {
-      return nss_Init("","","","", "", "", "", "", "", NULL, NULL,
-			PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,
-			PR_FALSE,PR_FALSE,PR_FALSE);
+    return nss_Init("", "", "", "", "", "", "", "", "", NULL, NULL,
+                    PR_TRUE, PR_TRUE, PR_TRUE, PR_TRUE, PR_TRUE, PR_TRUE,
+                    PR_FALSE, PR_FALSE, PR_FALSE);
 }
 
-
 #define NSS_SHUTDOWN_STEP 10
 
 struct NSSShutdownFuncPair {
-    NSS_ShutdownFunc	func;
-    void		*appData;
+    NSS_ShutdownFunc func;
+    void *appData;
 };
 
 static struct NSSShutdownListStr {
-    PZLock		*lock;
-    int			allocatedFuncs;
-    int			peakFuncs;
-    struct NSSShutdownFuncPair	*funcs;
+    PZLock *lock;
+    int allocatedFuncs;
+    int peakFuncs;
+    struct NSSShutdownFuncPair *funcs;
 } nssShutdownList = { 0 };
 
 /*
  * find and existing shutdown function
  */
-static int 
+static int
 nss_GetShutdownEntry(NSS_ShutdownFunc sFunc, void *appData)
 {
     int count, i;
     count = nssShutdownList.peakFuncs;
 
-    for (i=0; i < count; i++) {
-	if ((nssShutdownList.funcs[i].func == sFunc) &&
-	    (nssShutdownList.funcs[i].appData == appData)){
-	    return i;
-	}
+    for (i = 0; i < count; i++) {
+        if ((nssShutdownList.funcs[i].func == sFunc) &&
+            (nssShutdownList.funcs[i].appData == appData)) {
+            return i;
+        }
     }
     return -1;
 }
-    
+
 /*
  * register a callback to be called when NSS shuts down
  */
 SECStatus
 NSS_RegisterShutdown(NSS_ShutdownFunc sFunc, void *appData)
 {
     int i;
 
     /* make sure our lock and condition variable are initialized one and only
-     * one time */ 
+     * one time */
     if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
-	return SECFailure;
+        return SECFailure;
     }
 
     PZ_Lock(nssInitLock);
     if (!NSS_IsInitialized()) {
-	PZ_Unlock(nssInitLock);
-	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
-	return SECFailure;
+        PZ_Unlock(nssInitLock);
+        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+        return SECFailure;
     }
     PZ_Unlock(nssInitLock);
     if (sFunc == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     PORT_Assert(nssShutdownList.lock);
     PZ_Lock(nssShutdownList.lock);
 
     /* make sure we don't have a duplicate */
     i = nss_GetShutdownEntry(sFunc, appData);
     if (i >= 0) {
-	PZ_Unlock(nssShutdownList.lock);
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return SECFailure;
+        PZ_Unlock(nssShutdownList.lock);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
     }
     /* find an empty slot */
     i = nss_GetShutdownEntry(NULL, NULL);
     if (i >= 0) {
-	nssShutdownList.funcs[i].func = sFunc;
-	nssShutdownList.funcs[i].appData = appData;
-	PZ_Unlock(nssShutdownList.lock);
-	return SECSuccess;
+        nssShutdownList.funcs[i].func = sFunc;
+        nssShutdownList.funcs[i].appData = appData;
+        PZ_Unlock(nssShutdownList.lock);
+        return SECSuccess;
     }
     if (nssShutdownList.allocatedFuncs == nssShutdownList.peakFuncs) {
-	struct NSSShutdownFuncPair *funcs = 
-		(struct NSSShutdownFuncPair *)PORT_Realloc
-		(nssShutdownList.funcs, 
-		(nssShutdownList.allocatedFuncs + NSS_SHUTDOWN_STEP) 
-		*sizeof(struct NSSShutdownFuncPair));
-	if (!funcs) {
-	    PZ_Unlock(nssShutdownList.lock);
-	    return SECFailure;
-	}
-	nssShutdownList.funcs = funcs;
-	nssShutdownList.allocatedFuncs += NSS_SHUTDOWN_STEP;
+        struct NSSShutdownFuncPair *funcs =
+            (struct NSSShutdownFuncPair *)PORT_Realloc(nssShutdownList.funcs,
+                                                       (nssShutdownList.allocatedFuncs + NSS_SHUTDOWN_STEP) * sizeof(struct NSSShutdownFuncPair));
+        if (!funcs) {
+            PZ_Unlock(nssShutdownList.lock);
+            return SECFailure;
+        }
+        nssShutdownList.funcs = funcs;
+        nssShutdownList.allocatedFuncs += NSS_SHUTDOWN_STEP;
     }
     nssShutdownList.funcs[nssShutdownList.peakFuncs].func = sFunc;
     nssShutdownList.funcs[nssShutdownList.peakFuncs].appData = appData;
     nssShutdownList.peakFuncs++;
     PZ_Unlock(nssShutdownList.lock);
     return SECSuccess;
 }
 
@@ -1016,133 +1036,132 @@ NSS_RegisterShutdown(NSS_ShutdownFunc sF
  * unregister a callback so it won't get called on shutdown.
  */
 SECStatus
 NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData)
 {
     int i;
 
     /* make sure our lock and condition variable are initialized one and only
-     * one time */ 
+     * one time */
     if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
-	return SECFailure;
+        return SECFailure;
     }
     PZ_Lock(nssInitLock);
     if (!NSS_IsInitialized()) {
-	PZ_Unlock(nssInitLock);
-	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
-	return SECFailure;
+        PZ_Unlock(nssInitLock);
+        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+        return SECFailure;
     }
     PZ_Unlock(nssInitLock);
 
     PORT_Assert(nssShutdownList.lock);
     PZ_Lock(nssShutdownList.lock);
     i = nss_GetShutdownEntry(sFunc, appData);
     if (i >= 0) {
-	nssShutdownList.funcs[i].func = NULL;
-	nssShutdownList.funcs[i].appData = NULL;
+        nssShutdownList.funcs[i].func = NULL;
+        nssShutdownList.funcs[i].appData = NULL;
     }
     PZ_Unlock(nssShutdownList.lock);
 
     if (i < 0) {
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
     }
     return SECSuccess;
 }
 
 /*
  * bring up and shutdown the shutdown list
  */
 static SECStatus
 nss_InitShutdownList(void)
 {
     if (nssShutdownList.lock != NULL) {
-	return SECSuccess;
+        return SECSuccess;
     }
     nssShutdownList.lock = PZ_NewLock(nssILockOther);
     if (nssShutdownList.lock == NULL) {
-	return SECFailure;
+        return SECFailure;
     }
-    nssShutdownList.funcs = PORT_ZNewArray(struct NSSShutdownFuncPair, 
-				           NSS_SHUTDOWN_STEP);
+    nssShutdownList.funcs = PORT_ZNewArray(struct NSSShutdownFuncPair,
+                                           NSS_SHUTDOWN_STEP);
     if (nssShutdownList.funcs == NULL) {
-	PZ_DestroyLock(nssShutdownList.lock);
-    	nssShutdownList.lock = NULL;
-	return SECFailure;
+        PZ_DestroyLock(nssShutdownList.lock);
+        nssShutdownList.lock = NULL;
+        return SECFailure;
     }
     nssShutdownList.allocatedFuncs = NSS_SHUTDOWN_STEP;
     nssShutdownList.peakFuncs = 0;
 
     return SECSuccess;
 }
 
 static SECStatus
 nss_ShutdownShutdownList(void)
 {
     SECStatus rv = SECSuccess;
     int i;
 
     /* call all the registerd functions first */
-    for (i=0; i < nssShutdownList.peakFuncs; i++) {
-	struct NSSShutdownFuncPair *funcPair = &nssShutdownList.funcs[i];
-	if (funcPair->func) {
-	    if ((*funcPair->func)(funcPair->appData,NULL) != SECSuccess) {
-		rv = SECFailure;
-	    }
-	}
+    for (i = 0; i < nssShutdownList.peakFuncs; i++) {
+        struct NSSShutdownFuncPair *funcPair = &nssShutdownList.funcs[i];
+        if (funcPair->func) {
+            if ((*funcPair->func)(funcPair->appData, NULL) != SECSuccess) {
+                rv = SECFailure;
+            }
+        }
     }
 
     nssShutdownList.peakFuncs = 0;
     nssShutdownList.allocatedFuncs = 0;
     PORT_Free(nssShutdownList.funcs);
     nssShutdownList.funcs = NULL;
     if (nssShutdownList.lock) {
-	PZ_DestroyLock(nssShutdownList.lock);
+        PZ_DestroyLock(nssShutdownList.lock);
     }
     nssShutdownList.lock = NULL;
     return rv;
 }
 
-
 extern const NSSError NSS_ERROR_BUSY;
 
 SECStatus
 nss_Shutdown(void)
 {
     SECStatus shutdownRV = SECSuccess;
     SECStatus rv;
     PRStatus status;
     NSSInitContext *temp;
 
     rv = nss_ShutdownShutdownList();
     if (rv != SECSuccess) {
-	shutdownRV = SECFailure;
+        shutdownRV = SECFailure;
     }
     cert_DestroyLocks();
     ShutdownCRLCache();
     OCSP_ShutdownGlobal();
 #ifndef NSS_DISABLE_LIBPKIX
     PKIX_Shutdown(plContext);
 #endif /* NSS_DISABLE_LIBPKIX */
     SECOID_Shutdown();
     status = STAN_Shutdown();
     cert_DestroySubjectKeyIDHashTable();
     pk11_SetInternalKeySlot(NULL);
     rv = SECMOD_Shutdown();
     if (rv != SECSuccess) {
-	shutdownRV = SECFailure;
+        shutdownRV = SECFailure;
     }
     pk11sdr_Shutdown();
     nssArena_Shutdown();
     if (status == PR_FAILURE) {
-	if (NSS_GetError() == NSS_ERROR_BUSY) {
-	    PORT_SetError(SEC_ERROR_BUSY);
-	}
-	shutdownRV = SECFailure;
+        if (NSS_GetError() == NSS_ERROR_BUSY) {
+            PORT_SetError(SEC_ERROR_BUSY);
+        }
+        shutdownRV = SECFailure;
     }
     /*
      * A thread's error stack is automatically destroyed when the thread
      * terminates, except for the primordial thread, whose error stack is
      * destroyed by PR_Cleanup.  Since NSS is usually shut down by the
      * primordial thread and many NSS-based apps don't call PR_Cleanup,
      * we destroy the calling thread's error stack here. This must be
      * done after any NSS_GetError call, otherwise NSS_GetError will
@@ -1150,131 +1169,131 @@ nss_Shutdown(void)
      */
     nss_DestroyErrorStack();
     nssIsInitted = PR_FALSE;
     temp = nssInitContextList;
     nssInitContextList = NULL;
     /* free the old list. This is necessary when we are called from
      * NSS_Shutdown(). */
     while (temp) {
-	NSSInitContext *next = temp->next;
-	temp->magic = 0;
-	PORT_Free(temp);
-	temp = next;
+        NSSInitContext *next = temp->next;
+        temp->magic = 0;
+        PORT_Free(temp);
+        temp = next;
     }
     return shutdownRV;
 }
 
 SECStatus
 NSS_Shutdown(void)
 {
     SECStatus rv;
     /* make sure our lock and condition variable are initialized one and only
-     * one time */ 
+     * one time */
     if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
-	return SECFailure;
+        return SECFailure;
     }
     PZ_Lock(nssInitLock);
 
     if (!nssIsInitted) {
-	PZ_Unlock(nssInitLock);
-	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
-	return SECFailure;
+        PZ_Unlock(nssInitLock);
+        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+        return SECFailure;
     }
 
     /* If one or more threads are in the middle of init, wait for them
      * to complete */
     while (nssIsInInit) {
-	PZ_WaitCondVar(nssInitCondition,PR_INTERVAL_NO_TIMEOUT);
+        PZ_WaitCondVar(nssInitCondition, PR_INTERVAL_NO_TIMEOUT);
     }
     rv = nss_Shutdown();
     PZ_Unlock(nssInitLock);
     return rv;
 }
 
 /*
  * remove the context from a list. return true if found, false if not
  */
 PRBool
-nss_RemoveList(NSSInitContext *context) {
+nss_RemoveList(NSSInitContext *context)
+{
     NSSInitContext *this = nssInitContextList;
     NSSInitContext **last = &nssInitContextList;
 
     while (this) {
-	if (this == context) {
-	    *last = this->next;
-	    this->magic = 0;
-	    PORT_Free(this);
-	    return PR_TRUE;
-	}
-	last = &this->next;
-	this=this->next;
+        if (this == context) {
+            *last = this->next;
+            this->magic = 0;
+            PORT_Free(this);
+            return PR_TRUE;
+        }
+        last = &this->next;
+        this = this->next;
     }
     return PR_FALSE;
 }
 
 /*
- * This form of shutdown is safe in the case where we may have multiple 
+ * This form of shutdown is safe in the case where we may have multiple
  * entities using NSS in a single process. Each entity calls shutdown with
  * it's own context. The application (which doesn't get a context), calls
  * shutdown with NULL. Once all users have 'checked in' NSS will shutdown.
  * This is different than NSS_Shutdown, where calling it will shutdown NSS
  * irreguardless of who else may have NSS open.
  */
 SECStatus
 NSS_ShutdownContext(NSSInitContext *context)
 {
     SECStatus rv = SECSuccess;
 
     /* make sure our lock and condition variable are initialized one and only
-     * one time */ 
+     * one time */
     if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
-	return SECFailure;
+        return SECFailure;
     }
     PZ_Lock(nssInitLock);
     /* If one or more threads are in the middle of init, wait for them
      * to complete */
     while (nssIsInInit) {
-	PZ_WaitCondVar(nssInitCondition,PR_INTERVAL_NO_TIMEOUT);
+        PZ_WaitCondVar(nssInitCondition, PR_INTERVAL_NO_TIMEOUT);
     }
 
     /* OK, we are the only thread now either initializing or shutting down */
-    
+
     if (!context) {
-	if (!nssIsInitted) {
-	    PZ_Unlock(nssInitLock);
-	    PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
-	    return SECFailure;
-	}
-	nssIsInitted = 0;
-    } else if (! nss_RemoveList(context)) {
-	PZ_Unlock(nssInitLock);
-	/* context was already freed or wasn't valid */
-	PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
-	return SECFailure;
+        if (!nssIsInitted) {
+            PZ_Unlock(nssInitLock);
+            PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+            return SECFailure;
+        }
+        nssIsInitted = 0;
+    } else if (!nss_RemoveList(context)) {
+        PZ_Unlock(nssInitLock);
+        /* context was already freed or wasn't valid */
+        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+        return SECFailure;
     }
     if ((nssIsInitted == 0) && (nssInitContextList == NULL)) {
-	rv = nss_Shutdown();
+        rv = nss_Shutdown();
     }
 
     /* NOTE: we don't try to free the nssInitLocks to prevent races against
      * the locks. There may be a thread, right now, waiting in NSS_Init for us
      * to free the lock below. If we delete the locks, bad things would happen
      * to that thread */
     PZ_Unlock(nssInitLock);
 
     return rv;
 }
 
 PRBool
 NSS_IsInitialized(void)
 {
     return (nssIsInitted) || (nssInitContextList != NULL);
 }
-	
 
 extern const char __nss_base_version[];
 
 PRBool
 NSS_VersionCheck(const char *importedVersion)
 {
     /*
      * This is the secret handshake algorithm.
--- a/security/nss/lib/nss/nssoptions.c
+++ b/security/nss/lib/nss/nssoptions.c
@@ -33,73 +33,72 @@ static struct nssOps nss_ops = {
     0xffff, /* set TLS max to more than the largest legal SSL value */
     1,
     0xffff,
 };
 
 SECStatus
 NSS_OptionSet(PRInt32 which, PRInt32 value)
 {
-SECStatus rv = SECSuccess;
+    SECStatus rv = SECSuccess;
 
     switch (which) {
-      case NSS_RSA_MIN_KEY_SIZE:
-        nss_ops.rsaMinKeySize = value;
-        break;
-      case NSS_DH_MIN_KEY_SIZE:
-        nss_ops.dhMinKeySize = value;
-        break;
-      case NSS_DSA_MIN_KEY_SIZE:
-        nss_ops.dsaMinKeySize = value;
-        break;
-      case NSS_TLS_VERSION_MIN_POLICY:
-	nss_ops.tlsVersionMinPolicy = value;
-	break;
-      case NSS_TLS_VERSION_MAX_POLICY:
-	nss_ops.tlsVersionMaxPolicy = value;
-	break;
-      case NSS_DTLS_VERSION_MIN_POLICY:
-	nss_ops.dtlsVersionMinPolicy = value;
-	break;
-      case NSS_DTLS_VERSION_MAX_POLICY:
-	nss_ops.dtlsVersionMaxPolicy = value;
-	break;
-      default:
-	rv = SECFailure;
+        case NSS_RSA_MIN_KEY_SIZE:
+            nss_ops.rsaMinKeySize = value;
+            break;
+        case NSS_DH_MIN_KEY_SIZE:
+            nss_ops.dhMinKeySize = value;
+            break;
+        case NSS_DSA_MIN_KEY_SIZE:
+            nss_ops.dsaMinKeySize = value;
+            break;
+        case NSS_TLS_VERSION_MIN_POLICY:
+            nss_ops.tlsVersionMinPolicy = value;
+            break;
+        case NSS_TLS_VERSION_MAX_POLICY:
+            nss_ops.tlsVersionMaxPolicy = value;
+            break;
+        case NSS_DTLS_VERSION_MIN_POLICY:
+            nss_ops.dtlsVersionMinPolicy = value;
+            break;
+        case NSS_DTLS_VERSION_MAX_POLICY:
+            nss_ops.dtlsVersionMaxPolicy = value;
+            break;
+        default:
+            rv = SECFailure;
     }
 
     return rv;
 }
 
 SECStatus
 NSS_OptionGet(PRInt32 which, PRInt32 *value)
 {
-SECStatus rv = SECSuccess;
+    SECStatus rv = SECSuccess;
 
     switch (which) {
-      case NSS_RSA_MIN_KEY_SIZE:
-        *value = nss_ops.rsaMinKeySize;
-        break;
-      case NSS_DH_MIN_KEY_SIZE:
-        *value = nss_ops.dhMinKeySize;
-        break;
-      case NSS_DSA_MIN_KEY_SIZE:
-        *value = nss_ops.dsaMinKeySize;
-        break;
-      case NSS_TLS_VERSION_MIN_POLICY:
-	*value = nss_ops.tlsVersionMinPolicy;
-	break;
-      case NSS_TLS_VERSION_MAX_POLICY:
-	*value = nss_ops.tlsVersionMaxPolicy;
-	break;
-      case NSS_DTLS_VERSION_MIN_POLICY:
-	*value = nss_ops.dtlsVersionMinPolicy;
-	break;
-      case NSS_DTLS_VERSION_MAX_POLICY:
-	*value = nss_ops.dtlsVersionMaxPolicy;
-	break;
-      default:
-	rv = SECFailure;
+        case NSS_RSA_MIN_KEY_SIZE:
+            *value = nss_ops.rsaMinKeySize;
+            break;
+        case NSS_DH_MIN_KEY_SIZE:
+            *value = nss_ops.dhMinKeySize;
+            break;
+        case NSS_DSA_MIN_KEY_SIZE:
+            *value = nss_ops.dsaMinKeySize;
+            break;
+        case NSS_TLS_VERSION_MIN_POLICY:
+            *value = nss_ops.tlsVersionMinPolicy;
+            break;
+        case NSS_TLS_VERSION_MAX_POLICY:
+            *value = nss_ops.tlsVersionMaxPolicy;
+            break;
+        case NSS_DTLS_VERSION_MIN_POLICY:
+            *value = nss_ops.dtlsVersionMinPolicy;
+            break;
+        case NSS_DTLS_VERSION_MAX_POLICY:
+            *value = nss_ops.dtlsVersionMaxPolicy;
+            break;
+        default:
+            rv = SECFailure;
     }
 
     return rv;
 }
-
--- a/security/nss/lib/nss/nssoptions.h
+++ b/security/nss/lib/nss/nssoptions.h
@@ -2,20 +2,19 @@
  * NSS utility functions
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  *  Include the default limits here
  */
-/* SSL default limits are here so we don't have to import a private SSL header 
+/* SSL default limits are here so we don't have to import a private SSL header
  * file into NSS proper */
 
 /* The minimum server key sizes accepted by the clients.
  * Not 1024 to be conservative. */
 #define SSL_RSA_MIN_MODULUS_BITS 1023
 /* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be
  * only 1023 bits and similar.  We don't have good data on whether this
  * happens because NSS used to count bit lengths incorrectly. */
 #define SSL_DH_MIN_P_BITS 1023
 #define SSL_DSA_MIN_P_BITS 1023
-
--- a/security/nss/lib/nss/utilwrap.c
+++ b/security/nss/lib/nss/utilwrap.c
@@ -231,528 +231,605 @@ PORT_ArenaStrdup(PLArenaPool *arena, con
 void
 PORT_SetUCS4_UTF8ConversionFunction(PORTCharConversionFunc convFunc)
 {
     PORT_SetUCS4_UTF8ConversionFunction_Util(convFunc);
 }
 
 void
 PORT_SetUCS2_ASCIIConversionFunction(PORTCharConversionWSwapFunc convFunc)
-{ 
+{
     PORT_SetUCS2_ASCIIConversionFunction_Util(convFunc);
 }
 
 void
 PORT_SetUCS2_UTF8ConversionFunction(PORTCharConversionFunc convFunc)
-{ 
+{
     PORT_SetUCS2_UTF8ConversionFunction_Util(convFunc);
 }
 
-PRBool 
+PRBool
 PORT_UCS2_UTF8Conversion(PRBool toUnicode, unsigned char *inBuf,
-			 unsigned int inBufLen, unsigned char *outBuf,
-			 unsigned int maxOutBufLen, unsigned int *outBufLen)
+                         unsigned int inBufLen, unsigned char *outBuf,
+                         unsigned int maxOutBufLen, unsigned int *outBufLen)
 {
     return PORT_UCS2_UTF8Conversion_Util(toUnicode, inBuf, inBufLen, outBuf,
-                                          maxOutBufLen, outBufLen);
-} 
+                                         maxOutBufLen, outBufLen);
+}
 
-PRBool 
+PRBool
 PORT_UCS2_ASCIIConversion(PRBool toUnicode, unsigned char *inBuf,
-			  unsigned int inBufLen, unsigned char *outBuf,
-			  unsigned int maxOutBufLen, unsigned int *outBufLen,
-			  PRBool swapBytes)
+                          unsigned int inBufLen, unsigned char *outBuf,
+                          unsigned int maxOutBufLen, unsigned int *outBufLen,
+                          PRBool swapBytes)
 {
     return PORT_UCS2_ASCIIConversion_Util(toUnicode, inBuf, inBufLen, outBuf,
-			  maxOutBufLen, outBufLen, swapBytes);
+                                          maxOutBufLen, outBufLen, swapBytes);
 }
 
 int
-NSS_PutEnv(const char * envVarName, const char * envValue)
+NSS_PutEnv(const char *envVarName, const char *envValue)
 {
     return NSS_PutEnv_Util(envVarName, envValue);
 }
 
-SECOidData *SECOID_FindOID( const SECItem *oid)
+SECOidData *
+SECOID_FindOID(const SECItem *oid)
 {
     return SECOID_FindOID_Util(oid);
 }
 
-SECOidTag SECOID_FindOIDTag(const SECItem *oid)
+SECOidTag
+SECOID_FindOIDTag(const SECItem *oid)
 {
     return SECOID_FindOIDTag_Util(oid);
 }
 
-SECOidData *SECOID_FindOIDByTag(SECOidTag tagnum)
+SECOidData *
+SECOID_FindOIDByTag(SECOidTag tagnum)
 {
     return SECOID_FindOIDByTag_Util(tagnum);
 }
 
-SECStatus SECOID_SetAlgorithmID(PLArenaPool *arena, SECAlgorithmID *aid,
-				   SECOidTag tag, SECItem *params)
+SECStatus
+SECOID_SetAlgorithmID(PLArenaPool *arena, SECAlgorithmID *aid,
+                      SECOidTag tag, SECItem *params)
 {
     return SECOID_SetAlgorithmID_Util(arena, aid, tag, params);
 }
 
-SECStatus SECOID_CopyAlgorithmID(PLArenaPool *arena, SECAlgorithmID *dest,
-				 const SECAlgorithmID *src)
+SECStatus
+SECOID_CopyAlgorithmID(PLArenaPool *arena, SECAlgorithmID *dest,
+                       const SECAlgorithmID *src)
 {
     return SECOID_CopyAlgorithmID_Util(arena, dest, src);
 }
 
-SECOidTag SECOID_GetAlgorithmTag(const SECAlgorithmID *aid)
+SECOidTag
+SECOID_GetAlgorithmTag(const SECAlgorithmID *aid)
 {
     return SECOID_GetAlgorithmTag_Util(aid);
 }
 
-void SECOID_DestroyAlgorithmID(SECAlgorithmID *aid, PRBool freeit)
+void
+SECOID_DestroyAlgorithmID(SECAlgorithmID *aid, PRBool freeit)
 {
     SECOID_DestroyAlgorithmID_Util(aid, freeit);
 }
 
-SECComparison SECOID_CompareAlgorithmID(SECAlgorithmID *a,
-					   SECAlgorithmID *b)
+SECComparison
+SECOID_CompareAlgorithmID(SECAlgorithmID *a,
+                          SECAlgorithmID *b)
 {
     return SECOID_CompareAlgorithmID_Util(a, b);
 }
 
-const char *SECOID_FindOIDTagDescription(SECOidTag tagnum)
+const char *
+SECOID_FindOIDTagDescription(SECOidTag tagnum)
 {
     return SECOID_FindOIDTagDescription_Util(tagnum);
 }
 
-SECOidTag SECOID_AddEntry(const SECOidData * src)
+SECOidTag
+SECOID_AddEntry(const SECOidData *src)
 {
     return SECOID_AddEntry_Util(src);
 }
 
-SECItem *SECITEM_AllocItem(PLArenaPool *arena, SECItem *item,
-				  unsigned int len)
+SECItem *
+SECITEM_AllocItem(PLArenaPool *arena, SECItem *item,
+                  unsigned int len)
 {
     return SECITEM_AllocItem_Util(arena, item, len);
 }
 
-SECComparison SECITEM_CompareItem(const SECItem *a, const SECItem *b)
+SECComparison
+SECITEM_CompareItem(const SECItem *a, const SECItem *b)
 {
     return SECITEM_CompareItem_Util(a, b);
 }
 
-PRBool SECITEM_ItemsAreEqual(const SECItem *a, const SECItem *b)
+PRBool
+SECITEM_ItemsAreEqual(const SECItem *a, const SECItem *b)
 {
     return SECITEM_ItemsAreEqual_Util(a, b);
 }
 
-SECStatus SECITEM_CopyItem(PLArenaPool *arena, SECItem *to,
-                                  const SECItem *from)
+SECStatus
+SECITEM_CopyItem(PLArenaPool *arena, SECItem *to,
+                 const SECItem *from)
 {
     return SECITEM_CopyItem_Util(arena, to, from);
 }
 
-SECItem *SECITEM_DupItem(const SECItem *from)
+SECItem *
+SECITEM_DupItem(const SECItem *from)
 {
     return SECITEM_DupItem_Util(from);
 }
 
-SECItem *SECITEM_ArenaDupItem(PLArenaPool *arena, const SECItem *from)
+SECItem *
+SECITEM_ArenaDupItem(PLArenaPool *arena, const SECItem *from)
 {
     return SECITEM_ArenaDupItem_Util(arena, from);
 }
 
-void SECITEM_FreeItem(SECItem *zap, PRBool freeit)
+void
+SECITEM_FreeItem(SECItem *zap, PRBool freeit)
 {
     SECITEM_FreeItem_Util(zap, freeit);
 }
 
-void SECITEM_ZfreeItem(SECItem *zap, PRBool freeit)
+void
+SECITEM_ZfreeItem(SECItem *zap, PRBool freeit)
 {
     SECITEM_ZfreeItem_Util(zap, freeit);
 }
 
-SGNDigestInfo *SGN_CreateDigestInfo(SECOidTag algorithm,
-					   unsigned char *sig,
-					   unsigned int sigLen)
+SGNDigestInfo *
+SGN_CreateDigestInfo(SECOidTag algorithm,
+                     unsigned char *sig,
+                     unsigned int sigLen)
 {
     return SGN_CreateDigestInfo_Util(algorithm, sig, sigLen);
 }
 
-void SGN_DestroyDigestInfo(SGNDigestInfo *info)
+void
+SGN_DestroyDigestInfo(SGNDigestInfo *info)
 {
     SGN_DestroyDigestInfo_Util(info);
 }
 
-SECStatus  SGN_CopyDigestInfo(PLArenaPool *poolp,
-					SGNDigestInfo *a, 
-					SGNDigestInfo *b)
+SECStatus
+SGN_CopyDigestInfo(PLArenaPool *poolp,
+                   SGNDigestInfo *a,
+                   SGNDigestInfo *b)
 {
     return SGN_CopyDigestInfo_Util(poolp, a, b);
 }
 
-SECComparison SGN_CompareDigestInfo(SGNDigestInfo *a, SGNDigestInfo *b)
+SECComparison
+SGN_CompareDigestInfo(SGNDigestInfo *a, SGNDigestInfo *b)
 {
     return SGN_CompareDigestInfo_Util(a, b);
 }
 
-SECStatus DER_Encode(PLArenaPool *arena, SECItem *dest, DERTemplate *t,
-			   void *src)
+SECStatus
+DER_Encode(PLArenaPool *arena, SECItem *dest, DERTemplate *t,
+           void *src)
 {
     return DER_Encode_Util(arena, dest, t, src);
 }
 
-SECStatus DER_Lengths(SECItem *item, int *header_len_p,
-                             PRUint32 *contents_len_p)
+SECStatus
+DER_Lengths(SECItem *item, int *header_len_p,
+            PRUint32 *contents_len_p)
 {
     return DER_Lengths_Util(item, header_len_p, contents_len_p);
 }
 
-long DER_GetInteger(const SECItem *src)
+long
+DER_GetInteger(const SECItem *src)
 {
     return DER_GetInteger_Util(src);
 }
 
-SECStatus DER_TimeToUTCTime(SECItem *result, PRTime time)
+SECStatus
+DER_TimeToUTCTime(SECItem *result, PRTime time)
 {
     return DER_TimeToUTCTime_Util(result, time);
 }
 
-SECStatus DER_AsciiToTime(PRTime *result, const char *string)
+SECStatus
+DER_AsciiToTime(PRTime *result, const char *string)
 {
     return DER_AsciiToTime_Util(result, string);
 }
 
-SECStatus DER_UTCTimeToTime(PRTime *result, const SECItem *time)
+SECStatus
+DER_UTCTimeToTime(PRTime *result, const SECItem *time)
 {
     return DER_UTCTimeToTime_Util(result, time);
 }
 
-char *DER_UTCTimeToAscii(SECItem *utcTime)
+char *
+DER_UTCTimeToAscii(SECItem *utcTime)
 {
     return DER_UTCTimeToAscii_Util(utcTime);
 }
 
-char *DER_UTCDayToAscii(SECItem *utctime)
+char *
+DER_UTCDayToAscii(SECItem *utctime)
 {
     return DER_UTCDayToAscii_Util(utctime);
 }
 
-char *DER_GeneralizedDayToAscii(SECItem *gentime)
+char *
+DER_GeneralizedDayToAscii(SECItem *gentime)
 {
     return DER_GeneralizedDayToAscii_Util(gentime);
 }
 
-char *DER_TimeChoiceDayToAscii(SECItem *timechoice)
+char *
+DER_TimeChoiceDayToAscii(SECItem *timechoice)
 {
     return DER_TimeChoiceDayToAscii_Util(timechoice);
 }
 
-SECStatus DER_TimeToGeneralizedTime(SECItem *dst, PRTime gmttime)
+SECStatus
+DER_TimeToGeneralizedTime(SECItem *dst, PRTime gmttime)
 {
     return DER_TimeToGeneralizedTime_Util(dst, gmttime);
 }
 
-SECStatus DER_TimeToGeneralizedTimeArena(PLArenaPool* arenaOpt,
-                                         SECItem *dst, PRTime gmttime)
+SECStatus
+DER_TimeToGeneralizedTimeArena(PLArenaPool *arenaOpt,
+                               SECItem *dst, PRTime gmttime)
 {
     return DER_TimeToGeneralizedTimeArena_Util(arenaOpt, dst, gmttime);
 }
 
-SECStatus DER_GeneralizedTimeToTime(PRTime *dst, const SECItem *time)
+SECStatus
+DER_GeneralizedTimeToTime(PRTime *dst, const SECItem *time)
 {
     return DER_GeneralizedTimeToTime_Util(dst, time);
 }
 
-char *CERT_GenTime2FormattedAscii(PRTime genTime, char *format)
+char *
+CERT_GenTime2FormattedAscii(PRTime genTime, char *format)
 {
     return CERT_GenTime2FormattedAscii_Util(genTime, format);
 }
 
-SECStatus DER_DecodeTimeChoice(PRTime* output, const SECItem* input)
+SECStatus
+DER_DecodeTimeChoice(PRTime *output, const SECItem *input)
 {
     return DER_DecodeTimeChoice_Util(output, input);
 }
 
-SECStatus DER_EncodeTimeChoice(PLArenaPool* arena, SECItem* output,
-                                       PRTime input)
+SECStatus
+DER_EncodeTimeChoice(PLArenaPool *arena, SECItem *output,
+                     PRTime input)
 {
     return DER_EncodeTimeChoice_Util(arena, output, input);
 }
 
-SEC_ASN1DecoderContext *SEC_ASN1DecoderStart(PLArenaPool *pool,
-						    void *dest,
-						    const SEC_ASN1Template *t)
+SEC_ASN1DecoderContext *
+SEC_ASN1DecoderStart(PLArenaPool *pool,
+                     void *dest,
+                     const SEC_ASN1Template *t)
 {
     return SEC_ASN1DecoderStart_Util(pool, dest, t);
 }
 
-SECStatus SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx,
-				       const char *buf,
-				       unsigned long len)
+SECStatus
+SEC_ASN1DecoderUpdate(SEC_ASN1DecoderContext *cx,
+                      const char *buf,
+                      unsigned long len)
 {
     return SEC_ASN1DecoderUpdate_Util(cx, buf, len);
 }
 
-SECStatus SEC_ASN1DecoderFinish(SEC_ASN1DecoderContext *cx)
+SECStatus
+SEC_ASN1DecoderFinish(SEC_ASN1DecoderContext *cx)
 {
     return SEC_ASN1DecoderFinish_Util(cx);
 }
 
