backing out c815269c99c8, bug 1245053, CLOSED TREE
authorKai Engert <kaie@kuix.de>
Thu, 25 Feb 2016 18:51:37 +0100
changeset 285594 e003524530f63bdbfb84fb4ab63dd0f6909effaf
parent 285593 29caf02c0eb04ae7703b6dc18a6949ab74fae102
child 285595 636081f1b33208ad8f8fa1a537db90911f1873e7
push id72426
push userkaie@kuix.de
push dateThu, 25 Feb 2016 17:51:45 +0000
treeherdermozilla-inbound@e003524530f6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs1245053
milestone47.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
backing out c815269c99c8, bug 1245053, CLOSED TREE
security/nss/.clang-format
security/nss/TAG-INFO
security/nss/coreconf/coreconf.dep
security/nss/lib/base/arena.c
security/nss/lib/base/error.c
security/nss/lib/base/hash.c
security/nss/lib/base/item.c
security/nss/lib/base/libc.c
security/nss/lib/base/list.c
security/nss/lib/base/utf8.c
security/nss/lib/certdb/alg1485.c
security/nss/lib/certdb/certdb.c
security/nss/lib/certdb/certv3.c
security/nss/lib/certdb/certxutl.c
security/nss/lib/certdb/crl.c
security/nss/lib/certdb/genname.c
security/nss/lib/certdb/polcyxtn.c
security/nss/lib/certdb/secname.c
security/nss/lib/certdb/stanpcertdb.c
security/nss/lib/certdb/xauthkid.c
security/nss/lib/certdb/xbsconst.c
security/nss/lib/certhigh/certhigh.c
security/nss/lib/certhigh/certvfy.c
security/nss/lib/certhigh/certvfypkix.c
security/nss/lib/certhigh/crlv2.c
security/nss/lib/certhigh/ocsp.c
security/nss/lib/certhigh/ocspsig.c
security/nss/lib/ckfw/builtins/anchor.c
security/nss/lib/ckfw/builtins/bfind.c
security/nss/lib/ckfw/capi/anchor.c
security/nss/lib/ckfw/capi/cfind.c
security/nss/lib/ckfw/capi/cobject.c
security/nss/lib/ckfw/dbm/anchor.c
security/nss/lib/ckfw/dbm/db.c
security/nss/lib/ckfw/dbm/slot.c
security/nss/lib/ckfw/dbm/token.c
security/nss/lib/ckfw/find.c
security/nss/lib/ckfw/hash.c
security/nss/lib/ckfw/instance.c
security/nss/lib/ckfw/nssmkey/manchor.c
security/nss/lib/ckfw/nssmkey/mfind.c
security/nss/lib/ckfw/nssmkey/mobject.c
security/nss/lib/ckfw/object.c
security/nss/lib/ckfw/session.c
security/nss/lib/ckfw/sessobj.c
security/nss/lib/ckfw/slot.c
security/nss/lib/ckfw/token.c
security/nss/lib/ckfw/wrap.c
security/nss/lib/crmf/challcli.c
security/nss/lib/crmf/cmmfchal.c
security/nss/lib/crmf/cmmfrec.c
security/nss/lib/crmf/cmmfresp.c
security/nss/lib/crmf/crmfcont.c
security/nss/lib/crmf/crmfget.c
security/nss/lib/crmf/crmfpop.c
security/nss/lib/crmf/crmfreq.c
security/nss/lib/crmf/respcmn.c
security/nss/lib/crmf/servget.c
security/nss/lib/cryptohi/seckey.c
security/nss/lib/cryptohi/secsign.c
security/nss/lib/cryptohi/secvfy.c
security/nss/lib/dbm/include/hash.h
security/nss/lib/dbm/src/dirent.c
security/nss/lib/dbm/src/dirent.h
security/nss/lib/dbm/src/h_bigkey.c
security/nss/lib/dbm/src/h_page.c
security/nss/lib/dbm/src/hash.c
security/nss/lib/dbm/src/hash_buf.c
security/nss/lib/dbm/src/memmove.c
security/nss/lib/dbm/src/mktemp.c
security/nss/lib/dbm/tests/lots.c
security/nss/lib/dev/ckhelper.c
security/nss/lib/dev/ckhelper.h
security/nss/lib/dev/devtoken.c
security/nss/lib/dev/devutil.c
security/nss/lib/ssl/authcert.c
security/nss/lib/ssl/cmpcert.c
security/nss/lib/ssl/derive.c
security/nss/lib/ssl/dtlscon.c
security/nss/lib/ssl/os2_err.c
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ecc.c
security/nss/lib/ssl/ssl3ext.c
security/nss/lib/ssl/ssl3gthr.c
security/nss/lib/ssl/sslauth.c
security/nss/lib/ssl/sslcon.c
security/nss/lib/ssl/ssldef.c
security/nss/lib/ssl/sslenum.c
security/nss/lib/ssl/sslgathr.c
security/nss/lib/ssl/sslinfo.c
security/nss/lib/ssl/sslmutex.h
security/nss/lib/ssl/sslnonce.c
security/nss/lib/ssl/sslsecur.c
security/nss/lib/ssl/sslsnce.c
security/nss/lib/ssl/sslsock.c
security/nss/lib/ssl/ssltrace.c
security/nss/lib/ssl/tls13con.c
security/nss/lib/ssl/tls13hkdf.c
--- a/security/nss/.clang-format
+++ b/security/nss/.clang-format
@@ -56,10 +56,9 @@ SpacesInCStyleCastParentheses: false
 SpaceAfterCStyleCast: false
 SpacesInContainerLiterals: true
 SpaceBeforeAssignmentOperators: true
 ContinuationIndentWidth: 4
 CommentPragmas:  '^ IWYU pragma:'
 ForEachMacros:   [ foreach, Q_FOREACH, BOOST_FOREACH ]
 SpaceBeforeParens: ControlStatements
 DisableFormat:   false
-SortIncludes: false
 ...
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_23_BETA7
+NSS_3_23_BETA5
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/lib/base/arena.c
+++ b/security/nss/lib/base/arena.c
@@ -525,17 +525,18 @@ nssArena_Mark(NSSArena *arena)
     }
     PR_Lock(arena->lock);
 
 #ifdef ARENA_THREADMARK
     if ((PRThread *)NULL == arena->marking_thread) {
         /* Unmarked.  Store our thread ID */
         arena->marking_thread = PR_GetCurrentThread();
         /* This call never fails. */
-    } else {
+    }
+    else {
         /* Marked.  Verify it's the current thread */
         if (PR_GetCurrentThread() != arena->marking_thread) {
             PR_Unlock(arena->lock);
             nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
             return (nssArenaMark *)NULL;
         }
     }
 #endif /* ARENA_THREADMARK */
@@ -550,17 +551,18 @@ nssArena_Mark(NSSArena *arena)
         nss_SetError(NSS_ERROR_NO_MEMORY);
         return (nssArenaMark *)NULL;
     }
 
 #ifdef ARENA_THREADMARK
     if ((nssArenaMark *)NULL == arena->first_mark) {
         arena->first_mark = rv;
         arena->last_mark = rv;
-    } else {
+    }
+    else {
         arena->last_mark->next = rv;
         arena->last_mark = rv;
     }
 #endif /* ARENA_THREADMARK */
 
     rv->mark = p;
     rv->magic = MARK_MAGIC;
 
@@ -838,17 +840,18 @@ nss_ZAlloc(NSSArena *arenaOpt, PRUint32 
             return (void *)NULL;
         }
 
         h->arena = (NSSArena *)NULL;
         h->size = size;
         /* We used calloc: it's already zeroed */
 
         return (void *)((char *)h + sizeof(struct pointer_header));
-    } else {
+    }
+    else {
         void *rv;
 /* Arena allocation */
 #ifdef NSSDEBUG
         if (PR_SUCCESS != nssArena_verifyPointer(arenaOpt)) {
             return (void *)NULL;
         }
 #endif /* NSSDEBUG */
 
@@ -932,17 +935,18 @@ nss_ZFreeIf(void *pointer)
 
     /* Check any magic here */
 
     if ((NSSArena *)NULL == h->arena) {
         /* Heap */
         (void)nsslibc_memset(pointer, 0, h->size);
         PR_Free(h);
         return PR_SUCCESS;
-    } else {
+    }
+    else {
 /* Arena */
 #ifdef NSSDEBUG
         if (PR_SUCCESS != nssArena_verifyPointer(h->arena)) {
             return PR_FAILURE;
         }
 #endif /* NSSDEBUG */
 
         if ((PRLock *)NULL == h->arena->lock) {
@@ -1049,26 +1053,28 @@ nss_ZRealloc(void *pointer, PRUint32 new
         new_h->arena = (NSSArena *)NULL;
         new_h->size = newSize;
         rv = (void *)((char *)new_h + sizeof(struct pointer_header));
 
         if (newSize > h->size) {
             (void)nsslibc_memcpy(rv, pointer, h->size);
             (void)nsslibc_memset(&((char *)rv)[h->size], 0,
                                  (newSize - h->size));
-        } else {
+        }
+        else {
             (void)nsslibc_memcpy(rv, pointer, newSize);
         }
 
         (void)nsslibc_memset(pointer, 0, h->size);
         h->size = 0;
         PR_Free(h);
 
         return rv;
-    } else {
+    }
+    else {
         void *p;
 /* Arena */
 #ifdef NSSDEBUG
         if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
             return (void *)NULL;
         }
 #endif /* NSSDEBUG */
 
--- a/security/nss/lib/base/error.c
+++ b/security/nss/lib/base/error.c
@@ -90,21 +90,23 @@ error_get_my_stack(void)
             return (error_stack *)NULL;
         }
     }
 
     rv = (error_stack *)PR_GetThreadPrivate(error_stack_index);
     if ((error_stack *)NULL == rv) {
         /* Doesn't exist; create one */
         new_size = 16;
-    } else if (rv->header.count == rv->header.space &&
-               rv->header.count < NSS_MAX_ERROR_STACK_COUNT) {
+    }
+    else if (rv->header.count == rv->header.space &&
+             rv->header.count < NSS_MAX_ERROR_STACK_COUNT) {
         /* Too small, expand it */
         new_size = PR_MIN(rv->header.space * 2, NSS_MAX_ERROR_STACK_COUNT);
-    } else {
+    }
+    else {
         /* Okay, return it */
         return rv;
     }
 
     new_bytes = (new_size * sizeof(PRInt32)) + sizeof(error_stack);
     /* Use NSPR's calloc/realloc, not NSS's, to avoid loops! */
     new_stack = PR_Calloc(1, new_bytes);
 
@@ -220,17 +222,18 @@ nss_SetError(PRUint32 error)
     es = error_get_my_stack();
     if ((error_stack *)NULL == es) {
         /* Oh, well. */
         return;
     }
 
     if (es->header.count < es->header.space) {
         es->stack[es->header.count++] = error;
-    } else {
+    }
+    else {
         memmove(es->stack, es->stack + 1,
                 (es->header.space - 1) * (sizeof es->stack[0]));
         es->stack[es->header.space - 1] = error;
     }
     return;
 }
 
 /*
--- a/security/nss/lib/base/hash.c
+++ b/security/nss/lib/base/hash.c
@@ -87,17 +87,18 @@ nssHash_Create(NSSArena *arenaOpt, PRUin
         nss_SetError(NSS_ERROR_INVALID_POINTER);
         return (nssHash *)NULL;
     }
 #endif /* NSSDEBUG */
 
     if (arenaOpt) {
         arena = arenaOpt;
         i_alloced = PR_FALSE;
-    } else {
+    }
+    else {
         arena = nssArena_Create();
         i_alloced = PR_TRUE;
     }
 
     rv = nss_ZNEW(arena, nssHash);
     if ((nssHash *)NULL == rv) {
         goto loser;
     }
@@ -164,17 +165,18 @@ nssHash_CreateItem(NSSArena *arenaOpt, P
  */
 NSS_IMPLEMENT void
 nssHash_Destroy(nssHash *hash)
 {
     (void)PZ_DestroyLock(hash->mutex);
     PL_HashTableDestroy(hash->plHashTable);
     if (hash->i_alloced_arena) {
         nssArena_Destroy(hash->arena);
-    } else {
+    }
+    else {
         nss_ZFreeIf(hash);
     }
 }
 
 /*
  * nssHash_Add
  *
  */
@@ -184,19 +186,21 @@ nssHash_Add(nssHash *hash, const void *k
     PRStatus error = PR_FAILURE;
     PLHashEntry *he;
 
     PZ_Lock(hash->mutex);
 
     he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
     if ((PLHashEntry *)NULL == he) {
         nss_SetError(NSS_ERROR_NO_MEMORY);
-    } else if (he->value != value) {
+    }
+    else if (he->value != value) {
         nss_SetError(NSS_ERROR_HASH_COLLISION);
-    } else {
+    }
+    else {
         hash->count++;
         error = PR_SUCCESS;
     }
 
     (void)PZ_Unlock(hash->mutex);
 
     return error;
 }
@@ -251,17 +255,18 @@ nssHash_Exists(nssHash *hash, const void
     PZ_Lock(hash->mutex);
 
     value = PL_HashTableLookup(hash->plHashTable, it);
 
     (void)PZ_Unlock(hash->mutex);
 
     if ((void *)NULL == value) {
         return PR_FALSE;
-    } else {
+    }
+    else {
         return PR_TRUE;
     }
 }
 
 /*
  * nssHash_Lookup
  *
  */
--- a/security/nss/lib/base/item.c
+++ b/security/nss/lib/base/item.c
@@ -49,17 +49,18 @@ nssItem_Create(NSSArena *arenaOpt, NSSIt
     }
 #endif /* DEBUG */
 
     if ((NSSItem *)NULL == rvOpt) {
         rv = (NSSItem *)nss_ZNEW(arenaOpt, NSSItem);
         if ((NSSItem *)NULL == rv) {
             goto loser;
         }
-    } else {
+    }
+    else {
         rv = rvOpt;
     }
 
     rv->size = length;
     rv->data = nss_ZAlloc(arenaOpt, length);
     if ((void *)NULL == rv->data) {
         goto loser;
     }
--- a/security/nss/lib/base/libc.c
+++ b/security/nss/lib/base/libc.c
@@ -101,17 +101,18 @@ nsslibc_memequal(const void *a, const vo
 #endif /* NSSDEBUG */
 
     if ((PRStatus *)NULL != statusOpt) {
         *statusOpt = PR_SUCCESS;
     }
 
     if (0 == memcmp(a, b, len)) {
         return PR_TRUE;
-    } else {
+    }
+    else {
         return PR_FALSE;
     }
 }
 