-void SEC_ASN1DecoderAbort(SEC_ASN1DecoderContext *cx, int error)
+void
+SEC_ASN1DecoderAbort(SEC_ASN1DecoderContext *cx, int error)
 {
     SEC_ASN1DecoderAbort_Util(cx, error);
 }
 
-void SEC_ASN1DecoderSetFilterProc(SEC_ASN1DecoderContext *cx,
-					 SEC_ASN1WriteProc fn,
-					 void *arg, PRBool no_store)
+void
+SEC_ASN1DecoderSetFilterProc(SEC_ASN1DecoderContext *cx,
+                             SEC_ASN1WriteProc fn,
+                             void *arg, PRBool no_store)
 {
     SEC_ASN1DecoderSetFilterProc_Util(cx, fn, arg, no_store);
 }
 
-void SEC_ASN1DecoderClearFilterProc(SEC_ASN1DecoderContext *cx)
+void
+SEC_ASN1DecoderClearFilterProc(SEC_ASN1DecoderContext *cx)
 {
     SEC_ASN1DecoderClearFilterProc_Util(cx);
 }
 
-void SEC_ASN1DecoderSetNotifyProc(SEC_ASN1DecoderContext *cx,
-					 SEC_ASN1NotifyProc fn,
-					 void *arg)
+void
+SEC_ASN1DecoderSetNotifyProc(SEC_ASN1DecoderContext *cx,
+                             SEC_ASN1NotifyProc fn,
+                             void *arg)
 {
     SEC_ASN1DecoderSetNotifyProc_Util(cx, fn, arg);
 }
 
-void SEC_ASN1DecoderClearNotifyProc(SEC_ASN1DecoderContext *cx)
+void
+SEC_ASN1DecoderClearNotifyProc(SEC_ASN1DecoderContext *cx)
 {
     SEC_ASN1DecoderClearNotifyProc_Util(cx);
 }
 
-SECStatus SEC_ASN1Decode(PLArenaPool *pool, void *dest,
-				const SEC_ASN1Template *t,
-				const char *buf, long len)
+SECStatus
+SEC_ASN1Decode(PLArenaPool *pool, void *dest,
+               const SEC_ASN1Template *t,
+               const char *buf, long len)
 {
     return SEC_ASN1Decode_Util(pool, dest, t, buf, len);
 }
 
-SECStatus SEC_ASN1DecodeItem(PLArenaPool *pool, void *dest,
-				    const SEC_ASN1Template *t,
-				    const SECItem *src)
+SECStatus
+SEC_ASN1DecodeItem(PLArenaPool *pool, void *dest,
+                   const SEC_ASN1Template *t,
+                   const SECItem *src)
 {
     return SEC_ASN1DecodeItem_Util(pool, dest, t, src);
 }
 
-SECStatus SEC_QuickDERDecodeItem(PLArenaPool* arena, void* dest,
-                     const SEC_ASN1Template* templateEntry,
-                     const SECItem* src)
+SECStatus
+SEC_QuickDERDecodeItem(PLArenaPool *arena, void *dest,
+                       const SEC_ASN1Template *templateEntry,
+                       const SECItem *src)
 {
     return SEC_QuickDERDecodeItem_Util(arena, dest, templateEntry, src);
 }
 
-SEC_ASN1EncoderContext *SEC_ASN1EncoderStart(const void *src,
-						    const SEC_ASN1Template *t,
-						    SEC_ASN1WriteProc fn,
-						    void *output_arg)
+SEC_ASN1EncoderContext *
+SEC_ASN1EncoderStart(const void *src,
+                     const SEC_ASN1Template *t,
+                     SEC_ASN1WriteProc fn,
+                     void *output_arg)
 {
     return SEC_ASN1EncoderStart_Util(src, t, fn, output_arg);
 }
 
-SECStatus SEC_ASN1EncoderUpdate(SEC_ASN1EncoderContext *cx,
-				       const char *buf,
-				       unsigned long len)
+SECStatus
+SEC_ASN1EncoderUpdate(SEC_ASN1EncoderContext *cx,
+                      const char *buf,
+                      unsigned long len)
 {
     return SEC_ASN1EncoderUpdate_Util(cx, buf, len);
 }
 
-void SEC_ASN1EncoderFinish(SEC_ASN1EncoderContext *cx)
+void
+SEC_ASN1EncoderFinish(SEC_ASN1EncoderContext *cx)
 {
     SEC_ASN1EncoderFinish_Util(cx);
 }
 
-void SEC_ASN1EncoderAbort(SEC_ASN1EncoderContext *cx, int error)
+void
+SEC_ASN1EncoderAbort(SEC_ASN1EncoderContext *cx, int error)
 {
     SEC_ASN1EncoderAbort_Util(cx, error);
 }
 
-void SEC_ASN1EncoderSetNotifyProc(SEC_ASN1EncoderContext *cx,
-					 SEC_ASN1NotifyProc fn,
-					 void *arg)
+void
+SEC_ASN1EncoderSetNotifyProc(SEC_ASN1EncoderContext *cx,
+                             SEC_ASN1NotifyProc fn,
+                             void *arg)
 {
     SEC_ASN1EncoderSetNotifyProc_Util(cx, fn, arg);
 }
 
-void SEC_ASN1EncoderClearNotifyProc(SEC_ASN1EncoderContext *cx)
+void
+SEC_ASN1EncoderClearNotifyProc(SEC_ASN1EncoderContext *cx)
 {
     SEC_ASN1EncoderClearNotifyProc_Util(cx);
 }
 
-void SEC_ASN1EncoderSetStreaming(SEC_ASN1EncoderContext *cx)
+void
+SEC_ASN1EncoderSetStreaming(SEC_ASN1EncoderContext *cx)
 {
     SEC_ASN1EncoderSetStreaming_Util(cx);
 }
 
-void SEC_ASN1EncoderClearStreaming(SEC_ASN1EncoderContext *cx)
+void
+SEC_ASN1EncoderClearStreaming(SEC_ASN1EncoderContext *cx)
 {
     SEC_ASN1EncoderClearStreaming_Util(cx);
 }
 
-void SEC_ASN1EncoderSetTakeFromBuf(SEC_ASN1EncoderContext *cx)
+void
+SEC_ASN1EncoderSetTakeFromBuf(SEC_ASN1EncoderContext *cx)
 {
     SEC_ASN1EncoderSetTakeFromBuf_Util(cx);
 }
 
-void SEC_ASN1EncoderClearTakeFromBuf(SEC_ASN1EncoderContext *cx)
+void
+SEC_ASN1EncoderClearTakeFromBuf(SEC_ASN1EncoderContext *cx)
 {
     SEC_ASN1EncoderClearTakeFromBuf_Util(cx);
 }
 
-SECStatus SEC_ASN1Encode(const void *src, const SEC_ASN1Template *t,
-				SEC_ASN1WriteProc output_proc,
-				void *output_arg)
+SECStatus
+SEC_ASN1Encode(const void *src, const SEC_ASN1Template *t,
+               SEC_ASN1WriteProc output_proc,
+               void *output_arg)
 {
     return SEC_ASN1Encode_Util(src, t, output_proc, output_arg);
 }
 
-SECItem * SEC_ASN1EncodeItem(PLArenaPool *pool, SECItem *dest,
-				    const void *src, const SEC_ASN1Template *t)
+SECItem *
+SEC_ASN1EncodeItem(PLArenaPool *pool, SECItem *dest,
+                   const void *src, const SEC_ASN1Template *t)
 {
     return SEC_ASN1EncodeItem_Util(pool, dest, src, t);
 }
 
-SECItem * SEC_ASN1EncodeInteger(PLArenaPool *pool,
-				       SECItem *dest, long value)
+SECItem *
+SEC_ASN1EncodeInteger(PLArenaPool *pool,
+                      SECItem *dest, long value)
 {
     return SEC_ASN1EncodeInteger_Util(pool, dest, value);
 }
 
-SECItem * SEC_ASN1EncodeUnsignedInteger(PLArenaPool *pool,
-					       SECItem *dest,
-					       unsigned long value)
+SECItem *
+SEC_ASN1EncodeUnsignedInteger(PLArenaPool *pool,
+                              SECItem *dest,
+                              unsigned long value)
 {
     return SEC_ASN1EncodeUnsignedInteger_Util(pool, dest, value);
 }
 
-SECStatus SEC_ASN1DecodeInteger(SECItem *src,
-				       unsigned long *value)
+SECStatus
+SEC_ASN1DecodeInteger(SECItem *src,
+                      unsigned long *value)
 {
     return SEC_ASN1DecodeInteger_Util(src, value);
 }
 
-int SEC_ASN1LengthLength (unsigned long len)
+int
+SEC_ASN1LengthLength(unsigned long len)
 {
     return SEC_ASN1LengthLength_Util(len);
 }
 
-char *BTOA_DataToAscii(const unsigned char *data, unsigned int len)
+char *
+BTOA_DataToAscii(const unsigned char *data, unsigned int len)
 {
     return BTOA_DataToAscii_Util(data, len);
 }
 
-unsigned char *ATOB_AsciiToData(const char *string, unsigned int *lenp)
+unsigned char *
+ATOB_AsciiToData(const char *string, unsigned int *lenp)
 {
     return ATOB_AsciiToData_Util(string, lenp);
 }
- 
-SECStatus ATOB_ConvertAsciiToItem(SECItem *binary_item, const char *ascii)
+
+SECStatus
+ATOB_ConvertAsciiToItem(SECItem *binary_item, const char *ascii)
 {
     return ATOB_ConvertAsciiToItem_Util(binary_item, ascii);
 }
 
-char *BTOA_ConvertItemToAscii(SECItem *binary_item)
+char *
+BTOA_ConvertItemToAscii(SECItem *binary_item)
 {
     return BTOA_ConvertItemToAscii_Util(binary_item);
 }
 
 NSSBase64Decoder *
-NSSBase64Decoder_Create (PRInt32 (*output_fn) (void *, const unsigned char *,
-					       PRInt32),
-			 void *output_arg)
+NSSBase64Decoder_Create(PRInt32 (*output_fn)(void *, const unsigned char *,
+                                             PRInt32),
+                        void *output_arg)
 {
     return NSSBase64Decoder_Create_Util(output_fn, output_arg);
 }
 
 NSSBase64Encoder *
-NSSBase64Encoder_Create (PRInt32 (*output_fn) (void *, const char *, PRInt32),
-			 void *output_arg)
+NSSBase64Encoder_Create(PRInt32 (*output_fn)(void *, const char *, PRInt32),
+                        void *output_arg)
 {
     return NSSBase64Encoder_Create_Util(output_fn, output_arg);
 }
 
 SECStatus
-NSSBase64Decoder_Update (NSSBase64Decoder *data, const char *buffer,
-			 PRUint32 size)
+NSSBase64Decoder_Update(NSSBase64Decoder *data, const char *buffer,
+                        PRUint32 size)
 {
     return NSSBase64Decoder_Update_Util(data, buffer, size);
 }
 
 SECStatus
-NSSBase64Encoder_Update (NSSBase64Encoder *data, const unsigned char *buffer,
-			 PRUint32 size)
+NSSBase64Encoder_Update(NSSBase64Encoder *data, const unsigned char *buffer,
+                        PRUint32 size)
 {
     return NSSBase64Encoder_Update_Util(data, buffer, size);
 }
 
 SECStatus
-NSSBase64Decoder_Destroy (NSSBase64Decoder *data, PRBool abort_p)
+NSSBase64Decoder_Destroy(NSSBase64Decoder *data, PRBool abort_p)
 {
     return NSSBase64Decoder_Destroy_Util(data, abort_p);
 }
 
 SECStatus
-NSSBase64Encoder_Destroy (NSSBase64Encoder *data, PRBool abort_p)
+NSSBase64Encoder_Destroy(NSSBase64Encoder *data, PRBool abort_p)
 {
     return NSSBase64Encoder_Destroy_Util(data, abort_p);
 }
 
 SECItem *
-NSSBase64_DecodeBuffer (PLArenaPool *arenaOpt, SECItem *outItemOpt,
-			const char *inStr, unsigned int inLen)
+NSSBase64_DecodeBuffer(PLArenaPool *arenaOpt, SECItem *outItemOpt,
+                       const char *inStr, unsigned int inLen)
 {
     return NSSBase64_DecodeBuffer_Util(arenaOpt, outItemOpt, inStr, inLen);
 }
 
 char *
-NSSBase64_EncodeItem (PLArenaPool *arenaOpt, char *outStrOpt,
-		      unsigned int maxOutLen, SECItem *inItem)
+NSSBase64_EncodeItem(PLArenaPool *arenaOpt, char *outStrOpt,
+                     unsigned int maxOutLen, SECItem *inItem)
 {
     return NSSBase64_EncodeItem_Util(arenaOpt, outStrOpt, maxOutLen, inItem);
 }
 
-NSSRWLock* NSSRWLock_New(PRUint32 lock_rank, const char *lock_name)
+NSSRWLock *
+NSSRWLock_New(PRUint32 lock_rank, const char *lock_name)
 {
     return NSSRWLock_New_Util(lock_rank, lock_name);
 }
 
-void NSSRWLock_Destroy(NSSRWLock *lock)
+void
+NSSRWLock_Destroy(NSSRWLock *lock)
 {
     NSSRWLock_Destroy_Util(lock);
 }
 
-void NSSRWLock_LockRead(NSSRWLock *lock)
+void
+NSSRWLock_LockRead(NSSRWLock *lock)
 {
     NSSRWLock_LockRead_Util(lock);
 }
 
-void NSSRWLock_LockWrite(NSSRWLock *lock)
+void
+NSSRWLock_LockWrite(NSSRWLock *lock)
 {
     NSSRWLock_LockWrite_Util(lock);
 }
 
-void NSSRWLock_UnlockRead(NSSRWLock *lock)
+void
+NSSRWLock_UnlockRead(NSSRWLock *lock)
 {
     NSSRWLock_UnlockRead_Util(lock);
 }
 
-void NSSRWLock_UnlockWrite(NSSRWLock *lock)
+void
+NSSRWLock_UnlockWrite(NSSRWLock *lock)
 {
     NSSRWLock_UnlockWrite_Util(lock);
 }
 
-PRBool NSSRWLock_HaveWriteLock(NSSRWLock *rwlock)
+PRBool
+NSSRWLock_HaveWriteLock(NSSRWLock *rwlock)
 {
     return NSSRWLock_HaveWriteLock_Util(rwlock);
 }
 
-SECStatus __nss_InitLock(   PZLock    **ppLock, nssILockType ltype )
+SECStatus
+__nss_InitLock(PZLock **ppLock, nssILockType ltype)
 {
     PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
     return SECFailure;
 }
 
 /* templates duplicated in libnss3 and libnssutil3 */
 
 #undef NSS_Get_SEC_AnyTemplate
@@ -786,9 +863,8 @@ SECStatus __nss_InitLock(   PZLock    **
 #undef SEC_PointerToOctetStringTemplate
 #undef SEC_SetOfAnyTemplate
 #undef SEC_UTCTimeTemplate
 #undef SEC_UTF8StringTemplate
 #undef SECOID_AlgorithmIDTemplate
 #undef sgn_DigestInfoTemplate
 
 #include "templates.c"
-
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -7010,27 +7010,18 @@ ssl_PickSignatureScheme(sslSocket *ss, S
 /* ssl3_PickServerSignatureScheme selects a signature scheme for signing the
  * handshake.  Most of this is determined by the key pair we are using.
  * Prior to TLS 1.2, the MD5/SHA1 combination is always used. With TLS 1.2, a
  * client may advertise its support for signature and hash combinations. */
 static SECStatus
 ssl3_PickServerSignatureScheme(sslSocket *ss)
 {
     sslKeyPair *keyPair = ss->sec.serverCert->serverKeyPair;
-    SECStatus rv;
 
     if (ss->ssl3.hs.numClientSigScheme == 0) {
-        if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
-            /* TODO test what happens when we strip signature_algorithms... this
-             might not be needed */
-            (void)SSL3_SendAlert(ss, alert_fatal, missing_extension);
-            PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
-            return SECFailure;
-        }
-
         /* If the client didn't provide any signature_algorithms extension then
          * we can assume that they support SHA-1: RFC5246, Section 7.4.1.4.1 */
         switch (SECKEY_GetPublicKeyType(keyPair->pubKey)) {
             case rsaKey:
                 ss->ssl3.hs.signatureScheme = ssl_sig_rsa_pkcs1_sha1;
                 break;
             case ecKey:
                 ss->ssl3.hs.signatureScheme = ssl_sig_ecdsa_sha1;
@@ -7041,26 +7032,21 @@ ssl3_PickServerSignatureScheme(sslSocket
             default:
                 PORT_Assert(0);
                 PORT_SetError(SEC_ERROR_INVALID_KEY);
                 return SECFailure;
         }
         return SECSuccess;
     }
 
-    rv = ssl_PickSignatureScheme(ss, keyPair->pubKey,
-                                 ss->ssl3.hs.clientSigSchemes,
-                                 ss->ssl3.hs.numClientSigScheme,
-                                 PR_FALSE);
-    if (rv != SECSuccess) {
-        (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
-        /* Error code set by ssl3_PickSignatureScheme */
-        return SECFailure;
-    }
-    return SECSuccess;
+    /* Sets error code, if needed. */
+    return ssl_PickSignatureScheme(ss, keyPair->pubKey,
+                                   ss->ssl3.hs.clientSigSchemes,
+                                   ss->ssl3.hs.numClientSigScheme,
+                                   PR_FALSE);
 }
 
 static SECStatus
 ssl_PickClientSignatureScheme(sslSocket *ss, const SignatureScheme *schemes,
                               unsigned int numSchemes)
 {
     SECKEYPublicKey *key;
     SECStatus rv;
@@ -13110,16 +13096,23 @@ ssl_ConstantTimeGE(unsigned int a, unsig
 static unsigned char
 ssl_ConstantTimeEQ8(unsigned char a, unsigned char b)
 {
     unsigned int c = a ^ b;
     c--;
     return DUPLICATE_MSB_TO_ALL_8(c);
 }
 
+/* ssl_constantTimeSelect return a if mask is 0xFF and b if mask is 0x00 */
+static unsigned char
+ssl_constantTimeSelect(unsigned char mask, unsigned char a, unsigned char b)
+{
+    return (mask & a) | (~mask & b);
+}
+
 static SECStatus
 ssl_RemoveSSLv3CBCPadding(sslBuffer *plaintext,
                           unsigned int blockSize,
                           unsigned int macSize)
 {
     unsigned int paddingLength, good, t;
     const unsigned int overhead = 1 /* padding length byte */ + macSize;
 
@@ -13213,53 +13206,89 @@ ssl_CBCExtractMAC(sslBuffer *plaintext,
     unsigned char rotatedMac[MAX_MAC_LENGTH];
     /* macEnd is the index of |plaintext->buf| just after the end of the
      * MAC. */
     unsigned macEnd = plaintext->len;
     unsigned macStart = macEnd - macSize;
     /* scanStart contains the number of bytes that we can ignore because
      * the MAC's position can only vary by 255 bytes. */
     unsigned scanStart = 0;
-    unsigned i, j, divSpoiler;
+    unsigned i, j;
     unsigned char rotateOffset;
 
-    if (originalLength > macSize + 255 + 1)
+    if (originalLength > macSize + 255 + 1) {
         scanStart = originalLength - (macSize + 255 + 1);
-
-    /* divSpoiler contains a multiple of macSize that is used to cause the
-     * modulo operation to be constant time. Without this, the time varies
-     * based on the amount of padding when running on Intel chips at least.
-     *
-     * The aim of right-shifting macSize is so that the compiler doesn't
-     * figure out that it can remove divSpoiler as that would require it
-     * to prove that macSize is always even, which I hope is beyond it. */
-    divSpoiler = macSize >> 1;
-    divSpoiler <<= (sizeof(divSpoiler) - 1) * 8;
-    rotateOffset = (divSpoiler + macStart - scanStart) % macSize;
+    }
+
+    /* We want to compute
+     * rotateOffset = (macStart - scanStart) % macSize
+     * But the time to compute this varies based on the amount of padding. Thus
+     * we explicitely handle all mac sizes with (hopefully) constant time modulo
+     * using Barrett reduction:
+     *  q := (rotateOffset * m) >> k
+     *  rotateOffset -= q * n
+     *  if (n <= rotateOffset) rotateOffset -= n
+     */
+    rotateOffset = macStart - scanStart;
+    /* rotateOffset < 255 + 1 + 48 = 304 */
+    if (macSize == 16) {
+        rotateOffset &= 15;
+    } else if (macSize == 20) {
+        /*
+         * Correctness: rotateOffset * ( 1/20 - 25/2^9 ) < 1
+         *              with rotateOffset <= 853
+         */
+        unsigned q = (rotateOffset * 25) >> 9;
+        rotateOffset -= q * 20;
+        rotateOffset -= ssl_constantTimeSelect(ssl_ConstantTimeGE(rotateOffset, 20),
+                                               20, 0);
+    } else if (macSize == 32) {
+        rotateOffset &= 31;
+    } else if (macSize == 48) {
+        /*
+         * Correctness: rotateOffset * ( 1/48 - 10/2^9 ) < 1
+         *              with rotateOffset < 768
+         */
+        unsigned q = (rotateOffset * 10) >> 9;
+        rotateOffset -= q * 48;
+        rotateOffset -= ssl_constantTimeSelect(ssl_ConstantTimeGE(rotateOffset, 48),
+                                               48, 0);
+    } else {
+        /*
+         * SHA384 (macSize == 48) is the largest we support. We should never
+         * get here.
+         */
+        PORT_Assert(0);
+        rotateOffset = rotateOffset % macSize;
+    }
 
     memset(rotatedMac, 0, macSize);
     for (i = scanStart; i < originalLength;) {
         for (j = 0; j < macSize && i < originalLength; i++, j++) {
             unsigned char macStarted = ssl_ConstantTimeGE(i, macStart);
             unsigned char macEnded = ssl_ConstantTimeGE(i, macEnd);
             unsigned char b = 0;
             b = plaintext->buf[i];
             rotatedMac[j] |= b & macStarted & ~macEnded;
         }
     }
 
     /* Now rotate the MAC. If we knew that the MAC fit into a CPU cache line
      * we could line-align |rotatedMac| and rotate in place. */
     memset(out, 0, macSize);
+    rotateOffset = macSize - rotateOffset;
+    rotateOffset = ssl_constantTimeSelect(ssl_ConstantTimeGE(rotateOffset, macSize),
+                                          0, rotateOffset);
     for (i = 0; i < macSize; i++) {
-        unsigned char offset =
-            (divSpoiler + macSize - rotateOffset + i) % macSize;
         for (j = 0; j < macSize; j++) {
-            out[j] |= rotatedMac[i] & ssl_ConstantTimeEQ8(j, offset);
-        }
+            out[j] |= rotatedMac[i] & ssl_ConstantTimeEQ8(j, rotateOffset);
+        }
+        rotateOffset++;
+        rotateOffset = ssl_constantTimeSelect(ssl_ConstantTimeGE(rotateOffset, macSize),
+                                              0, rotateOffset);
     }
 }
 
 /* Unprotect an SSL3 record and leave the result in plaintext.
  *
  * If SECFailure is returned, we:
  * 1. Set |*alert| to the alert to be sent.
  * 2. Call PORT_SetError() with an appropriate code.
--- a/security/nss/lib/ssl/tls13con.c
+++ b/security/nss/lib/ssl/tls13con.c
@@ -1039,18 +1039,27 @@ tls13_HandleClientHelloPart2(sslSocket *
                                 &ss->ssl3.hs.srvVirtName) != SECEqual) {
             FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_CLIENT_HELLO,
                         handshake_failure);
             return SECFailure;
         }
     }
 
     if (!ss->statelessResume) {
+        if (ss->ssl3.hs.numClientSigScheme == 0) {
+            /* TODO test what happens when we strip signature_algorithms...
+                    this might not be needed */
+            PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+            FATAL_ERROR(ss, PORT_GetError(), missing_extension);
+            return SECFailure;
+        }
+
         rv = ssl3_SelectServerCert(ss);
         if (rv != SECSuccess) {
+            FATAL_ERROR(ss, PORT_GetError(), handshake_failure);
             return SECFailure;
         }
     }
 
     /* If this is TLS 1.3 we are expecting a ClientKeyShare
      * extension. Missing/absent extension cause failure
      * below. */
     rv = tls13_HandleClientKeyShare(ss);
--- a/security/nss/lib/sysinit/nsssysinit.c
+++ b/security/nss/lib/sysinit/nsssysinit.c
@@ -19,253 +19,253 @@
  * OS Specific function to get where the NSS user database should reside.
  */
 
 #ifdef XP_UNIX
 #include <unistd.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 
-static int 
+static int
 testdir(char *dir)
 {
-   struct stat buf;
-   memset(&buf, 0, sizeof(buf));
+    struct stat buf;
+    memset(&buf, 0, sizeof(buf));
 
-   if (stat(dir,&buf) < 0) {
-	return 0;
-   }
+    if (stat(dir, &buf) < 0) {
+        return 0;
+    }
 
-   return S_ISDIR(buf.st_mode);
+    return S_ISDIR(buf.st_mode);
 }
 
 #define NSS_USER_PATH1 "/.pki"
 #define NSS_USER_PATH2 "/nssdb"
 static char *
 getUserDB(void)
 {
-   char *userdir = PR_GetEnvSecure("HOME");
-   char *nssdir = NULL;
+    char *userdir = PR_GetEnvSecure("HOME");
+    char *nssdir = NULL;
 
-   if (userdir == NULL) {
-	return NULL;
-   }
+    if (userdir == NULL) {
+        return NULL;
+    }
 
-   nssdir = PORT_Alloc(strlen(userdir)
-		+sizeof(NSS_USER_PATH1)+sizeof(NSS_USER_PATH2));
-   if (nssdir == NULL) {
-	return NULL;
-   }
-   PORT_Strcpy(nssdir, userdir);
-   /* verify it exists */
-   if (!testdir(nssdir)) {
-	PORT_Free(nssdir);
-	return NULL;
-   }
-   PORT_Strcat(nssdir, NSS_USER_PATH1);
-   if (!testdir(nssdir) && mkdir(nssdir, 0760)) {
-	PORT_Free(nssdir);
-	return NULL;
-   }
-   PORT_Strcat(nssdir, NSS_USER_PATH2);
-   if (!testdir(nssdir) && mkdir(nssdir, 0760)) {
-	PORT_Free(nssdir);
-	return NULL;
-   }
-   return nssdir;
+    nssdir = PORT_Alloc(strlen(userdir) + sizeof(NSS_USER_PATH1) + sizeof(NSS_USER_PATH2));
+    if (nssdir == NULL) {
+        return NULL;
+    }
+    PORT_Strcpy(nssdir, userdir);
+    /* verify it exists */
+    if (!testdir(nssdir)) {
+        PORT_Free(nssdir);
+        return NULL;
+    }
+    PORT_Strcat(nssdir, NSS_USER_PATH1);
+    if (!testdir(nssdir) && mkdir(nssdir, 0760)) {
+        PORT_Free(nssdir);
+        return NULL;
+    }
+    PORT_Strcat(nssdir, NSS_USER_PATH2);
+    if (!testdir(nssdir) && mkdir(nssdir, 0760)) {
+        PORT_Free(nssdir);
+        return NULL;
+    }
+    return nssdir;
 }
 
 #define NSS_DEFAULT_SYSTEM "/etc/pki/nssdb"
 static char *
-getSystemDB(void) {
-   return PORT_Strdup(NSS_DEFAULT_SYSTEM);
+getSystemDB(void)
+{
+    return PORT_Strdup(NSS_DEFAULT_SYSTEM);
 }
 
 static PRBool
 userIsRoot()
 {
-   /* this works for linux and all unixes that we know off
-	  though it isn't stated as such in POSIX documentation */
-   return getuid() == 0;
+    /* this works for linux and all unixes that we know off
+       though it isn't stated as such in POSIX documentation */
+    return getuid() == 0;
 }
 
 static PRBool
 userCanModifySystemDB()
 {
-   return (access(NSS_DEFAULT_SYSTEM, W_OK) == 0);
+    return (access(NSS_DEFAULT_SYSTEM, W_OK) == 0);
 }
 
 #else
 #ifdef XP_WIN
 static char *
 getUserDB(void)
 {
-   /* use the registry to find the user's NSS_DIR. if no entry exists, create
-    * one in the users Appdir location */
-   return NULL;
+    /* use the registry to find the user's NSS_DIR. if no entry exists, create
+     * one in the users Appdir location */
+    return NULL;
 }
 
 static char *
 getSystemDB(void)
 {
-   /* use the registry to find the system's NSS_DIR. if no entry exists, create
-    * one based on the windows system data area */
-   return NULL;
+    /* use the registry to find the system's NSS_DIR. if no entry exists, create
+     * one based on the windows system data area */
+    return NULL;
 }
 
 static PRBool
 userIsRoot()
 {
-   /* use the registry to find if the user is the system administrator. */
-   return PR_FALSE;
+    /* use the registry to find if the user is the system administrator. */
+    return PR_FALSE;
 }
 
 static PRBool
 userCanModifySystemDB()
 {
-   /* use the registry to find if the user has administrative privilege 
+    /* use the registry to find if the user has administrative privilege
     * to modify the system's nss database. */
-   return PR_FALSE;
+    return PR_FALSE;
 }
 
 #else
 #error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions"
 #endif
 #endif
 
-static PRBool 
+static PRBool
 getFIPSEnv(void)
 {
     char *fipsEnv = PR_GetEnvSecure("NSS_FIPS");
     if (!fipsEnv) {
-	return PR_FALSE;
+        return PR_FALSE;
     }
-    if ((strcasecmp(fipsEnv,"fips") == 0) ||
-	(strcasecmp(fipsEnv,"true") == 0) ||
-	(strcasecmp(fipsEnv,"on") == 0) ||
-	(strcasecmp(fipsEnv,"1") == 0)) {
-	 return PR_TRUE;
+    if ((strcasecmp(fipsEnv, "fips") == 0) ||
+        (strcasecmp(fipsEnv, "true") == 0) ||
+        (strcasecmp(fipsEnv, "on") == 0) ||
+        (strcasecmp(fipsEnv, "1") == 0)) {
+        return PR_TRUE;
     }
     return PR_FALSE;
 }
 #ifdef XP_LINUX
 
-static PRBool 
+static PRBool
 getFIPSMode(void)
 {
     FILE *f;
     char d;
     size_t size;
 
     f = fopen("/proc/sys/crypto/fips_enabled", "r");
     if (!f) {
-	/* if we don't have a proc flag, fall back to the 
-	 * environment variable */
-	return getFIPSEnv();
+        /* if we don't have a proc flag, fall back to the
+     * environment variable */
+        return getFIPSEnv();
     }
 
     size = fread(&d, 1, 1, f);
     fclose(f);
     if (size != 1)
         return PR_FALSE;
     if (d != '1')
         return PR_FALSE;
     return PR_TRUE;
 }
 
 #else
-static PRBool 
+static PRBool
 getFIPSMode(void)
 {
     return getFIPSEnv();
 }
 #endif
 
-
 #define NSS_DEFAULT_FLAGS "flags=readonly"
 
 /* configuration flags according to
  * https://developer.mozilla.org/en/PKCS11_Module_Specs
  * As stated there the slotParams start with a slot name which is a slotID
  * Slots 1 through 3 are reserved for the nss internal modules as follows:
  * 1 for crypto operations slot non-fips,
  * 2 for the key slot, and
  * 3 for the crypto operations slot fips
  */
 #define CIPHER_ORDER_FLAGS "cipherOrder=100"
-#define SLOT_FLAGS \
-	"[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \
-	" askpw=any timeout=30 ]"
- 
+#define SLOT_FLAGS                                                  \
+    "[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \
+    " askpw=any timeout=30 ]"
+
 static const char *nssDefaultFlags =
-	CIPHER_ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " }  ";
+    CIPHER_ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " }  ";
 
 static const char *nssDefaultFIPSFlags =
-	CIPHER_ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " }  ";
+    CIPHER_ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " }  ";
 
 /*
  * This function builds the list of databases and modules to load, and sets
  * their configuration. For the sample we have a fixed set.
  *  1. We load the user's home nss database.
  *  2. We load the user's custom PKCS #11 modules.
  *  3. We load the system nss database readonly.
  *
  * Any space allocated in get_list must be freed in release_list.
  * This function can use whatever information is available to the application.
- * it is running in the process of the application for which it is making 
+ * it is running in the process of the application for which it is making
  * decisions, so it's possible to acquire the application name as part of
  * the decision making process.
  *
  */
 static char **
 get_list(char *filename, char *stripped_parameters)
 {
     char **module_list = PORT_ZNewArray(char *, 5);
     char *userdb, *sysdb;
     int isFIPS = getFIPSMode();
     const char *nssflags = isFIPS ? nssDefaultFIPSFlags : nssDefaultFlags;
     int next = 0;
 
     /* can't get any space */
     if (module_list == NULL) {
-	return NULL;
+        return NULL;
     }
 
     sysdb = getSystemDB();
     userdb = getUserDB();
 
     /* Don't open root's user DB */
     if (userdb != NULL && !userIsRoot()) {
-	/* return a list of databases to open. First the user Database */
-	module_list[next++] = PR_smprintf(
-	    "library= "
-	    "module=\"NSS User database\" "
-	    "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" "
-        "NSS=\"trustOrder=75 %sflags=internal%s\"",
-        userdb, stripped_parameters, nssflags,
-        isFIPS ? ",FIPS" : "");
+        /* return a list of databases to open. First the user Database */
+        module_list[next++] = PR_smprintf(
+            "library= "
+            "module=\"NSS User database\" "
+            "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" "
+            "NSS=\"trustOrder=75 %sflags=internal%s\"",
+            userdb, stripped_parameters, nssflags,
+            isFIPS ? ",FIPS" : "");
 
-	/* now open the user's defined PKCS #11 modules */
-	/* skip the local user DB entry */
-	module_list[next++] = PR_smprintf(
-	    "library= "
-	    "module=\"NSS User database\" "
-	    "parameters=\"configdir='sql:%s' %s\" "
-	    "NSS=\"flags=internal,moduleDBOnly,defaultModDB,skipFirst\"", 
-		userdb, stripped_parameters);
-	}
+        /* now open the user's defined PKCS #11 modules */
+        /* skip the local user DB entry */
+        module_list[next++] = PR_smprintf(
+            "library= "
+            "module=\"NSS User database\" "
+            "parameters=\"configdir='sql:%s' %s\" "
+            "NSS=\"flags=internal,moduleDBOnly,defaultModDB,skipFirst\"",
+            userdb, stripped_parameters);
+    }
 
     /* now the system database (always read only unless it's root) */
     if (sysdb) {
-	    const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
-	    module_list[next++] = PR_smprintf(
-	      "library= "
-	      "module=\"NSS system database\" "
-	      "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
-	      "NSS=\"trustOrder=80 %sflags=internal,critical\"",sysdb, readonly, nssflags);
+        const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
+        module_list[next++] = PR_smprintf(
+            "library= "
+            "module=\"NSS system database\" "
+            "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
+            "NSS=\"trustOrder=80 %sflags=internal,critical\"",
+            sysdb, readonly, nssflags);
     }
 
     /* that was the last module */
     module_list[next] = 0;
 
     PORT_Free(userdb);
     PORT_Free(sysdb);
 
@@ -274,48 +274,47 @@ get_list(char *filename, char *stripped_
 
 static char **
 release_list(char **arg)
 {
     static char *success = "Success";
     int next;
 
     for (next = 0; arg[next]; next++) {
-	free(arg[next]);
+        free(arg[next]);
     }
     PORT_Free(arg);
     return &success;
 }
 
-
 #include "utilpars.h"
 
-#define TARGET_SPEC_COPY(new, start, end)    \
-  if (end > start) {                         \
-        int _cnt = end - start;              \
-        PORT_Memcpy(new, start, _cnt);       \
-        new += _cnt;                         \
-  }
+#define TARGET_SPEC_COPY(new, start, end) \
+    if (end > start) {                    \
+        int _cnt = end - start;           \
+        PORT_Memcpy(new, start, _cnt);    \
+        new += _cnt;                      \
+    }
 
 /*
  * According the strcpy man page:
  *
  * The strings  may  not overlap, and the destination string dest must be
  * large enough to receive the copy.
- * 
+ *
  * This implementation allows target to overlap with src.
  * It does not allow the src to overlap the target.
  *  example: overlapstrcpy(string, string+4) is fine
  *           overlapstrcpy(string+4, string) is not.
  */
 static void
 overlapstrcpy(char *target, char *src)
 {
     while (*src) {
-	*target++ = *src++;
+        *target++ = *src++;
     }
     *target = 0;
 }
 
 /* determine what options the user was trying to open this database with */
 /* filename is the directory pointed to by configdir= */
 /* stripped is the rest of the parameters with configdir= stripped out */
 static SECStatus
@@ -323,82 +322,82 @@ parse_parameters(const char *parameters,
 {
     const char *sourcePrev;
     const char *sourceCurr;
     char *targetCurr;
     char *newStripped;
     *filename = NULL;
     *stripped = NULL;
 
-    newStripped = PORT_Alloc(PORT_Strlen(parameters)+2);
+    newStripped = PORT_Alloc(PORT_Strlen(parameters) + 2);
     targetCurr = newStripped;
     sourcePrev = parameters;
     sourceCurr = NSSUTIL_ArgStrip(parameters);
     TARGET_SPEC_COPY(targetCurr, sourcePrev, sourceCurr);
 
     while (*sourceCurr) {
-	int next;
-	sourcePrev = sourceCurr;
-	NSSUTIL_HANDLE_STRING_ARG(sourceCurr, *filename, "configdir=",
-		sourcePrev = sourceCurr; )
-	NSSUTIL_HANDLE_FINAL_ARG(sourceCurr);
-	TARGET_SPEC_COPY(targetCurr, sourcePrev, sourceCurr);
+        int next;
+        sourcePrev = sourceCurr;
+        NSSUTIL_HANDLE_STRING_ARG(sourceCurr, *filename, "configdir=",
+                                  sourcePrev = sourceCurr;)
+        NSSUTIL_HANDLE_FINAL_ARG(sourceCurr);
+        TARGET_SPEC_COPY(targetCurr, sourcePrev, sourceCurr);
     }
     *targetCurr = 0;
     if (*filename == NULL) {
-	PORT_Free(newStripped);
-	return SECFailure;
+        PORT_Free(newStripped);
+        return SECFailure;
     }
     /* strip off any directives from the filename */
     if (strncmp("sql:", *filename, 4) == 0) {
-	overlapstrcpy(*filename, (*filename)+4);
+        overlapstrcpy(*filename, (*filename) + 4);
     } else if (strncmp("dbm:", *filename, 4) == 0) {
-	overlapstrcpy(*filename, (*filename)+4);
+        overlapstrcpy(*filename, (*filename) + 4);
     } else if (strncmp("extern:", *filename, 7) == 0) {
-	overlapstrcpy(*filename, (*filename)+7);
+        overlapstrcpy(*filename, (*filename) + 7);
     }
     *stripped = newStripped;
     return SECSuccess;
 }
 
 /* entry point */
 char **
 NSS_ReturnModuleSpecData(unsigned long function, char *parameters, void *args)
 {
     char *filename = NULL;
     char *stripped = NULL;
     char **retString = NULL;
     SECStatus rv;
 
     rv = parse_parameters(parameters, &filename, &stripped);
     if (rv != SECSuccess) {
-	/* use defaults */
-	filename = getSystemDB();
-	if (!filename) {
-	    return NULL;
-	}
-	stripped = PORT_Strdup(NSS_DEFAULT_FLAGS);
-	if (!stripped) {
-	    free(filename);
-	    return NULL;
-	}
+        /* use defaults */
+        filename = getSystemDB();
+        if (!filename) {
+            return NULL;
+        }
+        stripped = PORT_Strdup(NSS_DEFAULT_FLAGS);
+        if (!stripped) {
+            free(filename);
+            return NULL;
+        }
     }
     switch (function) {
-    case SECMOD_MODULE_DB_FUNCTION_FIND:
-	retString = get_list(filename, stripped);
-	break;
-    case SECMOD_MODULE_DB_FUNCTION_RELEASE:
-	retString = release_list((char **)args);
-	break;
-    /* can't add or delete from this module DB */
-    case SECMOD_MODULE_DB_FUNCTION_ADD:
-    case SECMOD_MODULE_DB_FUNCTION_DEL:
-	retString = NULL;
-	break;
-    default:
-	retString = NULL;
-	break;
+        case SECMOD_MODULE_DB_FUNCTION_FIND:
+            retString = get_list(filename, stripped);
+            break;
+        case SECMOD_MODULE_DB_FUNCTION_RELEASE:
+            retString = release_list((char **)args);
+            break;
+        /* can't add or delete from this module DB */
+        case SECMOD_MODULE_DB_FUNCTION_ADD:
+        case SECMOD_MODULE_DB_FUNCTION_DEL:
+            retString = NULL;
+            break;
+        default:
+            retString = NULL;
+            break;
     }
 
     PORT_Free(filename);
     PORT_Free(stripped);
     return retString;
 }
--- a/security/nss/lib/util/SECerrs.h
+++ b/security/nss/lib/util/SECerrs.h
@@ -1,553 +1,551 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* General security error codes  */
 /* Caller must #include "secerr.h" */
 
-ER3(SEC_ERROR_IO,				SEC_ERROR_BASE + 0,
-"An I/O error occurred during security authorization.")
+ER3(SEC_ERROR_IO, SEC_ERROR_BASE + 0,
+    "An I/O error occurred during security authorization.")
 
-ER3(SEC_ERROR_LIBRARY_FAILURE,			SEC_ERROR_BASE + 1,
-"security library failure.")
+ER3(SEC_ERROR_LIBRARY_FAILURE, SEC_ERROR_BASE + 1,
+    "security library failure.")
 
-ER3(SEC_ERROR_BAD_DATA,				SEC_ERROR_BASE + 2,
-"security library: received bad data.")
+ER3(SEC_ERROR_BAD_DATA, SEC_ERROR_BASE + 2,
+    "security library: received bad data.")
 
-ER3(SEC_ERROR_OUTPUT_LEN,			SEC_ERROR_BASE + 3,
-"security library: output length error.")
+ER3(SEC_ERROR_OUTPUT_LEN, SEC_ERROR_BASE + 3,
+    "security library: output length error.")
 
-ER3(SEC_ERROR_INPUT_LEN,			SEC_ERROR_BASE + 4,
-"security library has experienced an input length error.")
+ER3(SEC_ERROR_INPUT_LEN, SEC_ERROR_BASE + 4,
+    "security library has experienced an input length error.")
 
-ER3(SEC_ERROR_INVALID_ARGS,			SEC_ERROR_BASE + 5,
-"security library: invalid arguments.")
+ER3(SEC_ERROR_INVALID_ARGS, SEC_ERROR_BASE + 5,
+    "security library: invalid arguments.")
 
-ER3(SEC_ERROR_INVALID_ALGORITHM,		SEC_ERROR_BASE + 6,
-"security library: invalid algorithm.")
+ER3(SEC_ERROR_INVALID_ALGORITHM, SEC_ERROR_BASE + 6,
+    "security library: invalid algorithm.")
 
-ER3(SEC_ERROR_INVALID_AVA,			SEC_ERROR_BASE + 7,
-"security library: invalid AVA.")
+ER3(SEC_ERROR_INVALID_AVA, SEC_ERROR_BASE + 7,
+    "security library: invalid AVA.")
 
-ER3(SEC_ERROR_INVALID_TIME,			SEC_ERROR_BASE + 8,
-"Improperly formatted time string.")
+ER3(SEC_ERROR_INVALID_TIME, SEC_ERROR_BASE + 8,
+    "Improperly formatted time string.")
 
-ER3(SEC_ERROR_BAD_DER,				SEC_ERROR_BASE + 9,
-"security library: improperly formatted DER-encoded message.")
+ER3(SEC_ERROR_BAD_DER, SEC_ERROR_BASE + 9,
+    "security library: improperly formatted DER-encoded message.")
 
-ER3(SEC_ERROR_BAD_SIGNATURE,			SEC_ERROR_BASE + 10,
-"Peer's certificate has an invalid signature.")
+ER3(SEC_ERROR_BAD_SIGNATURE, SEC_ERROR_BASE + 10,
+    "Peer's certificate has an invalid signature.")
 
-ER3(SEC_ERROR_EXPIRED_CERTIFICATE,		SEC_ERROR_BASE + 11,
-"Peer's Certificate has expired.")
+ER3(SEC_ERROR_EXPIRED_CERTIFICATE, SEC_ERROR_BASE + 11,
+    "Peer's Certificate has expired.")
 
-ER3(SEC_ERROR_REVOKED_CERTIFICATE,		SEC_ERROR_BASE + 12,
-"Peer's Certificate has been revoked.")
+ER3(SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_BASE + 12,
+    "Peer's Certificate has been revoked.")
 
-ER3(SEC_ERROR_UNKNOWN_ISSUER,			SEC_ERROR_BASE + 13,
-"Peer's Certificate issuer is not recognized.")
+ER3(SEC_ERROR_UNKNOWN_ISSUER, SEC_ERROR_BASE + 13,
+    "Peer's Certificate issuer is not recognized.")
 
-ER3(SEC_ERROR_BAD_KEY,				SEC_ERROR_BASE + 14,
-"Peer's public key is invalid.")
+ER3(SEC_ERROR_BAD_KEY, SEC_ERROR_BASE + 14,
+    "Peer's public key is invalid.")
 
-ER3(SEC_ERROR_BAD_PASSWORD,			SEC_ERROR_BASE + 15,
-"The security password entered is incorrect.")
+ER3(SEC_ERROR_BAD_PASSWORD, SEC_ERROR_BASE + 15,
+    "The security password entered is incorrect.")
 
-ER3(SEC_ERROR_RETRY_PASSWORD,			SEC_ERROR_BASE + 16,
-"New password entered incorrectly.  Please try again.")
+ER3(SEC_ERROR_RETRY_PASSWORD, SEC_ERROR_BASE + 16,
+    "New password entered incorrectly.  Please try again.")
 
-ER3(SEC_ERROR_NO_NODELOCK,			SEC_ERROR_BASE + 17,
-"security library: no nodelock.")
+ER3(SEC_ERROR_NO_NODELOCK, SEC_ERROR_BASE + 17,
+    "security library: no nodelock.")
 
-ER3(SEC_ERROR_BAD_DATABASE,			SEC_ERROR_BASE + 18,
-"security library: bad database.")
+ER3(SEC_ERROR_BAD_DATABASE, SEC_ERROR_BASE + 18,
+    "security library: bad database.")
 
-ER3(SEC_ERROR_NO_MEMORY,			SEC_ERROR_BASE + 19,
-"security library: memory allocation failure.")
+ER3(SEC_ERROR_NO_MEMORY, SEC_ERROR_BASE + 19,
+    "security library: memory allocation failure.")
 
-ER3(SEC_ERROR_UNTRUSTED_ISSUER,			SEC_ERROR_BASE + 20,
-"Peer's certificate issuer has been marked as not trusted by the user.")
+ER3(SEC_ERROR_UNTRUSTED_ISSUER, SEC_ERROR_BASE + 20,
+    "Peer's certificate issuer has been marked as not trusted by the user.")
 
-ER3(SEC_ERROR_UNTRUSTED_CERT,			SEC_ERROR_BASE + 21,
-"Peer's certificate has been marked as not trusted by the user.")
+ER3(SEC_ERROR_UNTRUSTED_CERT, SEC_ERROR_BASE + 21,
+    "Peer's certificate has been marked as not trusted by the user.")
 
-ER3(SEC_ERROR_DUPLICATE_CERT,			(SEC_ERROR_BASE + 22),
-"Certificate already exists in your database.")
+ER3(SEC_ERROR_DUPLICATE_CERT, (SEC_ERROR_BASE + 22),
+    "Certificate already exists in your database.")
 
-ER3(SEC_ERROR_DUPLICATE_CERT_NAME,		(SEC_ERROR_BASE + 23),
-"Downloaded certificate's name duplicates one already in your database.")
+ER3(SEC_ERROR_DUPLICATE_CERT_NAME, (SEC_ERROR_BASE + 23),
+    "Downloaded certificate's name duplicates one already in your database.")
 
-ER3(SEC_ERROR_ADDING_CERT,			(SEC_ERROR_BASE + 24),
-"Error adding certificate to database.")
+ER3(SEC_ERROR_ADDING_CERT, (SEC_ERROR_BASE + 24),
+    "Error adding certificate to database.")
 
-ER3(SEC_ERROR_FILING_KEY,			(SEC_ERROR_BASE + 25),
-"Error refiling the key for this certificate.")
+ER3(SEC_ERROR_FILING_KEY, (SEC_ERROR_BASE + 25),
+    "Error refiling the key for this certificate.")
 
-ER3(SEC_ERROR_NO_KEY,				(SEC_ERROR_BASE + 26),
-"The private key for this certificate cannot be found in key database")
+ER3(SEC_ERROR_NO_KEY, (SEC_ERROR_BASE + 26),
+    "The private key for this certificate cannot be found in key database")
 
-ER3(SEC_ERROR_CERT_VALID,			(SEC_ERROR_BASE + 27),
-"This certificate is valid.")
+ER3(SEC_ERROR_CERT_VALID, (SEC_ERROR_BASE + 27),
+    "This certificate is valid.")
 
-ER3(SEC_ERROR_CERT_NOT_VALID,			(SEC_ERROR_BASE + 28),
-"This certificate is not valid.")
+ER3(SEC_ERROR_CERT_NOT_VALID, (SEC_ERROR_BASE + 28),
+    "This certificate is not valid.")
 
-ER3(SEC_ERROR_CERT_NO_RESPONSE,			(SEC_ERROR_BASE + 29),
-"Cert Library: No Response")
+ER3(SEC_ERROR_CERT_NO_RESPONSE, (SEC_ERROR_BASE + 29),
+    "Cert Library: No Response")
 
-ER3(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE,	(SEC_ERROR_BASE + 30),
-"The certificate issuer's certificate has expired.  Check your system date and time.")
+ER3(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE, (SEC_ERROR_BASE + 30),
+    "The certificate issuer's certificate has expired.  Check your system date and time.")
 
-ER3(SEC_ERROR_CRL_EXPIRED,			(SEC_ERROR_BASE + 31),
-"The CRL for the certificate's issuer has expired.  Update it or check your system date and time.")
+ER3(SEC_ERROR_CRL_EXPIRED, (SEC_ERROR_BASE + 31),
+    "The CRL for the certificate's issuer has expired.  Update it or check your system date and time.")
 
-ER3(SEC_ERROR_CRL_BAD_SIGNATURE,		(SEC_ERROR_BASE + 32),
-"The CRL for the certificate's issuer has an invalid signature.")
+ER3(SEC_ERROR_CRL_BAD_SIGNATURE, (SEC_ERROR_BASE + 32),
+    "The CRL for the certificate's issuer has an invalid signature.")
 
-ER3(SEC_ERROR_CRL_INVALID,			(SEC_ERROR_BASE + 33),
-"New CRL has an invalid format.")
+ER3(SEC_ERROR_CRL_INVALID, (SEC_ERROR_BASE + 33),
+    "New CRL has an invalid format.")
 
-ER3(SEC_ERROR_EXTENSION_VALUE_INVALID,		(SEC_ERROR_BASE + 34),
-"Certificate extension value is invalid.")
+ER3(SEC_ERROR_EXTENSION_VALUE_INVALID, (SEC_ERROR_BASE + 34),
+    "Certificate extension value is invalid.")
 
-ER3(SEC_ERROR_EXTENSION_NOT_FOUND,		(SEC_ERROR_BASE + 35),
-"Certificate extension not found.")
+ER3(SEC_ERROR_EXTENSION_NOT_FOUND, (SEC_ERROR_BASE + 35),
+    "Certificate extension not found.")
+
+ER3(SEC_ERROR_CA_CERT_INVALID, (SEC_ERROR_BASE + 36),
+    "Issuer certificate is invalid.")
 
-ER3(SEC_ERROR_CA_CERT_INVALID,			(SEC_ERROR_BASE + 36),
-"Issuer certificate is invalid.")
-   
-ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID,	(SEC_ERROR_BASE + 37),
-"Certificate path length constraint is invalid.")
+ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID, (SEC_ERROR_BASE + 37),
+    "Certificate path length constraint is invalid.")
 
-ER3(SEC_ERROR_CERT_USAGES_INVALID,		(SEC_ERROR_BASE + 38),
-"Certificate usages field is invalid.")
+ER3(SEC_ERROR_CERT_USAGES_INVALID, (SEC_ERROR_BASE + 38),
+    "Certificate usages field is invalid.")
 
-ER3(SEC_INTERNAL_ONLY,				(SEC_ERROR_BASE + 39),
-"**Internal ONLY module**")
+ER3(SEC_INTERNAL_ONLY, (SEC_ERROR_BASE + 39),
+    "**Internal ONLY module**")
 
-ER3(SEC_ERROR_INVALID_KEY,			(SEC_ERROR_BASE + 40),
-"The key does not support the requested operation.")
+ER3(SEC_ERROR_INVALID_KEY, (SEC_ERROR_BASE + 40),
+    "The key does not support the requested operation.")
 
-ER3(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION,	(SEC_ERROR_BASE + 41),
-"Certificate contains unknown critical extension.")
+ER3(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 41),
+    "Certificate contains unknown critical extension.")
 
-ER3(SEC_ERROR_OLD_CRL,				(SEC_ERROR_BASE + 42),
-"New CRL is not later than the current one.")
+ER3(SEC_ERROR_OLD_CRL, (SEC_ERROR_BASE + 42),
+    "New CRL is not later than the current one.")
 
-ER3(SEC_ERROR_NO_EMAIL_CERT,			(SEC_ERROR_BASE + 43),
-"Not encrypted or signed: you do not yet have an email certificate.")
+ER3(SEC_ERROR_NO_EMAIL_CERT, (SEC_ERROR_BASE + 43),
+    "Not encrypted or signed: you do not yet have an email certificate.")
 
-ER3(SEC_ERROR_NO_RECIPIENT_CERTS_QUERY,		(SEC_ERROR_BASE + 44),
-"Not encrypted: you do not have certificates for each of the recipients.")
+ER3(SEC_ERROR_NO_RECIPIENT_CERTS_QUERY, (SEC_ERROR_BASE + 44),
+    "Not encrypted: you do not have certificates for each of the recipients.")
 
-ER3(SEC_ERROR_NOT_A_RECIPIENT,			(SEC_ERROR_BASE + 45),
-"Cannot decrypt: you are not a recipient, or matching certificate and \
+ER3(SEC_ERROR_NOT_A_RECIPIENT, (SEC_ERROR_BASE + 45),
+    "Cannot decrypt: you are not a recipient, or matching certificate and \
 private key not found.")
 
-ER3(SEC_ERROR_PKCS7_KEYALG_MISMATCH,		(SEC_ERROR_BASE + 46),
-"Cannot decrypt: key encryption algorithm does not match your certificate.")
+ER3(SEC_ERROR_PKCS7_KEYALG_MISMATCH, (SEC_ERROR_BASE + 46),
+    "Cannot decrypt: key encryption algorithm does not match your certificate.")
 
-ER3(SEC_ERROR_PKCS7_BAD_SIGNATURE,		(SEC_ERROR_BASE + 47),
-"Signature verification failed: no signer found, too many signers found, \
+ER3(SEC_ERROR_PKCS7_BAD_SIGNATURE, (SEC_ERROR_BASE + 47),
+    "Signature verification failed: no signer found, too many signers found, \
 or improper or corrupted data.")
 
-ER3(SEC_ERROR_UNSUPPORTED_KEYALG,		(SEC_ERROR_BASE + 48),
-"Unsupported or unknown key algorithm.")
+ER3(SEC_ERROR_UNSUPPORTED_KEYALG, (SEC_ERROR_BASE + 48),
+    "Unsupported or unknown key algorithm.")
 
-ER3(SEC_ERROR_DECRYPTION_DISALLOWED,		(SEC_ERROR_BASE + 49),
-"Cannot decrypt: encrypted using a disallowed algorithm or key size.")
-
+ER3(SEC_ERROR_DECRYPTION_DISALLOWED, (SEC_ERROR_BASE + 49),
+    "Cannot decrypt: encrypted using a disallowed algorithm or key size.")
 
 /* Fortezza Alerts */
-ER3(XP_SEC_FORTEZZA_BAD_CARD,			(SEC_ERROR_BASE + 50),
-"Fortezza card has not been properly initialized.  \
+ER3(XP_SEC_FORTEZZA_BAD_CARD, (SEC_ERROR_BASE + 50),
+    "Fortezza card has not been properly initialized.  \
 Please remove it and return it to your issuer.")
 
-ER3(XP_SEC_FORTEZZA_NO_CARD,			(SEC_ERROR_BASE + 51),
-"No Fortezza cards Found")
+ER3(XP_SEC_FORTEZZA_NO_CARD, (SEC_ERROR_BASE + 51),
+    "No Fortezza cards Found")
 
-ER3(XP_SEC_FORTEZZA_NONE_SELECTED,		(SEC_ERROR_BASE + 52),
-"No Fortezza card selected")
+ER3(XP_SEC_FORTEZZA_NONE_SELECTED, (SEC_ERROR_BASE + 52),
+    "No Fortezza card selected")
 
-ER3(XP_SEC_FORTEZZA_MORE_INFO,			(SEC_ERROR_BASE + 53),
-"Please select a personality to get more info on")
+ER3(XP_SEC_FORTEZZA_MORE_INFO, (SEC_ERROR_BASE + 53),
+    "Please select a personality to get more info on")
 
-ER3(XP_SEC_FORTEZZA_PERSON_NOT_FOUND,		(SEC_ERROR_BASE + 54),
-"Personality not found")
+ER3(XP_SEC_FORTEZZA_PERSON_NOT_FOUND, (SEC_ERROR_BASE + 54),
+    "Personality not found")
 
-ER3(XP_SEC_FORTEZZA_NO_MORE_INFO,		(SEC_ERROR_BASE + 55),
-"No more information on that Personality")
+ER3(XP_SEC_FORTEZZA_NO_MORE_INFO, (SEC_ERROR_BASE + 55),
+    "No more information on that Personality")
 
-ER3(XP_SEC_FORTEZZA_BAD_PIN,			(SEC_ERROR_BASE + 56),
-"Invalid Pin")
+ER3(XP_SEC_FORTEZZA_BAD_PIN, (SEC_ERROR_BASE + 56),
+    "Invalid Pin")
 
-ER3(XP_SEC_FORTEZZA_PERSON_ERROR,		(SEC_ERROR_BASE + 57),
-"Couldn't initialize Fortezza personalities.")
+ER3(XP_SEC_FORTEZZA_PERSON_ERROR, (SEC_ERROR_BASE + 57),
+    "Couldn't initialize Fortezza personalities.")
 /* end fortezza alerts. */
 
-ER3(SEC_ERROR_NO_KRL,				(SEC_ERROR_BASE + 58),
-"No KRL for this site's certificate has been found.")
+ER3(SEC_ERROR_NO_KRL, (SEC_ERROR_BASE + 58),
+    "No KRL for this site's certificate has been found.")
 
-ER3(SEC_ERROR_KRL_EXPIRED,			(SEC_ERROR_BASE + 59),
-"The KRL for this site's certificate has expired.")
+ER3(SEC_ERROR_KRL_EXPIRED, (SEC_ERROR_BASE + 59),
+    "The KRL for this site's certificate has expired.")
 
-ER3(SEC_ERROR_KRL_BAD_SIGNATURE,		(SEC_ERROR_BASE + 60),
-"The KRL for this site's certificate has an invalid signature.")
+ER3(SEC_ERROR_KRL_BAD_SIGNATURE, (SEC_ERROR_BASE + 60),
+    "The KRL for this site's certificate has an invalid signature.")
 
-ER3(SEC_ERROR_REVOKED_KEY,			(SEC_ERROR_BASE + 61),
-"The key for this site's certificate has been revoked.")
+ER3(SEC_ERROR_REVOKED_KEY, (SEC_ERROR_BASE + 61),
+    "The key for this site's certificate has been revoked.")
 
-ER3(SEC_ERROR_KRL_INVALID,			(SEC_ERROR_BASE + 62),
-"New KRL has an invalid format.")
+ER3(SEC_ERROR_KRL_INVALID, (SEC_ERROR_BASE + 62),
+    "New KRL has an invalid format.")
 
-ER3(SEC_ERROR_NEED_RANDOM,			(SEC_ERROR_BASE + 63),
-"security library: need random data.")
+ER3(SEC_ERROR_NEED_RANDOM, (SEC_ERROR_BASE + 63),
+    "security library: need random data.")
 
-ER3(SEC_ERROR_NO_MODULE,			(SEC_ERROR_BASE + 64),
-"security library: no security module can perform the requested operation.")
+ER3(SEC_ERROR_NO_MODULE, (SEC_ERROR_BASE + 64),
+    "security library: no security module can perform the requested operation.")
 
-ER3(SEC_ERROR_NO_TOKEN,				(SEC_ERROR_BASE + 65),
-"The security card or token does not exist, needs to be initialized, or has been removed.")
+ER3(SEC_ERROR_NO_TOKEN, (SEC_ERROR_BASE + 65),
+    "The security card or token does not exist, needs to be initialized, or has been removed.")
 
-ER3(SEC_ERROR_READ_ONLY,			(SEC_ERROR_BASE + 66),
-"security library: read-only database.")
+ER3(SEC_ERROR_READ_ONLY, (SEC_ERROR_BASE + 66),
+    "security library: read-only database.")
 
-ER3(SEC_ERROR_NO_SLOT_SELECTED,			(SEC_ERROR_BASE + 67),
-"No slot or token was selected.")
+ER3(SEC_ERROR_NO_SLOT_SELECTED, (SEC_ERROR_BASE + 67),
+    "No slot or token was selected.")
 
-ER3(SEC_ERROR_CERT_NICKNAME_COLLISION,		(SEC_ERROR_BASE + 68),
-"A certificate with the same nickname already exists.")
+ER3(SEC_ERROR_CERT_NICKNAME_COLLISION, (SEC_ERROR_BASE + 68),
+    "A certificate with the same nickname already exists.")
 
-ER3(SEC_ERROR_KEY_NICKNAME_COLLISION,		(SEC_ERROR_BASE + 69),
-"A key with the same nickname already exists.")
+ER3(SEC_ERROR_KEY_NICKNAME_COLLISION, (SEC_ERROR_BASE + 69),
+    "A key with the same nickname already exists.")
 
-ER3(SEC_ERROR_SAFE_NOT_CREATED,			(SEC_ERROR_BASE + 70),
-"error while creating safe object")
+ER3(SEC_ERROR_SAFE_NOT_CREATED, (SEC_ERROR_BASE + 70),
+    "error while creating safe object")
 
-ER3(SEC_ERROR_BAGGAGE_NOT_CREATED,		(SEC_ERROR_BASE + 71),
-"error while creating baggage object")
+ER3(SEC_ERROR_BAGGAGE_NOT_CREATED, (SEC_ERROR_BASE + 71),
+    "error while creating baggage object")
 
-ER3(XP_JAVA_REMOVE_PRINCIPAL_ERROR,		(SEC_ERROR_BASE + 72),
-"Couldn't remove the principal")
+ER3(XP_JAVA_REMOVE_PRINCIPAL_ERROR, (SEC_ERROR_BASE + 72),
+    "Couldn't remove the principal")
 
-ER3(XP_JAVA_DELETE_PRIVILEGE_ERROR,		(SEC_ERROR_BASE + 73),
-"Couldn't delete the privilege")
+ER3(XP_JAVA_DELETE_PRIVILEGE_ERROR, (SEC_ERROR_BASE + 73),
+    "Couldn't delete the privilege")
 
-ER3(XP_JAVA_CERT_NOT_EXISTS_ERROR,		(SEC_ERROR_BASE + 74),
-"This principal doesn't have a certificate")
+ER3(XP_JAVA_CERT_NOT_EXISTS_ERROR, (SEC_ERROR_BASE + 74),
+    "This principal doesn't have a certificate")
 
-ER3(SEC_ERROR_BAD_EXPORT_ALGORITHM,		(SEC_ERROR_BASE + 75),
-"Required algorithm is not allowed.")
+ER3(SEC_ERROR_BAD_EXPORT_ALGORITHM, (SEC_ERROR_BASE + 75),
+    "Required algorithm is not allowed.")
 
-ER3(SEC_ERROR_EXPORTING_CERTIFICATES,		(SEC_ERROR_BASE + 76),
-"Error attempting to export certificates.")
+ER3(SEC_ERROR_EXPORTING_CERTIFICATES, (SEC_ERROR_BASE + 76),
+    "Error attempting to export certificates.")
 
-ER3(SEC_ERROR_IMPORTING_CERTIFICATES,		(SEC_ERROR_BASE + 77),
-"Error attempting to import certificates.")
+ER3(SEC_ERROR_IMPORTING_CERTIFICATES, (SEC_ERROR_BASE + 77),
+    "Error attempting to import certificates.")
 
-ER3(SEC_ERROR_PKCS12_DECODING_PFX,		(SEC_ERROR_BASE + 78),
-"Unable to import.  Decoding error.  File not valid.")
+ER3(SEC_ERROR_PKCS12_DECODING_PFX, (SEC_ERROR_BASE + 78),
+    "Unable to import.  Decoding error.  File not valid.")
 
-ER3(SEC_ERROR_PKCS12_INVALID_MAC,		(SEC_ERROR_BASE + 79),
-"Unable to import.  Invalid MAC.  Incorrect password or corrupt file.")
+ER3(SEC_ERROR_PKCS12_INVALID_MAC, (SEC_ERROR_BASE + 79),
+    "Unable to import.  Invalid MAC.  Incorrect password or corrupt file.")
 
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM,	(SEC_ERROR_BASE + 80),
-"Unable to import.  MAC algorithm not supported.")
+ER3(SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM, (SEC_ERROR_BASE + 80),
+    "Unable to import.  MAC algorithm not supported.")
 
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE,(SEC_ERROR_BASE + 81),
-"Unable to import.  Only password integrity and privacy modes supported.")
+ER3(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE, (SEC_ERROR_BASE + 81),
+    "Unable to import.  Only password integrity and privacy modes supported.")
 
-ER3(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE,	(SEC_ERROR_BASE + 82),
-"Unable to import.  File structure is corrupt.")
+ER3(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE, (SEC_ERROR_BASE + 82),
+    "Unable to import.  File structure is corrupt.")
 
 ER3(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM, (SEC_ERROR_BASE + 83),
-"Unable to import.  Encryption algorithm not supported.")
+    "Unable to import.  Encryption algorithm not supported.")
 
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_VERSION,	(SEC_ERROR_BASE + 84),
-"Unable to import.  File version not supported.")
+ER3(SEC_ERROR_PKCS12_UNSUPPORTED_VERSION, (SEC_ERROR_BASE + 84),
+    "Unable to import.  File version not supported.")
 
-ER3(SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT,(SEC_ERROR_BASE + 85),
-"Unable to import.  Incorrect privacy password.")
+ER3(SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT, (SEC_ERROR_BASE + 85),
+    "Unable to import.  Incorrect privacy password.")
 
-ER3(SEC_ERROR_PKCS12_CERT_COLLISION,		(SEC_ERROR_BASE + 86),
-"Unable to import.  Same nickname already exists in database.")
+ER3(SEC_ERROR_PKCS12_CERT_COLLISION, (SEC_ERROR_BASE + 86),
+    "Unable to import.  Same nickname already exists in database.")
 
-ER3(SEC_ERROR_USER_CANCELLED,			(SEC_ERROR_BASE + 87),
-"The user pressed cancel.")
+ER3(SEC_ERROR_USER_CANCELLED, (SEC_ERROR_BASE + 87),
+    "The user pressed cancel.")
 
-ER3(SEC_ERROR_PKCS12_DUPLICATE_DATA,		(SEC_ERROR_BASE + 88),
-"Not imported, already in database.")
+ER3(SEC_ERROR_PKCS12_DUPLICATE_DATA, (SEC_ERROR_BASE + 88),
+    "Not imported, already in database.")
 
-ER3(SEC_ERROR_MESSAGE_SEND_ABORTED,		(SEC_ERROR_BASE + 89),
-"Message not sent.")
+ER3(SEC_ERROR_MESSAGE_SEND_ABORTED, (SEC_ERROR_BASE + 89),
+    "Message not sent.")
 
-ER3(SEC_ERROR_INADEQUATE_KEY_USAGE,		(SEC_ERROR_BASE + 90),
-"Certificate key usage inadequate for attempted operation.")
+ER3(SEC_ERROR_INADEQUATE_KEY_USAGE, (SEC_ERROR_BASE + 90),
+    "Certificate key usage inadequate for attempted operation.")
 
-ER3(SEC_ERROR_INADEQUATE_CERT_TYPE,		(SEC_ERROR_BASE + 91),
-"Certificate type not approved for application.")
+ER3(SEC_ERROR_INADEQUATE_CERT_TYPE, (SEC_ERROR_BASE + 91),
+    "Certificate type not approved for application.")
 
-ER3(SEC_ERROR_CERT_ADDR_MISMATCH,		(SEC_ERROR_BASE + 92),
-"Address in signing certificate does not match address in message headers.")
+ER3(SEC_ERROR_CERT_ADDR_MISMATCH, (SEC_ERROR_BASE + 92),
+    "Address in signing certificate does not match address in message headers.")
 