 /*
  * nsslibc_memcmp
  */
 
--- a/security/nss/lib/base/list.c
+++ b/security/nss/lib/base/list.c
@@ -78,17 +78,18 @@ NSS_IMPLEMENT nssList *
 nssList_Create(NSSArena *arenaOpt, PRBool threadSafe)
 {
     NSSArena *arena;
     nssList *list;
     PRBool i_alloced;
     if (arenaOpt) {
         arena = arenaOpt;
         i_alloced = PR_FALSE;
-    } else {
+    }
+    else {
         arena = nssArena_Create();
         i_alloced = PR_TRUE;
     }
     if (!arena) {
         return (nssList *)NULL;
     }
     list = nss_ZNEW(arena, nssList);
     if (!list) {
@@ -97,17 +98,18 @@ nssList_Create(NSSArena *arenaOpt, PRBoo
         }
         return (nssList *)NULL;
     }
     if (threadSafe) {
         list->lock = PZ_NewLock(nssILockOther);
         if (!list->lock) {
             if (arenaOpt) {
                 nss_ZFreeIf(list);
-            } else {
+            }
+            else {
                 NSSArena_Destroy(arena);
             }
             return (nssList *)NULL;
         }
     }
     list->arena = arena;
     list->i_alloced_arena = i_alloced;
     list->compareFunc = pointer_compare;
@@ -198,21 +200,23 @@ nsslist_add_element(nssList *list, void 
                 }
                 if (link == PR_LIST_TAIL(&list->head->link)) {
                     /* reached end of list, append */
                     PR_INSERT_AFTER(&node->link, link);
                     break;
                 }
                 currNode = (nssListElement *)PR_NEXT_LINK(&currNode->link);
             }
-        } else {
+        }
+        else {
             /* not sorting */
             PR_APPEND_LINK(&node->link, &list->head->link);
         }
-    } else {
+    }
+    else {
         list->head = node;
     }
     ++list->count;
     return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT PRStatus
 nssList_Add(nssList *list, void *data)
--- a/security/nss/lib/base/utf8.c
+++ b/security/nss/lib/base/utf8.c
@@ -56,17 +56,18 @@ nssUTF8_CaseIgnoreMatch(const NSSUTF8 *a
 
     /*
      * XXX fgmr
      *
      * This is, like, so wrong!
      */
     if (0 == PL_strcasecmp((const char *)a, (const char *)b)) {
         return PR_TRUE;
-    } else {
+    }
+    else {
         return PR_FALSE;
     }
 }
 
 /*
  * nssUTF8_PrintableMatch
  *
  * Returns true if the two Printable strings pointed to by the
@@ -161,17 +162,18 @@ nssUTF8_PrintableMatch(const NSSUTF8 *a,
 
     while (' ' == *d) {
         d++;
     }
 
     if (*c == *d) {
         /* And both '\0', btw */
         return PR_TRUE;
-    } else {
+    }
+    else {
         return PR_FALSE;
     }
 }
 
 /*
  * nssUTF8_Duplicate
  *
  * This routine duplicates the UTF8-encoded string pointed to by the
@@ -317,27 +319,33 @@ nssUTF8_Length(const NSSUTF8 *s, PRStatu
      * 0020 0000-03FF FFFF   111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
      * 0400 0000-7FFF FFFF   1111110x 10xxxxxx ... 10xxxxxx
      */
 
     while (0 != *c) {
         PRUint32 incr;
         if ((*c & 0x80) == 0) {
             incr = 1;
-        } else if ((*c & 0xE0) == 0xC0) {
+        }
+        else if ((*c & 0xE0) == 0xC0) {
             incr = 2;
-        } else if ((*c & 0xF0) == 0xE0) {
+        }
+        else if ((*c & 0xF0) == 0xE0) {
             incr = 3;
-        } else if ((*c & 0xF8) == 0xF0) {
+        }
+        else if ((*c & 0xF8) == 0xF0) {
             incr = 4;
-        } else if ((*c & 0xFC) == 0xF8) {
+        }
+        else if ((*c & 0xFC) == 0xF8) {
             incr = 5;
-        } else if ((*c & 0xFE) == 0xFC) {
+        }
+        else if ((*c & 0xFE) == 0xFC) {
             incr = 6;
-        } else {
+        }
+        else {
             nss_SetError(NSS_ERROR_INVALID_STRING);
             goto loser;
         }
 
         l += incr;
 
 #ifdef PEDANTIC
         if (l < incr) {
@@ -442,17 +450,18 @@ nssUTF8_Create(NSSArena *arenaOpt, nssSt
             /*
              * PrintableString consists of A-Za-z0-9 ,()+,-./:=?
              * This is a subset of ASCII, which is a subset of UTF8.
              * So we can just duplicate the string over.
              */
 
             if (0 == size) {
                 rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
-            } else {
+            }
+            else {
                 rv = nss_ZAlloc(arenaOpt, size + 1);
                 if ((NSSUTF8 *)NULL == rv) {
                     return (NSSUTF8 *)NULL;
                 }
 
                 (void)nsslibc_memcpy(rv, inputString, size);
             }
 
@@ -463,17 +472,18 @@ nssUTF8_Create(NSSArena *arenaOpt, nssSt
             break;
         case nssStringType_BMPString:
             /* Base Multilingual Plane of Unicode */
             nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
             break;
         case nssStringType_UTF8String:
             if (0 == size) {
                 rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
-            } else {
+            }
+            else {
                 rv = nss_ZAlloc(arenaOpt, size + 1);
                 if ((NSSUTF8 *)NULL == rv) {
                     return (NSSUTF8 *)NULL;
                 }
 
                 (void)nsslibc_memcpy(rv, inputString, size);
             }
 
@@ -540,17 +550,18 @@ nssUTF8_GetEncoding(NSSArena *arenaOpt, 
             }
 
             if ((NSSItem *)NULL == rvOpt) {
                 rv = nss_ZNEW(arenaOpt, NSSItem);
                 if ((NSSItem *)NULL == rv) {
                     (void)nss_ZFreeIf(dup);
                     return (NSSItem *)NULL;
                 }
-            } else {
+            }
+            else {
                 rv = rvOpt;
             }
 
             rv->data = dup;
             dup = (NSSUTF8 *)NULL;
             rv->size = nssUTF8_Size(rv->data, &status);
             if ((0 == rv->size) && (PR_SUCCESS != status)) {
                 if ((NSSItem *)NULL == rvOpt) {
@@ -624,21 +635,23 @@ nssUTF8_CopyIntoFixedBuffer(NSSUTF8 *str
             return PR_SUCCESS;
         }
 
         /* Too long.  We have to trim the last character */
         for (/*bs*/; bs != 0; bs--) {
             if ((buffer[bs - 1] & 0xC0) != 0x80) {
                 buffer[bs - 1] = pad;
                 break;
-            } else {
+            }
+            else {
                 buffer[bs - 1] = pad;
             }
         }
-    } else {
+    }
+    else {
         (void)nsslibc_memset(buffer, pad, bufferSize);
         (void)nsslibc_memcpy(buffer, string, stringSize);
     }
 
     return PR_SUCCESS;
 }
 
 /*
--- a/security/nss/lib/certdb/alg1485.c
+++ b/security/nss/lib/certdb/alg1485.c
@@ -256,17 +256,18 @@ scanVal(const char** pbp, const char* en
 
     bp = *pbp;
 
     /* quoted? */
     if (*bp == C_DOUBLE_QUOTE) {
         isQuoted = PR_TRUE;
         /* skip over it */
         bp++;
-    } else {
+    }
+    else {
         isQuoted = PR_FALSE;
     }
 
     valBufp = valBuf;
     while (bp < endptr) {
         char c = *bp;
         if (c == C_BACKSLASH) {
             /* escape character */
@@ -276,22 +277,25 @@ scanVal(const char** pbp, const char* en
                 *pbp = bp;
                 return 0;
             }
             c = *bp;
             if (IS_HEX(c) && (endptr - bp) >= 2 && IS_HEX(bp[1])) {
                 bp++;
                 c = (char)((x2b[(PRUint8)c] << 4) | x2b[(PRUint8)*bp]);
             }
-        } else if (c == '#' && bp == *pbp) {
+        }
+        else if (c == '#' && bp == *pbp) {
             /* ignore leading #, quotation not required for it. */
-        } else if (!isQuoted && SPECIAL_CHAR(c)) {
+        }
+        else if (!isQuoted && SPECIAL_CHAR(c)) {
             /* unescaped special and not within quoted value */
             break;
-        } else if (c == C_DOUBLE_QUOTE) {
+        }
+        else if (c == C_DOUBLE_QUOTE) {
             /* reached unescaped double quote */
             break;
         }
         /* append character */
         vallen++;
         if (vallen >= valBufSize) {
             *pbp = bp;
             return 0;
@@ -395,17 +399,18 @@ ParseRFC1485AVA(PLArenaPool* arena, cons
     /* if we haven't finished, insist that we've stopped on a separator */
     if (sep && sep != ',' && sep != ';' && sep != '+') {
         goto loser;
     }
 
     /* is this a dotted decimal OID attribute type ? */
     if (!PL_strncasecmp("oid.", tagBuf, 4)) {
         rv = SEC_StringToOID(arena, &derOid, tagBuf, strlen(tagBuf));
-    } else {
+    }
+    else {
         for (n2k = name2kinds; n2k->name; n2k++) {
             SECOidData* oidrec;
             if (PORT_Strcasecmp(n2k->name, tagBuf) == 0) {
                 kind = n2k->kind;
                 vt = n2k->valueType;
                 oidrec = SECOID_FindOIDByTag(kind);
                 if (oidrec == NULL)
                     goto loser;
@@ -419,17 +424,18 @@ ParseRFC1485AVA(PLArenaPool* arena, cons
 
     /* Is this a hex encoding of a DER attribute value ? */
     if ('#' == valBuf[0]) {
         /* convert attribute value from hex to binary */
         rv = hexToBin(arena, &derVal, valBuf + 1, valLen - 1);
         if (rv)
             goto loser;
         a = CERT_CreateAVAFromRaw(arena, &derOid, &derVal);
-    } else {
+    }
+    else {
         if (kind == SEC_OID_UNKNOWN)
             goto loser;
         if (kind == SEC_OID_AVA_COUNTRY_NAME && valLen != 2)
             goto loser;
         if (vt == SEC_ASN1_PRINTABLE_STRING &&
             !IsPrintable((unsigned char*)valBuf, valLen))
             goto loser;
         if (vt == SEC_ASN1_DS) {
@@ -472,17 +478,18 @@ ParseRFC1485Name(const char* buf, int le
         ava = ParseRFC1485AVA(name->arena, &bp, e);
         if (ava == 0)
             goto loser;
         if (!rdn) {
             rdn = CERT_CreateRDN(name->arena, ava, (CERTAVA*)0);
             if (rdn == 0)
                 goto loser;
             rv = CERT_AddRDN(name, rdn);
-        } else {
+        }
+        else {
             rv = CERT_AddAVA(name->arena, rdn, ava);
         }
         if (rv)
             goto loser;
         if (bp[-1] != '+')
             rdn = NULL; /* done with this RDN */
         skipSpace(&bp, e);
     }
@@ -553,17 +560,18 @@ AppendStr(stringBuf* bufp, char* str)
     bufLen = bufp->offset;
     len = PORT_Strlen(str);
     bufSize = bufLen + len;
     if (!buf) {
         bufSize++;
         size = PR_MAX(DEFAULT_BUFFER_SIZE, bufSize * 2);
         buf = (char*)PORT_Alloc(size);
         bufp->size = size;
-    } else if (bufp->size < bufSize) {
+    }
+    else if (bufp->size < bufSize) {
         size = bufSize * 2;
         buf = (char*)PORT_Realloc(buf, size);
         bufp->size = size;
     }
     if (!buf) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         return SECFailure;
     }
@@ -602,24 +610,27 @@ cert_RFC1485_GetRequiredLen(const char* 
     char lastC = 0;
 
     /* need to make an initial pass to determine if quoting is needed */
     for (i = 0; i < srclen; i++) {
         char c = src[i];
         reqLen++;
         if (NEEDS_HEX_ESCAPE(c)) { /* c -> \xx  */
             reqLen += 2;
-        } else if (NEEDS_ESCAPE(c)) { /* c -> \c   */
+        }
+        else if (NEEDS_ESCAPE(c)) { /* c -> \c   */
             reqLen++;
-        } else if (SPECIAL_CHAR(c)) {
+        }
+        else if (SPECIAL_CHAR(c)) {
             if (mode == minimalEscapeAndQuote) /* quoting is allowed */
                 needsQuoting = PR_TRUE;        /* entirety will need quoting */
             else if (mode == fullEscape)
                 reqLen++; /* MAY escape this character */
-        } else if (OPTIONAL_SPACE(c) && OPTIONAL_SPACE(lastC)) {
+        }
+        else if (OPTIONAL_SPACE(c) && OPTIONAL_SPACE(lastC)) {
             if (mode == minimalEscapeAndQuote) /* quoting is allowed */
                 needsQuoting = PR_TRUE;        /* entirety will need quoting */
         }
         lastC = c;
     }
     /* if it begins or ends in optional space it needs quoting */
     if (!needsQuoting && srclen > 0 && mode == minimalEscapeAndQuote &&
         (OPTIONAL_SPACE(src[srclen - 1]) || OPTIONAL_SPACE(src[0]))) {
@@ -651,17 +662,18 @@ escapeAndQuote(char* dst, int dstlen, ch
     if (mode == minimalEscapeAndQuote)
         *dst++ = C_DOUBLE_QUOTE;
     for (i = 0; i < srclen; i++) {
         char c = src[i];
         if (NEEDS_HEX_ESCAPE(c)) {
             *dst++ = C_BACKSLASH;
             *dst++ = hexChars[(c >> 4) & 0x0f];
             *dst++ = hexChars[c & 0x0f];
-        } else {
+        }
+        else {
             if (NEEDS_ESCAPE(c) || (SPECIAL_CHAR(c) && mode == fullEscape)) {
                 *dst++ = C_BACKSLASH;
             }
             *dst++ = c;
         }
     }
     if (mode == minimalEscapeAndQuote)
         *dst++ = C_DOUBLE_QUOTE;
@@ -749,21 +761,23 @@ CERT_GetOidString(const SECItem* oid)
                 goto unsupported;
 
             if (!rvString) {
                 /* This is the first number.. decompose it */
                 PRUint32 one = PR_MIN(n / 40, 2); /* never > 2 */
                 PRUint32 two = n - (one * 40);
 
                 rvString = PR_smprintf("OID.%lu.%lu", one, two);
-            } else {
+            }
+            else {
                 prefix = rvString;
                 rvString = PR_smprintf("%s.%lu", prefix, n);
             }
-        } else if (bytesBeforeLast <= 9U) { /* 29-64 bit number */
+        }
+        else if (bytesBeforeLast <= 9U) { /* 29-64 bit number */
             PRUint64 n = 0;
             PRUint64 c;
 
             switch (bytesBeforeLast) {
                 CASE(9, 0x01);
                 CASE(8, 0x7f);
                 CASE(7, 0x7f);
                 CASE(6, 0x7f);
@@ -779,21 +793,23 @@ CERT_GetOidString(const SECItem* oid)
                 goto unsupported;
 
             if (!rvString) {
                 /* This is the first number.. decompose it */
                 PRUint64 one = PR_MIN(n / 40, 2); /* never > 2 */
                 PRUint64 two = n - (one * 40);
 
                 rvString = PR_smprintf("OID.%llu.%llu", one, two);
-            } else {
+            }
+            else {
                 prefix = rvString;
                 rvString = PR_smprintf("%s.%llu", prefix, n);
             }
-        } else {
+        }
+        else {
         /* More than a 64-bit number, or not minimal encoding. */
         unsupported:
             if (!rvString)
                 rvString = PR_smprintf("OID.UNSUPPORTED");
             else {
                 prefix = rvString;
                 rvString = PR_smprintf("%s.UNSUPPORTED", prefix);
             }
@@ -924,17 +940,18 @@ AppendAVA(stringBuf* bufp, CERTAVA* ava,
                                             : SEC_OID_AVA_POSTAL_ADDRESS;
     tag = CERT_GetAVATag(ava);
     while (pn2k->kind != tag && pn2k->kind != endKind) {
         ++pn2k;
     }
 