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY,	(SEC_ERROR_BASE + 93),
-"Unable to import.  Error attempting to import private key.")
+ER3(SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY, (SEC_ERROR_BASE + 93),
+    "Unable to import.  Error attempting to import private key.")
 
-ER3(SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN,	(SEC_ERROR_BASE + 94),
-"Unable to import.  Error attempting to import certificate chain.")
+ER3(SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN, (SEC_ERROR_BASE + 94),
+    "Unable to import.  Error attempting to import certificate chain.")
 
 ER3(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME, (SEC_ERROR_BASE + 95),
-"Unable to export.  Unable to locate certificate or key by nickname.")
+    "Unable to export.  Unable to locate certificate or key by nickname.")
 
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY,	(SEC_ERROR_BASE + 96),
-"Unable to export.  Private Key could not be located and exported.")
+ER3(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY, (SEC_ERROR_BASE + 96),
+    "Unable to export.  Private Key could not be located and exported.")
 
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_WRITE, 		(SEC_ERROR_BASE + 97),
-"Unable to export.  Unable to write the export file.")
+ER3(SEC_ERROR_PKCS12_UNABLE_TO_WRITE, (SEC_ERROR_BASE + 97),
+    "Unable to export.  Unable to write the export file.")
 
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_READ,		(SEC_ERROR_BASE + 98),
-"Unable to import.  Unable to read the import file.")
+ER3(SEC_ERROR_PKCS12_UNABLE_TO_READ, (SEC_ERROR_BASE + 98),
+    "Unable to import.  Unable to read the import file.")
 
 ER3(SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED, (SEC_ERROR_BASE + 99),
-"Unable to export.  Key database corrupt or deleted.")
+    "Unable to export.  Key database corrupt or deleted.")
 
-ER3(SEC_ERROR_KEYGEN_FAIL,			(SEC_ERROR_BASE + 100),
-"Unable to generate public/private key pair.")
+ER3(SEC_ERROR_KEYGEN_FAIL, (SEC_ERROR_BASE + 100),
+    "Unable to generate public/private key pair.")
 
-ER3(SEC_ERROR_INVALID_PASSWORD,			(SEC_ERROR_BASE + 101),
-"Password entered is invalid.  Please pick a different one.")
+ER3(SEC_ERROR_INVALID_PASSWORD, (SEC_ERROR_BASE + 101),
+    "Password entered is invalid.  Please pick a different one.")
 
-ER3(SEC_ERROR_RETRY_OLD_PASSWORD,		(SEC_ERROR_BASE + 102),
-"Old password entered incorrectly.  Please try again.")
+ER3(SEC_ERROR_RETRY_OLD_PASSWORD, (SEC_ERROR_BASE + 102),
+    "Old password entered incorrectly.  Please try again.")
 
-ER3(SEC_ERROR_BAD_NICKNAME,			(SEC_ERROR_BASE + 103),
-"Certificate nickname already in use.")
+ER3(SEC_ERROR_BAD_NICKNAME, (SEC_ERROR_BASE + 103),
+    "Certificate nickname already in use.")
 
-ER3(SEC_ERROR_NOT_FORTEZZA_ISSUER,       	(SEC_ERROR_BASE + 104),
-"Peer FORTEZZA chain has a non-FORTEZZA Certificate.")
+ER3(SEC_ERROR_NOT_FORTEZZA_ISSUER, (SEC_ERROR_BASE + 104),
+    "Peer FORTEZZA chain has a non-FORTEZZA Certificate.")
 
-ER3(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY, 	(SEC_ERROR_BASE + 105),
-"A sensitive key cannot be moved to the slot where it is needed.")
+ER3(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY, (SEC_ERROR_BASE + 105),
+    "A sensitive key cannot be moved to the slot where it is needed.")
 
-ER3(SEC_ERROR_JS_INVALID_MODULE_NAME, 		(SEC_ERROR_BASE + 106),
-"Invalid module name.")
+ER3(SEC_ERROR_JS_INVALID_MODULE_NAME, (SEC_ERROR_BASE + 106),
+    "Invalid module name.")
 
-ER3(SEC_ERROR_JS_INVALID_DLL, 			(SEC_ERROR_BASE + 107),
-"Invalid module path/filename")
+ER3(SEC_ERROR_JS_INVALID_DLL, (SEC_ERROR_BASE + 107),
+    "Invalid module path/filename")
 
-ER3(SEC_ERROR_JS_ADD_MOD_FAILURE, 		(SEC_ERROR_BASE + 108),
-"Unable to add module")
+ER3(SEC_ERROR_JS_ADD_MOD_FAILURE, (SEC_ERROR_BASE + 108),
+    "Unable to add module")
 
-ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, 		(SEC_ERROR_BASE + 109),
-"Unable to delete module")
+ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, (SEC_ERROR_BASE + 109),
+    "Unable to delete module")
+
+ER3(SEC_ERROR_OLD_KRL, (SEC_ERROR_BASE + 110),
+    "New KRL is not later than the current one.")
 
-ER3(SEC_ERROR_OLD_KRL,	     			(SEC_ERROR_BASE + 110),
-"New KRL is not later than the current one.")
- 
-ER3(SEC_ERROR_CKL_CONFLICT,	     		(SEC_ERROR_BASE + 111),
-"New CKL has different issuer than current CKL.  Delete current CKL.")
+ER3(SEC_ERROR_CKL_CONFLICT, (SEC_ERROR_BASE + 111),
+    "New CKL has different issuer than current CKL.  Delete current CKL.")
 
-ER3(SEC_ERROR_CERT_NOT_IN_NAME_SPACE, 		(SEC_ERROR_BASE + 112),
-"The Certifying Authority for this certificate is not permitted to issue a \
+ER3(SEC_ERROR_CERT_NOT_IN_NAME_SPACE, (SEC_ERROR_BASE + 112),
+    "The Certifying Authority for this certificate is not permitted to issue a \
 certificate with this name.")
 
-ER3(SEC_ERROR_KRL_NOT_YET_VALID,		(SEC_ERROR_BASE + 113),
-"The key revocation list for this certificate is not yet valid.")
+ER3(SEC_ERROR_KRL_NOT_YET_VALID, (SEC_ERROR_BASE + 113),
+    "The key revocation list for this certificate is not yet valid.")
 
-ER3(SEC_ERROR_CRL_NOT_YET_VALID,		(SEC_ERROR_BASE + 114),
-"The certificate revocation list for this certificate is not yet valid.")
+ER3(SEC_ERROR_CRL_NOT_YET_VALID, (SEC_ERROR_BASE + 114),
+    "The certificate revocation list for this certificate is not yet valid.")
 
-ER3(SEC_ERROR_UNKNOWN_CERT,			(SEC_ERROR_BASE + 115),
-"The requested certificate could not be found.")
+ER3(SEC_ERROR_UNKNOWN_CERT, (SEC_ERROR_BASE + 115),
+    "The requested certificate could not be found.")
 
-ER3(SEC_ERROR_UNKNOWN_SIGNER,			(SEC_ERROR_BASE + 116),
-"The signer's certificate could not be found.")
+ER3(SEC_ERROR_UNKNOWN_SIGNER, (SEC_ERROR_BASE + 116),
+    "The signer's certificate could not be found.")
 
-ER3(SEC_ERROR_CERT_BAD_ACCESS_LOCATION,		(SEC_ERROR_BASE + 117),
-"The location for the certificate status server has invalid format.")
+ER3(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, (SEC_ERROR_BASE + 117),
+    "The location for the certificate status server has invalid format.")
 
-ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE,	(SEC_ERROR_BASE + 118),
-"The OCSP response cannot be fully decoded; it is of an unknown type.")
+ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE, (SEC_ERROR_BASE + 118),
+    "The OCSP response cannot be fully decoded; it is of an unknown type.")
 
-ER3(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE,		(SEC_ERROR_BASE + 119),
-"The OCSP server returned unexpected/invalid HTTP data.")
+ER3(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE, (SEC_ERROR_BASE + 119),
+    "The OCSP server returned unexpected/invalid HTTP data.")
 
-ER3(SEC_ERROR_OCSP_MALFORMED_REQUEST,		(SEC_ERROR_BASE + 120),
-"The OCSP server found the request to be corrupted or improperly formed.")
+ER3(SEC_ERROR_OCSP_MALFORMED_REQUEST, (SEC_ERROR_BASE + 120),
+    "The OCSP server found the request to be corrupted or improperly formed.")
 
-ER3(SEC_ERROR_OCSP_SERVER_ERROR,		(SEC_ERROR_BASE + 121),
-"The OCSP server experienced an internal error.")
+ER3(SEC_ERROR_OCSP_SERVER_ERROR, (SEC_ERROR_BASE + 121),
+    "The OCSP server experienced an internal error.")
 
-ER3(SEC_ERROR_OCSP_TRY_SERVER_LATER,		(SEC_ERROR_BASE + 122),
-"The OCSP server suggests trying again later.")
+ER3(SEC_ERROR_OCSP_TRY_SERVER_LATER, (SEC_ERROR_BASE + 122),
+    "The OCSP server suggests trying again later.")
 
-ER3(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG,		(SEC_ERROR_BASE + 123),
-"The OCSP server requires a signature on this request.")
+ER3(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, (SEC_ERROR_BASE + 123),
+    "The OCSP server requires a signature on this request.")
 
-ER3(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST,	(SEC_ERROR_BASE + 124),
-"The OCSP server has refused this request as unauthorized.")
+ER3(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, (SEC_ERROR_BASE + 124),
+    "The OCSP server has refused this request as unauthorized.")
 
-ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS,	(SEC_ERROR_BASE + 125),
-"The OCSP server returned an unrecognizable status.")
+ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, (SEC_ERROR_BASE + 125),
+    "The OCSP server returned an unrecognizable status.")
 
-ER3(SEC_ERROR_OCSP_UNKNOWN_CERT,		(SEC_ERROR_BASE + 126),
-"The OCSP server has no status for the certificate.")
+ER3(SEC_ERROR_OCSP_UNKNOWN_CERT, (SEC_ERROR_BASE + 126),
+    "The OCSP server has no status for the certificate.")
 
-ER3(SEC_ERROR_OCSP_NOT_ENABLED,			(SEC_ERROR_BASE + 127),
-"You must enable OCSP before performing this operation.")
+ER3(SEC_ERROR_OCSP_NOT_ENABLED, (SEC_ERROR_BASE + 127),
+    "You must enable OCSP before performing this operation.")
 
-ER3(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER,	(SEC_ERROR_BASE + 128),
-"You must set the OCSP default responder before performing this operation.")
+ER3(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER, (SEC_ERROR_BASE + 128),
+    "You must set the OCSP default responder before performing this operation.")
 
-ER3(SEC_ERROR_OCSP_MALFORMED_RESPONSE,		(SEC_ERROR_BASE + 129),
-"The response from the OCSP server was corrupted or improperly formed.")
+ER3(SEC_ERROR_OCSP_MALFORMED_RESPONSE, (SEC_ERROR_BASE + 129),
+    "The response from the OCSP server was corrupted or improperly formed.")
 
-ER3(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE,	(SEC_ERROR_BASE + 130),
-"The signer of the OCSP response is not authorized to give status for \
+ER3(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE, (SEC_ERROR_BASE + 130),
+    "The signer of the OCSP response is not authorized to give status for \
 this certificate.")
 
-ER3(SEC_ERROR_OCSP_FUTURE_RESPONSE,		(SEC_ERROR_BASE + 131),
-"The OCSP response is not yet valid (contains a date in the future).")
+ER3(SEC_ERROR_OCSP_FUTURE_RESPONSE, (SEC_ERROR_BASE + 131),
+    "The OCSP response is not yet valid (contains a date in the future).")
 
-ER3(SEC_ERROR_OCSP_OLD_RESPONSE,		(SEC_ERROR_BASE + 132),
-"The OCSP response contains out-of-date information.")
+ER3(SEC_ERROR_OCSP_OLD_RESPONSE, (SEC_ERROR_BASE + 132),
+    "The OCSP response contains out-of-date information.")
 
-ER3(SEC_ERROR_DIGEST_NOT_FOUND,			(SEC_ERROR_BASE + 133),
-"The CMS or PKCS #7 Digest was not found in signed message.")
+ER3(SEC_ERROR_DIGEST_NOT_FOUND, (SEC_ERROR_BASE + 133),
+    "The CMS or PKCS #7 Digest was not found in signed message.")
 
-ER3(SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE,		(SEC_ERROR_BASE + 134),
-"The CMS or PKCS #7 Message type is unsupported.")
+ER3(SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE, (SEC_ERROR_BASE + 134),
+    "The CMS or PKCS #7 Message type is unsupported.")
 
-ER3(SEC_ERROR_MODULE_STUCK,			(SEC_ERROR_BASE + 135),
-"PKCS #11 module could not be removed because it is still in use.")
+ER3(SEC_ERROR_MODULE_STUCK, (SEC_ERROR_BASE + 135),
+    "PKCS #11 module could not be removed because it is still in use.")
 
-ER3(SEC_ERROR_BAD_TEMPLATE,			(SEC_ERROR_BASE + 136),
-"Could not decode ASN.1 data. Specified template was invalid.")
+ER3(SEC_ERROR_BAD_TEMPLATE, (SEC_ERROR_BASE + 136),
+    "Could not decode ASN.1 data. Specified template was invalid.")
 
-ER3(SEC_ERROR_CRL_NOT_FOUND,			(SEC_ERROR_BASE + 137),
-"No matching CRL was found.")
+ER3(SEC_ERROR_CRL_NOT_FOUND, (SEC_ERROR_BASE + 137),
+    "No matching CRL was found.")
 
-ER3(SEC_ERROR_REUSED_ISSUER_AND_SERIAL,        (SEC_ERROR_BASE + 138),
-"You are attempting to import a cert with the same issuer/serial as \
+ER3(SEC_ERROR_REUSED_ISSUER_AND_SERIAL, (SEC_ERROR_BASE + 138),
+    "You are attempting to import a cert with the same issuer/serial as \
 an existing cert, but that is not the same cert.")
 
-ER3(SEC_ERROR_BUSY,				(SEC_ERROR_BASE + 139),
-"NSS could not shutdown. Objects are still in use.")
+ER3(SEC_ERROR_BUSY, (SEC_ERROR_BASE + 139),
+    "NSS could not shutdown. Objects are still in use.")
 
-ER3(SEC_ERROR_EXTRA_INPUT,			(SEC_ERROR_BASE + 140),
-"DER-encoded message contained extra unused data.")
+ER3(SEC_ERROR_EXTRA_INPUT, (SEC_ERROR_BASE + 140),
+    "DER-encoded message contained extra unused data.")
 
-ER3(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE,	(SEC_ERROR_BASE + 141),
-"Unsupported elliptic curve.")
+ER3(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE, (SEC_ERROR_BASE + 141),
+    "Unsupported elliptic curve.")
 
-ER3(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM,	(SEC_ERROR_BASE + 142),
-"Unsupported elliptic curve point form.")
+ER3(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM, (SEC_ERROR_BASE + 142),
+    "Unsupported elliptic curve point form.")
 
-ER3(SEC_ERROR_UNRECOGNIZED_OID,			(SEC_ERROR_BASE + 143),
-"Unrecognized Object Identifier.")
+ER3(SEC_ERROR_UNRECOGNIZED_OID, (SEC_ERROR_BASE + 143),
+    "Unrecognized Object Identifier.")
 
-ER3(SEC_ERROR_OCSP_INVALID_SIGNING_CERT,	(SEC_ERROR_BASE + 144),
-"Invalid OCSP signing certificate in OCSP response.")
+ER3(SEC_ERROR_OCSP_INVALID_SIGNING_CERT, (SEC_ERROR_BASE + 144),
+    "Invalid OCSP signing certificate in OCSP response.")
 
-ER3(SEC_ERROR_REVOKED_CERTIFICATE_CRL,          (SEC_ERROR_BASE + 145),
-"Certificate is revoked in issuer's certificate revocation list.")
+ER3(SEC_ERROR_REVOKED_CERTIFICATE_CRL, (SEC_ERROR_BASE + 145),
+    "Certificate is revoked in issuer's certificate revocation list.")
 
-ER3(SEC_ERROR_REVOKED_CERTIFICATE_OCSP,         (SEC_ERROR_BASE + 146),
-"Issuer's OCSP responder reports certificate is revoked.")
+ER3(SEC_ERROR_REVOKED_CERTIFICATE_OCSP, (SEC_ERROR_BASE + 146),
+    "Issuer's OCSP responder reports certificate is revoked.")
 
-ER3(SEC_ERROR_CRL_INVALID_VERSION,              (SEC_ERROR_BASE + 147),
-"Issuer's Certificate Revocation List has an unknown version number.")
+ER3(SEC_ERROR_CRL_INVALID_VERSION, (SEC_ERROR_BASE + 147),
+    "Issuer's Certificate Revocation List has an unknown version number.")
 
-ER3(SEC_ERROR_CRL_V1_CRITICAL_EXTENSION,        (SEC_ERROR_BASE + 148),
-"Issuer's V1 Certificate Revocation List has a critical extension.")
+ER3(SEC_ERROR_CRL_V1_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 148),
+    "Issuer's V1 Certificate Revocation List has a critical extension.")
 
-ER3(SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION,   (SEC_ERROR_BASE + 149),
-"Issuer's V2 Certificate Revocation List has an unknown critical extension.")
+ER3(SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 149),
+    "Issuer's V2 Certificate Revocation List has an unknown critical extension.")
 
-ER3(SEC_ERROR_UNKNOWN_OBJECT_TYPE,	        (SEC_ERROR_BASE + 150),
-"Unknown object type specified.")
+ER3(SEC_ERROR_UNKNOWN_OBJECT_TYPE, (SEC_ERROR_BASE + 150),
+    "Unknown object type specified.")
 
-ER3(SEC_ERROR_INCOMPATIBLE_PKCS11,	        (SEC_ERROR_BASE + 151),
-"PKCS #11 driver violates the spec in an incompatible way.")
+ER3(SEC_ERROR_INCOMPATIBLE_PKCS11, (SEC_ERROR_BASE + 151),
+    "PKCS #11 driver violates the spec in an incompatible way.")
 
-ER3(SEC_ERROR_NO_EVENT,	        		(SEC_ERROR_BASE + 152),
-"No new slot event is available at this time.")
+ER3(SEC_ERROR_NO_EVENT, (SEC_ERROR_BASE + 152),
+    "No new slot event is available at this time.")
 
-ER3(SEC_ERROR_CRL_ALREADY_EXISTS,      		(SEC_ERROR_BASE + 153),
-"CRL already exists.")
+ER3(SEC_ERROR_CRL_ALREADY_EXISTS, (SEC_ERROR_BASE + 153),
+    "CRL already exists.")
 
-ER3(SEC_ERROR_NOT_INITIALIZED,      		(SEC_ERROR_BASE + 154),
-"NSS is not initialized.")
+ER3(SEC_ERROR_NOT_INITIALIZED, (SEC_ERROR_BASE + 154),
+    "NSS is not initialized.")
 
-ER3(SEC_ERROR_TOKEN_NOT_LOGGED_IN,  		(SEC_ERROR_BASE + 155),
-"The operation failed because the PKCS#11 token is not logged in.")
+ER3(SEC_ERROR_TOKEN_NOT_LOGGED_IN, (SEC_ERROR_BASE + 155),
+    "The operation failed because the PKCS#11 token is not logged in.")
 
-ER3(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID,  	(SEC_ERROR_BASE + 156),
-"Configured OCSP responder's certificate is invalid.")
+ER3(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID, (SEC_ERROR_BASE + 156),
+    "Configured OCSP responder's certificate is invalid.")
 
-ER3(SEC_ERROR_OCSP_BAD_SIGNATURE,      		(SEC_ERROR_BASE + 157),
-"OCSP response has an invalid signature.")
+ER3(SEC_ERROR_OCSP_BAD_SIGNATURE, (SEC_ERROR_BASE + 157),
+    "OCSP response has an invalid signature.")
 
-ER3(SEC_ERROR_OUT_OF_SEARCH_LIMITS,      		(SEC_ERROR_BASE + 158),
-"Cert validation search is out of search limits")
+ER3(SEC_ERROR_OUT_OF_SEARCH_LIMITS, (SEC_ERROR_BASE + 158),
+    "Cert validation search is out of search limits")
 
-ER3(SEC_ERROR_INVALID_POLICY_MAPPING,      		(SEC_ERROR_BASE + 159),
-"Policy mapping contains anypolicy")
+ER3(SEC_ERROR_INVALID_POLICY_MAPPING, (SEC_ERROR_BASE + 159),
+    "Policy mapping contains anypolicy")
 
-ER3(SEC_ERROR_POLICY_VALIDATION_FAILED,    		(SEC_ERROR_BASE + 160),
-"Cert chain fails policy validation")
+ER3(SEC_ERROR_POLICY_VALIDATION_FAILED, (SEC_ERROR_BASE + 160),
+    "Cert chain fails policy validation")
 
-ER3(SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE,    		(SEC_ERROR_BASE + 161),
-"Unknown location type in cert AIA extension")
+ER3(SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE, (SEC_ERROR_BASE + 161),
+    "Unknown location type in cert AIA extension")
 
-ER3(SEC_ERROR_BAD_HTTP_RESPONSE,    		(SEC_ERROR_BASE + 162),
-"Server returned bad HTTP response")
+ER3(SEC_ERROR_BAD_HTTP_RESPONSE, (SEC_ERROR_BASE + 162),
+    "Server returned bad HTTP response")
 
-ER3(SEC_ERROR_BAD_LDAP_RESPONSE,    		(SEC_ERROR_BASE + 163),
-"Server returned bad LDAP response")
+ER3(SEC_ERROR_BAD_LDAP_RESPONSE, (SEC_ERROR_BASE + 163),
+    "Server returned bad LDAP response")
 
-ER3(SEC_ERROR_FAILED_TO_ENCODE_DATA,    		(SEC_ERROR_BASE + 164),
-"Failed to encode data with ASN1 encoder")
+ER3(SEC_ERROR_FAILED_TO_ENCODE_DATA, (SEC_ERROR_BASE + 164),
+    "Failed to encode data with ASN1 encoder")
 
-ER3(SEC_ERROR_BAD_INFO_ACCESS_LOCATION,    		(SEC_ERROR_BASE + 165),
-"Bad information access location in cert extension")
+ER3(SEC_ERROR_BAD_INFO_ACCESS_LOCATION, (SEC_ERROR_BASE + 165),
+    "Bad information access location in cert extension")
 
-ER3(SEC_ERROR_LIBPKIX_INTERNAL,      		(SEC_ERROR_BASE + 166),
-"Libpkix internal error occurred during cert validation.")
+ER3(SEC_ERROR_LIBPKIX_INTERNAL, (SEC_ERROR_BASE + 166),
+    "Libpkix internal error occurred during cert validation.")
 
-ER3(SEC_ERROR_PKCS11_GENERAL_ERROR,      		(SEC_ERROR_BASE + 167),
-"A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.")
+ER3(SEC_ERROR_PKCS11_GENERAL_ERROR, (SEC_ERROR_BASE + 167),
+    "A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.")
 
-ER3(SEC_ERROR_PKCS11_FUNCTION_FAILED,      		(SEC_ERROR_BASE + 168),
-"A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed.  Trying the same operation again might succeed.")
+ER3(SEC_ERROR_PKCS11_FUNCTION_FAILED, (SEC_ERROR_BASE + 168),
+    "A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed.  Trying the same operation again might succeed.")
 
-ER3(SEC_ERROR_PKCS11_DEVICE_ERROR,      		(SEC_ERROR_BASE + 169),
-"A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.")
+ER3(SEC_ERROR_PKCS11_DEVICE_ERROR, (SEC_ERROR_BASE + 169),
+    "A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.")
 
-ER3(SEC_ERROR_BAD_INFO_ACCESS_METHOD,      		(SEC_ERROR_BASE + 170),
-"Unknown information access method in certificate extension.")
+ER3(SEC_ERROR_BAD_INFO_ACCESS_METHOD, (SEC_ERROR_BASE + 170),
+    "Unknown information access method in certificate extension.")
 
-ER3(SEC_ERROR_CRL_IMPORT_FAILED,        		(SEC_ERROR_BASE + 171),
-"Error attempting to import a CRL.")
+ER3(SEC_ERROR_CRL_IMPORT_FAILED, (SEC_ERROR_BASE + 171),
+    "Error attempting to import a CRL.")
 
-ER3(SEC_ERROR_EXPIRED_PASSWORD,        		(SEC_ERROR_BASE + 172),
-"The password expired.")
+ER3(SEC_ERROR_EXPIRED_PASSWORD, (SEC_ERROR_BASE + 172),
+    "The password expired.")
 
-ER3(SEC_ERROR_LOCKED_PASSWORD,        		(SEC_ERROR_BASE + 173),
-"The password is locked.")
+ER3(SEC_ERROR_LOCKED_PASSWORD, (SEC_ERROR_BASE + 173),
+    "The password is locked.")
 
-ER3(SEC_ERROR_UNKNOWN_PKCS11_ERROR,        		(SEC_ERROR_BASE + 174),
-"Unknown PKCS #11 error.")
+ER3(SEC_ERROR_UNKNOWN_PKCS11_ERROR, (SEC_ERROR_BASE + 174),
+    "Unknown PKCS #11 error.")
 
-ER3(SEC_ERROR_BAD_CRL_DP_URL,			(SEC_ERROR_BASE + 175),
-"Invalid or unsupported URL in CRL distribution point name.")
+ER3(SEC_ERROR_BAD_CRL_DP_URL, (SEC_ERROR_BASE + 175),
+    "Invalid or unsupported URL in CRL distribution point name.")
 
-ER3(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,	(SEC_ERROR_BASE + 176),
-"The certificate was signed using a signature algorithm that is disabled because it is not secure.")
+ER3(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, (SEC_ERROR_BASE + 176),
+    "The certificate was signed using a signature algorithm that is disabled because it is not secure.")
 
-ER3(SEC_ERROR_LEGACY_DATABASE,			(SEC_ERROR_BASE + 177),
-"The certificate/key database is in an old, unsupported format.")
+ER3(SEC_ERROR_LEGACY_DATABASE, (SEC_ERROR_BASE + 177),
+    "The certificate/key database is in an old, unsupported format.")
 
-ER3(SEC_ERROR_APPLICATION_CALLBACK_ERROR,        (SEC_ERROR_BASE + 178),
-"The certificate was rejected by extra checks in the application.")
-
+ER3(SEC_ERROR_APPLICATION_CALLBACK_ERROR, (SEC_ERROR_BASE + 178),
+    "The certificate was rejected by extra checks in the application.")
--- a/security/nss/lib/util/base64.h
+++ b/security/nss/lib/util/base64.h
@@ -20,17 +20,17 @@ SEC_BEGIN_PROTOS
 */
 extern char *BTOA_DataToAscii(const unsigned char *data, unsigned int len);
 
 /*
 ** Return an PORT_Alloc'd string which is the base64 decoded version
 ** of the input string; set *lenp to the length of the returned data.
 */
 extern unsigned char *ATOB_AsciiToData(const char *string, unsigned int *lenp);
- 
+
 /*
 ** Convert from ascii to binary encoding of an item.
 */
 extern SECStatus ATOB_ConvertAsciiToItem(SECItem *binary_item, const char *ascii);
 
 /*
 ** Convert from binary encoding of an item to ascii.
 */
--- a/security/nss/lib/util/ciferfam.h
+++ b/security/nss/lib/util/ciferfam.h
@@ -7,53 +7,53 @@
  *              control
  */
 
 #ifndef _CIFERFAM_H_
 #define _CIFERFAM_H_
 
 #include "utilrename.h"
 /* Cipher Suite "Families" */
-#define CIPHER_FAMILY_PKCS12			"PKCS12"
-#define CIPHER_FAMILY_SMIME			"SMIME"
-#define CIPHER_FAMILY_SSL2                      "SSLv2" /* deprecated */
-#define CIPHER_FAMILY_SSL3			"SSLv3"
-#define CIPHER_FAMILY_SSL			"SSL"
-#define CIPHER_FAMILY_ALL			""
-#define CIPHER_FAMILY_UNKNOWN			"UNKNOWN"
+#define CIPHER_FAMILY_PKCS12 "PKCS12"
+#define CIPHER_FAMILY_SMIME "SMIME"
+#define CIPHER_FAMILY_SSL2 "SSLv2" /* deprecated */
+#define CIPHER_FAMILY_SSL3 "SSLv3"
+#define CIPHER_FAMILY_SSL "SSL"
+#define CIPHER_FAMILY_ALL ""
+#define CIPHER_FAMILY_UNKNOWN "UNKNOWN"
 
-#define CIPHER_FAMILYID_MASK			0xFFFF0000L
-#define CIPHER_FAMILYID_SSL			0x00000000L
-#define CIPHER_FAMILYID_SMIME			0x00010000L
-#define CIPHER_FAMILYID_PKCS12			0x00020000L
+#define CIPHER_FAMILYID_MASK 0xFFFF0000L
+#define CIPHER_FAMILYID_SSL 0x00000000L
+#define CIPHER_FAMILYID_SMIME 0x00010000L
+#define CIPHER_FAMILYID_PKCS12 0x00020000L
 
 /* SMIME "Cipher Suites" */
 /*
  * Note that it is assumed that the cipher number itself can be used
  * as a bit position in a mask, and that mask is currently 32 bits wide.
  * So, if you want to add a cipher that is greater than 0037, secmime.c
  * needs to be made smarter at the same time.
  */
-#define	SMIME_RC2_CBC_40		(CIPHER_FAMILYID_SMIME | 0001)
-#define	SMIME_RC2_CBC_64		(CIPHER_FAMILYID_SMIME | 0002)
-#define	SMIME_RC2_CBC_128		(CIPHER_FAMILYID_SMIME | 0003)
-#define	SMIME_DES_CBC_56		(CIPHER_FAMILYID_SMIME | 0011)
-#define	SMIME_DES_EDE3_168		(CIPHER_FAMILYID_SMIME | 0012)
-#define	SMIME_AES_CBC_128		(CIPHER_FAMILYID_SMIME | 0013)
-#define	SMIME_AES_CBC_256		(CIPHER_FAMILYID_SMIME | 0014)
-#define	SMIME_RC5PAD_64_16_40		(CIPHER_FAMILYID_SMIME | 0021)
-#define	SMIME_RC5PAD_64_16_64		(CIPHER_FAMILYID_SMIME | 0022)
-#define	SMIME_RC5PAD_64_16_128		(CIPHER_FAMILYID_SMIME | 0023)
-#define	SMIME_FORTEZZA			(CIPHER_FAMILYID_SMIME | 0031)
+#define SMIME_RC2_CBC_40 (CIPHER_FAMILYID_SMIME | 0001)
+#define SMIME_RC2_CBC_64 (CIPHER_FAMILYID_SMIME | 0002)
+#define SMIME_RC2_CBC_128 (CIPHER_FAMILYID_SMIME | 0003)
+#define SMIME_DES_CBC_56 (CIPHER_FAMILYID_SMIME | 0011)
+#define SMIME_DES_EDE3_168 (CIPHER_FAMILYID_SMIME | 0012)
+#define SMIME_AES_CBC_128 (CIPHER_FAMILYID_SMIME | 0013)
+#define SMIME_AES_CBC_256 (CIPHER_FAMILYID_SMIME | 0014)
+#define SMIME_RC5PAD_64_16_40 (CIPHER_FAMILYID_SMIME | 0021)
+#define SMIME_RC5PAD_64_16_64 (CIPHER_FAMILYID_SMIME | 0022)
+#define SMIME_RC5PAD_64_16_128 (CIPHER_FAMILYID_SMIME | 0023)
+#define SMIME_FORTEZZA (CIPHER_FAMILYID_SMIME | 0031)
 
 /* PKCS12 "Cipher Suites" */
 
-#define	PKCS12_RC2_CBC_40		(CIPHER_FAMILYID_PKCS12 | 0001)
-#define	PKCS12_RC2_CBC_128		(CIPHER_FAMILYID_PKCS12 | 0002)
-#define	PKCS12_RC4_40			(CIPHER_FAMILYID_PKCS12 | 0011)
-#define	PKCS12_RC4_128			(CIPHER_FAMILYID_PKCS12 | 0012)
-#define	PKCS12_DES_56			(CIPHER_FAMILYID_PKCS12 | 0021)
-#define	PKCS12_DES_EDE3_168		(CIPHER_FAMILYID_PKCS12 | 0022)
+#define PKCS12_RC2_CBC_40 (CIPHER_FAMILYID_PKCS12 | 0001)
+#define PKCS12_RC2_CBC_128 (CIPHER_FAMILYID_PKCS12 | 0002)
+#define PKCS12_RC4_40 (CIPHER_FAMILYID_PKCS12 | 0011)
+#define PKCS12_RC4_128 (CIPHER_FAMILYID_PKCS12 | 0012)
+#define PKCS12_DES_56 (CIPHER_FAMILYID_PKCS12 | 0021)
+#define PKCS12_DES_EDE3_168 (CIPHER_FAMILYID_PKCS12 | 0022)
 
 /* SMIME version numbers are negative, to avoid colliding with SSL versions */
-#define SMIME_LIBRARY_VERSION_1_0			-0x0100
+#define SMIME_LIBRARY_VERSION_1_0 -0x0100
 
 #endif /* _CIFERFAM_H_ */
--- a/security/nss/lib/util/derdec.c
+++ b/security/nss/lib/util/derdec.c
@@ -8,182 +8,182 @@
 static PRUint32
 der_indefinite_length(unsigned char *buf, unsigned char *end)
 {
     PRUint32 len, ret, dataLen;
     unsigned char tag, lenCode;
     int dataLenLen;
 
     len = 0;
-    while ( 1 ) {
-	if ((buf + 2) > end) {
-	    return(0);
-	}
-	
-	tag = *buf++;
-	lenCode = *buf++;
-	len += 2;
-	
-	if ( ( tag == 0 ) && ( lenCode == 0 ) ) {
-	    return(len);
-	}
-	
-	if ( lenCode == 0x80 ) {	/* indefinite length */
-	    ret = der_indefinite_length(buf, end); /* recurse to find length */
-	    if (ret == 0)
-		return 0;
-	    len += ret;
-	    buf += ret;
-	} else {			/* definite length */
-	    if (lenCode & 0x80) {
-		/* Length of data is in multibyte format */
-		dataLenLen = lenCode & 0x7f;
-		switch (dataLenLen) {
-		  case 1:
-		    dataLen = buf[0];
-		    break;
-		  case 2:
-		    dataLen = (buf[0]<<8)|buf[1];
-		    break;
-		  case 3:
-		    dataLen = ((unsigned long)buf[0]<<16)|(buf[1]<<8)|buf[2];
-		    break;
-		  case 4:
-		    dataLen = ((unsigned long)buf[0]<<24)|
-			((unsigned long)buf[1]<<16)|(buf[2]<<8)|buf[3];
-		    break;
-		  default:
-		    PORT_SetError(SEC_ERROR_BAD_DER);
-		    return SECFailure;
-		}
-	    } else {
-		/* Length of data is in single byte */
-		dataLen = lenCode;
-		dataLenLen = 0;
-	    }
+    while (1) {
+        if ((buf + 2) > end) {
+            return (0);
+        }
+
+        tag = *buf++;
+        lenCode = *buf++;
+        len += 2;
+
+        if ((tag == 0) && (lenCode == 0)) {
+            return (len);
+        }
 