     if (pn2k->kind != endKind) {
         n2k = *pn2k;
-    } else if (strict != CERT_N2A_READABLE) {
+    }
+    else if (strict != CERT_N2A_READABLE) {
         useHex = PR_TRUE;
     }
     /* For invertable form, force Directory Strings to use hex form. */
     if (strict == CERT_N2A_INVERTIBLE && vt == SEC_ASN1_DS) {
         tagName = NULL;   /* must use OID.N form */
         useHex = PR_TRUE; /* must use hex string */
     }
     if (!useHex) {
@@ -969,36 +986,40 @@ AppendAVA(stringBuf* bufp, CERTAVA* ava,
         (useHex ? avaValue->len : cert_RFC1485_GetRequiredLen(
                                       (char*)avaValue->data, avaValue->len, &mode));
     len = nameLen + valueLen + 2; /* Add 2 for '=' and trailing NUL */
 
     maxName = nameLen;
     maxValue = valueLen;
     if (len <= sizeof(tmpBuf)) {
         encodedAVA = tmpBuf;
-    } else if (strict != CERT_N2A_READABLE) {
+    }
+    else if (strict != CERT_N2A_READABLE) {
         encodedAVA = PORT_Alloc(len);
         if (!encodedAVA) {
             SECITEM_FreeItem(avaValue, PR_TRUE);
             if (unknownTag)
                 PR_smprintf_free(unknownTag);
             return SECFailure;
         }
-    } else {
+    }
+    else {
         /* Must make output fit in tmpbuf */
         unsigned int fair = (sizeof tmpBuf) / 2 - 1; /* for = and \0 */
 
         if (nameLen < fair) {
             /* just truncate the value */
             maxValue = (sizeof tmpBuf) - (nameLen + 6); /* for "=...\0",
                                                      and possibly '"' */
-        } else if (valueLen < fair) {
+        }
+        else if (valueLen < fair) {
             /* just truncate the name */
             maxName = (sizeof tmpBuf) - (valueLen + 5); /* for "=...\0" */
-        } else {
+        }
+        else {
             /* truncate both */
             maxName = maxValue = fair - 3; /* for "..." */
         }
         if (nameLen > maxName) {
             PORT_Assert(unknownTag && unknownTag == tagName);
             truncateName = PR_TRUE;
             nameLen = maxName;
         }
@@ -1030,20 +1051,22 @@ AppendAVA(stringBuf* bufp, CERTAVA* ava,
         memcpy(encodedAVA + nameLen, (char*)avaValue->data, valueLen);
         end[0] = '\0';
         if (truncateValue) {
             end[-1] = '.';
             end[-2] = '.';
             end[-3] = '.';
         }
         rv = SECSuccess;
-    } else if (!truncateValue) {
+    }
+    else if (!truncateValue) {
         rv = escapeAndQuote(encodedAVA + nameLen, len - nameLen,
                             (char*)avaValue->data, avaValue->len, &mode);
-    } else {
+    }
+    else {
         /* must truncate the escaped and quoted value */
         char bigTmpBuf[TMPBUF_LEN * 3 + 3];
         PORT_Assert(valueLen < sizeof tmpBuf);
         rv = escapeAndQuote(bigTmpBuf, sizeof bigTmpBuf, (char*)avaValue->data,
                             PR_MIN(avaValue->len, valueLen), &mode);
 
         bigTmpBuf[valueLen--] = '\0'; /* hard stop here */
         /* See if we're in the middle of a multi-byte UTF8 character */
@@ -1108,17 +1131,18 @@ CERT_NameToAsciiInvertible(CERTName* nam
         while (avas && (ava = *avas++) != NULL) {
             SECStatus rv;
             /* Put in comma or plus separator */
             if (!first) {
                 /* Use of spaces is deprecated in RFC 2253. */
                 rv = AppendStr(&strBuf, newRDN ? "," : "+");
                 if (rv)
                     goto loser;
-            } else {
+            }
+            else {
                 first = PR_FALSE;
             }
 
             /* Add in tag type plus value into strBuf */
             rv = AppendAVA(&strBuf, ava, strict);
             if (rv)
                 goto loser;
             newRDN = PR_FALSE;
@@ -1182,17 +1206,18 @@ avaToString(PLArenaPool* arena, CERTAVA*
     avaValue = CERT_DecodeAVAValue(&ava->value);
     if (!avaValue) {
         return buf;
     }
     valueLen =
         cert_RFC1485_GetRequiredLen((char*)avaValue->data, avaValue->len, NULL) + 1;
     if (arena) {
         buf = (char*)PORT_ArenaZAlloc(arena, valueLen);
-    } else {
+    }
+    else {
         buf = (char*)PORT_ZAlloc(valueLen);
     }
     if (buf) {
         SECStatus rv =
             escapeAndQuote(buf, valueLen, (char*)avaValue->data, avaValue->len, NULL);
         if (rv != SECSuccess) {
             if (!arena)
                 PORT_Free(buf);
@@ -1291,17 +1316,18 @@ CERT_GetCertificateEmailAddress(CERTCert
                         CERT_GetNameElement(cert->arena, &(current->name.directoryName),
                                             SEC_OID_PKCS9_EMAIL_ADDRESS);
                     if (rawEmailAddr ==
                         NULL) {
                         rawEmailAddr =
                             CERT_GetNameElement(cert->arena, &(current->name.directoryName),
                                                 SEC_OID_RFC1274_MAIL);
                     }
-                } else if (current->type == certRFC822Name) {
+                }
+                else if (current->type == certRFC822Name) {
                     rawEmailAddr =
                         (char*)PORT_ArenaZAlloc(cert->arena, current->name.other.len +
                                                                  1);
                     if (!rawEmailAddr) {
                         goto finish;
                     }
                     PORT_Memcpy(rawEmailAddr, current->name.other.data,
                                 current->name.other.len);
@@ -1371,17 +1397,18 @@ appendItemToBuf(char* dest, SECItem* src
                 PRUint8 c = src->data[i];
                 if (NEEDS_HEX_ESCAPE(c)) {
                     *dest++ =
                         C_BACKSLASH;
                     *dest++ =
                         hexChars[(c >> 4) & 0x0f];
                     *dest++ =
                         hexChars[c & 0x0f];
-                } else {
+                }
+                else {
                     *dest++ =
                         tolower(c);
                 }
             }
             *dest++ = '\0';
             *pRemaining -= reqLen;
         }
     }
@@ -1439,17 +1466,18 @@ cert_GetCertificateEmailAddresses(CERTCe
                     pBuf =
                         appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
 
                     rawEmailAddr =
                         CERT_GetNameElement(
                             tmpArena, &current->name.directoryName, SEC_OID_RFC1274_MAIL);
                     pBuf =
                         appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
-                } else if (current->type == certRFC822Name) {
+                }
+                else if (current->type == certRFC822Name) {
                     pBuf =
                         appendItemToBuf(pBuf, &current->name.other, &maxLen);
                 }
                 current = CERT_GetNextGeneralName(current);
             } while (current != nameList);
         }
         SECITEM_FreeItem(&subAltName, PR_FALSE);
         /* Don't free nameList, it's part of the tmpArena. */
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -395,17 +395,18 @@ GetKeyUsage(CERTCertificate *cert)
     if (rv == SECSuccess) {
         /* remember the actual value of the extension */
         cert->rawKeyUsage = tmpitem.data[0];
         cert->keyUsagePresent = PR_TRUE;
         cert->keyUsage = tmpitem.data[0];
 
         PORT_Free(tmpitem.data);
         tmpitem.data = NULL;
-    } else {
+    }
+    else {
         /* if the extension is not present, then we allow all uses */
         cert->keyUsage = KU_ALL;
         cert->rawKeyUsage = KU_ALL;
         cert->keyUsagePresent = PR_FALSE;
     }
 
     if (CERT_GovtApprovedBitSet(cert)) {
         cert->keyUsage |= KU_NS_GOVT_APPROVED;
@@ -477,17 +478,18 @@ cert_ComputeCertType(CERTCertificate *ce
     }
     rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
     if (rv == SECSuccess) {
         basicConstraintPresent = PR_TRUE;
     }
     if (tmpitem.data != NULL || extKeyUsage != NULL) {
         if (tmpitem.data == NULL) {
             nsCertType = 0;
-        } else {
+        }
+        else {
             nsCertType = tmpitem.data[0];
         }
 
         /* free tmpitem data pointer to avoid memory leak */
         PORT_Free(tmpitem.data);
         tmpitem.data = NULL;
 
         /*
@@ -510,66 +512,72 @@ cert_ComputeCertType(CERTCertificate *ce
          * to be used for email or as an email CA, if basic constraints
          * indicates that it is a CA.
          */
         if (findOIDinOIDSeqByTagNum(extKeyUsage,
                                     SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) ==
             SECSuccess) {
             if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
                 nsCertType |= NS_CERT_TYPE_EMAIL_CA;
-            } else {
+            }
+            else {
                 nsCertType |= NS_CERT_TYPE_EMAIL;
             }
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) == SECSuccess) {
             if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
                 nsCertType |= NS_CERT_TYPE_SSL_CA;
-            } else {
+            }
+            else {
                 nsCertType |= NS_CERT_TYPE_SSL_SERVER;
             }
         }
         /*
          * Treat certs with step-up OID as also having SSL server type.
          * COMODO needs this behaviour until June 2020.  See Bug 737802.
          */
         if (findOIDinOIDSeqByTagNum(extKeyUsage,
                                     SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) ==
             SECSuccess) {
             if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
                 nsCertType |= NS_CERT_TYPE_SSL_CA;
-            } else {
+            }
+            else {
                 nsCertType |= NS_CERT_TYPE_SSL_SERVER;
             }
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) == SECSuccess) {
             if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
                 nsCertType |= NS_CERT_TYPE_SSL_CA;
-            } else {
+            }
+            else {
                 nsCertType |= NS_CERT_TYPE_SSL_CLIENT;
             }
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_CODE_SIGN) == SECSuccess) {
             if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
                 nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
-            } else {
+            }
+            else {
                 nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING;
             }
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_TIME_STAMP) == SECSuccess) {
             nsCertType |= EXT_KEY_USAGE_TIME_STAMP;
         }
         if (findOIDinOIDSeqByTagNum(extKeyUsage, SEC_OID_OCSP_RESPONDER) ==
             SECSuccess) {
             nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
         }
-    } else {
+    }
+    else {
         /* If no NS Cert Type extension and no EKU extension, then */
         nsCertType = 0;
         if (CERT_IsCACert(cert, &nsCertType))
             nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
         /* if the basic constraint extension says the cert is a CA, then
            allow SSL CA and EMAIL CA and Status Responder */
         if (basicConstraintPresent && basicConstraint.isCA) {
             nsCertType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
@@ -661,17 +669,18 @@ cert_IsRootCert(CERTCertificate *cert)
             if (rv == SECSuccess) {
                 PRBool match;
                 /* also present, they MUST match for it to be a root */
                 match =
                     SECITEM_ItemsAreEqual(&cert->authKeyID->keyID, &tmpitem);
                 PORT_Free(tmpitem.data);
                 if (!match)
                     return PR_FALSE; /* else fall through */
-            } else {
+            }
+            else {
                 /* the subject key ID is required when AKI is present */
                 return PR_FALSE;
             }
         }
         if (cert->authKeyID->authCertIssuer) {
             SECItem *caName;
             caName = (SECItem *)CERT_GetGeneralNameByType(
                 cert->authKeyID->authCertIssuer, certDirectoryName, PR_TRUE);
@@ -729,17 +738,18 @@ CERT_DecodeDERCertificate(SECItem *derSi
         /* copy the DER data for the cert into this arena */
         data = (void *)PORT_ArenaAlloc(arena, derSignedCert->len);
         if (!data) {
             goto loser;
         }
         cert->derCert.data = (unsigned char *)data;
         cert->derCert.len = derSignedCert->len;
         PORT_Memcpy(data, derSignedCert->data, derSignedCert->len);
-    } else {
+    }
+    else {
         /* point to passed in DER data */
         cert->derCert = *derSignedCert;
     }
 
     /* decode the certificate info */
     rv = SEC_QuickDERDecodeItem(arena, cert, SEC_SignedCertificateTemplate,
                                 &cert->derCert);
 
@@ -756,17 +766,18 @@ CERT_DecodeDERCertificate(SECItem *derSi
                                  &cert->certKey);
     if (rv) {
         goto loser;
     }
 
     /* set the nickname */
     if (nickname == NULL) {
         cert->nickname = NULL;
-    } else {
+    }
+    else {
         /* copy and install the nickname */
         len = PORT_Strlen(nickname) + 1;
         cert->nickname = (char *)PORT_ArenaAlloc(arena, len);
         if (cert->nickname == NULL) {
             goto loser;
         }
 
         PORT_Memcpy(cert->nickname, nickname, len);
@@ -991,17 +1002,18 @@ SEC_GetCrlTimes(CERTCrl *date, PRTime *n
     }
 
     /* convert DER not-after time */
     if (date->nextUpdate.data) {
         rv = DER_DecodeTimeChoice(notAfter, &date->nextUpdate);
         if (rv) {
             return (SECFailure);
         }
-    } else {
+    }
+    else {
         LL_I2L(*notAfter, 0L);
     }
     return (SECSuccess);
 }
 
 /* These routines should probably be combined with the cert
  * routines using an common extraction routine.
  */
@@ -1115,17 +1127,18 @@ CERT_KeyUsageAndTypeForCertUsage(SECCert
                 requiredKeyUsage = KU_KEY_CERT_SIGN;
                 requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA |
                                    NS_CERT_TYPE_EMAIL_CA | NS_CERT_TYPE_SSL_CA;
                 break;
             default:
                 PORT_Assert(0);
                 goto loser;
         }
-    } else {
+    }
+    else {
         switch (usage) {
             case certUsageSSLClient:
                 /*
                  * RFC 5280 lists digitalSignature and keyAgreement for
                  * id-kp-clientAuth.  NSS does not support the *_fixed_dh and
                  * *_fixed_ecdh client certificate types.
                  */
                 requiredKeyUsage = KU_DIGITAL_SIGNATURE;
@@ -1338,39 +1351,42 @@ cert_TestHostName(char *cn, const char *
         int regvalid = PORT_RegExpValid(cn);
         if (regvalid != NON_SXP) {
             SECStatus rv;
             /* cn is a regular expression, try to match the shexp */
             int match = PORT_RegExpCaseSearch(hn, cn);
 
             if (match == 0) {
                 rv = SECSuccess;
-            } else {
+            }
+            else {
                 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
                 rv = SECFailure;
             }
             return rv;
         }
-    } else {
+    }
+    else {
         /* New approach conforms to RFC 6125. */
         char *wildcard = PORT_Strchr(cn, '*');
         char *firstcndot = PORT_Strchr(cn, '.');
         char *secondcndot =
             firstcndot ? PORT_Strchr(firstcndot + 1, '.') : NULL;
         char *firsthndot = PORT_Strchr(hn, '.');
 
         /* For a cn pattern to be considered valid, the wildcard character...
          * - may occur only in a DNS name with at least 3 components, and
          * - may occur only as last character in the first component, and
          * - may be preceded by additional characters, and
          * - must not be preceded by an IDNA ACE prefix (xn--)
          */
         if (wildcard && secondcndot && secondcndot[1] && firsthndot &&
-            firstcndot - wildcard == 1           /* wildcard is last char in first component */
-            && secondcndot - firstcndot > 1      /* second component is non-empty */
+            firstcndot - wildcard ==
+                1 /* wildcard is last char in first component */
+            && secondcndot - firstcndot > 1 /* second component is non-empty */
             && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
             && !PORT_Strncasecmp(cn, hn, wildcard - cn) &&
             !PORT_Strcasecmp(firstcndot, firsthndot)
             /* If hn starts with xn--, then cn must start with wildcard */
             && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
             /* valid wildcard pattern match */
             return SECSuccess;
         }
@@ -1452,30 +1468,33 @@ cert_VerifySubjectAltName(const CERTCert
             case certIPAddress:
                 if (isIPaddr) {
                     int match = 0;
                     PRIPv6Addr v6Addr;
                     if (current->name.other.len == 4 && /* IP v4 address */
                         netAddr.inet.family == PR_AF_INET) {
                         match = !memcmp(&netAddr.inet.ip,
                                         current->name.other.data, 4);
-                    } else if (current->name.other.len ==
-                                   16 && /* IP v6 address */
-                               netAddr.ipv6.family == PR_AF_INET6) {
+                    }
+                    else if (current->name.other.len ==
+                                 16 && /* IP v6 address */
+                             netAddr.ipv6.family == PR_AF_INET6) {
                         match = !memcmp(&netAddr.ipv6.ip,
                                         current->name.other.data, 16);
-                    } else if (current->name.other.len ==
-                                   16 && /* IP v6 address */
-                               netAddr.inet.family == PR_AF_INET) {
+                    }
+                    else if (current->name.other.len ==
+                                 16 && /* IP v6 address */
+                             netAddr.inet.family == PR_AF_INET) {
                         /* convert netAddr to ipv6, then compare. */
                         /* ipv4 must be in Network Byte Order on input. */
                         PR_ConvertIPv4AddrToIPv6(netAddr.inet.ip, &v6Addr);
                         match = !memcmp(&v6Addr, current->name.other.data, 16);
-                    } else if (current->name.other.len == 4 && /* IP v4 address */
-                               netAddr.inet.family == PR_AF_INET6) {
+                    }
+                    else if (current->name.other.len == 4 && /* IP v4 address */
+                             netAddr.inet.family == PR_AF_INET6) {
                         /* convert netAddr to ipv6, then compare. */
                         PRUint32 ipv4 = (current->name.other.data[0] << 24) |
                                         (current->name.other.data[1] << 16) |
                                         (current->name.other.data[2] << 8) |
                                         current->name.other.data[3];
                         /* ipv4 must be in Network Byte Order on input. */
                         PR_ConvertIPv4AddrToIPv6(PR_htonl(ipv4), &v6Addr);
                         match = !memcmp(&netAddr.ipv6.ip, &v6Addr, 16);
@@ -1493,17 +1512,18 @@ cert_VerifySubjectAltName(const CERTCert
         current = CERT_GetNextGeneralName(current);
     } while (current != nameList);
 
 fail:
 
     if (!(isIPaddr ? IPextCount : DNSextCount)) {
         /* no relevant value in the extension was found. */
         PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
-    } else {
+    }
+    else {
         PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
     }
     rv = SECFailure;
 
 finish:
 
     /* Don't free nameList, it's part of the arena. */
     if (arena) {
@@ -1623,17 +1643,18 @@ cert_GetDNSPatternsFromGeneralNames(CERT
                             currentInput->name.other.len);
                 cn[currentInput->name.other.len] = 0;
                 break;
             case certIPAddress:
                 if (currentInput->name.other.len == 4) {
                     addr.inet.family = PR_AF_INET;
                     memcpy(&addr.inet.ip, currentInput->name.other.data,
                            currentInput->name.other.len);
-                } else if (currentInput->name.other.len == 16) {
+                }
+                else if (currentInput->name.other.len == 16) {
                     addr.ipv6.family = PR_AF_INET6;
                     memcpy(&addr.ipv6.ip, currentInput->name.other.data,
                            currentInput->name.other.len);
                 }
                 if (PR_NetAddrToString(&addr, ipbuf, sizeof(ipbuf)) ==
                     PR_FAILURE)
                     return SECFailure;
                 cn = PORT_ArenaStrdup(nickNames->arena, ipbuf);
@@ -1761,38 +1782,42 @@ CERT_VerifyCertName(const CERTCertificat
         return rv;
 
     cn = CERT_GetCommonName(&cert->subject);
     if (cn) {
         PRBool isIPaddr = cert_IsIPAddr(hn);
         if (isIPaddr) {
             if (PORT_Strcasecmp(hn, cn) == 0) {
                 rv = SECSuccess;
-            } else {
+            }
+            else {
                 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
                 rv = SECFailure;
             }
-        } else {
+        }
+        else {
             rv = cert_TestHostName(cn, hn);
         }
         PORT_Free(cn);
-    } else
+    }
+    else
         PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
     return rv;
 }
 
 PRBool
 CERT_CompareCerts(const CERTCertificate *c1, const CERTCertificate *c2)
 {
     SECComparison comp;
 
     comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert);
     if (comp == SECEqual) { /* certs are the same */
         return (PR_TRUE);
-    } else {
+    }
+    else {
         return (PR_FALSE);
     }
 }
 
 static SECStatus
 StringsEqual(char *s1, char *s2)
 {
     if ((s1 == NULL) || (s2 == NULL)) {
@@ -1936,17 +1961,18 @@ CERT_MakeCANickname(CERTCertificate *cer
 
     org = CERT_GetOrgName(&cert->issuer);
     if (org == NULL) {
         org = CERT_GetDomainComponentName(&cert->issuer);
         if (org == NULL) {
             if (firstname) {
                 org = firstname;
                 firstname = NULL;
-            } else {
+            }
+            else {
                 org = PORT_Strdup("Unknown CA");
             }
         }
     }
 
     /* can only fail if PORT_Strdup fails, in which case
      * we're having memory problems. */
     if (org == NULL) {
@@ -1954,23 +1980,26 @@ CERT_MakeCANickname(CERTCertificate *cer
     }
 
     count = 1;
     while (1) {
 
         if (firstname) {
             if (count == 1) {
                 nickname = PR_smprintf("%s - %s", firstname, org);
-            } else {
+            }
+            else {
                 nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
             }
-        } else {
+        }
+        else {
             if (count == 1) {
                 nickname = PR_smprintf("%s", org);
-            } else {
+            }
+            else {
                 nickname = PR_smprintf("%s #%d", org, count);
             }
         }
         if (nickname == NULL) {
             goto done;
         }
 
         /* look up the nickname to make sure it isn't in use already */
@@ -2070,17 +2099,18 @@ PRBool
 CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype)
 {
     unsigned int cType = cert->nsCertType;
     PRBool ret = PR_FALSE;
 
     if (cType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
                  NS_CERT_TYPE_OBJECT_SIGNING_CA)) {
         ret = PR_TRUE;
-    } else {
+    }
+    else {
         SECStatus rv;
         CERTBasicConstraints constraints;
 
         rv = CERT_FindBasicConstraintExten(cert, &constraints);
         if (rv == SECSuccess && constraints.isCA) {
             ret = PR_TRUE;
             cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
         }
@@ -2219,17 +2249,18 @@ CERT_IsNewer(CERTCertificate *certa, CER
 
     if (newerbefore) {
         /* cert A was issued after cert B, but expires sooner */
         /* if A is expired, then pick B */
         if (LL_CMP(notAfterA, <, now)) {
             return (PR_FALSE);
         }
         return (PR_TRUE);
-    } else {
+    }
+    else {
         /* cert B was issued after cert A, but expires sooner */
         /* if B is expired, then pick A */
         if (LL_CMP(notAfterB, <, now)) {
             return (PR_TRUE);
         }
         return (PR_FALSE);
     }
 }
@@ -2335,17 +2366,18 @@ CERT_DecodeTrustString(CERTCertTrust *tr
                 break;
             case 'g':
                 *pflags = *pflags | CERTDB_GOVT_APPROVED_CA;
                 break;
 
             case ',':
                 if (pflags == &trust->sslFlags) {
                     pflags = &trust->emailFlags;
-                } else {
+                }
+                else {
                     pflags = &trust->objectSigningFlags;
                 }
                 break;
             default:
                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
                 return SECFailure;
         }
     }
@@ -2452,30 +2484,32 @@ CERT_ImportCerts(CERTCertDBHandle *certd
                     /* if we are importing only a single cert and specifying
                      * a nickname, we want to use that nickname if it a CA,
                      * otherwise if there are more than one cert, we don't
                      * know which cert it belongs to. But we still may try
                      * the individual canickname from the cert itself.
                      */
                     /* Bug 1192442 - propagate errors from these calls. */
                     (void)CERT_AddTempCertToPerm(certs[i], canickname, NULL);
-                } else {
+                }
+                else {
                     (void)CERT_AddTempCertToPerm(
                         certs[i], nickname ? nickname : canickname, NULL);
                 }
 
                 PORT_Free(canickname);
                 /* don't care if it fails - keep going */
             }
         }
     }
 
     if (retCerts) {
         *retCerts = certs;
-    } else {
+    }
+    else {
         if (certs) {
             CERT_DestroyCertArray(certs, fcerts);
         }
     }
 
     return (fcerts || !ncerts) ? SECSuccess : SECFailure;
 }
 
@@ -2661,17 +2695,18 @@ CERT_SortCBValidity(CERTCertificate *cer
 
     if ((!newerbefore) && (!newerafter)) {
         return (PR_FALSE);
     }
 
     if (newerbefore) {
         /* cert A was issued after cert B, but expires sooner */
         return (PR_TRUE);
-    } else {
+    }
+    else {
         /* cert B was issued after cert A, but expires sooner */
         return (PR_FALSE);
     }
 }
 
 SECStatus
 CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert,
                          CERTSortCallback f, void *arg)
@@ -2760,30 +2795,32 @@ CERT_FilterCertListByUsage(CERTCertList 
         if (!bad) {
             unsigned int certType = 0;
             if (ca) {
                 /* This function returns a more comprehensive cert type that
                  * takes trust flags into consideration.  Should probably
                  * fix the cert decoding code to do this.
                  */
                 (void)CERT_IsCACert(node->cert, &certType);
-            } else {
+            }
+            else {
                 certType = node->cert->nsCertType;
             }
             if (!(certType & requiredCertType)) {
                 bad = PR_TRUE;
             }
         }
 
         if (bad) {
             /* remove the node if it is bad */
             savenode = CERT_LIST_NEXT(node);
             CERT_RemoveCertListNode(node);
             node = savenode;
-        } else {
+        }
+        else {
             node = CERT_LIST_NEXT(node);
         }
     }
     return (SECSuccess);
 
 loser:
     return (SECFailure);
 }
@@ -2794,17 +2831,18 @@ CERT_IsUserCert(CERTCertificate *cert)
     CERTCertTrust trust;
     SECStatus rv = SECFailure;
 
     rv = CERT_GetCertTrust(cert, &trust);
     if (rv == SECSuccess &&
         ((trust.sslFlags & CERTDB_USER) || (trust.emailFlags & CERTDB_USER) ||
          (trust.objectSigningFlags & CERTDB_USER))) {
         return PR_TRUE;
-    } else {
+    }
+    else {
         return PR_FALSE;
     }
 }
 
 SECStatus
 CERT_FilterCertListForUserCerts(CERTCertList *certList)
 {
     CERTCertListNode *node, *freenode;
@@ -2818,17 +2856,18 @@ CERT_FilterCertListForUserCerts(CERTCert
 
     while (!CERT_LIST_END(node, certList)) {
         cert = node->cert;
         if (PR_TRUE != CERT_IsUserCert(cert)) {
             /* Not a User Cert, so remove this cert from the list */
             freenode = node;
             node = CERT_LIST_NEXT(node);
             CERT_RemoveCertListNode(freenode);
-        } else {
+        }
+        else {
             /* Is a User cert, so leave it in the list */
             node = CERT_LIST_NEXT(node);
         }
     }
 
     return (SECSuccess);
 }
 
@@ -2910,25 +2949,27 @@ SECStatus
 cert_DestroyLocks(void)
 {
     SECStatus rv = SECSuccess;
 
     PORT_Assert(certRefCountLock != NULL);
     if (certRefCountLock) {
         PZ_DestroyLock(certRefCountLock);
         certRefCountLock = NULL;
-    } else {
+    }
+    else {
         rv = SECFailure;
     }
 
     PORT_Assert(certTrustLock != NULL);
     if (certTrustLock) {
         PZ_DestroyLock(certTrustLock);
         certTrustLock = NULL;
-    } else {
+    }
+    else {
         rv = SECFailure;
     }
     return rv;
 }
 
 /*
  * Free the cert trust lock
  */
--- a/security/nss/lib/certdb/certv3.c
+++ b/security/nss/lib/certdb/certv3.c
@@ -133,17 +133,18 @@ CERT_FindSubjectKeyIDExtension(CERTCerti
         if (tmpArena) {
             rv = SEC_QuickDERDecodeItem(tmpArena, &decodedValue,
                                         SEC_ASN1_GET(SEC_OctetStringTemplate),
                                         &encodedValue);
             if (rv == SECSuccess) {
                 rv = SECITEM_CopyItem(NULL, retItem, &decodedValue);
             }
             PORT_FreeArena(tmpArena, PR_FALSE);
-        } else {
+        }
+        else {
             rv = SECFailure;
         }
     }
     SECITEM_FreeItem(&encodedValue, PR_FALSE);
     return rv;
 }
 
 SECStatus
@@ -211,15 +212,16 @@ CERT_CheckCertUsage(CERTCertificate *cer
     /* This code formerly ignored the Key Usage extension if it was
     ** marked non-critical.  That was wrong.  Since we do understand it,
     ** we are obligated to honor it, whether or not it is critical.
     */
     rv = CERT_FindKeyUsageExtension(cert, &keyUsage);
     if (rv == SECFailure) {
         rv = (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) ? SECSuccess
                                                                 : SECFailure;
-    } else if (!(keyUsage.data[0] & usage)) {
+    }
+    else if (!(keyUsage.data[0] & usage)) {
         PORT_SetError(SEC_ERROR_CERT_USAGES_INVALID);
         rv = SECFailure;
     }
     PORT_Free(keyUsage.data);
     return (rv);
 }
--- a/security/nss/lib/certdb/certxutl.c
+++ b/security/nss/lib/certdb/certxutl.c
@@ -197,17 +197,18 @@ CERT_AddExtensionByOID(void *exthandle, 
     }
 
     /* set the value */
     if (copyData) {
         rv = SECITEM_CopyItem(handle->ownerArena, &ext->value, value);
         if (rv) {
             return (SECFailure);
         }
-    } else {
+    }
+    else {
         ext->value = *value;
     }
 
     handle->count++;
 
     return (SECSuccess);
 }
 
@@ -356,17 +357,18 @@ CERT_MergeExtensions(void *exthandle, CE
         return SECFailure;
     }
     while ((ext = *extensions++) != NULL) {
         tag = SECOID_FindOIDTag(&ext->id);
         for (node = handle->head; node != NULL; node = node->next) {
             if (tag == 0) {
                 if (SECITEM_ItemsAreEqual(&ext->id, &node->ext->id))
                     break;
-            } else {
+            }
+            else {
                 if (SECOID_FindOIDTag(&node->ext->id) == tag) {
                     break;
                 }
             }
         }
         if (node == NULL) {
             PRBool critical = (ext->critical.len != 0 &&
                                ext->critical.data[ext->critical.len - 1] != 0);
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -269,17 +269,18 @@ CERT_KeyFromDERCrl(PLArenaPool* arena, S
     SECStatus rv;
     CERTSignedData sd;
     CERTCrlKey crlkey;
     PLArenaPool* myArena;
 
     if (!arena) {
         /* arena needed for QuickDER */
         myArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    } else {
+    }
+    else {
         myArena = arena;
     }
     PORT_Memset(&sd, 0, sizeof(sd));
     rv = SEC_QuickDERDecodeItem(myArena, &sd, CERT_SignedDataTemplate, derCrl);
     if (SECSuccess == rv) {
         PORT_Memset(&crlkey, 0, sizeof(crlkey));
         rv = SEC_QuickDERDecodeItem(myArena, &crlkey, cert_CrlKeyTemplate,
                                     &sd.data);
@@ -305,17 +306,18 @@ CERT_CompleteCRLDecodeEntries(CERTSigned
 {
     SECStatus rv = SECSuccess;
     SECItem* crldata = NULL;
     OpaqueCRLFields* extended = NULL;
 
     if ((!crl) || (!(extended = (OpaqueCRLFields*)crl->opaque)) ||
         (PR_TRUE == extended->decodingError)) {
         rv = SECFailure;
-    } else {
+    }
+    else {
         if (PR_FALSE == extended->partial) {
             /* the CRL has already been fully decoded */
             return SECSuccess;
         }
         if (PR_TRUE == extended->badEntries) {
             /* the entries decoding already failed */
             return SECFailure;
         }
@@ -326,17 +328,18 @@ CERT_CompleteCRLDecodeEntries(CERTSigned
     }
 
     if (SECSuccess == rv) {
         rv = SEC_QuickDERDecodeItem(crl->arena, &crl->crl,
                                     CERT_CrlTemplateEntriesOnly, crldata);
         if (SECSuccess == rv) {
             extended->partial = PR_FALSE; /* successful decode, avoid
                 decoding again */
-        } else {
+        }
+        else {
             extended->decodingError = PR_TRUE;
             extended->badEntries = PR_TRUE;
             /* cache the decoding failure. If it fails the first time,
                it will fail again, which will grow the arena and leak
                memory, so we want to avoid it */
         }
         rv = cert_check_crl_entries(&crl->crl);
         if (rv != SECSuccess) {
@@ -379,17 +382,18 @@ CERT_DecodeDERCrlWithFlags(PLArenaPool* 
     }
 