-	    /* skip this item */
-	    buf = buf + dataLenLen + dataLen;
-	    len = len + dataLenLen + dataLen;
-	}
+        if (lenCode == 0x80) {                     /* indefinite length */
+            ret = der_indefinite_length(buf, end); /* recurse to find length */
+            if (ret == 0)
+                return 0;
+            len += ret;
+            buf += ret;
+        } else { /* definite length */
+            if (lenCode & 0x80) {
+                /* Length of data is in multibyte format */
+                dataLenLen = lenCode & 0x7f;
+                switch (dataLenLen) {
+                    case 1:
+                        dataLen = buf[0];
+                        break;
+                    case 2:
+                        dataLen = (buf[0] << 8) | buf[1];
+                        break;
+                    case 3:
+                        dataLen = ((unsigned long)buf[0] << 16) | (buf[1] << 8) | buf[2];
+                        break;
+                    case 4:
+                        dataLen = ((unsigned long)buf[0] << 24) |
+                                  ((unsigned long)buf[1] << 16) | (buf[2] << 8) | buf[3];
+                        break;
+                    default:
+                        PORT_SetError(SEC_ERROR_BAD_DER);
+                        return SECFailure;
+                }
+            } else {
+                /* Length of data is in single byte */
+                dataLen = lenCode;
+                dataLenLen = 0;
+            }
+
+            /* skip this item */
+            buf = buf + dataLenLen + dataLen;
+            len = len + dataLenLen + dataLen;
+        }
     }
 }
 
 /*
 ** Capture the next thing in the buffer.
 ** Returns the length of the header and the length of the contents.
 */
 static SECStatus
 der_capture(unsigned char *buf, unsigned char *end,
-	    int *header_len_p, PRUint32 *contents_len_p)
+            int *header_len_p, PRUint32 *contents_len_p)
 {
     unsigned char *bp;
     unsigned char whole_tag;
     PRUint32 contents_len;
     int tag_number;
 
     if ((buf + 2) > end) {
-	*header_len_p = 0;
-	*contents_len_p = 0;
-	if (buf == end)
-	    return SECSuccess;
-	return SECFailure;
+        *header_len_p = 0;
+        *contents_len_p = 0;
+        if (buf == end)
+            return SECSuccess;
+        return SECFailure;
     }
 
     bp = buf;
 
     /* Get tag and verify that it is ok. */
     whole_tag = *bp++;
     tag_number = whole_tag & DER_TAGNUM_MASK;
 
     /*
      * XXX This code does not (yet) handle the high-tag-number form!
      */
     if (tag_number == DER_HIGH_TAG_NUMBER) {
-	PORT_SetError(SEC_ERROR_BAD_DER);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_BAD_DER);
+        return SECFailure;
     }
 
     if ((whole_tag & DER_CLASS_MASK) == DER_UNIVERSAL) {
-	/* Check that the universal tag number is one we implement.  */
-	switch (tag_number) {
-	  case DER_BOOLEAN:
-	  case DER_INTEGER:
-	  case DER_BIT_STRING:
-	  case DER_OCTET_STRING:
-	  case DER_NULL:
-	  case DER_OBJECT_ID:
-	  case DER_SEQUENCE:
-	  case DER_SET:
-	  case DER_PRINTABLE_STRING:
-	  case DER_T61_STRING:
-	  case DER_IA5_STRING:
-	  case DER_VISIBLE_STRING:
-	  case DER_UTC_TIME:
-	  case 0:			/* end-of-contents tag */
-	    break;
-	  default:
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    return SECFailure;
-	}
+        /* Check that the universal tag number is one we implement.  */
+        switch (tag_number) {
+            case DER_BOOLEAN:
+            case DER_INTEGER:
+            case DER_BIT_STRING:
+            case DER_OCTET_STRING:
+            case DER_NULL:
+            case DER_OBJECT_ID:
+            case DER_SEQUENCE:
+            case DER_SET:
+            case DER_PRINTABLE_STRING:
+            case DER_T61_STRING:
+            case DER_IA5_STRING:
+            case DER_VISIBLE_STRING:
+            case DER_UTC_TIME:
+            case 0: /* end-of-contents tag */
+                break;
+            default:
+                PORT_SetError(SEC_ERROR_BAD_DER);
+                return SECFailure;
+        }
     }
 
     /*
      * Get first byte of length code (might contain entire length, might not).
      */
     contents_len = *bp++;
 
     /*
      * If the high bit is set, then the length is in multibyte format,
      * or the thing has an indefinite-length.
      */
     if (contents_len & 0x80) {
-	int bytes_of_encoded_len;
+        int bytes_of_encoded_len;
 
-	bytes_of_encoded_len = contents_len & 0x7f;
-	contents_len = 0;
+        bytes_of_encoded_len = contents_len & 0x7f;
+        contents_len = 0;
 
-	switch (bytes_of_encoded_len) {
-	  case 4:
-	    contents_len |= *bp++;
-	    contents_len <<= 8;
-	    /* fallthru */
-	  case 3:
-	    contents_len |= *bp++;
-	    contents_len <<= 8;
-	    /* fallthru */
-	  case 2:
-	    contents_len |= *bp++;
-	    contents_len <<= 8;
-	    /* fallthru */
-	  case 1:
-	    contents_len |= *bp++;
-	    break;
+        switch (bytes_of_encoded_len) {
+            case 4:
+                contents_len |= *bp++;
+                contents_len <<= 8;
+            /* fallthru */
+            case 3:
+                contents_len |= *bp++;
+                contents_len <<= 8;
+            /* fallthru */
+            case 2:
+                contents_len |= *bp++;
+                contents_len <<= 8;
+            /* fallthru */
+            case 1:
+                contents_len |= *bp++;
+                break;
 
-	  case 0:
-	    contents_len = der_indefinite_length (bp, end);
-	    if (contents_len)
-		break;
-	    /* fallthru */
-	  default:
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    return SECFailure;
-	}
+            case 0:
+                contents_len = der_indefinite_length(bp, end);
+                if (contents_len)
+                    break;
+            /* fallthru */
+            default:
+                PORT_SetError(SEC_ERROR_BAD_DER);
+                return SECFailure;
+        }
     }
 
     if ((bp + contents_len) > end) {
-	/* Ran past end of buffer */
-	PORT_SetError(SEC_ERROR_BAD_DER);
-	return SECFailure;
+        /* Ran past end of buffer */
+        PORT_SetError(SEC_ERROR_BAD_DER);
+        return SECFailure;
     }
 
     *header_len_p = (int)(bp - buf);
     *contents_len_p = contents_len;
 
     return SECSuccess;
 }
 
 SECStatus
 DER_Lengths(SECItem *item, int *header_len_p, PRUint32 *contents_len_p)
 {
-    return(der_capture(item->data, &item->data[item->len], header_len_p,
-		       contents_len_p));
+    return (der_capture(item->data, &item->data[item->len], header_len_p,
+                        contents_len_p));
 }
--- a/security/nss/lib/util/derenc.c
+++ b/security/nss/lib/util/derenc.c
@@ -74,399 +74,387 @@ header_length(DERTemplate *dtemplate, PR
     unsigned long encode_kind, under_kind;
     PRBool explicit, optional, universal;
 
     encode_kind = dtemplate->kind;
 
     explicit = (encode_kind & DER_EXPLICIT) ? PR_TRUE : PR_FALSE;
     optional = (encode_kind & DER_OPTIONAL) ? PR_TRUE : PR_FALSE;
     universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
-		? PR_TRUE : PR_FALSE;
+                    ? PR_TRUE
+                    : PR_FALSE;
 
-    PORT_Assert (!(explicit && universal));	/* bad templates */
+    PORT_Assert(!(explicit && universal)); /* bad templates */
 
     if (encode_kind & DER_POINTER) {
-	if (dtemplate->sub != NULL) {
-	    under_kind = dtemplate->sub->kind;
-	    if (universal) {
-		encode_kind = under_kind;
-	    }
-	} else if (universal) {
-	    under_kind = encode_kind & ~DER_POINTER;
-	} else {
-	    under_kind = dtemplate->arg;
-	}
+        if (dtemplate->sub != NULL) {
+            under_kind = dtemplate->sub->kind;
+            if (universal) {
+                encode_kind = under_kind;
+            }
+        } else if (universal) {
+            under_kind = encode_kind & ~DER_POINTER;
+        } else {
+            under_kind = dtemplate->arg;
+        }
     } else if (encode_kind & DER_INLINE) {
-	PORT_Assert (dtemplate->sub != NULL);
-	under_kind = dtemplate->sub->kind;
-	if (universal) {
-	    encode_kind = under_kind;
-	}
+        PORT_Assert(dtemplate->sub != NULL);
+        under_kind = dtemplate->sub->kind;
+        if (universal) {
+            encode_kind = under_kind;
+        }
     } else if (universal) {
-	under_kind = encode_kind;
+        under_kind = encode_kind;
     } else {
-	under_kind = dtemplate->arg;
+        under_kind = dtemplate->arg;
     }
 
     /* This is only used in decoding; it plays no part in encoding.  */
     if (under_kind & DER_DERPTR)
-	return 0;
+        return 0;
 
     /* No header at all for an "empty" optional.  */
     if ((contents_len == 0) && optional)
-	return 0;
+        return 0;
 
     /* And no header for a full DER_ANY.  */
     if (encode_kind & DER_ANY)
-	return 0;
+        return 0;
 
     /*
      * The common case: one octet for identifier and as many octets
      * as necessary to hold the content length.
      */
     len = 1 + DER_LengthLength(contents_len);
 
     /* Account for the explicit wrapper, if necessary.  */
     if (explicit) {
-#if 0		/*
-		 * Well, I was trying to do something useful, but these
-		 * assertions are too restrictive on valid templates.
-		 * I wanted to make sure that the top-level "kind" of
-		 * a template does not also specify DER_EXPLICIT, which
-		 * should only modify a component field.  Maybe later
-		 * I can figure out a better way to detect such a problem,
-		 * but for now I must remove these checks altogether.
-		 */
+#if 0 /*                                                         \
+       * Well, I was trying to do something useful, but these    \
+       * assertions are too restrictive on valid templates.      \
+       * I wanted to make sure that the top-level "kind" of      \
+       * a template does not also specify DER_EXPLICIT, which    \
+       * should only modify a component field.  Maybe later      \
+       * I can figure out a better way to detect such a problem, \
+       * but for now I must remove these checks altogether.      \
+       */
 	/*
 	 * This modifier applies only to components of a set or sequence;
 	 * it should never be used on a set/sequence itself -- confirm.
 	 */
 	PORT_Assert (under_kind != DER_SEQUENCE);
 	PORT_Assert (under_kind != DER_SET);
 #endif
 
-	len += 1 + DER_LengthLength(len + contents_len);
+        len += 1 + DER_LengthLength(len + contents_len);
     }
 
     return len;
 }
 
-
 static PRUint32
 contents_length(DERTemplate *dtemplate, void *src)
 {
     PRUint32 len;
     unsigned long encode_kind, under_kind;
     PRBool universal;
 
-
-    PORT_Assert (src != NULL);
+    PORT_Assert(src != NULL);
 
     encode_kind = dtemplate->kind;
 
     universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
-		? PR_TRUE : PR_FALSE;
+                    ? PR_TRUE
+                    : PR_FALSE;
     encode_kind &= ~DER_OPTIONAL;
 
     if (encode_kind & DER_POINTER) {
-	src = *(void **)src;
-	if (src == NULL) {
-	    return 0;
-	}
-	if (dtemplate->sub != NULL) {
-	    dtemplate = dtemplate->sub;
-	    under_kind = dtemplate->kind;
-	    src = (void *)((char *)src + dtemplate->offset);
-	} else if (universal) {
-	    under_kind = encode_kind & ~DER_POINTER;
-	} else {
-	    under_kind = dtemplate->arg;
-	}
+        src = *(void **)src;
+        if (src == NULL) {
+            return 0;
+        }
+        if (dtemplate->sub != NULL) {
+            dtemplate = dtemplate->sub;
+            under_kind = dtemplate->kind;
+            src = (void *)((char *)src + dtemplate->offset);
+        } else if (universal) {
+            under_kind = encode_kind & ~DER_POINTER;
+        } else {
+            under_kind = dtemplate->arg;
+        }
     } else if (encode_kind & DER_INLINE) {
-	PORT_Assert (dtemplate->sub != NULL);
-	dtemplate = dtemplate->sub;
-	under_kind = dtemplate->kind;
-	src = (void *)((char *)src + dtemplate->offset);
+        PORT_Assert(dtemplate->sub != NULL);
+        dtemplate = dtemplate->sub;
+        under_kind = dtemplate->kind;
+        src = (void *)((char *)src + dtemplate->offset);
     } else if (universal) {
-	under_kind = encode_kind;
+        under_kind = encode_kind;
     } else {
-	under_kind = dtemplate->arg;
+        under_kind = dtemplate->arg;
     }
 
     /* Having any of these bits is not expected here...  */
-    PORT_Assert ((under_kind & (DER_EXPLICIT | DER_INLINE | DER_OPTIONAL
-				| DER_POINTER | DER_SKIP)) == 0);
+    PORT_Assert((under_kind & (DER_EXPLICIT | DER_INLINE | DER_OPTIONAL | DER_POINTER | DER_SKIP)) == 0);
 
     /* This is only used in decoding; it plays no part in encoding.  */
     if (under_kind & DER_DERPTR)
-	return 0;
+        return 0;
 
     if (under_kind & DER_INDEFINITE) {
-	PRUint32 sub_len;
-	void   **indp = *(void ***)src;
+        PRUint32 sub_len;
+        void **indp = *(void ***)src;
 
-	if (indp == NULL)
-	    return 0;
+        if (indp == NULL)
+            return 0;
 
-	len = 0;
-	under_kind &= ~DER_INDEFINITE;
+        len = 0;
+        under_kind &= ~DER_INDEFINITE;
 
-	if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
-	    DERTemplate *tmpt = dtemplate->sub;
-	    PORT_Assert (tmpt != NULL);
+        if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
+            DERTemplate *tmpt = dtemplate->sub;
+            PORT_Assert(tmpt != NULL);
 
-	    for (; *indp != NULL; indp++) {
-		void *sub_src = (void *)((char *)(*indp) + tmpt->offset);
-		sub_len = contents_length (tmpt, sub_src);
-		len += sub_len + header_length (tmpt, sub_len);
-	    }
-	} else {
-	    /*
-	     * XXX Lisa is not sure this code (for handling, for example,
-	     * DER_INDEFINITE | DER_OCTET_STRING) is right.
-	     */
-	    for (; *indp != NULL; indp++) {
-		SECItem *item = (SECItem *)(*indp);
-		sub_len = item->len;
-		if (under_kind == DER_BIT_STRING) {
-		    sub_len = (sub_len + 7) >> 3;
-		    /* bit string contents involve an extra octet */
-		    if (sub_len)
-			sub_len++;
-		}
-		if (under_kind != DER_ANY)
-		    len += 1 + DER_LengthLength (sub_len);
-	    }
-	}
+            for (; *indp != NULL; indp++) {
+                void *sub_src = (void *)((char *)(*indp) + tmpt->offset);
+                sub_len = contents_length(tmpt, sub_src);
+                len += sub_len + header_length(tmpt, sub_len);
+            }
+        } else {
+            /*
+    	     * XXX Lisa is not sure this code (for handling, for example,
+    	     * DER_INDEFINITE | DER_OCTET_STRING) is right.
+    	     */
+            for (; *indp != NULL; indp++) {
+                SECItem *item = (SECItem *)(*indp);
+                sub_len = item->len;
+                if (under_kind == DER_BIT_STRING) {
+                    sub_len = (sub_len + 7) >> 3;
+                    /* bit string contents involve an extra octet */
+                    if (sub_len)
+                        sub_len++;
+                }
+                if (under_kind != DER_ANY)
+                    len += 1 + DER_LengthLength(sub_len);
+            }
+        }
 
-	return len;
+        return len;
     }
 
     switch (under_kind) {
-      case DER_SEQUENCE:
-      case DER_SET:
-	{
-	    DERTemplate *tmpt;
-	    void *sub_src;
-	    PRUint32 sub_len;
+        case DER_SEQUENCE:
+        case DER_SET: {
+            DERTemplate *tmpt;
+            void *sub_src;
+            PRUint32 sub_len;
 
-	    len = 0;
-	    for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
-		sub_src = (void *)((char *)src + tmpt->offset);
-		sub_len = contents_length (tmpt, sub_src);
-		len += sub_len + header_length (tmpt, sub_len);
-	    }
-	}
-	break;
+            len = 0;
+            for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
+                sub_src = (void *)((char *)src + tmpt->offset);
+                sub_len = contents_length(tmpt, sub_src);
+                len += sub_len + header_length(tmpt, sub_len);
+            }
+        } break;
 
-      case DER_BIT_STRING:
-	len = (((SECItem *)src)->len + 7) >> 3;
-	/* bit string contents involve an extra octet */
-	if (len)
-	    len++;
-	break;
+        case DER_BIT_STRING:
+            len = (((SECItem *)src)->len + 7) >> 3;
+            /* bit string contents involve an extra octet */
+            if (len)
+                len++;
+            break;
 
-      default:
-	len = ((SECItem *)src)->len;
-	break;
+        default:
+            len = ((SECItem *)src)->len;
+            break;
     }
 
     return len;
 }
 
-
 static unsigned char *
 der_encode(unsigned char *buf, DERTemplate *dtemplate, void *src)
 {
     int header_len;
     PRUint32 contents_len;
     unsigned long encode_kind, under_kind;
     PRBool explicit, universal;
 
-
     /*
      * First figure out how long the encoding will be.  Do this by
      * traversing the template from top to bottom and accumulating
      * the length of each leaf item.
      */
-    contents_len = contents_length (dtemplate, src);
-    header_len = header_length (dtemplate, contents_len);
+    contents_len = contents_length(dtemplate, src);
+    header_len = header_length(dtemplate, contents_len);
 
     /*
      * Enough smarts was involved already, so that if both the
      * header and the contents have a length of zero, then we
      * are not doing any encoding for this element.
      */
     if (header_len == 0 && contents_len == 0)
-	return buf;
+        return buf;
 
     encode_kind = dtemplate->kind;
 
     explicit = (encode_kind & DER_EXPLICIT) ? PR_TRUE : PR_FALSE;
     encode_kind &= ~DER_OPTIONAL;
     universal = ((encode_kind & DER_CLASS_MASK) == DER_UNIVERSAL)
-		? PR_TRUE : PR_FALSE;
+                    ? PR_TRUE
+                    : PR_FALSE;
 
     if (encode_kind & DER_POINTER) {
-	if (contents_len) {
-	    src = *(void **)src;
-	    PORT_Assert (src != NULL);
-	}
-	if (dtemplate->sub != NULL) {
-	    dtemplate = dtemplate->sub;
-	    under_kind = dtemplate->kind;
-	    if (universal) {
-		encode_kind = under_kind;
-	    }
-	    src = (void *)((char *)src + dtemplate->offset);
-	} else if (universal) {
-	    under_kind = encode_kind & ~DER_POINTER;
-	} else {
-	    under_kind = dtemplate->arg;
-	}
+        if (contents_len) {
+            src = *(void **)src;
+            PORT_Assert(src != NULL);
+        }
+        if (dtemplate->sub != NULL) {
+            dtemplate = dtemplate->sub;
+            under_kind = dtemplate->kind;
+            if (universal) {
+                encode_kind = under_kind;
+            }
+            src = (void *)((char *)src + dtemplate->offset);
+        } else if (universal) {
+            under_kind = encode_kind & ~DER_POINTER;
+        } else {
+            under_kind = dtemplate->arg;
+        }
     } else if (encode_kind & DER_INLINE) {
-	dtemplate = dtemplate->sub;
-	under_kind = dtemplate->kind;
-	if (universal) {
-	    encode_kind = under_kind;
-	}
-	src = (void *)((char *)src + dtemplate->offset);
+        dtemplate = dtemplate->sub;
+        under_kind = dtemplate->kind;
+        if (universal) {
+            encode_kind = under_kind;
+        }
+        src = (void *)((char *)src + dtemplate->offset);
     } else if (universal) {
-	under_kind = encode_kind;
+        under_kind = encode_kind;
     } else {
-	under_kind = dtemplate->arg;
+        under_kind = dtemplate->arg;
     }
 
     if (explicit) {
-	buf = DER_StoreHeader (buf, encode_kind,
-			       (1 + DER_LengthLength(contents_len)
-				+ contents_len));
-	encode_kind = under_kind;
+        buf = DER_StoreHeader(buf, encode_kind,
+                              (1 + DER_LengthLength(contents_len) + contents_len));
+        encode_kind = under_kind;
     }
 
-    if ((encode_kind & DER_ANY) == 0) {	/* DER_ANY already contains header */
-	buf = DER_StoreHeader (buf, encode_kind, contents_len);
+    if ((encode_kind & DER_ANY) == 0) { /* DER_ANY already contains header */
+        buf = DER_StoreHeader(buf, encode_kind, contents_len);
     }
 
     /* If no real contents to encode, then we are done.  */
     if (contents_len == 0)
-	return buf;
+        return buf;
 
     if (under_kind & DER_INDEFINITE) {
-	void **indp;
+        void **indp;
 
-	indp = *(void ***)src;
-	PORT_Assert (indp != NULL);
+        indp = *(void ***)src;
+        PORT_Assert(indp != NULL);
 
-	under_kind &= ~DER_INDEFINITE;
-	if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
-	    DERTemplate *tmpt = dtemplate->sub;
-	    PORT_Assert (tmpt != NULL);
-	    for (; *indp != NULL; indp++) {
-		void *sub_src = (void *)((char *)(*indp) + tmpt->offset);
-		buf = der_encode (buf, tmpt, sub_src);
-	    }
-	} else {
-	    for (; *indp != NULL; indp++) {
-		SECItem *item;
-		int sub_len;
+        under_kind &= ~DER_INDEFINITE;
+        if (under_kind == DER_SET || under_kind == DER_SEQUENCE) {
+            DERTemplate *tmpt = dtemplate->sub;
+            PORT_Assert(tmpt != NULL);
+            for (; *indp != NULL; indp++) {
+                void *sub_src = (void *)((char *)(*indp) + tmpt->offset);
+                buf = der_encode(buf, tmpt, sub_src);
+            }
+        } else {
+            for (; *indp != NULL; indp++) {
+                SECItem *item;
+                int sub_len;
 
-		item = (SECItem *)(*indp);
-		sub_len = item->len;
-		if (under_kind == DER_BIT_STRING) {
-		    if (sub_len) {
-			int rem;
+                item = (SECItem *)(*indp);
+                sub_len = item->len;
+                if (under_kind == DER_BIT_STRING) {
+                    if (sub_len) {
+                        int rem;
 
-			sub_len = (sub_len + 7) >> 3;
-			buf = DER_StoreHeader (buf, under_kind, sub_len + 1);
-			rem = (sub_len << 3) - item->len;
-			*buf++ = rem;		/* remaining bits */
-		    } else {
-			buf = DER_StoreHeader (buf, under_kind, 0);
-		    }
-		} else if (under_kind != DER_ANY) {
-		    buf = DER_StoreHeader (buf, under_kind, sub_len);
-		}
-		PORT_Memcpy (buf, item->data, sub_len);
-		buf += sub_len;
-	    }
-	}
-	return buf;
+                        sub_len = (sub_len + 7) >> 3;
+                        buf = DER_StoreHeader(buf, under_kind, sub_len + 1);
+                        rem = (sub_len << 3) - item->len;
+                        *buf++ = rem; /* remaining bits */
+                    } else {
+                        buf = DER_StoreHeader(buf, under_kind, 0);
+                    }
+                } else if (under_kind != DER_ANY) {
+                    buf = DER_StoreHeader(buf, under_kind, sub_len);
+                }
+                PORT_Memcpy(buf, item->data, sub_len);
+                buf += sub_len;
+            }
+        }
+        return buf;
     }
 
     switch (under_kind) {
-      case DER_SEQUENCE:
-      case DER_SET:
-	{
-	    DERTemplate *tmpt;
-	    void *sub_src;
+        case DER_SEQUENCE:
+        case DER_SET: {
+            DERTemplate *tmpt;
+            void *sub_src;
 
-	    for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
-		sub_src = (void *)((char *)src + tmpt->offset);
-		buf = der_encode (buf, tmpt, sub_src);
-	    }
-	}
-	break;
+            for (tmpt = dtemplate + 1; tmpt->kind; tmpt++) {
+                sub_src = (void *)((char *)src + tmpt->offset);
+                buf = der_encode(buf, tmpt, sub_src);
+            }
+        } break;
 
-      case DER_BIT_STRING:
-	{
-	    SECItem *item;
-	    int rem;
+        case DER_BIT_STRING: {
+            SECItem *item;
+            int rem;
 
-	    /*
-	     * The contents length includes our extra octet; subtract
-	     * it off so we just have the real string length there.
-	     */
-	    contents_len--;
-	    item = (SECItem *)src;
-	    PORT_Assert (contents_len == ((item->len + 7) >> 3));
-	    rem = (contents_len << 3) - item->len;
-	    *buf++ = rem;		/* remaining bits */
-	    PORT_Memcpy (buf, item->data, contents_len);
-	    buf += contents_len;
-	}
-	break;
+            /*
+    	     * The contents length includes our extra octet; subtract
+    	     * it off so we just have the real string length there.
+    	     */
+            contents_len--;
+            item = (SECItem *)src;
+            PORT_Assert(contents_len == ((item->len + 7) >> 3));
+            rem = (contents_len << 3) - item->len;
+            *buf++ = rem; /* remaining bits */
+            PORT_Memcpy(buf, item->data, contents_len);
+            buf += contents_len;
+        } break;
 
-      default:
-	{
-	    SECItem *item;
+        default: {
+            SECItem *item;
 
-	    item = (SECItem *)src;
-	    PORT_Assert (contents_len == item->len);
-	    PORT_Memcpy (buf, item->data, contents_len);
-	    buf += contents_len;
-	}
-	break;
+            item = (SECItem *)src;
+            PORT_Assert(contents_len == item->len);
+            PORT_Memcpy(buf, item->data, contents_len);
+            buf += contents_len;
+        } break;
     }
 
     return buf;
 }
 
-
 SECStatus
 DER_Encode(PLArenaPool *arena, SECItem *dest, DERTemplate *dtemplate, void *src)
 {
     unsigned int contents_len, header_len;
 
     src = (void **)((char *)src + dtemplate->offset);
 
     /*
      * First figure out how long the encoding will be. Do this by
      * traversing the template from top to bottom and accumulating
      * the length of each leaf item.
      */
-    contents_len = contents_length (dtemplate, src);
-    header_len = header_length (dtemplate, contents_len);
+    contents_len = contents_length(dtemplate, src);
+    header_len = header_length(dtemplate, contents_len);
 
     dest->len = contents_len + header_len;
 
     /* Allocate storage to hold the encoding */
-    dest->data = (unsigned char*) PORT_ArenaAlloc(arena, dest->len);
+    dest->data = (unsigned char *)PORT_ArenaAlloc(arena, dest->len);
     if (dest->data == NULL) {
-	PORT_SetError(SEC_ERROR_NO_MEMORY);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return SECFailure;
     }
 
     /* Now encode into the buffer */
-    (void) der_encode (dest->data, dtemplate, src);
+    (void)der_encode(dest->data, dtemplate, src);
 
     return SECSuccess;
 }
--- a/security/nss/lib/util/dersubr.c
+++ b/security/nss/lib/util/dersubr.c
@@ -5,122 +5,121 @@
 #include "secder.h"
 #include <limits.h>
 #include "secerr.h"
 
 int
 DER_LengthLength(PRUint32 len)
 {
     if (len > 127) {
-	if (len > 255) {
-	    if (len > 65535L) {
-		if (len > 16777215L) {
-		    return 5;
-		} else {
-		    return 4;
-		}
-	    } else {
-		return 3;
-	    }
-	} else {
-	    return 2;
-	}
+        if (len > 255) {
+            if (len > 65535L) {
+                if (len > 16777215L) {
+                    return 5;
+                } else {
+                    return 4;
+                }
+            } else {
+                return 3;
+            }
+        } else {
+            return 2;
+        }
     } else {
-	return 1;
+        return 1;
     }
 }
 
 unsigned char *
 DER_StoreHeader(unsigned char *buf, unsigned int code, PRUint32 len)
 {
     unsigned char b[4];
 
     b[0] = (unsigned char)(len >> 24);
     b[1] = (unsigned char)(len >> 16);
     b[2] = (unsigned char)(len >> 8);
     b[3] = (unsigned char)len;
-    if ((code & DER_TAGNUM_MASK) == DER_SET
-	|| (code & DER_TAGNUM_MASK) == DER_SEQUENCE)
-	code |= DER_CONSTRUCTED;
+    if ((code & DER_TAGNUM_MASK) == DER_SET || (code & DER_TAGNUM_MASK) == DER_SEQUENCE)
+        code |= DER_CONSTRUCTED;
     *buf++ = code;
     if (len > 127) {
-	if (len > 255) {
-	    if (len > 65535) {
-		if (len > 16777215) {
-		    *buf++ = 0x84;
-		    *buf++ = b[0];
-		    *buf++ = b[1];
-		    *buf++ = b[2];
-		    *buf++ = b[3];
-		} else {
-		    *buf++ = 0x83;
-		    *buf++ = b[1];
-		    *buf++ = b[2];
-		    *buf++ = b[3];
-		}
-	    } else {
-		*buf++ = 0x82;
-		*buf++ = b[2];
-		*buf++ = b[3];
-	    }
-	} else {
-	    *buf++ = 0x81;
-	    *buf++ = b[3];
-	}
+        if (len > 255) {
+            if (len > 65535) {
+                if (len > 16777215) {
+                    *buf++ = 0x84;
+                    *buf++ = b[0];
+                    *buf++ = b[1];
+                    *buf++ = b[2];
+                    *buf++ = b[3];
+                } else {
+                    *buf++ = 0x83;
+                    *buf++ = b[1];
+                    *buf++ = b[2];
+                    *buf++ = b[3];
+                }
+            } else {
+                *buf++ = 0x82;
+                *buf++ = b[2];
+                *buf++ = b[3];
+            }
+        } else {
+            *buf++ = 0x81;
+            *buf++ = b[3];
+        }
     } else {
-	*buf++ = b[3];
+        *buf++ = b[3];
     }
     return buf;
 }
 
 /*
  * XXX This should be rewritten, generalized, to take a long instead
  * of a PRInt32.
  */
 SECStatus
 DER_SetInteger(PLArenaPool *arena, SECItem *it, PRInt32 i)
 {
     unsigned char bb[4];
     unsigned len;
 
-    bb[0] = (unsigned char) (i >> 24);
-    bb[1] = (unsigned char) (i >> 16);
-    bb[2] = (unsigned char) (i >> 8);
-    bb[3] = (unsigned char) (i);
+    bb[0] = (unsigned char)(i >> 24);
+    bb[1] = (unsigned char)(i >> 16);
+    bb[2] = (unsigned char)(i >> 8);
+    bb[3] = (unsigned char)(i);
 
     /*
     ** Small integers are encoded in a single byte. Larger integers
     ** require progressively more space.
     */
     if (i < -128) {
-	if (i < -32768L) {
-	    if (i < -8388608L) {
-		len = 4;
-	    } else {
-		len = 3;
-	    }
-	} else {
-	    len = 2;
-	}
+        if (i < -32768L) {
+            if (i < -8388608L) {
+                len = 4;
+            } else {
+                len = 3;
+            }
+        } else {
+            len = 2;
+        }
     } else if (i > 127) {
-	if (i > 32767L) {
-	    if (i > 8388607L) {
-		len = 4;
-	    } else {
-		len = 3;
-	    }
-	} else {
-	    len = 2;
-	}
+        if (i > 32767L) {
+            if (i > 8388607L) {
+                len = 4;
+            } else {
+                len = 3;
+            }
+        } else {
+            len = 2;
+        }
     } else {
-	len = 1;
+        len = 1;
     }
-    it->data = (unsigned char*) PORT_ArenaAlloc(arena, len);
+    it->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
     if (!it->data) {
-	return SECFailure;
+        return SECFailure;
     }
     it->len = len;
     PORT_Memcpy(it->data, bb + (4 - len), len);
     return SECSuccess;
 }
 
 /*
  * XXX This should be rewritten, generalized, to take an unsigned long instead
@@ -128,46 +127,46 @@ DER_SetInteger(PLArenaPool *arena, SECIt
  */
 SECStatus
 DER_SetUInteger(PLArenaPool *arena, SECItem *it, PRUint32 ui)
 {
     unsigned char bb[5];
     int len;
 
     bb[0] = 0;
-    bb[1] = (unsigned char) (ui >> 24);
-    bb[2] = (unsigned char) (ui >> 16);
-    bb[3] = (unsigned char) (ui >> 8);
-    bb[4] = (unsigned char) (ui);
+    bb[1] = (unsigned char)(ui >> 24);
+    bb[2] = (unsigned char)(ui >> 16);
+    bb[3] = (unsigned char)(ui >> 8);
+    bb[4] = (unsigned char)(ui);
 
     /*
     ** Small integers are encoded in a single byte. Larger integers
     ** require progressively more space.
     */
     if (ui > 0x7f) {
-	if (ui > 0x7fff) {
-	    if (ui > 0x7fffffL) {
-		if (ui >= 0x80000000L) {
-		    len = 5;
-		} else {
-		    len = 4;
-		}
-	    } else {
-		len = 3;
-	    }
-	} else {
-	    len = 2;
-	}
+        if (ui > 0x7fff) {
+            if (ui > 0x7fffffL) {
+                if (ui >= 0x80000000L) {
+                    len = 5;
+                } else {
+                    len = 4;
+                }
+            } else {
+                len = 3;
+            }
+        } else {
+            len = 2;
+        }
     } else {
-	len = 1;
+        len = 1;
     }
 
     it->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
     if (it->data == NULL) {
-	return SECFailure;
+        return SECFailure;
     }
 
     it->len = len;
     PORT_Memcpy(it->data, bb + (sizeof(bb) - len), len);
 
     return SECSuccess;
 }
 
@@ -183,41 +182,41 @@ DER_GetInteger(const SECItem *it)
     unsigned int len = it->len;
     unsigned int originalLength = len;
     unsigned char *cp = it->data;
     unsigned long overflow = 0x1ffUL << (((sizeof(ival) - 1) * 8) - 1);
     unsigned long mask = 1;
 