     /* make a new arena if needed */
     if (narena == NULL) {
         arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
         if (!arena) {
             return NULL;
         }
-    } else {
+    }
+    else {
         arena = narena;
     }
 
     /* allocate the CRL structure */
     crl = (CERTSignedCrl*)PORT_ArenaZAlloc(arena, sizeof(CERTSignedCrl));
     if (!crl) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         goto loser;
@@ -405,17 +409,18 @@ CERT_DecodeDERCrlWithFlags(PLArenaPool* 
     extended = (OpaqueCRLFields*)crl->opaque;
     if (options & CRL_DECODE_ADOPT_HEAP_DER) {
         extended->heapDER = PR_TRUE;
     }
     if (options & CRL_DECODE_DONT_COPY_DER) {
         crl->derCrl = derSignedCrl; /* DER is not copied . The application
                                        must keep derSignedCrl until it
                                        destroys the CRL */
-    } else {
+    }
+    else {
         crl->derCrl = (SECItem*)PORT_ArenaZAlloc(arena, sizeof(SECItem));
         if (crl->derCrl == NULL) {
             goto loser;
         }
         rv = SECITEM_CopyItem(arena, crl->derCrl, derSignedCrl);
         if (rv != SECSuccess) {
             goto loser;
         }
@@ -551,17 +556,18 @@ SEC_FindCrlByKeyOnSlot(PK11SlotInfo* slo
     if (crl) {
         crl->slot = slot;
         slot = NULL;   /* adopt it */
         derCrl = NULL; /* adopted by the crl struct */
         crl->pkcs11ID = crlHandle;
         if (url) {
             crl->url = PORT_ArenaStrdup(crl->arena, url);
         }
-    } else {
+    }
+    else {
         rv = SECFailure;
     }
 
     if (url) {
         PORT_Free(url);
     }
 
     if (slot) {
@@ -724,17 +730,18 @@ SEC_DestroyCrl(CERTSignedCrl* crl)
                 PR_TRUE == GetOpaqueCRLFields(crl)->heapDER) {
                 SECITEM_FreeItem(crl->derCrl, PR_TRUE);
             }
             if (crl->arena) {
                 PORT_FreeArena(crl->arena, PR_FALSE);
             }
         }
         return SECSuccess;
-    } else {
+    }
+    else {
         return SECFailure;
     }
 }
 
 SECStatus
 SEC_LookupCrls(CERTCertDBHandle* handle, CERTCrlHeadNode** nodes, int type)
 {
     CERTCrlHeadNode* head;
@@ -1003,23 +1010,25 @@ InitCRLCache(void)
                 PL_HashTableDestroy(namedCRLCache.entries);
                 namedCRLCache.entries = NULL;
             }
 
             return SECFailure;
         }
         crlcache_initialized = PR_TRUE;
         return SECSuccess;
-    } else {
+    }
+    else {
         PORT_Assert(crlcache.lock);
         PORT_Assert(crlcache.issuers);
         if ((NULL == crlcache.lock) || (NULL == crlcache.issuers)) {
             /* CRL cache not fully initialized */
             return SECFailure;
-        } else {
+        }
+        else {
             /* CRL cache already initialized */
             return SECSuccess;
         }
     }
 }
 
 /* destructor for CRL DPCache object */
 static SECStatus
@@ -1033,17 +1042,18 @@ DPCache_Destroy(CRLDPCache* cache)
         return SECFailure;
     }
     if (cache->lock) {
 #ifdef DPC_RWLOCK
         NSSRWLock_Destroy(cache->lock);
 #else
         PR_DestroyLock(cache->lock);
 #endif
-    } else {
+    }
+    else {
         PORT_Assert(0);
         return SECFailure;
     }
     /* destroy all our CRL objects */
     for (i = 0; i < cache->ncrls; i++) {
         if (!cache->crls || !cache->crls[i] ||
             SECSuccess != CachedCrl_Destroy(cache->crls[i])) {
             return SECFailure;
@@ -1077,17 +1087,18 @@ IssuerCache_Destroy(CRLIssuerCache* cach
     if (!cache) {
         PORT_Assert(0);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
 #ifdef XCRL
     if (cache->lock) {
         NSSRWLock_Destroy(cache->lock);
-    } else {
+    }
+    else {
         PORT_Assert(0);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
     if (cache->issuer) {
         CERT_DestroyCertificate(cache->issuer);
     }
 #endif
@@ -1391,30 +1402,31 @@ TokenCRLStillExists(CERTSignedCrl* crl)
 
     arena = NSSArena_Create();
     PORT_Assert(arena);
     if (!arena) {
         return PR_FALSE;
     }
 
     status =
-        nssCryptokiCRL_GetAttributes(&instance, NULL,          /* XXX sessionOpt */
+        nssCryptokiCRL_GetAttributes(&instance, NULL, /* XXX sessionOpt */
                                      arena, NULL, &newsubject, /* subject */
                                      &crl_class,               /* class */
                                      NULL, NULL);
     if (PR_SUCCESS == status) {
         subject.data = newsubject.data;
         subject.len = newsubject.size;
         if (SECITEM_CompareItem(oldSubject, &subject) != SECEqual) {
             xstatus = PR_FALSE;
         }
         if (CKO_NETSCAPE_CRL != crl_class) {
             xstatus = PR_FALSE;
         }
-    } else {
+    }
+    else {
         xstatus = PR_FALSE;
     }
     NSSArena_Destroy(arena);
     return xstatus;
 }
 
 /* verify the signature of a CRL against its issuer at a given date */
 static SECStatus
@@ -1447,17 +1459,18 @@ CachedCrl_Verify(CRLDPCache* cache, Cach
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
     if (PR_TRUE == GetOpaqueCRLFields(crlobject->crl)->decodingError) {
         crlobject->sigChecked = PR_TRUE; /* we can never verify a CRL
             with bogus DER. Mark it checked so we won't try again */
         PORT_SetError(SEC_ERROR_BAD_DER);
         return SECSuccess;
-    } else {
+    }
+    else {
         SECStatus signstatus = SECFailure;
         if (cache->issuerDERCert) {
             CERTCertificate* issuer = CERT_NewTempCertificate(
                 cache->dbHandle, cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE);
 
             if (issuer) {
                 signstatus =
                     CERT_VerifyCRL(crlobject->crl, issuer, vfdate, wincx);
@@ -1466,22 +1479,24 @@ CachedCrl_Verify(CRLDPCache* cache, Cach
         }
         if (SECSuccess != signstatus) {
             if (!cache->issuerDERCert) {
                 /* we tried to verify without an issuer cert . This is
                    because this CRL came through a call to SEC_FindCrlByName.
                    So, we don't cache this verification failure. We'll try
                    to verify the CRL again when a certificate from that issuer
                    becomes available */
-            } else {
+            }
+            else {
                 crlobject->sigChecked = PR_TRUE;
             }
             PORT_SetError(SEC_ERROR_CRL_BAD_SIGNATURE);
             return SECSuccess;
-        } else {
+        }
+        else {
             crlobject->sigChecked = PR_TRUE;
             crlobject->sigValid = PR_TRUE;
         }
     }
 
     return SECSuccess;
 }
 
@@ -1502,17 +1517,18 @@ DPCache_FetchFromTokens(CRLDPCache* cach
     rv = pk11_RetrieveCrls(&head, cache->subject, wincx);
 
     /* if this function fails, something very wrong happened, such as an out
        of memory error during CRL decoding. We don't want to proceed and must
        mark the cache object invalid */
     if (SECFailure == rv) {
         /* fetch failed, add error bit */
         cache->invalid |= CRL_CACHE_LAST_FETCH_FAILED;
-    } else {
+    }
+    else {
         /* fetch was successful, clear this error bit */
         cache->invalid &= (~CRL_CACHE_LAST_FETCH_FAILED);
     }
 
     /* add any CRLs found to our array */
     if (SECSuccess == rv) {
         CERTCrlNode* crlNode = NULL;
 
@@ -1525,20 +1541,22 @@ DPCache_FetchFromTokens(CRLDPCache* cach
             }
             rv = CachedCrl_Create(&returned, crlobject, CRL_OriginToken);
             if (SECSuccess == rv) {
                 PRBool added = PR_FALSE;
                 rv = DPCache_AddCRL(cache, returned, &added);
                 if (PR_TRUE != added) {
                     rv = CachedCrl_Destroy(returned);
                     returned = NULL;
-                } else if (vfdate) {
+                }
+                else if (vfdate) {
                     rv = CachedCrl_Verify(cache, returned, vfdate, wincx);
                 }
-            } else {
+            }
+            else {
                 /* not enough memory to add the CRL to the cache. mark it
                    invalid so we will try again . */
                 cache->invalid |= CRL_CACHE_LAST_FETCH_FAILED;
             }
             if (SECFailure == rv) {
                 break;
             }
         }
@@ -1572,17 +1590,18 @@ CachedCrl_GetEntry(CachedCrl* crl, const
     PORT_Assert(returned);
     if (!crl || !sn || !returned || !crl->entries) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     acrlEntry = PL_HashTableLookup(crl->entries, (void*)sn);
     if (acrlEntry) {
         *returned = acrlEntry;
-    } else {
+    }
+    else {
         *returned = NULL;
     }
     return SECSuccess;
 }
 
 /* check if a particular SN is in the CRL cache and return its entry */
 dpcacheStatus
 DPCache_Lookup(CRLDPCache* cache, const SECItem* sn, CERTCrlEntry** returned)
@@ -1602,20 +1621,22 @@ DPCache_Lookup(CRLDPCache* cache, const 
     if (!cache->selected) {
         /* no CRL means no entry to return. This is OK, except for
          * NIST policy */
         return dpcacheEmpty;
     }
     rv = CachedCrl_GetEntry(cache->selected, sn, returned);
     if (SECSuccess != rv) {
         return dpcacheLookupError;
-    } else {
+    }
+    else {
         if (*returned) {
             return dpcacheFoundEntry;
-        } else {
+        }
+        else {
             return dpcacheNoEntry;
         }
     }
 }
 
 #if defined(DPC_RWLOCK)
 
 #define DPCache_LockWrite()                                                    \
@@ -1882,17 +1903,18 @@ SortImperfectCRLs(const void* arg1, cons
     CachedCrl *a, *b;
 
     a = *(CachedCrl**)arg1;
     b = *(CachedCrl**)arg2;
 
     if (!a || !b) {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         PORT_Assert(0);
-    } else {
+    }
+    else {
         PRBool aDecoded = PR_FALSE, bDecoded = PR_FALSE;
         if ((PR_TRUE == a->sigValid) && (PR_TRUE == b->sigValid)) {
             /* both CRLs have been validated, choose the latest one */
             return SortCRLsByThisUpdate(arg1, arg2);
         }
         if (PR_TRUE == a->sigValid) {
             return 1; /* a is greater than b */
         }
@@ -1939,17 +1961,18 @@ DPCache_SelectCRL(CRLDPCache* cache)
             !cache->crls[i]->sigValid) {
             valid = PR_FALSE;
             break;
         }
     }
     if (PR_TRUE == valid) {
         /* all CRLs are valid, clear this error */
         cache->invalid &= (~CRL_CACHE_INVALID_CRLS);
-    } else {
+    }
+    else {
         /* some CRLs are invalid, set this error */
         cache->invalid |= CRL_CACHE_INVALID_CRLS;
     }
 
     if (cache->invalid) {
         /* cache is in an invalid state, so reset it */
         if (cache->selected) {
             cache->selected = NULL;
@@ -2070,17 +2093,18 @@ IssuerCache_AddDP(CRLIssuerCache* cache,
     }
     if (!dp) {
         /* default distribution point */
         SECStatus rv = DPCache_Create(&cache->dpp, issuer, subject, NULL);
         if (SECSuccess == rv) {
             *newdpc = cache->dpp;
             return SECSuccess;
         }
-    } else {
+    }
+    else {
         /* we should never hit this until we support multiple DPs */
         PORT_Assert(dp);
         /* XCRL allocate a new distribution point cache object, initialize it,
            and add it to the hash table of DPs */
     }
     return SECFailure;
 }
 
@@ -2265,32 +2289,34 @@ AcquireDPCache(CERTCertificate* issuer, 
             if (!existing) {
 #endif
                 rv = CRLCache_AddIssuer(issuercache);
                 if (SECSuccess != rv) {
                     /* failure */
                     rv = SECFailure;
                 }
 #ifdef GLOBAL_RWLOCK
-            } else {
+            }
+            else {
                 /* somebody else updated before we did */
                 IssuerCache_Destroy(issuercache); /* destroy the new object */
                 issuercache = existing;           /* use the existing one */
                 *dpcache = IssuerCache_GetDPCache(issuercache, dp);
             }
 #endif
         }
 
 /* now unlock the global cache. We only want to lock the issuer hash
    table addition. Holding it longer would hurt scalability */
 #ifdef GLOBAL_RWLOCK
         if (PR_TRUE == globalwrite) {
             NSSRWLock_UnlockWrite(crlcache.lock);
             globalwrite = PR_FALSE;
-        } else {
+        }
+        else {
             NSSRWLock_UnlockRead(crlcache.lock);
         }
 #else
         PR_Unlock(crlcache.lock);
 #endif
 
         /* if there was a failure adding an issuer cache object, destroy it */
         if (SECSuccess != rv && issuercache) {
@@ -2303,17 +2329,18 @@ AcquireDPCache(CERTCertificate* issuer, 
             }
             IssuerCache_Destroy(issuercache);
             issuercache = NULL;
         }
 
         if (SECSuccess != rv) {
             return SECFailure;
         }
-    } else {
+    }
+    else {
 #ifdef GLOBAL_RWLOCK
         NSSRWLock_UnlockRead(crlcache.lock);
 #else
         PR_Unlock(crlcache.lock);
 #endif
         *dpcache = IssuerCache_GetDPCache(issuercache, dp);
     }
     /* we now have a DPCache that we can use for lookups */
@@ -2328,17 +2355,18 @@ AcquireDPCache(CERTCertificate* issuer, 
 
     if (SECSuccess == rv) {
         /* currently there is always one and only one DPCache per issuer */
         PORT_Assert(*dpcache);
         if (*dpcache) {
             /* make sure the DP cache is up to date before using it */
             rv = DPCache_GetUpToDate(*dpcache, issuer, PR_FALSE == *writeLocked,
                                      t, wincx);
-        } else {
+        }
+        else {
             rv = SECFailure;
         }
     }
     return rv;
 }
 
 /* unlock access to the DPCache */
 void
@@ -2346,17 +2374,18 @@ ReleaseDPCache(CRLDPCache* dpcache, PRBo
 {
     if (!dpcache) {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return;
     }
 #ifdef DPC_RWLOCK
     if (PR_TRUE == writeLocked) {
         NSSRWLock_UnlockWrite(dpcache->lock);
-    } else {
+    }
+    else {
         NSSRWLock_UnlockRead(dpcache->lock);
     }
 #else
     PR_Unlock(dpcache->lock);
 #endif
 }
 
 SECStatus
@@ -2412,25 +2441,28 @@ cert_CheckCertRevocationStatus(CERTCerti
                 if (SECSuccess ==
                     DER_DecodeTimeChoice(&revocationDate,
                                          &entry->revocationDate)) {
                     /* we got a good revocation date, only consider the
                        certificate revoked if the time we are inquiring about
                        is past the revocation date */
                     if (t >= revocationDate) {
                         rv = SECFailure;
-                    } else {
+                    }
+                    else {
                         status = certRevocationStatusValid;
                     }
-                } else {
+                }
+                else {
                     /* invalid revocation date, consider the certificate
                        permanently revoked */
                     rv = SECFailure;
                 }
-            } else {
+            }
+            else {
                 /* no revocation date, certificate is permanently revoked */
                 rv = SECFailure;
             }
             if (SECFailure == rv) {
                 (void)CERT_FindCRLEntryReasonExten(entry, &reason);
                 PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
             }
             break;
@@ -2724,17 +2756,18 @@ addCRLToCache(CERTCertDBHandle* dbhandle
         rv = NamedCRLCacheEntry_Destroy(entry); /* destroys CRL too */
         PORT_Assert(SECSuccess == rv);
         return SECFailure;
     }
     /* now, attempt to insert CRL into CRL cache */
     if (SECSuccess == CERT_CacheCRL(dbhandle, entry->crl)) {
         entry->inCRLCache = PR_TRUE;
         entry->successfulInsertionTime = entry->lastAttemptTime;
-    } else {
+    }
+    else {
         switch (PR_GetError()) {
             case SEC_ERROR_CRL_ALREADY_EXISTS:
                 entry->dupe = PR_TRUE;
                 break;
 
             case SEC_ERROR_BAD_DER:
                 entry->badDER = PR_TRUE;
                 break;
@@ -2791,67 +2824,73 @@ cert_CacheCRLByGeneralName(CERTCertDBHan
             /* add new good entry to the hash table */
             if (NULL == PL_HashTableAdd(namedCRLCache.entries,
                                         (void*)newEntry->canonicalizedName,
                                         (void*)newEntry)) {
                 PORT_Assert(0);
                 NamedCRLCacheEntry_Destroy(newEntry);
                 rv = SECFailure;
             }
-        } else {
+        }
+        else {
             PRBool removed;
             /* remove the old CRL from the cache if needed */
             if (oldEntry->inCRLCache) {
                 rv = CERT_UncacheCRL(dbhandle, oldEntry->crl);
                 PORT_Assert(SECSuccess == rv);
             }
             removed = PL_HashTableRemove(namedCRLCache.entries,
                                          (void*)oldEntry->canonicalizedName);
             PORT_Assert(removed);
             if (!removed) {
                 rv = SECFailure;
                 /* leak old entry since we couldn't remove it from the hash
                  * table */
-            } else {
+            }
+            else {
                 PORT_CheckSuccess(NamedCRLCacheEntry_Destroy(oldEntry));
             }
             if (NULL == PL_HashTableAdd(namedCRLCache.entries,
                                         (void*)newEntry->canonicalizedName,
                                         (void*)newEntry)) {
                 PORT_Assert(0);
                 rv = SECFailure;
             }
         }
-    } else {
+    }
+    else {
         /* error adding new CRL to cache */
         if (!oldEntry) {
             /* no old cache entry, use the new one even though it's bad */
             if (NULL == PL_HashTableAdd(namedCRLCache.entries,
                                         (void*)newEntry->canonicalizedName,
                                         (void*)newEntry)) {
                 PORT_Assert(0);
                 rv = SECFailure;
             }
-        } else {
+        }
+        else {
             if (oldEntry->inCRLCache) {
                 /* previous cache entry was good, keep it and update time */
                 oldEntry->lastAttemptTime = newEntry->lastAttemptTime;
                 /* throw away new bad entry */
                 rv = NamedCRLCacheEntry_Destroy(newEntry);
                 PORT_Assert(SECSuccess == rv);
-            } else {
+            }
+            else {
                 /* previous cache entry was bad, just replace it */
                 PRBool removed = PL_HashTableRemove(
                     namedCRLCache.entries, (void*)oldEntry->canonicalizedName);
                 PORT_Assert(removed);
                 if (!removed) {
                     /* leak old entry since we couldn't remove it from the hash
                      * table */
                     rv = SECFailure;
-                } else {
+                }
+                else {
                     PORT_CheckSuccess(NamedCRLCacheEntry_Destroy(oldEntry));
                 }
                 if (NULL == PL_HashTableAdd(namedCRLCache.entries,
                                             (void*)newEntry->canonicalizedName,
                                             (void*)newEntry)) {
                     PORT_Assert(0);
                     rv = SECFailure;
                 }
@@ -3020,17 +3059,18 @@ CachedCrl_Compare(CachedCrl* a, CachedCr
            to truly be a dupe */
         if ((b->crl->slot == a->crl->slot) &&
             (b->crl->pkcs11ID == a->crl->pkcs11ID)) {
             /* ASN.1 DER needs to match for dupe check */
             /* could optimize by just checking a few fields like thisUpdate */
             if (SECEqual ==
                 SECITEM_CompareItem(b->crl->derCrl, a->crl->derCrl)) {
                 *isDupe = PR_TRUE;
-            } else {
+            }
+            else {
                 *isUpdated = PR_TRUE;
             }
         }
         return SECSuccess;
     }
     if (CRL_OriginExplicit == b->origin) {
         /* We need to make sure this is the same object that the user provided
            to CERT_CacheCRL previously. That API takes a SECItem*, thus, we
--- a/security/nss/lib/certdb/genname.c
+++ b/security/nss/lib/certdb/genname.c
@@ -194,17 +194,18 @@ cert_CopyOneGeneralName(PLArenaPool *are
             break;
 
         default:
             rv = SECITEM_CopyItem(arena, &dest->name.other, &src->name.other);
             break;
     }
     if (rv != SECSuccess) {
         PORT_ArenaRelease(arena, mark);
-    } else {
+    }
+    else {
         PORT_ArenaUnmark(arena, mark);
     }
     return rv;
 }
 
 void
 CERT_DestroyGeneralNameList(CERTGeneralNameList *list)
 {
@@ -212,17 +213,18 @@ CERT_DestroyGeneralNameList(CERTGeneralN
 
     if (list != NULL) {
         lock = list->lock;
         PZ_Lock(lock);
         if (--list->refCount <= 0 && list->arena != NULL) {
             PORT_FreeArena(list->arena, PR_FALSE);
             PZ_Unlock(lock);
             PZ_DestroyLock(lock);
-        } else {
+        }
+        else {
             PZ_Unlock(lock);
         }
     }
     return;
 }
 
 CERTGeneralNameList *
 CERT_CreateGeneralNameList(CERTGeneralName *name)
@@ -431,17 +433,18 @@ CERT_DecodeGeneralName(PLArenaPool *reqA
         return NULL;
     }
     /* TODO: mark arena */
     genNameType = (CERTGeneralNameType)((*(newEncodedName->data) & 0x0f) + 1);
     if (genName == NULL) {
         genName = CERT_NewGeneralName(reqArena, genNameType);
         if (!genName)
             goto loser;
-    } else {
+    }
+    else {
         genName->type = genNameType;
         genName->l.prev = genName->l.next = &genName->l;
     }
 
     switch (genNameType) {
         case certURI:
             template = CERT_URITemplate;
             break;
@@ -698,17 +701,18 @@ cert_DecodeNameConstraintSubTree(PLArena
     /* TODO: mark arena */
     while (subTree[i] != NULL) {
         current = cert_DecodeNameConstraint(arena, subTree[i]);
         if (current == NULL) {
             goto loser;
         }
         if (first == NULL) {
             first = current;
-        } else {
+        }
+        else {
             current->l.prev = &(last->l);
             last->l.next = &(current->l);
         }
         last = current;
         i++;
     }
     first->l.prev = &(last->l);
     last->l.next = &(first->l);
@@ -807,17 +811,18 @@ CERT_CopyGeneralName(PLArenaPool *arena,
                 temp = CERT_NewGeneralName(arena, (CERTGeneralNameType)0);
                 if (!temp)
                     goto loser;
                 temp->l.next = &destHead->l;
                 temp->l.prev = &dest->l;
                 destHead->l.prev = &temp->l;
                 dest->l.next = &temp->l;
                 dest = temp;
-            } else {
+            }
+            else {
                 dest = CERT_GetNextGeneralName(dest);
             }
         }
     } while (src != srcHead && rv == SECSuccess);
     /* TODO: unmark arena */
     return rv;
 loser:
     /* TODO: release back to mark */
@@ -879,19 +884,21 @@ cert_CombineNamesLists(CERTGeneralName *
 {
     PRCList *begin1;
     PRCList *begin2;
     PRCList *end1;
     PRCList *end2;
 
     if (list1 == NULL) {
         return list2;
-    } else if (list2 == NULL) {
+    }
+    else if (list2 == NULL) {
         return list1;
-    } else {
+    }
+    else {
         begin1 = &list1->l;
         begin2 = &list2->l;
         end1 = list1->l.prev;
         end2 = list2->l.prev;
         end1->next = begin2;
         end2->next = begin1;
         begin1->prev = end2;
         begin2->prev = end1;
@@ -905,19 +912,21 @@ cert_CombineConstraintsLists(CERTNameCon
 {
     PRCList *begin1;
     PRCList *begin2;
     PRCList *end1;
     PRCList *end2;
 
     if (list1 == NULL) {
         return list2;
-    } else if (list2 == NULL) {
+    }
+    else if (list2 == NULL) {
         return list1;
-    } else {
+    }
+    else {
         begin1 = &list1->l;
         begin2 = &list2->l;
         end1 = list1->l.prev;
         end2 = list2->l.prev;
         end1->next = begin2;
         end2->next = begin1;
         begin1->prev = end2;
         begin2->prev = end1;
@@ -1534,24 +1543,26 @@ CERT_AddNameConstraintByGeneralName(PLAr
         goto done;
     }
 
     current->name.l.prev = current->name.l.next = &(current->name.l);
 
     if (first == NULL) {
         *constraints = current;
         PR_INIT_CLIST(&current->l);
-    } else {
+    }
+    else {
         PR_INSERT_BEFORE(&current->l, &first->l);
     }
 
 done:
     if (rv == SECFailure) {
         PORT_ArenaRelease(arena, mark);
-    } else {
+    }
+    else {
         PORT_ArenaUnmark(arena, mark);
     }
     return rv;
 }
 
 /*
  * Here we define a list of name constraints to be imposed on
  * certain certificates, most importantly root certificates.
@@ -1678,17 +1689,18 @@ CERT_FindNameConstraintsExten(PLArenaPoo
     *constraints = cert_DecodeNameConstraints(arena, &constraintsExtension);
     if (*constraints == NULL) { /* decode failed */
         rv = SECFailure;
     }
     PORT_Free(constraintsExtension.data);
 
     if (rv == SECFailure) {
         PORT_ArenaRelease(arena, mark);
-    } else {
+    }
+    else {
         PORT_ArenaUnmark(arena, mark);
     }
 
     return rv;
 }
 
 /* Verify name against all the constraints relevant to that type of
 ** the name.
--- a/security/nss/lib/certdb/polcyxtn.c
+++ b/security/nss/lib/certdb/polcyxtn.c
@@ -286,24 +286,26 @@ CERT_DecodePolicyConstraintsExtension(
                                     encodedValue);
 
         if (rv != SECSuccess) {
             break;
         }
 
         if (decodeContext.explicitPolicySkipCerts.len == 0) {
             *(PRInt32 *)decodedValue->explicitPolicySkipCerts.data = -1;
-        } else {
+        }
+        else {
             *(PRInt32 *)decodedValue->explicitPolicySkipCerts.data =
                 DER_GetInteger(&decodeContext.explicitPolicySkipCerts);
         }
 
         if (decodeContext.inhibitMappingSkipCerts.len == 0) {
             *(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data = -1;
-        } else {
+        }
+        else {
             *(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data =
                 DER_GetInteger(&decodeContext.inhibitMappingSkipCerts);
         }
 
         if ((*(PRInt32 *)decodedValue->explicitPolicySkipCerts.data ==
              PR_INT32_MIN) ||
             (*(PRInt32 *)decodedValue->explicitPolicySkipCerts.data ==
              PR_INT32_MAX) ||
@@ -468,17 +470,18 @@ stringFromUserNotice(SECItem *noticeItem
             while (*noticeNumbers != NULL) {
                 /* XXX - only one byte integers right now*/
                 strnum = (*noticeNumbers)->data[0];
                 policystr =
                     (*policyStringCB)(stringbuf, strnum, policyStringCBArg);
                 if (policystr != NULL) {
                     if (retstr != NULL) {
                         retstr = PR_sprintf_append(retstr, "\n%s", policystr);
-                    } else {
+                    }
+                    else {
                         retstr = PR_sprintf_append(retstr, "%s", policystr);
                     }
 
                     PORT_Free(policystr);
                 }
 
                 noticeNumbers++;
             }
--- a/security/nss/lib/certdb/secname.c
+++ b/security/nss/lib/certdb/secname.c
@@ -49,17 +49,18 @@ AddToArray(PLArenaPool *arena, void **ar
             count++;
         }
     }
 
     if (array) {
         array =
             (void **)PORT_ArenaGrow(arena, array, (count + 1) * sizeof(void *),
                                     (count + 2) * sizeof(void *));
-    } else {
+    }
+    else {
         array = (void **)PORT_ArenaAlloc(arena, (count + 2) * sizeof(void *));
     }
     if (array) {
         array[count] = element;
         array[count + 1] = 0;
     }
     return array;
 }
@@ -340,17 +341,18 @@ CERT_CreateName(CERTRDN *rdn0, ...)
 
     name = (CERTName *)PORT_ArenaAlloc(arena, sizeof(CERTName));
     if (name) {
         name->arena = arena;
 
         /* Count number of RDNs going into the Name */
         if (!rdn0) {
             count = 0;
-        } else {
+        }
+        else {
             count = 1;
             va_start(ap, rdn0);
             while ((rdn = va_arg(ap, CERTRDN *)) != 0) {
                 count++;
             }
             va_end(ap);
         }
 
@@ -461,17 +463,18 @@ canonicalize(SECItem *foo)
     dest = 0;
     lastch = ' ';
     while (src < len) {
         ch = foo->data[src++];
         if (ch == ' ' || ch == '\t' || ch == '\r' || ch == '\n') {
             ch = ' ';
             if (ch == lastch)
                 continue;
-        } else if (ch >= 'A' && ch <= 'Z') {
+        }
+        else if (ch >= 'A' && ch <= 'Z') {
             ch |= 0x20; /* downshift */
         }
         foo->data[dest++] = lastch = ch;
     }
     foo->len = dest;
 }
 