     PORT_Assert(len);
     if (!len) {
-	PORT_SetError(SEC_ERROR_INPUT_LEN);
-	return 0;
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return 0;
     }
 
     if (*cp & 0x80) {
-	negative = PR_TRUE;
-	overflow <<= 1;
+        negative = PR_TRUE;
+        overflow <<= 1;
     }
 
     while (len) {
-	if ((ival & overflow) != 0) {
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    if (negative) {
-		return LONG_MIN;
-	    }
-	    return LONG_MAX;
-	}
-	ival = ival << 8;
-	ival |= *cp++;
-	--len;
+        if ((ival & overflow) != 0) {
+            PORT_SetError(SEC_ERROR_BAD_DER);
+            if (negative) {
+                return LONG_MIN;
+            }
+            return LONG_MAX;
+        }
+        ival = ival << 8;
+        ival |= *cp++;
+        --len;
     }
     if (negative && ival && (overflow & ival) == 0) {
-	mask <<=  ((originalLength  * 8) - 1);
-	ival &= ~mask;
-	ival -= mask;
+        mask <<= ((originalLength * 8) - 1);
+        ival &= ~mask;
+        ival -= mask;
     }
     return ival;
 }
 
 /*
 ** Convert a der encoded *unsigned* integer into a machine integral value.
 ** If an overflow occurs, sets error code and returns max.
 */
@@ -226,29 +225,29 @@ DER_GetUInteger(SECItem *it)
 {
     unsigned long ival = 0;
     unsigned len = it->len;
     unsigned char *cp = it->data;
     unsigned long overflow = 0xffUL << ((sizeof(ival) - 1) * 8);
 
     PORT_Assert(len);
     if (!len) {
-	PORT_SetError(SEC_ERROR_INPUT_LEN);
-	return 0;
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
+        return 0;
     }
 
     /* Cannot put a negative value into an unsigned container. */
     if (*cp & 0x80) {
-	PORT_SetError(SEC_ERROR_BAD_DER);
-	return 0;
+        PORT_SetError(SEC_ERROR_BAD_DER);
+        return 0;
     }
 
     while (len) {
-	if (ival & overflow) {
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    return ULONG_MAX;
-	}
-	ival = ival << 8;
-	ival |= *cp++;
-	--len;
+        if (ival & overflow) {
+            PORT_SetError(SEC_ERROR_BAD_DER);
+            return ULONG_MAX;
+        }
+        ival = ival << 8;
+        ival |= *cp++;
+        --len;
     }
     return ival;
 }
--- a/security/nss/lib/util/dertime.c
+++ b/security/nss/lib/util/dertime.c
@@ -7,60 +7,61 @@
 #include "secder.h"
 #include "prlong.h"
 #include "secerr.h"
 
 #define HIDIGIT(v) (((v) / 10) + '0')
 #define LODIGIT(v) (((v) % 10) + '0')
 
 #define ISDIGIT(dig) (((dig) >= '0') && ((dig) <= '9'))
-#define CAPTURE(var,p,label)				  \
-{							  \
-    if (!ISDIGIT((p)[0]) || !ISDIGIT((p)[1])) goto label; \
-    (var) = ((p)[0] - '0') * 10 + ((p)[1] - '0');	  \
-    p += 2; \
-}
+#define CAPTURE(var, p, label)                        \
+    {                                                 \
+        if (!ISDIGIT((p)[0]) || !ISDIGIT((p)[1]))     \
+            goto label;                               \
+        (var) = ((p)[0] - '0') * 10 + ((p)[1] - '0'); \
+        p += 2;                                       \
+    }
 
-static const PRTime January1st1     = PR_INT64(0xff23400100d44000);
-static const PRTime January1st1950  = PR_INT64(0xfffdc1f8793da000);
-static const PRTime January1st2050  = PR_INT64(0x0008f81e1b098000);
+static const PRTime January1st1 = PR_INT64(0xff23400100d44000);
+static const PRTime January1st1950 = PR_INT64(0xfffdc1f8793da000);
+static const PRTime January1st2050 = PR_INT64(0x0008f81e1b098000);
 static const PRTime January1st10000 = PR_INT64(0x0384440ccc736000);
 
 /* gmttime must contains UTC time in micro-seconds unit */
 SECStatus
-DER_TimeToUTCTimeArena(PLArenaPool* arenaOpt, SECItem *dst, PRTime gmttime)
+DER_TimeToUTCTimeArena(PLArenaPool *arenaOpt, SECItem *dst, PRTime gmttime)
 {
     PRExplodedTime printableTime;
     unsigned char *d;
 
-    if ( (gmttime < January1st1950) || (gmttime >= January1st2050) ) {
+    if ((gmttime < January1st1950) || (gmttime >= January1st2050)) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
     dst->len = 13;
     if (arenaOpt) {
-        dst->data = d = (unsigned char*) PORT_ArenaAlloc(arenaOpt, dst->len);
+        dst->data = d = (unsigned char *)PORT_ArenaAlloc(arenaOpt, dst->len);
     } else {
-        dst->data = d = (unsigned char*) PORT_Alloc(dst->len);
+        dst->data = d = (unsigned char *)PORT_Alloc(dst->len);
     }
     dst->type = siUTCTime;
     if (!d) {
-	return SECFailure;
+        return SECFailure;
     }
 
     /* Convert a PRTime to a printable format.  */
     PR_ExplodeTime(gmttime, PR_GMTParameters, &printableTime);
 
     /* The month in UTC time is base one */
     printableTime.tm_month++;
 
-    /* remove the century since it's added to the tm_year by the 
+    /* remove the century since it's added to the tm_year by the
        PR_ExplodeTime routine, but is not needed for UTC time */
-    printableTime.tm_year %= 100; 
+    printableTime.tm_year %= 100;
 
     d[0] = HIDIGIT(printableTime.tm_year);
     d[1] = LODIGIT(printableTime.tm_year);
     d[2] = HIDIGIT(printableTime.tm_month);
     d[3] = LODIGIT(printableTime.tm_month);
     d[4] = HIDIGIT(printableTime.tm_mday);
     d[5] = LODIGIT(printableTime.tm_mday);
     d[6] = HIDIGIT(printableTime.tm_hour);
@@ -75,106 +76,106 @@ DER_TimeToUTCTimeArena(PLArenaPool* aren
 
 SECStatus
 DER_TimeToUTCTime(SECItem *dst, PRTime gmttime)
 {
     return DER_TimeToUTCTimeArena(NULL, dst, gmttime);
 }
 
 static SECStatus /* forward */
-der_TimeStringToTime(PRTime *dst, const char *string, int generalized,
-                     const char **endptr);
+    der_TimeStringToTime(PRTime *dst, const char *string, int generalized,
+                         const char **endptr);
 
 #define GEN_STRING 2 /* TimeString is a GeneralizedTime */
 #define UTC_STRING 0 /* TimeString is a UTCTime         */
 
 /* The caller of DER_AsciiToItem MUST ENSURE that either
 ** a) "string" points to a null-terminated ASCII string, or
-** b) "string" points to a buffer containing a valid UTCTime, 
+** b) "string" points to a buffer containing a valid UTCTime,
 **     whether null terminated or not, or
 ** c) "string" contains at least 19 characters, with or without null char.
 ** otherwise, this function may UMR and/or crash.
 ** It suffices to ensure that the input "string" is at least 17 bytes long.
 */
 SECStatus
 DER_AsciiToTime(PRTime *dst, const char *string)
 {
     return der_TimeStringToTime(dst, string, UTC_STRING, NULL);
 }
 
 SECStatus
 DER_UTCTimeToTime(PRTime *dst, const SECItem *time)
 {
-    /* Minimum valid UTCTime is yymmddhhmmZ       which is 11 bytes. 
+    /* Minimum valid UTCTime is yymmddhhmmZ       which is 11 bytes.
     ** Maximum valid UTCTime is yymmddhhmmss+0000 which is 17 bytes.
-    ** 20 should be large enough for all valid encoded times. 
+    ** 20 should be large enough for all valid encoded times.
     */
     unsigned int i;
     char localBuf[20];
     const char *end = NULL;
     SECStatus rv;
 
     if (!time || !time->data || time->len < 11 || time->len > 17) {
-	PORT_SetError(SEC_ERROR_INVALID_TIME);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_TIME);
+        return SECFailure;
     }
 
     for (i = 0; i < time->len; i++) {
-	if (time->data[i] == '\0') {
-	    PORT_SetError(SEC_ERROR_INVALID_TIME);
-	    return SECFailure;
-	}
-	localBuf[i] = time->data[i];
+        if (time->data[i] == '\0') {
+            PORT_SetError(SEC_ERROR_INVALID_TIME);
+            return SECFailure;
+        }
+        localBuf[i] = time->data[i];
     }
     localBuf[i] = '\0';
 
     rv = der_TimeStringToTime(dst, localBuf, UTC_STRING, &end);
     if (rv == SECSuccess && *end != '\0') {
-	PORT_SetError(SEC_ERROR_INVALID_TIME);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_TIME);
+        return SECFailure;
     }
     return rv;
 }
 
 /*
    gmttime must contains UTC time in micro-seconds unit.
    Note: the caller should make sure that Generalized time
    should only be used for certifiate validities after the
    year 2049.  Otherwise, UTC time should be used.  This routine
    does not check this case, since it can be used to encode
-   certificate extension, which does not have this restriction. 
+   certificate extension, which does not have this restriction.
  */
 SECStatus
-DER_TimeToGeneralizedTimeArena(PLArenaPool* arenaOpt, SECItem *dst, PRTime gmttime)
+DER_TimeToGeneralizedTimeArena(PLArenaPool *arenaOpt, SECItem *dst, PRTime gmttime)
 {
     PRExplodedTime printableTime;
     unsigned char *d;
 
-    if ( (gmttime<January1st1) || (gmttime>=January1st10000) ) {
+    if ((gmttime < January1st1) || (gmttime >= January1st10000)) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     dst->len = 15;
     if (arenaOpt) {
-        dst->data = d = (unsigned char*) PORT_ArenaAlloc(arenaOpt, dst->len);
+        dst->data = d = (unsigned char *)PORT_ArenaAlloc(arenaOpt, dst->len);
     } else {
-        dst->data = d = (unsigned char*) PORT_Alloc(dst->len);
+        dst->data = d = (unsigned char *)PORT_Alloc(dst->len);
     }
     dst->type = siGeneralizedTime;
     if (!d) {
-	return SECFailure;
+        return SECFailure;
     }
 
     /* Convert a PRTime to a printable format.  */
     PR_ExplodeTime(gmttime, PR_GMTParameters, &printableTime);
 
     /* The month in Generalized time is base one */
     printableTime.tm_month++;
 
-    d[0] = (printableTime.tm_year /1000) + '0';
+    d[0] = (printableTime.tm_year / 1000) + '0';
     d[1] = ((printableTime.tm_year % 1000) / 100) + '0';
     d[2] = ((printableTime.tm_year % 100) / 10) + '0';
     d[3] = (printableTime.tm_year % 10) + '0';
     d[4] = HIDIGIT(printableTime.tm_month);
     d[5] = LODIGIT(printableTime.tm_month);
     d[6] = HIDIGIT(printableTime.tm_mday);
     d[7] = LODIGIT(printableTime.tm_mday);
     d[8] = HIDIGIT(printableTime.tm_hour);
@@ -188,119 +189,118 @@ DER_TimeToGeneralizedTimeArena(PLArenaPo
 }
 
 SECStatus
 DER_TimeToGeneralizedTime(SECItem *dst, PRTime gmttime)
 {
     return DER_TimeToGeneralizedTimeArena(NULL, dst, gmttime);
 }
 
-
 SECStatus
 DER_GeneralizedTimeToTime(PRTime *dst, const SECItem *time)
 {
     /* Minimum valid GeneralizedTime is ccyymmddhhmmZ       which is 13 bytes.
     ** Maximum valid GeneralizedTime is ccyymmddhhmmss+0000 which is 19 bytes.
-    ** 20 should be large enough for all valid encoded times. 
+    ** 20 should be large enough for all valid encoded times.
     */
     unsigned int i;
     char localBuf[20];
     const char *end = NULL;
     SECStatus rv;
 
     if (!time || !time->data || time->len < 13 || time->len > 19) {
-	PORT_SetError(SEC_ERROR_INVALID_TIME);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_TIME);
+        return SECFailure;
     }
 
     for (i = 0; i < time->len; i++) {
-	if (time->data[i] == '\0') {
-	    PORT_SetError(SEC_ERROR_INVALID_TIME);
-	    return SECFailure;
-	}
-	localBuf[i] = time->data[i];
+        if (time->data[i] == '\0') {
+            PORT_SetError(SEC_ERROR_INVALID_TIME);
+            return SECFailure;
+        }
+        localBuf[i] = time->data[i];
     }
     localBuf[i] = '\0';
 
     rv = der_TimeStringToTime(dst, localBuf, GEN_STRING, &end);
     if (rv == SECSuccess && *end != '\0') {
-	PORT_SetError(SEC_ERROR_INVALID_TIME);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_TIME);
+        return SECFailure;
     }
     return rv;
 }
 
 static SECStatus
 der_TimeStringToTime(PRTime *dst, const char *string, int generalized,
                      const char **endptr)
 {
     PRExplodedTime genTime;
     long hourOff = 0, minOff = 0;
     PRUint16 century;
     char signum;
 
     if (string == NULL || dst == NULL) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     /* Verify time is formatted properly and capture information */
     memset(&genTime, 0, sizeof genTime);
 
     if (generalized == UTC_STRING) {
-	CAPTURE(genTime.tm_year, string, loser);
-	century = (genTime.tm_year < 50) ? 20 : 19;
+        CAPTURE(genTime.tm_year, string, loser);
+        century = (genTime.tm_year < 50) ? 20 : 19;
     } else {
-	CAPTURE(century, string, loser);
-	CAPTURE(genTime.tm_year, string, loser);
+        CAPTURE(century, string, loser);
+        CAPTURE(genTime.tm_year, string, loser);
     }
     genTime.tm_year += century * 100;
 
     CAPTURE(genTime.tm_month, string, loser);
-    if ((genTime.tm_month == 0) || (genTime.tm_month > 12)) 
-    	goto loser;
+    if ((genTime.tm_month == 0) || (genTime.tm_month > 12))
+        goto loser;
 
     /* NSPR month base is 0 */
     --genTime.tm_month;
-    
+
     CAPTURE(genTime.tm_mday, string, loser);
-    if ((genTime.tm_mday == 0) || (genTime.tm_mday > 31)) 
-    	goto loser;
-    
+    if ((genTime.tm_mday == 0) || (genTime.tm_mday > 31))
+        goto loser;
+
     CAPTURE(genTime.tm_hour, string, loser);
-    if (genTime.tm_hour > 23) 
-    	goto loser;
-    
+    if (genTime.tm_hour > 23)
+        goto loser;
+
     CAPTURE(genTime.tm_min, string, loser);
-    if (genTime.tm_min > 59) 
-    	goto loser;
-    
+    if (genTime.tm_min > 59)
+        goto loser;
+
     if (ISDIGIT(string[0])) {
-	CAPTURE(genTime.tm_sec, string, loser);
-	if (genTime.tm_sec > 59) 
-	    goto loser;
+        CAPTURE(genTime.tm_sec, string, loser);
+        if (genTime.tm_sec > 59)
+            goto loser;
     }
     signum = *string++;
     if (signum == '+' || signum == '-') {
-	CAPTURE(hourOff, string, loser);
-	if (hourOff > 23) 
-	    goto loser;
-	CAPTURE(minOff, string, loser);
-	if (minOff > 59) 
-	    goto loser;
-	if (signum == '-') {
-	    hourOff = -hourOff;
-	    minOff  = -minOff;
-	}
+        CAPTURE(hourOff, string, loser);
+        if (hourOff > 23)
+            goto loser;
+        CAPTURE(minOff, string, loser);
+        if (minOff > 59)
+            goto loser;
+        if (signum == '-') {
+            hourOff = -hourOff;
+            minOff = -minOff;
+        }
     } else if (signum != 'Z') {
-	goto loser;
+        goto loser;
     }
 
     if (endptr)
-    	*endptr = string;
+        *endptr = string;
 
     /* Convert the GMT offset to seconds and save it in genTime
      * for the implode time call.
      */
     genTime.tm_params.tp_gmt_offset = (PRInt32)((hourOff * 60L + minOff) * 60L);
     *dst = PR_ImplodeTime(&genTime);
     return SECSuccess;
 
--- a/security/nss/lib/util/errstrs.c
+++ b/security/nss/lib/util/errstrs.c
@@ -7,34 +7,35 @@
 #include "prinit.h"
 #include "prprf.h"
 #include "prtypes.h"
 #include "prlog.h"
 #include "plstr.h"
 #include "nssutil.h"
 #include <string.h>
 
-#define ER3(name, value, str) {#name, str},
+#define ER3(name, value, str) { #name, str },
 
 static const struct PRErrorMessage sectext[] = {
 #include "SECerrs.h"
-    {0,0}
+    { 0, 0 }
 };
 
 static const struct PRErrorTable sec_et = {
-    sectext, "secerrstrings", SEC_ERROR_BASE, 
-        (sizeof sectext)/(sizeof sectext[0]) 
+    sectext, "secerrstrings", SEC_ERROR_BASE,
+    (sizeof sectext) / (sizeof sectext[0])
 };
 
-static PRStatus 
-nss_InitializePRErrorTableOnce(void) {
+static PRStatus
+nss_InitializePRErrorTableOnce(void)
+{
     return PR_ErrorInstallTable(&sec_et);
 }
 
 static PRCallOnceType once;
 
 SECStatus
 NSS_InitializePRErrorTable(void)
 {
     return (PR_SUCCESS == PR_CallOnce(&once, nss_InitializePRErrorTableOnce))
-		? SECSuccess : SECFailure;
+               ? SECSuccess
+               : SECFailure;
 }
-
--- a/security/nss/lib/util/hasht.h
+++ b/security/nss/lib/util/hasht.h
@@ -11,51 +11,51 @@
 typedef struct SECHashObjectStr SECHashObject;
 typedef struct HASHContextStr HASHContext;
 
 /*
  * The hash functions the security library supports
  * NOTE the order must match the definition of SECHashObjects[]!
  */
 typedef enum {
-    HASH_AlgNULL   = 0,
-    HASH_AlgMD2    = 1,
-    HASH_AlgMD5    = 2,
-    HASH_AlgSHA1   = 3,
+    HASH_AlgNULL = 0,
+    HASH_AlgMD2 = 1,
+    HASH_AlgMD5 = 2,
+    HASH_AlgSHA1 = 3,
     HASH_AlgSHA256 = 4,
     HASH_AlgSHA384 = 5,
     HASH_AlgSHA512 = 6,
     HASH_AlgSHA224 = 7,
     HASH_AlgTOTAL
 } HASH_HashType;
 
 /*
  * Number of bytes each hash algorithm produces
  */
-#define MD2_LENGTH	16
-#define MD5_LENGTH	16
-#define SHA1_LENGTH	20
-#define SHA224_LENGTH 	28
-#define SHA256_LENGTH 	32
-#define SHA384_LENGTH 	48
-#define SHA512_LENGTH 	64
+#define MD2_LENGTH 16
+#define MD5_LENGTH 16
+#define SHA1_LENGTH 20
+#define SHA224_LENGTH 28
+#define SHA256_LENGTH 32
+#define SHA384_LENGTH 48
+#define SHA512_LENGTH 64
 #define HASH_LENGTH_MAX SHA512_LENGTH
 
 /*
  * Structure to hold hash computation info and routines
  */
 struct SECHashObjectStr {
-    unsigned int length;  /* hash output length (in bytes) */
-    void * (*create)(void);
-    void * (*clone)(void *);
+    unsigned int length; /* hash output length (in bytes) */
+    void *(*create)(void);
+    void *(*clone)(void *);
     void (*destroy)(void *, PRBool);
     void (*begin)(void *);
     void (*update)(void *, const unsigned char *, unsigned int);
     void (*end)(void *, unsigned char *, unsigned int *, unsigned int);
-    unsigned int blocklength;  /* hash input block size (in bytes) */
+    unsigned int blocklength; /* hash input block size (in bytes) */
     HASH_HashType type;
     void (*end_raw)(void *, unsigned char *, unsigned int *, unsigned int);
 };
 
 struct HASHContextStr {
     const struct SECHashObjectStr *hashobj;
     void *hash_context;
 };
--- a/security/nss/lib/util/nssb64.h
+++ b/security/nss/lib/util/nssb64.h
@@ -14,65 +14,65 @@
 
 SEC_BEGIN_PROTOS
 
 /*
  * Functions to start a base64 decoding/encoding context.
  */
 
 extern NSSBase64Decoder *
-NSSBase64Decoder_Create (PRInt32 (*output_fn) (void *, const unsigned char *,
-					       PRInt32),
-			 void *output_arg);
+NSSBase64Decoder_Create(PRInt32 (*output_fn)(void *, const unsigned char *,
+                                             PRInt32),
+                        void *output_arg);
 
 extern NSSBase64Encoder *
-NSSBase64Encoder_Create (PRInt32 (*output_fn) (void *, const char *, PRInt32),
-			 void *output_arg);
+NSSBase64Encoder_Create(PRInt32 (*output_fn)(void *, const char *, PRInt32),
+                        void *output_arg);
 
 /*
  * Push data through the decoder/encoder, causing the output_fn (provided
  * to Create) to be called with the decoded/encoded data.
  */
 
 extern SECStatus
-NSSBase64Decoder_Update (NSSBase64Decoder *data, const char *buffer,
-			 PRUint32 size);
+NSSBase64Decoder_Update(NSSBase64Decoder *data, const char *buffer,
+                        PRUint32 size);
 
 extern SECStatus
-NSSBase64Encoder_Update (NSSBase64Encoder *data, const unsigned char *buffer,
-			 PRUint32 size);
+NSSBase64Encoder_Update(NSSBase64Encoder *data, const unsigned char *buffer,
+                        PRUint32 size);
 
 /*
  * When you're done processing, call this to close the context.
  * If "abort_p" is false, then calling this may cause the output_fn
  * to be called one last time (as the last buffered data is flushed out).
  */
 
 extern SECStatus
-NSSBase64Decoder_Destroy (NSSBase64Decoder *data, PRBool abort_p);
+NSSBase64Decoder_Destroy(NSSBase64Decoder *data, PRBool abort_p);
 
 extern SECStatus
-NSSBase64Encoder_Destroy (NSSBase64Encoder *data, PRBool abort_p);
+NSSBase64Encoder_Destroy(NSSBase64Encoder *data, PRBool abort_p);
 
 /*
  * Perform base64 decoding from an ascii string "inStr" to an Item.
  * The length of the input must be provided as "inLen".  The Item
  * may be provided (as "outItemOpt"); you can also pass in a NULL
  * and the Item will be allocated for you.
  *
  * In any case, the data within the Item will be allocated for you.
  * All allocation will happen out of the passed-in "arenaOpt", if non-NULL.
  * If "arenaOpt" is NULL, standard allocation (heap) will be used and
  * you will want to free the result via SECITEM_FreeItem.
  *
  * Return value is NULL on error, the Item (allocated or provided) otherwise.
  */
 extern SECItem *
-NSSBase64_DecodeBuffer (PLArenaPool *arenaOpt, SECItem *outItemOpt,
-			const char *inStr, unsigned int inLen);
+NSSBase64_DecodeBuffer(PLArenaPool *arenaOpt, SECItem *outItemOpt,
+                       const char *inStr, unsigned int inLen);
 
 /*
  * Perform base64 encoding of binary data "inItem" to an ascii string.
  * The output buffer may be provided (as "outStrOpt"); you can also pass
  * in a NULL and the buffer will be allocated for you.  The result will
  * be null-terminated, and if the buffer is provided, "maxOutLen" must
  * specify the maximum length of the buffer and will be checked to
  * supply sufficient space space for the encoded result.  (If "outStrOpt"
@@ -81,14 +81,14 @@ NSSBase64_DecodeBuffer (PLArenaPool *are
  * If "outStrOpt" is NULL, allocation will happen out of the passed-in
  * "arenaOpt", if *it* is non-NULL, otherwise standard allocation (heap)
  * will be used.
  *
  * Return value is NULL on error, the output buffer (allocated or provided)
  * otherwise.
  */
 extern char *
-NSSBase64_EncodeItem (PLArenaPool *arenaOpt, char *outStrOpt,
-		      unsigned int maxOutLen, SECItem *inItem);
+NSSBase64_EncodeItem(PLArenaPool *arenaOpt, char *outStrOpt,
+                     unsigned int maxOutLen, SECItem *inItem);
 
 SEC_END_PROTOS
 
 #endif /* _NSSB64_H_ */
--- a/security/nss/lib/util/nssb64d.c
+++ b/security/nss/lib/util/nssb64d.c
@@ -12,26 +12,26 @@
 #include "secerr.h"
 
 /*
  * XXX We want this basic support to go into NSPR (the PL part).
  * Until that can happen, the PL interface is going to be kept entirely
  * internal here -- all static functions and opaque data structures.
  * When someone can get it moved over into NSPR, that should be done:
  *    - giving everything names that are accepted by the NSPR module owners
- *	(though I tried to choose ones that would work without modification)
+ *  (though I tried to choose ones that would work without modification)
  *    - exporting the functions (remove static declarations and add
- *	to nssutil.def as necessary)
+ *  to nssutil.def as necessary)
  *    - put prototypes into appropriate header file (probably replacing
- *	the entire current lib/libc/include/plbase64.h in NSPR)
- *	along with a typedef for the context structure (which should be
- *	kept opaque -- definition in the source file only, but typedef
- *	ala "typedef struct PLBase64FooStr PLBase64Foo;" in header file)
+ *  the entire current lib/libc/include/plbase64.h in NSPR)
+ *  along with a typedef for the context structure (which should be
+ *  kept opaque -- definition in the source file only, but typedef
+ *  ala "typedef struct PLBase64FooStr PLBase64Foo;" in header file)
  *    - modify anything else as necessary to conform to NSPR required style
- *	(I looked but found no formatting guide to follow)
+ *  (I looked but found no formatting guide to follow)
  *
  * You will want to move over everything from here down to the comment
  * which says "XXX End of base64 decoding code to be moved into NSPR",
  * into a new file in NSPR.
  */
 
 /*
  **************************************************************
@@ -70,701 +70,687 @@ struct PLBase64DecoderStr {
     int token_size;
 
     /*
      * Where to write the decoded data (used when streaming, not when
      * doing all in-memory (buffer) operations).
      *
      * Note that this definition is chosen to be compatible with PR_Write.
      */
-    PRInt32 (*output_fn) (void *output_arg, const unsigned char *buf,
-			  PRInt32 size);
+    PRInt32 (*output_fn)(void *output_arg, const unsigned char *buf,
+                         PRInt32 size);
     void *output_arg;
 
     /*
      * Where the decoded output goes -- either temporarily (in the streaming
      * case, staged here before it goes to the output function) or what will
      * be the entire buffered result for users of the buffer version.
      */
     unsigned char *output_buffer;
-    PRUint32 output_buflen;	/* the total length of allocated buffer */
-    PRUint32 output_length;	/* the length that is currently populated */
+    PRUint32 output_buflen; /* the total length of allocated buffer */
+    PRUint32 output_length; /* the length that is currently populated */
 };
 
 PR_END_EXTERN_C
 
-
 /*
  * Table to convert an ascii "code" to its corresponding binary value.
  * For ease of use, the binary values in the table are the actual values
  * PLUS ONE.  This is so that the special value of zero can denote an
  * invalid mapping; that was much easier than trying to fill in the other
  * values with some value other than zero, and to check for it.
  * Just remember to SUBTRACT ONE when using the value retrieved.
  */
 static unsigned char base64_codetovaluep1[256] = {
-/*   0: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
-/*   8: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
-/*  16: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
-/*  24: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
-/*  32: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0,
-/*  40: */	  0,	  0,	  0,	 63,	  0,	  0,	  0,	 64,
-/*  48: */	 53,	 54,	 55,	 56,	 57,	 58,	 59,	 60,
-/*  56: */	 61,	 62,	  0,	  0,	  0,	  0,	  0,	  0,
-/*  64: */	  0,	  1,	  2,	  3,	  4,	  5,	  6,	  7,
-/*  72: */	  8,	  9,	 10,	 11,	 12,	 13,	 14,	 15,
-/*  80: */	 16,	 17,	 18,	 19,	 20,	 21,	 22,	 23,
-/*  88: */	 24,	 25,	 26,	  0,	  0,	  0,	  0,	  0,
-/*  96: */	  0,	 27,	 28,	 29,	 30,	 31,	 32,	 33,
-/* 104: */	 34,	 35,	 36,	 37,	 38,	 39,	 40,	 41,
-/* 112: */	 42,	 43,	 44,	 45,	 46,	 47,	 48,	 49,
-/* 120: */	 50,	 51,	 52,	  0,	  0,	  0,	  0,	  0,
-/* 128: */	  0,	  0,	  0,	  0,	  0,	  0,	  0,	  0
-/* and rest are all zero as well */
+    /*   0: */ 0, 0, 0, 0, 0, 0, 0, 0,
+    /*   8: */ 0, 0, 0, 0, 0, 0, 0, 0,
+    /*  16: */ 0, 0, 0, 0, 0, 0, 0, 0,
+    /*  24: */ 0, 0, 0, 0, 0, 0, 0, 0,
+    /*  32: */ 0, 0, 0, 0, 0, 0, 0, 0,
+    /*  40: */ 0, 0, 0, 63, 0, 0, 0, 64,
+    /*  48: */ 53, 54, 55, 56, 57, 58, 59, 60,
+    /*  56: */ 61, 62, 0, 0, 0, 0, 0, 0,
+    /*  64: */ 0, 1, 2, 3, 4, 5, 6, 7,
+    /*  72: */ 8, 9, 10, 11, 12, 13, 14, 15,
+    /*  80: */ 16, 17, 18, 19, 20, 21, 22, 23,
+    /*  88: */ 24, 25, 26, 0, 0, 0, 0, 0,
+    /*  96: */ 0, 27, 28, 29, 30, 31, 32, 33,
+    /* 104: */ 34, 35, 36, 37, 38, 39, 40, 41,
+    /* 112: */ 42, 43, 44, 45, 46, 47, 48, 49,
+    /* 120: */ 50, 51, 52, 0, 0, 0, 0, 0,
+    /* 128: */ 0, 0, 0, 0, 0, 0, 0, 0
+    /* and rest are all zero as well */
 };
 
-#define B64_PAD	'='
-
+#define B64_PAD '='
 
 /*
  * Reads 4; writes 3 (known, or expected, to have no trailing padding).
  * Returns bytes written; -1 on error (unexpected character).
  */
 static int
-pl_base64_decode_4to3 (const unsigned char *in, unsigned char *out)
+pl_base64_decode_4to3(const unsigned char *in, unsigned char *out)
 {
     int j;
     PRUint32 num = 0;
     unsigned char bits;
 
     for (j = 0; j < 4; j++) {
-	bits = base64_codetovaluep1[in[j]];
-	if (bits == 0)
-	    return -1;
-	num = (num << 6) | (bits - 1);
+        bits = base64_codetovaluep1[in[j]];
+        if (bits == 0)
+            return -1;
+        num = (num << 6) | (bits - 1);
     }
 
-    out[0] = (unsigned char) (num >> 16);
-    out[1] = (unsigned char) ((num >> 8) & 0xFF);
-    out[2] = (unsigned char) (num & 0xFF);
+    out[0] = (unsigned char)(num >> 16);
+    out[1] = (unsigned char)((num >> 8) & 0xFF);
+    out[2] = (unsigned char)(num & 0xFF);
 
     return 3;
 }
 
 /*
  * Reads 3; writes 2 (caller already confirmed EOF or trailing padding).
  * Returns bytes written; -1 on error (unexpected character).
  */
 static int
-pl_base64_decode_3to2 (const unsigned char *in, unsigned char *out)
+pl_base64_decode_3to2(const unsigned char *in, unsigned char *out)
 {
     PRUint32 num = 0;
     unsigned char bits1, bits2, bits3;
 
     bits1 = base64_codetovaluep1[in[0]];
     bits2 = base64_codetovaluep1[in[1]];
     bits3 = base64_codetovaluep1[in[2]];
 
     if ((bits1 == 0) || (bits2 == 0) || (bits3 == 0))
-	return -1;
+        return -1;
 
     num = ((PRUint32)(bits1 - 1)) << 10;
     num |= ((PRUint32)(bits2 - 1)) << 4;
     num |= ((PRUint32)(bits3 - 1)) >> 2;
 
-    out[0] = (unsigned char) (num >> 8);
-    out[1] = (unsigned char) (num & 0xFF);
+    out[0] = (unsigned char)(num >> 8);
+    out[1] = (unsigned char)(num & 0xFF);
 
     return 2;
 }
 
 /*
  * Reads 2; writes 1 (caller already confirmed EOF or trailing padding).
  * Returns bytes written; -1 on error (unexpected character).
  */
 static int
-pl_base64_decode_2to1 (const unsigned char *in, unsigned char *out)
+pl_base64_decode_2to1(const unsigned char *in, unsigned char *out)
 {
     PRUint32 num = 0;
     unsigned char bits1, bits2;
 
     bits1 = base64_codetovaluep1[in[0]];
     bits2 = base64_codetovaluep1[in[1]];
 
     if ((bits1 == 0) || (bits2 == 0))
-	return -1;
+        return -1;
 
     num = ((PRUint32)(bits1 - 1)) << 2;
     num |= ((PRUint32)(bits2 - 1)) >> 4;
 
-    out[0] = (unsigned char) num;
+    out[0] = (unsigned char)num;
 
     return 1;
 }
 
 /*
  * Reads 4; writes 0-3.  Returns bytes written or -1 on error.
  * (Writes less than 3 only at (presumed) EOF.)
  */
 static int
-pl_base64_decode_token (const unsigned char *in, unsigned char *out)
+pl_base64_decode_token(const unsigned char *in, unsigned char *out)
 {
     if (in[3] != B64_PAD)
-	return pl_base64_decode_4to3 (in, out);
+        return pl_base64_decode_4to3(in, out);
 
     if (in[2] == B64_PAD)
-	return pl_base64_decode_2to1 (in, out);
+        return pl_base64_decode_2to1(in, out);
 