 /* SECItems a and b contain DER-encoded printable strings. */
@@ -514,17 +517,18 @@ CERT_CompareAVA(const CERTAVA *a, const 
             SECItem *aVal = CERT_DecodeAVAValue(&a->value);
             SECItem *bVal = CERT_DecodeAVAValue(&b->value);
             if (aVal && aVal->len && aVal->data && bVal && bVal->len &&
                 bVal->data) {
                 rv = SECITEM_CompareItem(aVal, bVal);
             }
             SECITEM_FreeItem(aVal, PR_TRUE);
             SECITEM_FreeItem(bVal, PR_TRUE);
-        } else if (a->value.data[0] == 0x13) { /* both are printable strings. */
+        }
+        else if (a->value.data[0] == 0x13) { /* both are printable strings. */
             /* printable strings */
             rv = CERT_CompareDERPrintableStrings(&a->value, &b->value);
         }
     }
     return rv;
 }
 
 SECComparison
--- a/security/nss/lib/certdb/stanpcertdb.c
+++ b/security/nss/lib/certdb/stanpcertdb.c
@@ -88,17 +88,18 @@ SEC_DeletePermCertificate(CERTCertificat
 
 SECStatus
 CERT_GetCertTrust(const CERTCertificate *cert, CERTCertTrust *trust)
 {
     SECStatus rv;
     CERT_LockCertTrust(cert);
     if (cert->trust == NULL) {
         rv = SECFailure;
-    } else {
+    }
+    else {
         *trust = *cert->trust;
         rv = SECSuccess;
     }
     CERT_UnlockCertTrust(cert);
     return (rv);
 }
 
 extern const NSSError NSS_ERROR_NO_ERROR;
@@ -353,17 +354,18 @@ CERT_NewTempCertificate(CERTCertDBHandle
              * so it is still possible to return a cert with the same
              * issuer/serial but a different encoding, and we're
              * going to reject that
              */
             if (!nssItem_Equal(&c->encoding, &encoding, NULL)) {
                 nssCertificate_Destroy(c);
                 PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
                 cc = NULL;
-            } else {
+            }
+            else {
                 cc = STAN_GetCERTCertificateOrRelease(c);
                 if (cc == NULL) {
                     CERT_MapStanError();
                 }
             }
             return cc;
         }
     }
@@ -377,17 +379,18 @@ CERT_NewTempCertificate(CERTCertDBHandle
         CERT_MapStanError();
         nssPKIObject_Destroy(pkio);
         return NULL;
     }
     c->object = *pkio;
     if (copyDER) {
         nssItem_Create(c->object.arena, &c->encoding, derCert->len,
                        derCert->data);
-    } else {
+    }
+    else {
         NSSITEM_FROM_SECITEM(&c->encoding, derCert);
     }
     /* Forces a decoding of the cert in order to obtain the parts used
      * below
      */
     /* 'c' is not adopted here, if we fail loser frees what has been
      * allocated so far for 'c' */
     cc = STAN_GetCERTCertificate(c);
@@ -473,17 +476,18 @@ CERT_FindCertByIssuerAndSN(CERTCertDBHan
 
 static NSSCertificate *
 get_best_temp_or_perm(NSSCertificate *ct, NSSCertificate *cp)
 {
     NSSUsage usage;
     NSSCertificate *arr[3];
     if (!ct) {
         return nssCertificate_AddRef(cp);
-    } else if (!cp) {
+    }
+    else if (!cp) {
         return nssCertificate_AddRef(ct);
     }
     arr[0] = ct;
     arr[1] = cp;
     arr[2] = NULL;
     usage.anyUsage = PR_TRUE;
     return nssCertificateArray_FindBestCertificate(arr, NULL, &usage, NULL);
 }
@@ -556,17 +560,18 @@ CERT_FindCertByNickname(CERTCertDBHandle
     cert = PK11_FindCertFromNickname(nickname, NULL);
     c = NULL;
     if (cert) {
         c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
         CERT_DestroyCertificate(cert);
         if (ct) {
             CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
         }
-    } else {
+    }
+    else {
         c = ct;
     }
     return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
 }
 
 CERTCertificate *
 CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
 {
@@ -617,17 +622,18 @@ common_FindCertByNicknameOrEmailAddrForU
             ct = NSSCryptoContext_FindBestCertificateByEmail(
                 cc, lowercaseName, NULL, &usage, NULL);
             PORT_Free(lowercaseName);
         }
     }
 
     if (anyUsage) {
         cert = PK11_FindCertFromNickname(name, NULL);
-    } else {
+    }
+    else {
         if (ct) {
             /* Does ct really have the required usage? */
             nssDecodedCert *dc;
             dc = nssCertificate_GetDecoding(ct);
             if (!dc->matchUsage(dc, &usage)) {
                 CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
                 ct = NULL;
             }
@@ -646,17 +652,18 @@ common_FindCertByNicknameOrEmailAddrForU
     }
 
     if (cert) {
         c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
         CERT_DestroyCertificate(cert);
         if (ct) {
             CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
         }
-    } else {
+    }
+    else {
         c = ct;
     }
     return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
 }
 
 CERTCertificate *
 CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name)
 {
@@ -681,17 +688,18 @@ add_to_subject_list(CERTCertList *certLi
     if (!validOnly ||
         CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE) ==
             secCertTimeValid) {
         secrv = CERT_AddCertToListSorted(certList, cert, CERT_SortCBValidity,
                                          (void *)&sorttime);
         if (secrv != SECSuccess) {
             CERT_DestroyCertificate(cert);
         }
-    } else {
+    }
+    else {
         CERT_DestroyCertificate(cert);
     }
 }
 
 CERTCertList *
 CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
                            const SECItem *name, PRTime sorttime,
                            PRBool validOnly)
@@ -763,17 +771,18 @@ CERT_DestroyCertificate(CERTCertificate 
          * go to the trouble of translating the CERTCertificate into
          * an NSSCertificate just to destroy it.  If it hasn't been done
          * yet, don't do it at all.
          */
         NSSCertificate *tmp = cert->nssCertificate;
         if (tmp) {
             /* delete the NSSCertificate */
             NSSCertificate_Destroy(tmp);
-        } else if (cert->arena) {
+        }
+        else if (cert->arena) {
             PORT_FreeArena(cert->arena, PR_FALSE);
         }
     }
     return;
 }
 
 int
 CERT_GetDBContentVersion(CERTCertDBHandle *handle)
@@ -807,89 +816,97 @@ certdb_SaveSingleProfile(CERTCertificate
         stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
         if (stanProfile) {
             PORT_Assert(stanProfile->profileData);
             SECITEM_FROM_NSSITEM(&oldprof, stanProfile->profileData);
             oldProfile = &oldprof;
             SECITEM_FROM_NSSITEM(&oldproftime, stanProfile->profileTime);
             oldProfileTime = &oldproftime;
         }
-    } else {
+    }
+    else {
         oldProfile = PK11_FindSMimeProfile(&slot, (char *)emailAddr,
                                            &cert->derSubject, &oldProfileTime);
         freeOldProfile = PR_TRUE;
     }
 
     saveit = PR_FALSE;
 
     /* both profileTime and emailProfile have to exist or not exist */
     if (emailProfile == NULL) {
         profileTime = NULL;
-    } else if (profileTime == NULL) {
+    }
+    else if (profileTime == NULL) {
         emailProfile = NULL;
     }
 
     if (oldProfileTime == NULL) {
         saveit = PR_TRUE;
-    } else {
+    }
+    else {
         /* there was already a profile for this email addr */
         if (profileTime) {
             /* we have an old and new profile - save whichever is more recent*/
             if (oldProfileTime->len == 0) {
                 /* always replace if old entry doesn't have a time */
                 oldtime = LL_MININT;
-            } else {
+            }
+            else {
                 rv = DER_UTCTimeToTime(&oldtime, oldProfileTime);
                 if (rv != SECSuccess) {
                     goto loser;
                 }
             }
 
             rv = DER_UTCTimeToTime(&newtime, profileTime);
             if (rv != SECSuccess) {
                 goto loser;
             }
 
             if (LL_CMP(newtime, >, oldtime)) {
                 /* this is a newer profile, save it and cert */
                 saveit = PR_TRUE;
             }
-        } else {
+        }
+        else {
             saveit = PR_TRUE;
         }
     }
 
     if (saveit) {
         if (cc) {
             if (stanProfile) {
                 /* stanProfile is already stored in the crypto context,
                  * overwrite the data
                  */
                 NSSArena *arena = stanProfile->object.arena;
                 stanProfile->profileTime = nssItem_Create(
                     arena, NULL, profileTime->len, profileTime->data);
                 stanProfile->profileData = nssItem_Create(
                     arena, NULL, emailProfile->len, emailProfile->data);
-            } else if (profileTime && emailProfile) {
+            }
+            else if (profileTime && emailProfile) {
                 PRStatus nssrv;
                 NSSItem profTime, profData;
                 NSSITEM_FROM_SECITEM(&profTime, profileTime);
                 NSSITEM_FROM_SECITEM(&profData, emailProfile);
                 stanProfile = nssSMIMEProfile_Create(c, &profTime, &profData);
                 if (!stanProfile)
                     goto loser;
                 nssrv = nssCryptoContext_ImportSMIMEProfile(cc, stanProfile);
                 rv = (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
             }
-        } else {
+        }
+        else {
             rv = PK11_SaveSMimeProfile(slot, (char *)emailAddr,
                                        &cert->derSubject, emailProfile,
                                        profileTime);
         }
-    } else {
+    }
+    else {
         rv = SECSuccess;
     }
 
 loser:
     if (oldProfile && freeOldProfile) {
         SECITEM_FreeItem(oldProfile, PR_TRUE);
     }
     if (oldProfileTime && freeOldProfile) {
--- a/security/nss/lib/certdb/xauthkid.c
+++ b/security/nss/lib/certdb/xauthkid.c
@@ -57,17 +57,18 @@ CERT_EncodeAuthKeyID(PLArenaPool *arena,
             }
 
             value->DERAuthCertIssuer =
                 cert_EncodeGeneralNames(arena, value->authCertIssuer);
             if (!value->DERAuthCertIssuer) {
                 PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID);
                 break;
             }
-        } else if (value->authCertSerialNumber.data) {
+        }
+        else if (value->authCertSerialNumber.data) {
             PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID);
             break;
         }
 
         if (SEC_ASN1EncodeItem(arena, encodedValue, value,
                                CERTAuthKeyIDTemplate) == NULL)
             break;
         rv = SECSuccess;
--- a/security/nss/lib/certdb/xbsconst.c
+++ b/security/nss/lib/certdb/xbsconst.c
@@ -121,24 +121,26 @@ CERT_DecodeBasicConstraintValue(CERTBasi
         if (decodeContext.pathLenConstraint.data == NULL) {
             /* if the pathLenConstraint is not encoded, and the current setting
               is CA, then the pathLenConstraint should be set to a negative
               number
               for unlimited certificate path.
              */
             if (value->isCA)
                 value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
-        } else if (value->isCA) {
+        }
+        else if (value->isCA) {
             long len = DER_GetInteger(&decodeContext.pathLenConstraint);
             if (len < 0 || len == LONG_MAX) {
                 PORT_SetError(SEC_ERROR_BAD_DER);
                 GEN_BREAK(SECFailure);
             }
             value->pathLenConstraint = len;
-        } else {
+        }
+        else {
             /* here we get an error where the subject is not a CA, but
                the pathLenConstraint is set */
             PORT_SetError(SEC_ERROR_BAD_DER);
             GEN_BREAK(SECFailure);
             break;
         }
 
     } while (0);
--- a/security/nss/lib/certhigh/certhigh.c
+++ b/security/nss/lib/certhigh/certhigh.c
@@ -35,17 +35,18 @@ CERT_MatchNickname(char *name1, char *na
     token2 = PORT_Strchr(name2, ':');
     if ((token1 && token2) || (!token1 && !token2)) {
         /* either both token names are specified or neither are, not match */
         return PR_FALSE;
     }
     if (token1) {
         nickname1 = token1;
         nickname2 = name2;
-    } else {
+    }
+    else {
         nickname1 = token2;
         nickname2 = name1;
     }
     nickname1++;
     if (PORT_Strcmp(nickname1, nickname2) != 0) {
         return PR_FALSE;
     }
     /* Bug 1192443 - compare the other token with the internal slot here */
@@ -161,17 +162,18 @@ CERT_FindUserCertsByUsage(CERTCertDBHand
 		     */
                     if (flags[n]) {
                         /* We have already seen a cert with this nickname,
 			 * so delete this one.
 			 */
                         freenode = node;
                         node = CERT_LIST_NEXT(node);
                         CERT_RemoveCertListNode(freenode);
-                    } else {
+                    }
+                    else {
                         /* keep the first cert for each nickname, but set the
 			 * flag so we know to delete any others with the same
 			 * nickname.
 			 */
                         flags[n] = PR_TRUE;
                         node = CERT_LIST_NEXT(node);
                     }
                     break;
@@ -901,17 +903,18 @@ cert_ImportCAChain(SECItem *certs, int n
 
         if (!isca) {
             if (!trusted) {
                 goto endloop;
             }
             trust.sslFlags = CERTDB_VALID_CA;
             trust.emailFlags = CERTDB_VALID_CA;
             trust.objectSigningFlags = CERTDB_VALID_CA;
-        } else {
+        }
+        else {
             /* SSL ca's must have the ssl bit set */
             if ((certUsage == certUsageSSLCA) &&
                 ((certtype & NS_CERT_TYPE_SSL_CA) != NS_CERT_TYPE_SSL_CA)) {
                 goto endloop;
             }
 
             /* it passed all of the tests, so lets add it to the database */
             /* mark it as a CA */
@@ -951,17 +954,18 @@ cert_ImportCAChain(SECItem *certs, int n
             nickname = CERT_MakeCANickname(cert);
 
             rv = CERT_AddTempCertToPerm(cert, nickname, &trust);
 
             /* free the nickname */
             if (nickname) {
                 PORT_Free(nickname);
             }
-        } else {
+        }
+        else {
             rv = SECSuccess;
         }
 
         CERT_DestroyCertificate(cert);
         cert = NULL;
 
         if (rv != SECSuccess) {
             goto loser;
@@ -1084,17 +1088,18 @@ CERT_CertChainFromCert(CERTCertificate *
 	     * not a root.  Don't discard it.
 	     */
             includeRoot = PR_TRUE;
         }
         CERT_DestroyCertificate(cCert);
     }
     if (!includeRoot && len > 1) {
         chain->len = len - 1;
-    } else {
+    }
+    else {
         chain->len = len;
     }
 
     chain->arena = arena;
     nss_ZFreeIf(stanChain);
     return chain;
 loser:
     i = 0;
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -56,20 +56,22 @@ checkKeyParams(const SECAlgorithmID *sig
             }
 
             curve = SECKEY_GetECCOid(&key->u.ec.DEREncodedParams);
             if (curve != 0) {
                 if (NSS_GetAlgorithmPolicy(curve, &policyFlags) == SECFailure ||
                     !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
                     PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
                     return SECFailure;
-                } else {
+                }
+                else {
                     return SECSuccess;
                 }
-            } else {
+            }
+            else {
                 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
                 return SECFailure;
             }
             return SECSuccess;
         case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
         case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
         case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
         case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
@@ -336,29 +338,32 @@ cert_AddToVerifyLog(CERTVerifyLog *log, 
         node->depth = depth;
         node->arg = arg;
 
         if (log->tail == NULL) {
             /* empty list */
             log->head = log->tail = node;
             node->prev = NULL;
             node->next = NULL;
-        } else if (depth >= log->tail->depth) {
+        }
+        else if (depth >= log->tail->depth) {
             /* add to tail */
             node->prev = log->tail;
             log->tail->next = node;
             log->tail = node;
             node->next = NULL;
-        } else if (depth < log->head->depth) {
+        }
+        else if (depth < log->head->depth) {
             /* add at head */
             node->prev = NULL;
             node->next = log->head;
             log->head->prev = node;
             log->head = node;
-        } else {
+        }
+        else {
             /* add in middle */
             tnode = log->tail;
             while (tnode != NULL) {
                 if (depth >= tnode->depth) {
                     /* insert after tnode */
                     node->prev = tnode;
                     node->next = tnode->next;
                     tnode->next->prev = node;
@@ -379,17 +384,18 @@ cert_AddToVerifyLog(CERTVerifyLog *log, 
     if (log == NULL) {           \
         goto loser;              \
     }
 