-    return pl_base64_decode_3to2 (in, out);
+    return pl_base64_decode_3to2(in, out);
 }
 
 static PRStatus
-pl_base64_decode_buffer (PLBase64Decoder *data, const unsigned char *in,
-			 PRUint32 length)
+pl_base64_decode_buffer(PLBase64Decoder *data, const unsigned char *in,
+                        PRUint32 length)
 {
     unsigned char *out = data->output_buffer;
     unsigned char *token = data->token;
     int i, n = 0;
 
     i = data->token_size;
     data->token_size = 0;
 
     while (length > 0) {
-	while (i < 4 && length > 0) {
-	    /*
-	     * XXX Note that the following simply ignores any unexpected
-	     * characters.  This is exactly what the original code in
-	     * libmime did, and I am leaving it.  We certainly want to skip
-	     * over whitespace (we must); this does much more than that.
-	     * I am not confident changing it, and I don't want to slow
-	     * the processing down doing more complicated checking, but
-	     * someone else might have different ideas in the future.
-	     */
-	    if (base64_codetovaluep1[*in] > 0 || *in == B64_PAD)
-		token[i++] = *in;
-	    in++;
-	    length--;
-	}
+        while (i < 4 && length > 0) {
+            /*
+             * XXX Note that the following simply ignores any unexpected
+             * characters.  This is exactly what the original code in
+             * libmime did, and I am leaving it.  We certainly want to skip
+             * over whitespace (we must); this does much more than that.
+             * I am not confident changing it, and I don't want to slow
+             * the processing down doing more complicated checking, but
+             * someone else might have different ideas in the future.
+             */
+            if (base64_codetovaluep1[*in] > 0 || *in == B64_PAD)
+                token[i++] = *in;
+            in++;
+            length--;
+        }
 
-	if (i < 4) {
-	    /* Didn't get enough for a complete token. */
-	    data->token_size = i;
-	    break;
-	}
-	i = 0;
+        if (i < 4) {
+            /* Didn't get enough for a complete token. */
+            data->token_size = i;
+            break;
+        }
+        i = 0;
 
-	PR_ASSERT((out - data->output_buffer + 3) <= data->output_buflen);
+        PR_ASSERT((out - data->output_buffer + 3) <= data->output_buflen);
 
-	/*
-	 * Assume we are not at the end; the following function only works
-	 * for an internal token (no trailing padding characters) but is
-	 * faster that way.  If it hits an invalid character (padding) it
-	 * will return an error; we break out of the loop and try again
-	 * calling the routine that will handle a final token.
-	 * Note that we intentionally do it this way rather than explicitly
-	 * add a check for padding here (because that would just slow down
-	 * the normal case) nor do we rely on checking whether we have more
-	 * input to process (because that would also slow it down but also
-	 * because we want to allow trailing garbage, especially white space
-	 * and cannot tell that without read-ahead, also a slow proposition).
-	 * Whew.  Understand?
-	 */
-	n = pl_base64_decode_4to3 (token, out);
-	if (n < 0)
-	    break;
+        /*
+         * Assume we are not at the end; the following function only works
+         * for an internal token (no trailing padding characters) but is
+         * faster that way.  If it hits an invalid character (padding) it
+         * will return an error; we break out of the loop and try again
+         * calling the routine that will handle a final token.
+         * Note that we intentionally do it this way rather than explicitly
+         * add a check for padding here (because that would just slow down
+         * the normal case) nor do we rely on checking whether we have more
+         * input to process (because that would also slow it down but also
+         * because we want to allow trailing garbage, especially white space
+         * and cannot tell that without read-ahead, also a slow proposition).
+         * Whew.  Understand?
+         */
+        n = pl_base64_decode_4to3(token, out);
+        if (n < 0)
+            break;
 
-	/* Advance "out" by the number of bytes just written to it. */
-	out += n;
-	n = 0;
+        /* Advance "out" by the number of bytes just written to it. */
+        out += n;
+        n = 0;
     }
 
     /*
      * See big comment above, before call to pl_base64_decode_4to3.
      * Here we check if we error'd out of loop, and allow for the case
      * that we are processing the last interesting token.  If the routine
      * which should handle padding characters also fails, then we just
      * have bad input and give up.
      */
     if (n < 0) {
-	n = pl_base64_decode_token (token, out);
-	if (n < 0)
-	    return PR_FAILURE;
+        n = pl_base64_decode_token(token, out);
+        if (n < 0)
+            return PR_FAILURE;
 
-	out += n;
+        out += n;
     }
 
     /*
      * As explained above, we can get here with more input remaining, but
      * it should be all characters we do not care about (i.e. would be
      * ignored when transferring from "in" to "token" in loop above,
      * except here we choose to ignore extraneous pad characters, too).
      * Swallow it, performing that check.  If we find more characters that
      * we would expect to decode, something is wrong.
      */
     while (length > 0) {
-	if (base64_codetovaluep1[*in] > 0)
-	    return PR_FAILURE;
-	in++;
-	length--;
+        if (base64_codetovaluep1[*in] > 0)
+            return PR_FAILURE;
+        in++;
+        length--;
     }
 
     /* Record the length of decoded data we have left in output_buffer. */
-    data->output_length = (PRUint32) (out - data->output_buffer);
+    data->output_length = (PRUint32)(out - data->output_buffer);
     return PR_SUCCESS;
 }
 
 /*
  * Flush any remaining buffered characters.  Given well-formed input,
  * this will have nothing to do.  If the input was missing the padding
  * characters at the end, though, there could be 1-3 characters left
  * behind -- we will tolerate that by adding the padding for them.
  */
 static PRStatus
-pl_base64_decode_flush (PLBase64Decoder *data)
+pl_base64_decode_flush(PLBase64Decoder *data)
 {
     int count;
 
     /*
      * If no remaining characters, or all are padding (also not well-formed
      * input, but again, be tolerant), then nothing more to do.  (And, that
      * is considered successful.)
      */
     if (data->token_size == 0 || data->token[0] == B64_PAD)
-	return PR_SUCCESS;
+        return PR_SUCCESS;
 
     /*
      * Assume we have all the interesting input except for some expected
      * padding characters.  Add them and decode the resulting token.
      */
     while (data->token_size < 4)
-	data->token[data->token_size++] = B64_PAD;
+        data->token[data->token_size++] = B64_PAD;
 
-    data->token_size = 0;	/* so a subsequent flush call is a no-op */
+    data->token_size = 0; /* so a subsequent flush call is a no-op */
 
-    count = pl_base64_decode_token (data->token,
-				    data->output_buffer + data->output_length);
+    count = pl_base64_decode_token(data->token,
+                                   data->output_buffer + data->output_length);
     if (count < 0)
-	return PR_FAILURE;
+        return PR_FAILURE;
 
     /*
      * If there is an output function, call it with this last bit of data.
      * Otherwise we are doing all buffered output, and the decoded bytes
      * are now there, we just need to reflect that in the length.
      */
     if (data->output_fn != NULL) {
-	PRInt32 output_result;
+        PRInt32 output_result;
 
-	PR_ASSERT(data->output_length == 0);
-	output_result = data->output_fn (data->output_arg,
-					 data->output_buffer,
-					 (PRInt32) count);
-	if (output_result < 0)
-	    return  PR_FAILURE;
+        PR_ASSERT(data->output_length == 0);
+        output_result = data->output_fn(data->output_arg,
+                                        data->output_buffer,
+                                        (PRInt32)count);
+        if (output_result < 0)
+            return PR_FAILURE;
     } else {
-	data->output_length += count;
+        data->output_length += count;
     }
 
     return PR_SUCCESS;
 }
 
-
 /*
  * The maximum space needed to hold the output of the decoder given
  * input data of length "size".
  */
 static PRUint32
-PL_Base64MaxDecodedLength (PRUint32 size)
+PL_Base64MaxDecodedLength(PRUint32 size)
 {
     return ((size * 3) / 4);
 }
 
-
 /*
  * A distinct internal creation function for the buffer version to use.
  * (It does not want to specify an output_fn, and we want the normal
  * Create function to require that.)  If more common initialization
  * of the decoding context needs to be done, it should be done *here*.
  */
 static PLBase64Decoder *
-pl_base64_create_decoder (void)
+pl_base64_create_decoder(void)
 {
     return PR_NEWZAP(PLBase64Decoder);
 }
 
 /*
  * Function to start a base64 decoding context.
  * An "output_fn" is required; the "output_arg" parameter to that is optional.
  */
 static PLBase64Decoder *
-PL_CreateBase64Decoder (PRInt32 (*output_fn) (void *, const unsigned char *,
-					      PRInt32),
-			void *output_arg)
+PL_CreateBase64Decoder(PRInt32 (*output_fn)(void *, const unsigned char *,
+                                            PRInt32),
+                       void *output_arg)
 {
     PLBase64Decoder *data;
 
     if (output_fn == NULL) {
-	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
-	return NULL;
+        PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
+        return NULL;
     }
 
-    data = pl_base64_create_decoder ();
+    data = pl_base64_create_decoder();
     if (data != NULL) {
-	data->output_fn = output_fn;
-	data->output_arg = output_arg;
+        data->output_fn = output_fn;
+        data->output_arg = output_arg;
     }
     return data;
 }
 
-
 /*
  * Push data through the decoder, causing the output_fn (provided to Create)
  * to be called with the decoded data.
  */
 static PRStatus
-PL_UpdateBase64Decoder (PLBase64Decoder *data, const char *buffer,
-			PRUint32 size)
+PL_UpdateBase64Decoder(PLBase64Decoder *data, const char *buffer,
+                       PRUint32 size)
 {
     PRUint32 need_length;
     PRStatus status;
 
     /* XXX Should we do argument checking only in debug build? */
     if (data == NULL || buffer == NULL || size == 0) {
-	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
-	return PR_FAILURE;
+        PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
+        return PR_FAILURE;
     }
 
     /*
      * How much space could this update need for decoding?
      */
-    need_length = PL_Base64MaxDecodedLength (size + data->token_size);
+    need_length = PL_Base64MaxDecodedLength(size + data->token_size);
 
     /*
      * Make sure we have at least that much.  If not, (re-)allocate.
      */
     if (need_length > data->output_buflen) {
-	unsigned char *output_buffer = data->output_buffer;
+        unsigned char *output_buffer = data->output_buffer;
 
-	if (output_buffer != NULL)
-	    output_buffer = (unsigned char *) PR_Realloc(output_buffer,
-							 need_length);
-	else
-	    output_buffer = (unsigned char *) PR_Malloc(need_length);
+        if (output_buffer != NULL)
+            output_buffer = (unsigned char *)PR_Realloc(output_buffer,
+                                                        need_length);
+        else
+            output_buffer = (unsigned char *)PR_Malloc(need_length);
 
-	if (output_buffer == NULL)
-	    return PR_FAILURE;
+        if (output_buffer == NULL)
+            return PR_FAILURE;
 
-	data->output_buffer = output_buffer;
-	data->output_buflen = need_length;
+        data->output_buffer = output_buffer;
+        data->output_buflen = need_length;
     }
 
     /* There should not have been any leftover output data in the buffer. */
     PR_ASSERT(data->output_length == 0);
     data->output_length = 0;
 
-    status = pl_base64_decode_buffer (data, (const unsigned char *) buffer,
-				      size);
+    status = pl_base64_decode_buffer(data, (const unsigned char *)buffer,
+                                     size);
 
     /* Now that we have some decoded data, write it. */
     if (status == PR_SUCCESS && data->output_length > 0) {
-	PRInt32 output_result;
+        PRInt32 output_result;
 
-	PR_ASSERT(data->output_fn != NULL);
-	output_result = data->output_fn (data->output_arg,
-					 data->output_buffer,
-					 (PRInt32) data->output_length);
-	if (output_result < 0)
-	    status = PR_FAILURE;
+        PR_ASSERT(data->output_fn != NULL);
+        output_result = data->output_fn(data->output_arg,
+                                        data->output_buffer,
+                                        (PRInt32)data->output_length);
+        if (output_result < 0)
+            status = PR_FAILURE;
     }
 
     data->output_length = 0;
     return status;
 }
 
-
 /*
  * When you're done decoding, call this to free the data.  If "abort_p"
  * is false, then calling this may cause the output_fn to be called
  * one last time (as the last buffered data is flushed out).
  */
 static PRStatus
-PL_DestroyBase64Decoder (PLBase64Decoder *data, PRBool abort_p)
+PL_DestroyBase64Decoder(PLBase64Decoder *data, PRBool abort_p)
 {
     PRStatus status = PR_SUCCESS;
 
     /* XXX Should we do argument checking only in debug build? */
     if (data == NULL) {
-	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
-	return PR_FAILURE;
+        PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
+        return PR_FAILURE;
     }
 
     /* Flush out the last few buffered characters. */
     if (!abort_p)
-	status = pl_base64_decode_flush (data);
+        status = pl_base64_decode_flush(data);
 
     if (data->output_buffer != NULL)
-	PR_Free(data->output_buffer);
+        PR_Free(data->output_buffer);
     PR_Free(data);
 
     return status;
 }
 
-
 /*
  * Perform base64 decoding from an input buffer to an output buffer.
  * The output buffer can be provided (as "dest"); you can also pass in
  * a NULL and this function will allocate a buffer large enough for you,
  * and return it.  If you do provide the output buffer, you must also
  * provide the maximum length of that buffer (as "maxdestlen").
  * The actual decoded length of output will be returned to you in
  * "output_destlen".
  *
  * Return value is NULL on error, the output buffer (allocated or provided)
  * otherwise.
  */
 static unsigned char *
-PL_Base64DecodeBuffer (const char *src, PRUint32 srclen, unsigned char *dest,
-		       PRUint32 maxdestlen, PRUint32 *output_destlen)
+PL_Base64DecodeBuffer(const char *src, PRUint32 srclen, unsigned char *dest,
+                      PRUint32 maxdestlen, PRUint32 *output_destlen)
 {
     PRUint32 need_length;
     unsigned char *output_buffer = NULL;
     PLBase64Decoder *data = NULL;
     PRStatus status;
 
     PR_ASSERT(srclen > 0);
     if (srclen == 0) {
-	PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
-	return NULL;
+        PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
+        return NULL;
     }
 
     /*
      * How much space could we possibly need for decoding this input?
      */
-    need_length = PL_Base64MaxDecodedLength (srclen);
+    need_length = PL_Base64MaxDecodedLength(srclen);
 
     /*
      * Make sure we have at least that much, if output buffer provided.
      * If no output buffer provided, then we allocate that much.
      */
     if (dest != NULL) {
-	PR_ASSERT(maxdestlen >= need_length);
-	if (maxdestlen < need_length) {
-	    PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
-	    goto loser;
-	}
-	output_buffer = dest;
+        PR_ASSERT(maxdestlen >= need_length);
+        if (maxdestlen < need_length) {
+            PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
+            goto loser;
+        }
+        output_buffer = dest;
     } else {
-	output_buffer = (unsigned char *) PR_Malloc(need_length);
-	if (output_buffer == NULL)
-	    goto loser;
-	maxdestlen = need_length;
+        output_buffer = (unsigned char *)PR_Malloc(need_length);
+        if (output_buffer == NULL)
+            goto loser;
+        maxdestlen = need_length;
     }
 
     data = pl_base64_create_decoder();
     if (data == NULL)
-	goto loser;
+        goto loser;
 
     data->output_buflen = maxdestlen;
     data->output_buffer = output_buffer;
 
-    status = pl_base64_decode_buffer (data, (const unsigned char *) src,
-				      srclen);
+    status = pl_base64_decode_buffer(data, (const unsigned char *)src,
+                                     srclen);
 
     /*
      * We do not wait for Destroy to flush, because Destroy will also
      * get rid of our decoder context, which we need to look at first!
      */
     if (status == PR_SUCCESS)
-	status = pl_base64_decode_flush (data);
+        status = pl_base64_decode_flush(data);
 
     /* Must clear this or Destroy will free it. */
     data->output_buffer = NULL;
 
     if (status == PR_SUCCESS) {
-	*output_destlen = data->output_length;
-	status = PL_DestroyBase64Decoder (data, PR_FALSE);
-	data = NULL;
-	if (status == PR_FAILURE)
-	    goto loser;
-	return output_buffer;
+        *output_destlen = data->output_length;
+        status = PL_DestroyBase64Decoder(data, PR_FALSE);
+        data = NULL;
+        if (status == PR_FAILURE)
+            goto loser;
+        return output_buffer;
     }
 
 loser:
     if (dest == NULL && output_buffer != NULL)
-	PR_Free(output_buffer);
+        PR_Free(output_buffer);
     if (data != NULL)
-	(void) PL_DestroyBase64Decoder (data, PR_TRUE);
+        (void)PL_DestroyBase64Decoder(data, PR_TRUE);
     return NULL;
 }
 
-
 /*
  * XXX End of base64 decoding code to be moved into NSPR.
  ********************************************************
  */
 
 /*
  * This is the beginning of the NSS cover functions.  These will
  * provide the interface we want to expose as NSS-ish.  For example,
  * they will operate on our Items, do any special handling or checking
  * we want to do, etc.
  */
 
-
 PR_BEGIN_EXTERN_C
 
 /*
  * A boring cover structure for now.  Perhaps someday it will include
  * some more interesting fields.
  */
 struct NSSBase64DecoderStr {
     PLBase64Decoder *pl_data;
 };
 
 PR_END_EXTERN_C
 
-
 /*
  * Function to start a base64 decoding context.
  */
 NSSBase64Decoder *
-NSSBase64Decoder_Create (PRInt32 (*output_fn) (void *, const unsigned char *,
-					       PRInt32),
-			 void *output_arg)
+NSSBase64Decoder_Create(PRInt32 (*output_fn)(void *, const unsigned char *,
+                                             PRInt32),
+                        void *output_arg)
 {
     PLBase64Decoder *pl_data;
     NSSBase64Decoder *nss_data;
 
     nss_data = PORT_ZNew(NSSBase64Decoder);
     if (nss_data == NULL)
-	return NULL;
+        return NULL;
 
-    pl_data = PL_CreateBase64Decoder (output_fn, output_arg);
+    pl_data = PL_CreateBase64Decoder(output_fn, output_arg);
     if (pl_data == NULL) {
-	PORT_Free(nss_data);
-	return NULL;
+        PORT_Free(nss_data);
+        return NULL;
     }
 
     nss_data->pl_data = pl_data;
     return nss_data;
 }
 
-
 /*
  * Push data through the decoder, causing the output_fn (provided to Create)
  * to be called with the decoded data.
  */
 SECStatus
-NSSBase64Decoder_Update (NSSBase64Decoder *data, const char *buffer,
-			 PRUint32 size)
+NSSBase64Decoder_Update(NSSBase64Decoder *data, const char *buffer,
+                        PRUint32 size)
 {
     PRStatus pr_status;
 
     /* XXX Should we do argument checking only in debug build? */
     if (data == NULL) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
-    pr_status = PL_UpdateBase64Decoder (data->pl_data, buffer, size);
+    pr_status = PL_UpdateBase64Decoder(data->pl_data, buffer, size);
     if (pr_status == PR_FAILURE)
-	return SECFailure;
+        return SECFailure;
 
     return SECSuccess;
 }
 
-
 /*
  * When you're done decoding, call this to free the data.  If "abort_p"
  * is false, then calling this may cause the output_fn to be called
  * one last time (as the last buffered data is flushed out).
  */
 SECStatus
-NSSBase64Decoder_Destroy (NSSBase64Decoder *data, PRBool abort_p)
+NSSBase64Decoder_Destroy(NSSBase64Decoder *data, PRBool abort_p)
 {
     PRStatus pr_status;
 
     /* XXX Should we do argument checking only in debug build? */
     if (data == NULL) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
-    pr_status = PL_DestroyBase64Decoder (data->pl_data, abort_p);
+    pr_status = PL_DestroyBase64Decoder(data->pl_data, abort_p);
 
     PORT_Free(data);
 
     if (pr_status == PR_FAILURE)
-	return SECFailure;
+        return SECFailure;
 
     return SECSuccess;
 }
 
-
 /*
  * Perform base64 decoding from an ascii string "inStr" to an Item.
  * The length of the input must be provided as "inLen".  The Item
  * may be provided (as "outItemOpt"); you can also pass in a NULL
  * and the Item will be allocated for you.
  *
  * In any case, the data within the Item will be allocated for you.
  * All allocation will happen out of the passed-in "arenaOpt", if non-NULL.
  * If "arenaOpt" is NULL, standard allocation (heap) will be used and
  * you will want to free the result via SECITEM_FreeItem.
  *
  * Return value is NULL on error, the Item (allocated or provided) otherwise.
  */
 SECItem *
-NSSBase64_DecodeBuffer (PLArenaPool *arenaOpt, SECItem *outItemOpt,
-			const char *inStr, unsigned int inLen)
+NSSBase64_DecodeBuffer(PLArenaPool *arenaOpt, SECItem *outItemOpt,
+                       const char *inStr, unsigned int inLen)
 {
     SECItem *out_item = NULL;
     PRUint32 max_out_len = 0;
     PRUint32 out_len;
     void *mark = NULL;
     unsigned char *dummy;
 
     if ((outItemOpt != NULL && outItemOpt->data != NULL) || inLen == 0) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return NULL;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
     }
 
     if (arenaOpt != NULL)
-	mark = PORT_ArenaMark (arenaOpt);
+        mark = PORT_ArenaMark(arenaOpt);
 
-    max_out_len = PL_Base64MaxDecodedLength (inLen);
-    out_item = SECITEM_AllocItem (arenaOpt, outItemOpt, max_out_len);
+    max_out_len = PL_Base64MaxDecodedLength(inLen);
+    out_item = SECITEM_AllocItem(arenaOpt, outItemOpt, max_out_len);
     if (out_item == NULL) {
-	if (arenaOpt != NULL)
-	    PORT_ArenaRelease (arenaOpt, mark);
-	return NULL;
+        if (arenaOpt != NULL)
+            PORT_ArenaRelease(arenaOpt, mark);
+        return NULL;
     }
 
-    dummy = PL_Base64DecodeBuffer (inStr, inLen, out_item->data,
-				   max_out_len, &out_len);
+    dummy = PL_Base64DecodeBuffer(inStr, inLen, out_item->data,
+                                  max_out_len, &out_len);
     if (dummy == NULL) {
-	if (arenaOpt != NULL) {
-	    PORT_ArenaRelease (arenaOpt, mark);
-	    if (outItemOpt != NULL) {
-		outItemOpt->data = NULL;
-		outItemOpt->len = 0;
-	    }
-	} else {
-	    SECITEM_FreeItem (out_item,
-			      (outItemOpt == NULL) ? PR_TRUE : PR_FALSE);
-	}
-	return NULL;
+        if (arenaOpt != NULL) {
+            PORT_ArenaRelease(arenaOpt, mark);
+            if (outItemOpt != NULL) {
+                outItemOpt->data = NULL;
+                outItemOpt->len = 0;
+            }
+        } else {
+            SECITEM_FreeItem(out_item,
+                             (outItemOpt == NULL) ? PR_TRUE : PR_FALSE);
+        }
+        return NULL;
     }
 
     if (arenaOpt != NULL)
-	PORT_ArenaUnmark (arenaOpt, mark);
+        PORT_ArenaUnmark(arenaOpt, mark);
     out_item->len = out_len;
     return out_item;
 }
 
-
 /*
  * XXX Everything below is deprecated.  If you add new stuff, put it
  * *above*, not below.
  */
 
 /*
  * XXX The following "ATOB" functions are provided for backward compatibility
  * with current code.  They should be considered strongly deprecated.
@@ -787,50 +773,50 @@ NSSBase64_DecodeBuffer (PLArenaPool *are
 unsigned char *
 ATOB_AsciiToData(const char *string, unsigned int *lenp)
 {
     SECItem binary_item, *dummy;
 
     binary_item.data = NULL;
     binary_item.len = 0;
 
-    dummy = NSSBase64_DecodeBuffer (NULL, &binary_item, string,
-				    (PRUint32) PORT_Strlen(string));
+    dummy = NSSBase64_DecodeBuffer(NULL, &binary_item, string,
+                                   (PRUint32)PORT_Strlen(string));
     if (dummy == NULL)
-	return NULL;
+        return NULL;
 
     PORT_Assert(dummy == &binary_item);
 
     *lenp = dummy->len;
     return dummy->data;
 }
- 
+
 /*
 ** Convert from ascii to binary encoding of an item.
 */
 SECStatus
 ATOB_ConvertAsciiToItem(SECItem *binary_item, const char *ascii)
 {
     SECItem *dummy;
 
     if (binary_item == NULL) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     /*
      * XXX Would prefer to assert here if data is non-null (actually,
      * don't need to, just let NSSBase64_DecodeBuffer do it), so as to
      * to catch unintended memory leaks, but callers are not clean in
      * this respect so we need to explicitly clear here to avoid the
      * assert in NSSBase64_DecodeBuffer.
      */
     binary_item->data = NULL;
     binary_item->len = 0;
 
-    dummy = NSSBase64_DecodeBuffer (NULL, binary_item, ascii,
-				    (PRUint32) PORT_Strlen(ascii));
+    dummy = NSSBase64_DecodeBuffer(NULL, binary_item, ascii,
+                                   (PRUint32)PORT_Strlen(ascii));
 
     if (dummy == NULL)
-	return SECFailure;
+        return SECFailure;
 
     return SECSuccess;
 }
--- a/security/nss/lib/util/nssb64e.c
+++ b/security/nss/lib/util/nssb64e.c
@@ -10,24 +10,23 @@
 #include "nspr.h"
 #include "secitem.h"
 #include "secerr.h"
 
 /*
  * XXX See the big comment at the top of nssb64d.c about moving the
  * bulk of this code over into NSPR (the PL part).  It all applies
  * here but I didn't want to duplicate it, to avoid divergence problems.
- */ 
+ */
 
 /*
  **************************************************************
  * XXX Beginning of base64 encoding code to be moved into NSPR.
  */
 
-
 struct PLBase64EncodeStateStr {
     unsigned chunks;
     unsigned saved;
     unsigned char buf[3];
 };
 
 /*
  * This typedef would belong in the NSPR header file (i.e. plbase64.h).
@@ -69,369 +68,363 @@ struct PLBase64EncoderStr {
      * where they come out.  It must be a multiple of 4; if the caller
      * provides one that isn't, we round it down to the nearest
      * multiple of 4.
      *
      * The value of current_column counts how many characters have been
      * added since the last linebreaks (or since the beginning, on the
      * first line).  It is also always a multiple of 4; it is unused when
      * line_length is 0.
-     */ 
+     */
     PRUint32 line_length;
     PRUint32 current_column;
 
     /*
      * Where to write the encoded data (used when streaming, not when
      * doing all in-memory (buffer) operations).
      *
      * Note that this definition is chosen to be compatible with PR_Write.
      */
-    PRInt32 (*output_fn) (void *output_arg, const char *buf, PRInt32 size);
+    PRInt32 (*output_fn)(void *output_arg, const char *buf, PRInt32 size);
     void *output_arg;
 
     /*
      * Where the encoded output goes -- either temporarily (in the streaming
      * case, staged here before it goes to the output function) or what will
      * be the entire buffered result for users of the buffer version.
      */
     char *output_buffer;
-    PRUint32 output_buflen;	/* the total length of allocated buffer */
-    PRUint32 output_length;	/* the length that is currently populated */
+    PRUint32 output_buflen; /* the total length of allocated buffer */
+    PRUint32 output_length; /* the length that is currently populated */
 };
 
 PR_END_EXTERN_C
 
-
 /*
  * Table to convert a binary value to its corresponding ascii "code".
  */
 static unsigned char base64_valuetocode[64] =
     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
 
-#define B64_PAD	'='
-#define B64_CR	'\r'
-#define B64_LF	'\n'
+#define B64_PAD '='
+#define B64_CR '\r'
+#define B64_LF '\n'
 
 static PRStatus
-pl_base64_encode_buffer (PLBase64Encoder *data, const unsigned char *in,
-			 PRUint32 size)
+pl_base64_encode_buffer(PLBase64Encoder *data, const unsigned char *in,
+                        PRUint32 size)
 {
     const unsigned char *end = in + size;
     char *out = data->output_buffer + data->output_length;
     unsigned int i = data->in_buffer_count;
     PRUint32 n = 0;
     int off;
     PRUint32 output_threshold;
 
     /* If this input buffer is too small, wait until next time. */
     if (size < (3 - i)) {
-	data->in_buffer[i++] = in[0];
-	if (size > 1)
-	    data->in_buffer[i++] = in[1];
-	PR_ASSERT(i < 3);
-	data->in_buffer_count = i;
-	return PR_SUCCESS;
+        data->in_buffer[i++] = in[0];
+        if (size > 1)
+            data->in_buffer[i++] = in[1];
+        PR_ASSERT(i < 3);
+        data->in_buffer_count = i;
+        return PR_SUCCESS;
     }
 
     /* If there are bytes that were put back last time, take them now. */
     if (i > 0) {
-	n = data->in_buffer[0];
-	if (i > 1)
-	    n = (n << 8) | data->in_buffer[1];
-	data->in_buffer_count = 0;
+        n = data->in_buffer[0];
+        if (i > 1)
+            n = (n << 8) | data->in_buffer[1];
+        data->in_buffer_count = 0;
     }
 
     /* If our total is not a multiple of three, put one or two bytes back. */
     off = (size + i) % 3;
     if (off > 0) {
-	size -= off;
-	data->in_buffer[0] = in[size];
-	if (off > 1)
-	    data->in_buffer[1] = in[size + 1];
-	data->in_buffer_count = off;
-	end -= off;
+        size -= off;
+        data->in_buffer[0] = in[size];
+        if (off > 1)
+            data->in_buffer[1] = in[size + 1];
+        data->in_buffer_count = off;
+        end -= off;
     }
 
     output_threshold = data->output_buflen - 3;
 
     /*
      * Populate the output buffer with base64 data, one line (or buffer)
      * at a time.
      */
     while (in < end) {
-	int j, k;
+        int j, k;
 
-	while (i < 3) {
-	    n = (n << 8) | *in++;
-	    i++;
-	}
-	i = 0;
+        while (i < 3) {
+            n = (n << 8) | *in++;
+            i++;
+        }
+        i = 0;
 
-	if (data->line_length > 0) {
-	    if (data->current_column >= data->line_length) {
-		data->current_column = 0;
-		*out++ = B64_CR;
-		*out++ = B64_LF;
-		data->output_length += 2;
-	    }
-	    data->current_column += 4;	/* the bytes we are about to add */
-	}
+        if (data->line_length > 0) {
+            if (data->current_column >= data->line_length) {
+                data->current_column = 0;
+                *out++ = B64_CR;
+                *out++ = B64_LF;
+                data->output_length += 2;
+            }
+            data->current_column += 4; /* the bytes we are about to add */
+        }
 
-	for (j = 18; j >= 0; j -= 6) {
-	    k = (n >> j) & 0x3F;
-	    *out++ = base64_valuetocode[k];
-	}
-	n = 0;
-	data->output_length += 4;
+        for (j = 18; j >= 0; j -= 6) {
+            k = (n >> j) & 0x3F;
+            *out++ = base64_valuetocode[k];
+        }
+        n = 0;
+        data->output_length += 4;
 
-	if (data->output_length >= output_threshold) {
-	    PR_ASSERT(data->output_length <= data->output_buflen);
-	    if (data->output_fn != NULL) {
-		PRInt32 output_result;
+        if (data->output_length >= output_threshold) {
+            PR_ASSERT(data->output_length <= data->output_buflen);
+            if (data->output_fn != NULL) {
+                PRInt32 output_result;
 
-		output_result = data->output_fn (data->output_arg,
-						 data->output_buffer,
-						 (PRInt32) data->output_length);
-		if (output_result < 0)
-		    return PR_FAILURE;
+                output_result = data->output_fn(data->output_arg,
+                                                data->output_buffer,
+                                                (PRInt32)data->output_length);
+                if (output_result < 0)
+                    return PR_FAILURE;
 
-		out = data->output_buffer;
-		data->output_length = 0;
-	    } else {
-		/*
-		 * Check that we are about to exit the loop.  (Since we
-		 * are over the threshold, there isn't enough room in the
-		 * output buffer for another trip around.)
-		 */
-		PR_ASSERT(in == end);
-		if (in < end) {
-		    PR_SetError (PR_BUFFER_OVERFLOW_ERROR, 0);
-		    return PR_FAILURE;
-		}
-	    }
-	}
+                out = data->output_buffer;
+                data->output_length = 0;
+            } else {
+                /*
+                 * Check that we are about to exit the loop.  (Since we
+                 * are over the threshold, there isn't enough room in the
+                 * output buffer for another trip around.)
+                 */
+                PR_ASSERT(in == end);
+                if (in < end) {
+                    PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
+                    return PR_FAILURE;
+                }
+            }
+        }
     }
 
     return PR_SUCCESS;
 }
 
 static PRStatus
-pl_base64_encode_flush (PLBase64Encoder *data)
+pl_base64_encode_flush(PLBase64Encoder *data)
 {
     int i = data->in_buffer_count;
 
     if (i == 0 && data->output_length == 0)
-	return PR_SUCCESS;
+        return PR_SUCCESS;
 
     if (i > 0) {
-	char *out = data->output_buffer + data->output_length;
-	PRUint32 n;
-	int j, k;
+        char *out = data->output_buffer + data->output_length;
+        PRUint32 n;
+        int j, k;
 
-	n = ((PRUint32) data->in_buffer[0]) << 16;
-	if (i > 1)
-	    n |= ((PRUint32) data->in_buffer[1] << 8);
+        n = ((PRUint32)data->in_buffer[0]) << 16;
+        if (i > 1)
+            n |= ((PRUint32)data->in_buffer[1] << 8);
 
-	data->in_buffer_count = 0;
+        data->in_buffer_count = 0;
 
-	if (data->line_length > 0) {
-	    if (data->current_column >= data->line_length) {
-		data->current_column = 0;
-		*out++ = B64_CR;
-		*out++ = B64_LF;
-		data->output_length += 2;
-	    }
-	}
+        if (data->line_length > 0) {
+            if (data->current_column >= data->line_length) {
+                data->current_column = 0;
+                *out++ = B64_CR;
+                *out++ = B64_LF;
+                data->output_length += 2;
+            }
+        }
 
-	/*
-	 * This will fill in more than we really have data for, but the
-	 * valid parts will end up in the correct position and the extras
-	 * will be over-written with pad characters below.
-	 */
-	for (j = 18; j >= 0; j -= 6) {
-	    k = (n >> j) & 0x3F;
-	    *out++ = base64_valuetocode[k];
-	}
+        /*
+         * This will fill in more than we really have data for, but the
+         * valid parts will end up in the correct position and the extras
+         * will be over-written with pad characters below.
+         */
+        for (j = 18; j >= 0; j -= 6) {
+            k = (n >> j) & 0x3F;
+            *out++ = base64_valuetocode[k];
+        }
 
-	/* Pad with equal-signs. */
-	if (i == 1)
-	    out[-2] = B64_PAD;
-	out[-1] = B64_PAD;
+        /* Pad with equal-signs. */
+        if (i == 1)
+            out[-2] = B64_PAD;
+        out[-1] = B64_PAD;
 
-	data->output_length += 4;
+        data->output_length += 4;
     }
 
     if (data->output_fn != NULL) {
-	PRInt32 output_result;
+        PRInt32 output_result;
 
-	output_result = data->output_fn (data->output_arg, data->output_buffer,
-					 (PRInt32) data->output_length);
-	data->output_length = 0;
+        output_result = data->output_fn(data->output_arg, data->output_buffer,
+                                        (PRInt32)data->output_length);
+        data->output_length = 0;
 
-	if (output_result < 0)
-	    return PR_FAILURE;
+        if (output_result < 0)
+            return PR_FAILURE;
     }
 
     return PR_SUCCESS;
 }
 
-
 /*
  * The maximum space needed to hold the output of the encoder given input
  * data of length "size", and allowing for CRLF added at least every
  * line_length bytes (we will add it at nearest lower multiple of 4).
  * There is no trailing CRLF.
  */
 static PRUint32
-PL_Base64MaxEncodedLength (PRUint32 size, PRUint32 line_length)
+PL_Base64MaxEncodedLength(PRUint32 size, PRUint32 line_length)
 {
     PRUint32 tokens, tokens_per_line, full_lines, line_break_chars, remainder;
 
     tokens = (size + 2) / 3;
 
     if (line_length == 0)
-	return tokens * 4;
+        return tokens * 4;
 
-    if (line_length < 4)	/* too small! */
-	line_length = 4;
+    if (line_length < 4) /* too small! */
+        line_length = 4;
 
     tokens_per_line = line_length / 4;
     full_lines = tokens / tokens_per_line;
     remainder = (tokens - (full_lines * tokens_per_line)) * 4;
     line_break_chars = full_lines * 2;
     if (remainder == 0)
-	line_break_chars -= 2;
+        line_break_chars -= 2;
 
     return (full_lines * tokens_per_line * 4) + line_break_chars + remainder;
 }
 
-
 /*
  * A distinct internal creation function for the buffer version to use.
  * (It does not want to specify an output_fn, and we want the normal
  * Create function to require that.)  All common initialization of the
  * encoding context should be done *here*.
  *
  * Save "line_length", rounded down to nearest multiple of 4 (if not
  * already even multiple).  Allocate output_buffer, if not provided --
  * based on given size if specified, otherwise based on line_length.
  */
 static PLBase64Encoder *
-pl_base64_create_encoder (PRUint32 line_length, char *output_buffer,
-			  PRUint32 output_buflen)
+pl_base64_create_encoder(PRUint32 line_length, char *output_buffer,
+                         PRUint32 output_buflen)
 {
     PLBase64Encoder *data;
     PRUint32 line_tokens;
 
     data = PR_NEWZAP(PLBase64Encoder);
     if (data == NULL)
-	return NULL;
+        return NULL;
 
-    if (line_length > 0 && line_length < 4)	/* too small! */
-	line_length = 4;
+    if (line_length > 0 && line_length < 4) /* too small! */
+        line_length = 4;
 
     line_tokens = line_length / 4;
     data->line_length = line_tokens * 4;
 
     if (output_buffer == NULL) {
-	if (output_buflen == 0) {
-	    if (data->line_length > 0)	/* need to include room for CRLF */
-		output_buflen = data->line_length + 2;
-	    else
-		output_buflen = 64;		/* XXX what is a good size? */
-	}
+        if (output_buflen == 0) {
+            if (data->line_length > 0) /* need to include room for CRLF */
+                output_buflen = data->line_length + 2;
+            else
+                output_buflen = 64; /* XXX what is a good size? */
+        }
 
-	output_buffer = (char *) PR_Malloc(output_buflen);
-	if (output_buffer == NULL) {
-	    PR_Free(data);
-	    return NULL;
-	}
+        output_buffer = (char *)PR_Malloc(output_buflen);
+        if (output_buffer == NULL) {
+            PR_Free(data);
+            return NULL;
+        }
     }
 
     data->output_buffer = output_buffer;
     data->output_buflen = output_buflen;
     return data;
 }
 
 /*
  * Function to start a base64 encoding context.
  * An "output_fn" is required; the "output_arg" parameter to that is optional.
  * If linebreaks in the encoded output are desired, "line_length" specifies
  * where to place them -- it will be rounded down to the nearest multiple of 4
  * (if it is not already an even multiple of 4).  If it is zero, no linebreaks
  * will be added.  (FYI, a linebreak is CRLF -- two characters.)
  */
 static PLBase64Encoder *
-PL_CreateBase64Encoder (PRInt32 (*output_fn) (void *, const char *, PRInt32),
-			void *output_arg, PRUint32 line_length)
+PL_CreateBase64Encoder(PRInt32 (*output_fn)(void *, const char *, PRInt32),
+                       void *output_arg, PRUint32 line_length)
 {
     PLBase64Encoder *data;
 
     if (output_fn == NULL) {
-	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
-	return NULL;
+        PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
+        return NULL;
     }
 
-    data = pl_base64_create_encoder (line_length, NULL, 0);
+    data = pl_base64_create_encoder(line_length, NULL, 0);
     if (data == NULL)
-	return NULL;
+        return NULL;
 
     data->output_fn = output_fn;
     data->output_arg = output_arg;
 
     return data;
 }
 
-
 /*
  * Push data through the encoder, causing the output_fn (provided to Create)
  * to be called with the encoded data.
  */
 static PRStatus
-PL_UpdateBase64Encoder (PLBase64Encoder *data, const unsigned char *buffer,
-			PRUint32 size)
+PL_UpdateBase64Encoder(PLBase64Encoder *data, const unsigned char *buffer,
+                       PRUint32 size)
 {
     /* XXX Should we do argument checking only in debug build? */
     if (data == NULL || buffer == NULL || size == 0) {
-	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
-	return PR_FAILURE;
+        PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
+        return PR_FAILURE;
     }
 
-    return pl_base64_encode_buffer (data, buffer, size);
+    return pl_base64_encode_buffer(data, buffer, size);
 }
 
-
 /*
  * When you're done encoding, call this to free the data.  If "abort_p"
  * is false, then calling this may cause the output_fn to be called
  * one last time (as the last buffered data is flushed out).
  */
 static PRStatus
-PL_DestroyBase64Encoder (PLBase64Encoder *data, PRBool abort_p)
+PL_DestroyBase64Encoder(PLBase64Encoder *data, PRBool abort_p)
 {
     PRStatus status = PR_SUCCESS;
 
     /* XXX Should we do argument checking only in debug build? */
     if (data == NULL) {
-	PR_SetError (PR_INVALID_ARGUMENT_ERROR, 0);
-	return PR_FAILURE;
+        PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
+        return PR_FAILURE;
     }
 
     /* Flush out the last few buffered characters. */
     if (!abort_p)
-	status = pl_base64_encode_flush (data);
+        status = pl_base64_encode_flush(data);
 
     if (data->output_buffer != NULL)
-	PR_Free(data->output_buffer);
+        PR_Free(data->output_buffer);
     PR_Free(data);
 
     return status;
 }
 
-
 /*
  * Perform base64 encoding from an input buffer to an output buffer.
  * The output buffer can be provided (as "dest"); you can also pass in
  * a NULL and this function will allocate a buffer large enough for you,
  * and return it.  If you do provide the output buffer, you must also
  * provide the maximum length of that buffer (as "maxdestlen").
  * The actual encoded length of output will be returned to you in
  * "output_destlen".
@@ -440,74 +433,74 @@ PL_DestroyBase64Encoder (PLBase64Encoder
  * where to place them -- it will be rounded down to the nearest multiple of 4
  * (if it is not already an even multiple of 4).  If it is zero, no linebreaks
  * will be added.  (FYI, a linebreak is CRLF -- two characters.)
  *
  * Return value is NULL on error, the output buffer (allocated or provided)
  * otherwise.
  */
 static char *
-PL_Base64EncodeBuffer (const unsigned char *src, PRUint32 srclen,
-		       PRUint32 line_length, char *dest, PRUint32 maxdestlen,
-		       PRUint32 *output_destlen)
+PL_Base64EncodeBuffer(const unsigned char *src, PRUint32 srclen,
+                      PRUint32 line_length, char *dest, PRUint32 maxdestlen,
+                      PRUint32 *output_destlen)
 {
     PRUint32 need_length;
     PLBase64Encoder *data = NULL;
     PRStatus status;
 
     PR_ASSERT(srclen > 0);
     if (srclen == 0)
-	return dest;
+        return dest;
 
     /*
      * How much space could we possibly need for encoding this input?
      */
-    need_length = PL_Base64MaxEncodedLength (srclen, line_length);
+    need_length = PL_Base64MaxEncodedLength(srclen, line_length);
 
     /*
      * Make sure we have at least that much, if output buffer provided.
      */
     if (dest != NULL) {
-	PR_ASSERT(maxdestlen >= need_length);
-	if (maxdestlen < need_length) {
-	    PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
-	    return NULL;
-	}
+        PR_ASSERT(maxdestlen >= need_length);
+        if (maxdestlen < need_length) {
+            PR_SetError(PR_BUFFER_OVERFLOW_ERROR, 0);
+            return NULL;
+        }
     } else {
-	maxdestlen = need_length;
+        maxdestlen = need_length;
     }
 
     data = pl_base64_create_encoder(line_length, dest, maxdestlen);
     if (data == NULL)
-	return NULL;
+        return NULL;
 
-    status = pl_base64_encode_buffer (data, src, srclen);
+    status = pl_base64_encode_buffer(data, src, srclen);
 
     /*
      * We do not wait for Destroy to flush, because Destroy will also
      * get rid of our encoder context, which we need to look at first!
      */
     if (status == PR_SUCCESS)
-	status = pl_base64_encode_flush (data);
+        status = pl_base64_encode_flush(data);
 
     if (status != PR_SUCCESS) {
-	(void) PL_DestroyBase64Encoder (data, PR_TRUE);
-	return NULL;
+        (void)PL_DestroyBase64Encoder(data, PR_TRUE);
+        return NULL;
     }
 
     dest = data->output_buffer;
 
     /* Must clear this or Destroy will free it. */
     data->output_buffer = NULL;
 
     *output_destlen = data->output_length;
-    status = PL_DestroyBase64Encoder (data, PR_FALSE);
+    status = PL_DestroyBase64Encoder(data, PR_FALSE);
     if (status == PR_FAILURE) {
-	PR_Free(dest);
-	return NULL;
+        PR_Free(dest);
+        return NULL;
     }
 
     return dest;
 }
 
 /*
  * XXX End of base64 encoding code to be moved into NSPR.
  ********************************************************
@@ -515,106 +508,101 @@ PL_Base64EncodeBuffer (const unsigned ch
 
 /*
  * This is the beginning of the NSS cover functions.  These will
  * provide the interface we want to expose as NSS-ish.  For example,
  * they will operate on our Items, do any special handling or checking
  * we want to do, etc.
  */
 
-
 PR_BEGIN_EXTERN_C
 
 /*
  * A boring cover structure for now.  Perhaps someday it will include
  * some more interesting fields.
  */
 struct NSSBase64EncoderStr {
     PLBase64Encoder *pl_data;
 };
 
 PR_END_EXTERN_C
 
-
 /*
  * Function to start a base64 encoding context.
  */
 NSSBase64Encoder *
-NSSBase64Encoder_Create (PRInt32 (*output_fn) (void *, const char *, PRInt32),
-			 void *output_arg)
+NSSBase64Encoder_Create(PRInt32 (*output_fn)(void *, const char *, PRInt32),
+                        void *output_arg)
 {
     PLBase64Encoder *pl_data;
     NSSBase64Encoder *nss_data;
 
     nss_data = PORT_ZNew(NSSBase64Encoder);
     if (nss_data == NULL)
-	return NULL;
+        return NULL;
 
-    pl_data = PL_CreateBase64Encoder (output_fn, output_arg, 64);
+    pl_data = PL_CreateBase64Encoder(output_fn, output_arg, 64);
     if (pl_data == NULL) {
-	PORT_Free(nss_data);
-	return NULL;
+        PORT_Free(nss_data);
+        return NULL;
     }
 
     nss_data->pl_data = pl_data;
     return nss_data;
 }
 
-
 /*
  * Push data through the encoder, causing the output_fn (provided to Create)
  * to be called with the encoded data.
  */
 SECStatus
-NSSBase64Encoder_Update (NSSBase64Encoder *data, const unsigned char *buffer,
-			 PRUint32 size)
+NSSBase64Encoder_Update(NSSBase64Encoder *data, const unsigned char *buffer,
+                        PRUint32 size)
 {
     PRStatus pr_status;
 
     /* XXX Should we do argument checking only in debug build? */
     if (data == NULL) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
-    pr_status = PL_UpdateBase64Encoder (data->pl_data, buffer, size);
+    pr_status = PL_UpdateBase64Encoder(data->pl_data, buffer, size);
     if (pr_status == PR_FAILURE)
-	return SECFailure;
+        return SECFailure;
 
     return SECSuccess;
 }
 
-
 /*
  * When you're done encoding, call this to free the data.  If "abort_p"
  * is false, then calling this may cause the output_fn to be called
  * one last time (as the last buffered data is flushed out).
  */
 SECStatus
-NSSBase64Encoder_Destroy (NSSBase64Encoder *data, PRBool abort_p)
+NSSBase64Encoder_Destroy(NSSBase64Encoder *data, PRBool abort_p)
 {
     PRStatus pr_status;
 
     /* XXX Should we do argument checking only in debug build? */
     if (data == NULL) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
-    pr_status = PL_DestroyBase64Encoder (data->pl_data, abort_p);
+    pr_status = PL_DestroyBase64Encoder(data->pl_data, abort_p);
 
     PORT_Free(data);
 
     if (pr_status == PR_FAILURE)
-	return SECFailure;
+        return SECFailure;
 
     return SECSuccess;
 }
 
-
 /*
  * Perform base64 encoding of binary data "inItem" to an ascii string.
  * The output buffer may be provided (as "outStrOpt"); you can also pass
  * in a NULL and the buffer will be allocated for you.  The result will
  * be null-terminated, and if the buffer is provided, "maxOutLen" must
  * specify the maximum length of the buffer and will be checked to
  * supply sufficient space space for the encoded result.  (If "outStrOpt"
  * is NULL, "maxOutLen" is ignored.)
@@ -622,75 +610,73 @@ NSSBase64Encoder_Destroy (NSSBase64Encod
  * If "outStrOpt" is NULL, allocation will happen out of the passed-in
  * "arenaOpt", if *it* is non-NULL, otherwise standard allocation (heap)
  * will be used.
  *
  * Return value is NULL on error, the output buffer (allocated or provided)
  * otherwise.
  */
 char *
-NSSBase64_EncodeItem (PLArenaPool *arenaOpt, char *outStrOpt,
-		      unsigned int maxOutLen, SECItem *inItem)
+NSSBase64_EncodeItem(PLArenaPool *arenaOpt, char *outStrOpt,
+                     unsigned int maxOutLen, SECItem *inItem)
 {
     char *out_string = outStrOpt;
     PRUint32 max_out_len;
     PRUint32 out_len = 0;
     void *mark = NULL;
     char *dummy;
 
     PORT_Assert(inItem != NULL && inItem->data != NULL && inItem->len != 0);
     if (inItem == NULL || inItem->data == NULL || inItem->len == 0) {
-	PORT_SetError (SEC_ERROR_INVALID_ARGS);
-	return NULL;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return NULL;
     }
 
-    max_out_len = PL_Base64MaxEncodedLength (inItem->len, 64);
+    max_out_len = PL_Base64MaxEncodedLength(inItem->len, 64);
 
     if (arenaOpt != NULL)
-	mark = PORT_ArenaMark (arenaOpt);
+        mark = PORT_ArenaMark(arenaOpt);
 
     if (out_string == NULL) {
-	if (arenaOpt != NULL)
-	    out_string = PORT_ArenaAlloc (arenaOpt, max_out_len + 1);
-	else
-	    out_string = PORT_Alloc (max_out_len + 1);
+        if (arenaOpt != NULL)
+            out_string = PORT_ArenaAlloc(arenaOpt, max_out_len + 1);
+        else
+            out_string = PORT_Alloc(max_out_len + 1);
 
-	if (out_string == NULL) {
-	    if (arenaOpt != NULL)
-		PORT_ArenaRelease (arenaOpt, mark);
-	    return NULL;
-	}
+        if (out_string == NULL) {
+            if (arenaOpt != NULL)
+                PORT_ArenaRelease(arenaOpt, mark);
+            return NULL;
+        }
     } else {
-	if ((max_out_len + 1) > maxOutLen) {
-	    PORT_SetError (SEC_ERROR_OUTPUT_LEN);
-	    return NULL;
-	}
-	max_out_len = maxOutLen;
+        if ((max_out_len + 1) > maxOutLen) {
+            PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+            return NULL;
+        }
+        max_out_len = maxOutLen;
     }
 
-
-    dummy = PL_Base64EncodeBuffer (inItem->data, inItem->len, 64,
-				   out_string, max_out_len, &out_len);
+    dummy = PL_Base64EncodeBuffer(inItem->data, inItem->len, 64,
+                                  out_string, max_out_len, &out_len);
     if (dummy == NULL) {
-	if (arenaOpt != NULL) {
-	    PORT_ArenaRelease (arenaOpt, mark);
-	} else {
-	    PORT_Free (out_string);
-	}
-	return NULL;
+        if (arenaOpt != NULL) {
+            PORT_ArenaRelease(arenaOpt, mark);
+        } else {
+            PORT_Free(out_string);
+        }
+        return NULL;
     }
 
     if (arenaOpt != NULL)
-	PORT_ArenaUnmark (arenaOpt, mark);
+        PORT_ArenaUnmark(arenaOpt, mark);
 
     out_string[out_len] = '\0';
     return out_string;
 }
 
-
 /*
  * XXX Everything below is deprecated.  If you add new stuff, put it
  * *above*, not below.
  */
 
 /*
  * XXX The following "BTOA" functions are provided for backward compatibility
  * with current code.  They should be considered strongly deprecated.
@@ -713,19 +699,19 @@ NSSBase64_EncodeItem (PLArenaPool *arena
 char *
 BTOA_DataToAscii(const unsigned char *data, unsigned int len)
 {
     SECItem binary_item;
 
     binary_item.data = (unsigned char *)data;
     binary_item.len = len;
 
-    return NSSBase64_EncodeItem (NULL, NULL, 0, &binary_item);
+    return NSSBase64_EncodeItem(NULL, NULL, 0, &binary_item);
 }
 
 /*
 ** Convert from binary encoding of an item to ascii.
 */
 char *
-BTOA_ConvertItemToAscii (SECItem *binary_item)
+BTOA_ConvertItemToAscii(SECItem *binary_item)
 {
-    return NSSBase64_EncodeItem (NULL, NULL, 0, binary_item);
+    return NSSBase64_EncodeItem(NULL, NULL, 0, binary_item);
 }
--- a/security/nss/lib/util/nssilckt.h
+++ b/security/nss/lib/util/nssilckt.h
@@ -8,18 +8,18 @@
 ** Description:
 **    nssilock provides instrumentation for locks and monitors in
 **    the NSS libraries. The instrumentation, when enabled, causes
 **    each call to the instrumented function to record data about
 **    the call to an external file. The external file
 **    subsequently used to extract performance data and other
 **    statistical information about the operation of locks used in
 **    the nss library.
-**     
-**    To enable compilation with instrumentation, build NSS with 
+**
+**    To enable compilation with instrumentation, build NSS with
 **    the compile time switch NEED_NSS_ILOCK defined.
 **
 **    say:  "gmake OS_CFLAGS+=-DNEED_NSS_ILOCK" at make time.
 **
 **    At runtime, to enable recording from nssilock, one or more
 **    environment variables must be set. For each nssILockType to
 **    be recorded, an environment variable of the form NSS_ILOCK_x
 **    must be set to 1. For example:
@@ -51,52 +51,52 @@
 ** File Format:
 **    The format of the external file is implementation
 **    dependent. Where NSPR's PR_LOG() function is used, the file
 **    contains data defined for PR_LOG() plus the data written by
 **    the wrapped function. On some platforms and under some
 **    circumstances, platform dependent logging or
 **    instrumentation probes may be used. In any case, the
 **    relevant data provided by the lock instrumentation is:
-**    
+**
 **      lockType, func, address, duration, line, file [heldTime]
-** 
+**
 **    where:
-**    
+**
 **       lockType: a character representation of nssILockType for the
 **       call. e.g. ... "cert"
-**    
+**
 **       func: the function doing the tracing. e.g. "NewLock"
-**    
+**
 **       address: address of the instrumented lock or monitor
-**    
+**
 **       duration: is how long was spent in the instrumented function,
 **       in PRIntervalTime "ticks".
-**    
+**
 **       line: the line number within the calling function
-**    
+**
 **       file: the file from which the call was made
-**    
+**
 **       heldTime: how long the lock/monitor was held. field
 **       present only for PZ_Unlock() and PZ_ExitMonitor().
-**    
+**
 ** Design Notes:
 **    The design for lock instrumentation was influenced by the
 **    need to gather performance data on NSS 3.x. It is intended
 **    that the effort to modify NSS to use lock instrumentation
 **    be minimized. Existing calls to locking functions need only
 **    have their names changed to the instrumentation function
 **    names.
-**    
+**
 ** Private NSS Interface:
 **    nssilock.h defines a private interface for use by NSS.
 **    nssilock.h is experimental in nature and is subject to
 **    change or revocation without notice. ... Don't mess with
 **    it.
-**    
+**
 */
 
 /*
  * $Id:
  */
 
 #ifndef _NSSILCKT_H_
 #define _NSSILCKT_H_
@@ -117,34 +117,34 @@ typedef enum {
     nssILockDBM = 6,
     nssILockCache = 7,
     nssILockSSL = 8,
     nssILockList = 9,
     nssILockSlot = 10,
     nssILockFreelist = 11,
     nssILockOID = 12,
     nssILockAttribute = 13,
-    nssILockPK11cxt = 14,  /* pk11context */
+    nssILockPK11cxt = 14, /* pk11context */
     nssILockRWLock = 15,
     nssILockOther = 16,
     nssILockSelfServ = 17,
     nssILockKeyDB = 18,
-    nssILockLast  /* don't use this one! */
+    nssILockLast /* don't use this one! */
 } nssILockType;
 
 /*
 ** conditionally compile in nssilock features
 */
 #if defined(NEED_NSS_ILOCK)
 
 /*
 ** Declare operation type enumerator
 ** enumerations identify the function being performed
 */
-typedef enum  {
+typedef enum {
     FlushTT = 0,
     NewLock = 1,
     Lock = 2,
     Unlock = 3,
     DestroyLock = 4,
     NewCondVar = 5,
     WaitCondVar = 6,
     NotifyCondVar = 7,
@@ -158,34 +158,34 @@ typedef enum  {
     Wait = 15,
     DestroyMonitor = 16
 } nssILockOp;
 
 /*
 ** Declare the trace record
 */
 struct pzTrace_s {
-    PRUint32        threadID; /* PR_GetThreadID() */
-    nssILockOp      op;       /* operation being performed */
-    nssILockType    ltype;    /* lock type identifier */
-    PRIntervalTime  callTime; /* time spent in function */
-    PRIntervalTime  heldTime; /* lock held time, or -1 */
-    void            *lock;    /* address of lock structure */    
-    PRIntn          line;     /* line number */
-    char            file[24]; /* filename */
+    PRUint32 threadID;       /* PR_GetThreadID() */
+    nssILockOp op;           /* operation being performed */
+    nssILockType ltype;      /* lock type identifier */
+    PRIntervalTime callTime; /* time spent in function */
+    PRIntervalTime heldTime; /* lock held time, or -1 */
+    void *lock;              /* address of lock structure */
+    PRIntn line;             /* line number */
+    char file[24];           /* filename */
 };
 
 /*
 ** declare opaque types. See: nssilock.c
 */
 typedef struct pzlock_s PZLock;
 typedef struct pzcondvar_s PZCondVar;
 typedef struct pzmonitor_s PZMonitor;
 
 #else /* NEED_NSS_ILOCK */
 
-#define PZLock                  PRLock
-#define PZCondVar               PRCondVar
-#define PZMonitor               PRMonitor
-    
+#define PZLock PRLock
+#define PZCondVar PRCondVar
+#define PZMonitor PRMonitor
+
 #endif /* NEED_NSS_ILOCK */
 
 #endif /* _NSSILCKT_H_ */
--- a/security/nss/lib/util/nssilock.c
+++ b/security/nss/lib/util/nssilock.c
@@ -23,476 +23,457 @@
 #include "prcvar.h"
 #include "prio.h"
 
 #if defined(NEED_NSS_ILOCK)
 #include "prlog.h"
 #include "nssilock.h"
 
 /*
-** Declare the instrumented PZLock 
+** Declare the instrumented PZLock
 */
 struct pzlock_s {
-    PRLock *lock;  /* the PZLock to be instrumented */
+    PRLock *lock;        /* the PZLock to be instrumented */
     PRIntervalTime time; /* timestamp when the lock was aquired */
     nssILockType ltype;
 };
 
 /*
-** Declare the instrumented PZMonitor 
+** Declare the instrumented PZMonitor
 */
 struct pzmonitor_s {
-    PRMonitor *mon;   /* the PZMonitor to be instrumented */
+    PRMonitor *mon;      /* the PZMonitor to be instrumented */
     PRIntervalTime time; /* timestamp when the monitor was aquired */
     nssILockType ltype;
 };
 
 /*
 ** Declare the instrumented PZCondVar
 */
-struct pzcondvar_s  {
-    PRCondVar   *cvar;  /* the PZCondVar to be instrumented */
+struct pzcondvar_s {
+    PRCondVar *cvar; /* the PZCondVar to be instrumented */
     nssILockType ltype;
 };
 
-
 /*
 ** Define a CallOnce type to ensure serialized self-initialization
 */
-static PRCallOnceType coNssILock;     /* CallOnce type */
-static PRIntn  nssILockInitialized;   /* initialization done when 1 */
-static PRLogModuleInfo *nssILog;      /* Log instrumentation to this handle */
-
+static PRCallOnceType coNssILock;  /* CallOnce type */
+static PRIntn nssILockInitialized; /* initialization done when 1 */
+static PRLogModuleInfo *nssILog;   /* Log instrumentation to this handle */
 
 #define NUM_TT_ENTRIES 6000000
-static PRInt32  traceIndex = -1;      /* index into trace table */
-static struct pzTrace_s *tt;          /* pointer to trace table */
-static PRInt32  ttBufSize = (NUM_TT_ENTRIES * sizeof(struct pzTrace_s ));
+static PRInt32 traceIndex = -1; /* index into trace table */
+static struct pzTrace_s *tt;    /* pointer to trace table */
+static PRInt32 ttBufSize = (NUM_TT_ENTRIES * sizeof(struct pzTrace_s));
 static PRCondVar *ttCVar;
-static PRLock    *ttLock;
-static PRFileDesc *ttfd;              /* trace table file */
+static PRLock *ttLock;
+static PRFileDesc *ttfd; /* trace table file */
 
 /*
 ** Vtrace() -- Trace events, write events to external media
 **
 ** Vtrace() records traced events in an in-memory trace table
 ** when the trace table fills, Vtrace writes the entire table
 ** to a file.
 **
 ** data can be lost!
 **
 */
-static void Vtrace(
-    nssILockOp      op,
-    nssILockType    ltype,
-    PRIntervalTime  callTime,
-    PRIntervalTime  heldTime,
-    void            *lock,
-    PRIntn          line,
-    char            *file
-)  {
+static void
+Vtrace(
+    nssILockOp op,
+    nssILockType ltype,
+    PRIntervalTime callTime,
+    PRIntervalTime heldTime,
+    void *lock,
+    PRIntn line,
+    char *file)
+{
     PRInt32 idx;
     struct pzTrace_s *tp;
 
 RetryTrace:
-    idx = PR_ATOMIC_INCREMENT( &traceIndex );
-    while( NUM_TT_ENTRIES <= idx || op == FlushTT ) {
-        if( NUM_TT_ENTRIES == idx  || op == FlushTT )  {
+    idx = PR_ATOMIC_INCREMENT(&traceIndex);
+    while (NUM_TT_ENTRIES <= idx || op == FlushTT) {
+        if (NUM_TT_ENTRIES == idx || op == FlushTT) {
             int writeSize = idx * sizeof(struct pzTrace_s);
             PR_Lock(ttLock);
-            PR_Write( ttfd, tt, writeSize );
+            PR_Write(ttfd, tt, writeSize);
             traceIndex = -1;
-            PR_NotifyAllCondVar( ttCVar );
+            PR_NotifyAllCondVar(ttCVar);
             PR_Unlock(ttLock);
             goto RetryTrace;
         } else {
             PR_Lock(ttLock);
-            while( NUM_TT_ENTRIES < idx )
+            while (NUM_TT_ENTRIES < idx)
                 PR_WaitCondVar(ttCVar, PR_INTERVAL_NO_WAIT);
             PR_Unlock(ttLock);
             goto RetryTrace;
         }
     } /* end while() */
 
     /* create the trace entry */
     tp = tt + idx;
     tp->threadID = PR_GetThreadID(PR_GetCurrentThread());
     tp->op = op;
     tp->ltype = ltype;
     tp->callTime = callTime;
     tp->heldTime = heldTime;
     tp->lock = lock;
-    tp ->line = line;
-    strcpy(tp->file, file );
+    tp->line = line;
+    strcpy(tp->file, file);
     return;
 } /* --- end Vtrace() --- */
 
 /*
 ** pz_TraceFlush() -- Force trace table write to file
 **
 */
-extern void pz_TraceFlush( void )
+extern void
+pz_TraceFlush(void)
 {
-    Vtrace( FlushTT, nssILockSelfServ, 0, 0, NULL, 0, "" );
+    Vtrace(FlushTT, nssILockSelfServ, 0, 0, NULL, 0, "");
     return;
 } /* --- end pz_TraceFlush() --- */
 
 /*
 ** nssILockInit() -- Initialization for nssilock
 **
 ** This function is called from the CallOnce mechanism.
 */
 static PRStatus
-    nssILockInit( void ) 
-{   
+nssILockInit(void)
+{
     int i;
     nssILockInitialized = 1;
 
     /* new log module */
     nssILog = PR_NewLogModule("nssilock");
-    if ( NULL == nssILog )  {
-        return(PR_FAILURE);
+    if (NULL == nssILog) {
+        return (PR_FAILURE);
     }
 
-    tt = PR_Calloc( NUM_TT_ENTRIES, sizeof(struct pzTrace_s));
-    if (NULL == tt ) {
+    tt = PR_Calloc(NUM_TT_ENTRIES, sizeof(struct pzTrace_s));
+    if (NULL == tt) {
         fprintf(stderr, "nssilock: can't allocate trace table\n");
         exit(1);
     }
 
-    ttfd = PR_Open( "xxxTTLog", PR_CREATE_FILE | PR_WRONLY, 0666 );
-    if ( NULL == ttfd )  {
-        fprintf( stderr, "Oh Drat! Can't open 'xxxTTLog'\n");
+    ttfd = PR_Open("xxxTTLog", PR_CREATE_FILE | PR_WRONLY, 0666);
+    if (NULL == ttfd) {
+        fprintf(stderr, "Oh Drat! Can't open 'xxxTTLog'\n");
         exit(1);
     }
 
     ttLock = PR_NewLock();
     ttCVar = PR_NewCondVar(ttLock);
 
-    return(PR_SUCCESS);
+    return (PR_SUCCESS);
 } /* --- end nssILockInit() --- */
 
-extern PZLock * pz_NewLock( 
+extern PZLock *
+pz_NewLock(
     nssILockType ltype,
-    char *file,  
-    PRIntn line )
+    char *file,
+    PRIntn line)
 {
     PRStatus rc;
-    PZLock  *lock;
-    
+    PZLock *lock;
+
     /* Self Initialize the nssILock feature */
-    if (!nssILockInitialized)  {
-        rc = PR_CallOnce( &coNssILock, nssILockInit );
-        if ( PR_FAILURE == rc ) {
-            PR_SetError( PR_UNKNOWN_ERROR, 0 );
-            return( NULL );
+    if (!nssILockInitialized) {
+        rc = PR_CallOnce(&coNssILock, nssILockInit);
+        if (PR_FAILURE == rc) {
+            PR_SetError(PR_UNKNOWN_ERROR, 0);
+            return (NULL);
         }
     }
 
-    lock = PR_NEWZAP( PZLock );
-    if ( NULL != lock )  {
+    lock = PR_NEWZAP(PZLock);
+    if (NULL != lock) {
         lock->ltype = ltype;
         lock->lock = PR_NewLock();
-        if ( NULL == lock->lock )  {
-            PR_DELETE( lock );
-            PORT_SetError(SEC_ERROR_NO_MEMORY);
-        }
-    } else {
-            PORT_SetError(SEC_ERROR_NO_MEMORY);
-    }
-
-    Vtrace( NewLock, ltype, 0, 0, lock, line, file );
-    return(lock);
-} /* --- end pz_NewLock() --- */
-
-extern void
-    pz_Lock(
-        PZLock *lock,
-        char *file,
-        PRIntn line
-    )
-{            
-    PRIntervalTime callTime;
-
-    callTime = PR_IntervalNow();
-    PR_Lock( lock->lock );
-    lock->time = PR_IntervalNow();
-    callTime = lock->time - callTime;
-
-    Vtrace( Lock, lock->ltype, callTime, 0, lock, line, file );
-    return;
-} /* --- end  pz_Lock() --- */
-
-extern PRStatus
-    pz_Unlock(
-        PZLock *lock,
-        char *file,
-        PRIntn line
-    ) 
-{
-    PRStatus rc;
-    PRIntervalTime callTime, now, heldTime;
-
-    callTime = PR_IntervalNow();
-    rc = PR_Unlock( lock->lock );
-    now = PR_IntervalNow(); 
-    callTime = now - callTime;
-    heldTime = now - lock->time;
-    Vtrace( Unlock, lock->ltype, callTime, heldTime, lock, line, file );
-    return( rc );
-} /* --- end  pz_Unlock() --- */
-
-extern void
-    pz_DestroyLock(
-        PZLock *lock,
-        char *file,
-        PRIntn line
-    )
-{
-    Vtrace( DestroyLock, lock->ltype, 0, 0, lock, line, file );
-    PR_DestroyLock( lock->lock );
-    PR_DELETE( lock );
-    return;
-} /* --- end  pz_DestroyLock() --- */
-
-
-
-extern PZCondVar *
-    pz_NewCondVar(
-        PZLock *lock,
-        char *file,
-        PRIntn line
-    )
-{
-    PZCondVar *cvar;
-
-    cvar = PR_NEWZAP( PZCondVar );