 #define LOG_ERROR_OR_EXIT(log, cert, depth, arg)               \
     if (log != NULL) {                                         \
         cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \
                             (void *)(PRWord)arg);              \
-    } else {                                                   \
+    }                                                          \
+    else {                                                     \
         goto loser;                                            \
     }
 
 #define LOG_ERROR(log, cert, depth, arg)                       \
     if (log != NULL) {                                         \
         cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \
                             (void *)(PRWord)arg);              \
     }
@@ -447,35 +453,35 @@ cert_VerifyCertChainOld(CERTCertDBHandle
         case certUsageVerifyCA:
         case certUsageAnyCA:
         case certUsageStatusResponder:
             if (CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags,
                                               &trustType) != SECSuccess) {
                 PORT_Assert(0);
                 EXIT_IF_NOT_LOGGING(log);
                 /* XXX continuing with requiredFlags = 0 seems wrong.  It'll
-                 * cause the following test to be true incorrectly:
-                 *   flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
-                 *   if (( flags & requiredFlags ) == requiredFlags) {
-                 *       rv = rvFinal;
-                 *       goto done;
-                 *   }
-                 * There are three other instances of this problem.
-                 */
+        	     * cause the following test to be true incorrectly:
+        	     *   flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
+        	     *   if (( flags & requiredFlags ) == requiredFlags) {
+        	     *       rv = rvFinal;
+        	     *       goto done;
+        	     *   }
+        	     * There are three other instances of this problem.
+        	     */
                 requiredFlags = 0;
                 trustType = trustSSL;
             }
             break;
         default:
             PORT_Assert(0);
             EXIT_IF_NOT_LOGGING(log);
             requiredFlags = 0;
             trustType = trustSSL; /* This used to be 0, but we need something
-                                   * that matches the enumeration type.
-                                   */
+			      * that matches the enumeration type.
+			      */
             caCertType = 0;
     }
 
     subjectCert = CERT_DupCertificate(cert);
     if (subjectCert == NULL) {
         goto loser;
     }
 
@@ -492,20 +498,20 @@ cert_VerifyCertChainOld(CERTCertDBHandle
     ** in the leaf (EE) cert, whether it is self issued or not, so
     ** we pretend that it is not.
     */
     subjectCertIsSelfIssued = PR_FALSE;
     for (count = 0; count < CERT_MAX_CERT_CHAIN; count++) {
         PRBool validCAOverride = PR_FALSE;
 
         /* Construct a list of names for the current and all previous
-         * certifcates (except leaf (EE) certs, root CAs, and self-issued
-         * intermediate CAs) to be verified against the name constraints
-         * extension of the issuer certificate.
-         */
+    	 * certifcates (except leaf (EE) certs, root CAs, and self-issued
+    	 * intermediate CAs) to be verified against the name constraints
+    	 * extension of the issuer certificate.
+    	 */
         if (subjectCertIsSelfIssued == PR_FALSE) {
             CERTGeneralName *subjectNameList;
             int subjectNameListLen;
             int i;
             PRBool getSubjectCN = (!count && certUsage == certUsageSSLServer);
             subjectNameList =
                 CERT_GetConstrainedCertificateNames(subjectCert, arena,
                                                     getSubjectCN);
@@ -554,44 +560,46 @@ cert_VerifyCertChainOld(CERTCertDBHandle
 
             if (rv != SECSuccess) {
                 if (sigerror) {
                     *sigerror = PR_TRUE;
                 }
                 if (PORT_GetError() == SEC_ERROR_EXPIRED_CERTIFICATE) {
                     PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
                     LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0);
-                } else {
+                }
+                else {
                     if (PORT_GetError() !=
                         SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED) {
                         PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
                     }
                     LOG_ERROR_OR_EXIT(log, subjectCert, count, 0);
                 }
             }
         }
 
         /* If the basicConstraint extension is included in an immediate CA
-         * certificate, make sure that the isCA flag is on.  If the
-         * pathLenConstraint component exists, it must be greater than the
-         * number of CA certificates we have seen so far.  If the extension
-         * is omitted, we will assume that this is a CA certificate with
-         * an unlimited pathLenConstraint (since it already passes the
-         * netscape-cert-type extension checking).
-         */
+    	 * certificate, make sure that the isCA flag is on.  If the
+    	 * pathLenConstraint component exists, it must be greater than the
+    	 * number of CA certificates we have seen so far.  If the extension
+    	 * is omitted, we will assume that this is a CA certificate with
+    	 * an unlimited pathLenConstraint (since it already passes the
+    	 * netscape-cert-type extension checking).
+    	 */
 
         rv = CERT_FindBasicConstraintExten(issuerCert, &basicConstraint);
         if (rv != SECSuccess) {
             if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
                 LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0);
             }
             pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT;
             /* no basic constraints found, we aren't (yet) a CA. */
             isca = PR_FALSE;
-        } else {
+        }
+        else {
             if (basicConstraint.isCA == PR_FALSE) {
                 PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
                 LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0);
             }
             pathLengthLimit = basicConstraint.pathLenConstraint;
             isca = PR_TRUE;
         }
         /* make sure that the path len constraint is properly set.*/
@@ -607,57 +615,60 @@ cert_VerifyCertChainOld(CERTCertDBHandle
                                    arena, &badCert);
         if (rv != SECSuccess || badCert != NULL) {
             PORT_SetError(SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
             LOG_ERROR_OR_EXIT(log, badCert, count + 1, 0);
             goto loser;
         }
 
         /* XXX - the error logging may need to go down into CRL stuff at some
-         * point
-         */
+    	 * point
+    	 */
         /* check revoked list (issuer) */
         rv = SEC_CheckCRL(handle, subjectCert, issuerCert, t, wincx);
         if (rv == SECFailure) {
             if (revoked) {
                 *revoked = PR_TRUE;
             }
             LOG_ERROR_OR_EXIT(log, subjectCert, count, 0);
-        } else if (rv == SECWouldBlock) {
+        }
+        else if (rv == SECWouldBlock) {
             /* We found something fishy, so we intend to issue an
              * error to the user, but the user may wish to continue
              * processing, in which case we better make sure nothing
              * worse has happened... so keep cranking the loop */
             rvFinal = SECFailure;
             if (revoked) {
                 *revoked = PR_TRUE;
             }
             LOG_ERROR(log, subjectCert, count, 0);
         }
 
         if (CERT_GetCertTrust(issuerCert, &issuerTrust) == SECSuccess) {
             /* we have some trust info, but this does NOT imply that this
-             * cert is actually trusted for any purpose.  The cert may be
-             * explicitly UNtrusted.  We won't know until we examine the
-             * trust bits.
-             */
+    	     * cert is actually trusted for any purpose.  The cert may be
+    	     * explicitly UNtrusted.  We won't know until we examine the
+    	     * trust bits.
+    	     */
             unsigned int flags;
 
             if (certUsage != certUsageAnyCA &&
                 certUsage != certUsageStatusResponder) {
 
                 /*
-                 * XXX This choice of trustType seems arbitrary.
-                 */
+    	         * XXX This choice of trustType seems arbitrary.
+    	         */
                 if (certUsage == certUsageVerifyCA) {
                     if (subjectCert->nsCertType & NS_CERT_TYPE_EMAIL_CA) {
                         trustType = trustEmail;
-                    } else if (subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA) {
+                    }
+                    else if (subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA) {
                         trustType = trustSSL;
-                    } else {
+                    }
+                    else {
                         trustType = trustObjectSigning;
                     }
                 }
 
                 flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
                 if ((flags & requiredFlags) == requiredFlags) {
                     /* we found a trusted one, so return */
                     rv = rvFinal;
@@ -665,62 +676,63 @@ cert_VerifyCertChainOld(CERTCertDBHandle
                 }
                 if (flags & CERTDB_VALID_CA) {
                     validCAOverride = PR_TRUE;
                 }
                 /* is it explicitly distrusted? */
                 if ((flags & CERTDB_TERMINAL_RECORD) &&
                     ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)) {
                     /* untrusted -- the cert is explicitly untrusted, not
-                     * just that it doesn't chain to a trusted cert */
+		             * just that it doesn't chain to a trusted cert */
                     PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
                     LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, flags);
                 }
-            } else {
+            }
+            else {
                 /* Check if we have any valid trust when cheching for
                  * certUsageAnyCA or certUsageStatusResponder. */
                 for (trustType = trustSSL; trustType < trustTypeNone;
                      trustType++) {
                     flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
                     if ((flags & requiredFlags) == requiredFlags) {
                         rv = rvFinal;
                         goto done;
                     }
                     if (flags & CERTDB_VALID_CA)
                         validCAOverride = PR_TRUE;
                 }
                 /* We have 2 separate loops because we want any single trust
-                 * bit to allow this usage to return trusted. Only if none of
-                 * the trust bits are on do we check to see if the cert is
-                 * untrusted */
+        		 * bit to allow this usage to return trusted. Only if none of
+        		 * the trust bits are on do we check to see if the cert is
+        		 * untrusted */
                 for (trustType = trustSSL; trustType < trustTypeNone;
                      trustType++) {
                     flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
                     /* is it explicitly distrusted? */
                     if ((flags & CERTDB_TERMINAL_RECORD) &&
                         ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)) {
                         /* untrusted -- the cert is explicitly untrusted, not
-                         * just that it doesn't chain to a trusted cert */
+			             * just that it doesn't chain to a trusted cert */
                         PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
                         LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, flags);
                     }
                 }
             }
         }
 
         if (!validCAOverride) {
             /*
-             * Make sure that if this is an intermediate CA in the chain that
-             * it was given permission by its signer to be a CA.
-             */
+    	     * Make sure that if this is an intermediate CA in the chain that
+    	     * it was given permission by its signer to be a CA.
+    	     */
             /*
-             * if basicConstraints says it is a ca, then we check the
-             * nsCertType.  If the nsCertType has any CA bits set, then
-             * it must have the right one.
-             */
+    	     * if basicConstraints says it is a ca, then we check the
+    	     * nsCertType.  If the nsCertType has any CA bits set, then
+    	     * it must have the right one.
+    	     */
             if (!isca || (issuerCert->nsCertType & NS_CERT_TYPE_CA)) {
                 isca = (issuerCert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE;
             }
 
             if (!isca) {
                 PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
                 LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0);
             }
@@ -728,36 +740,36 @@ cert_VerifyCertChainOld(CERTCertDBHandle
             /* make sure key usage allows cert signing */
             if (CERT_CheckKeyUsage(issuerCert, requiredCAKeyUsage) != SECSuccess) {
                 PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
                 LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, requiredCAKeyUsage);
             }
         }
 
         /* make sure that the issuer is not self signed.  If it is, then
-         * stop here to prevent looping.
-         */
+    	 * stop here to prevent looping.
+    	 */
         if (issuerCert->isRoot) {
             PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
             LOG_ERROR(log, issuerCert, count + 1, 0);
             goto loser;
         }
         /* The issuer cert will be the subject cert in the next loop.
-         * A cert is self-issued if its subject and issuer are equal and
-         * both are of non-zero length.
-         */
+    	 * A cert is self-issued if its subject and issuer are equal and
+    	 * both are of non-zero length.
+    	 */
         subjectCertIsSelfIssued = (PRBool)
                                       SECITEM_ItemsAreEqual(&issuerCert->derIssuer,
                                                             &issuerCert->derSubject) &&
                                   issuerCert->derSubject.len >
                                       0;
         if (subjectCertIsSelfIssued == PR_FALSE) {
             /* RFC 3280 says only non-self-issued intermediate CA certs
-             * count in path length.
-             */
+    	     * count in path length.
+    	     */
             ++currentPathLen;
         }
 
         CERT_DestroyCertificate(subjectCert);
         subjectCert = issuerCert;
         issuerCert = NULL;
     }
 
@@ -854,18 +866,18 @@ CERT_VerifyCACertForUsage(CERTCertDBHand
                 trustType = trustSSL;
             }
             break;
         default:
             PORT_Assert(0);
             EXIT_IF_NOT_LOGGING(log);
             requiredFlags = 0;
             trustType = trustSSL; /* This used to be 0, but we need something
-                                   * that matches the enumeration type.
-                                   */
+                			       * that matches the enumeration type.
+                			       */
             caCertType = 0;
     }
 
     /* If the basicConstraint extension is included in an intermmediate CA
      * certificate, make sure that the isCA flag is on.  If the
      * pathLenConstraint component exists, it must be greater than the
      * number of CA certificates we have seen so far.  If the extension
      * is omitted, we will assume that this is a CA certificate with
@@ -875,83 +887,84 @@ CERT_VerifyCACertForUsage(CERTCertDBHand
 
     rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
     if (rv != SECSuccess) {
         if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
             LOG_ERROR_OR_EXIT(log, cert, 0, 0);
         }
         /* no basic constraints found, we aren't (yet) a CA. */
         isca = PR_FALSE;
-    } else {
+    }
+    else {
         if (basicConstraint.isCA == PR_FALSE) {
             PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
             LOG_ERROR_OR_EXIT(log, cert, 0, 0);
         }
 
         /* can't check path length if we don't know the previous path */
         isca = PR_TRUE;
     }
 
     if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) {
         /* we have some trust info, but this does NOT imply that this
-         * cert is actually trusted for any purpose.  The cert may be
-         * explicitly UNtrusted.  We won't know until we examine the
-         * trust bits.
-         */
+    	 * cert is actually trusted for any purpose.  The cert may be
+    	 * explicitly UNtrusted.  We won't know until we examine the
+    	 * trust bits.
+    	 */
         if (certUsage == certUsageStatusResponder) {
             /* Check the special case of certUsageStatusResponder */
             issuerCert = CERT_FindCertIssuer(cert, t, certUsage);
             if (issuerCert) {
                 if (SEC_CheckCRL(handle, cert, issuerCert, t, wincx) !=
                     SECSuccess) {
                     PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
                     CERT_DestroyCertificate(issuerCert);
                     goto loser;
                 }
                 CERT_DestroyCertificate(issuerCert);
             }
             /* XXX We have NOT determined that this cert is trusted.
-             * For years, NSS has treated this as trusted,
-             * but it seems incorrect.
-             */
+    	     * For years, NSS has treated this as trusted,
+    	     * but it seems incorrect.
+    	     */
             rv = rvFinal;
             goto done;
         }
 
         /*
-         * check the trust params of the issuer
-         */
+    	 * check the trust params of the issuer
+    	 */
         flags = SEC_GET_TRUST_FLAGS(&certTrust, trustType);
         if ((flags & requiredFlags) == requiredFlags) {
             /* we found a trusted one, so return */
             rv = rvFinal;
             goto done;
         }
         if (flags & CERTDB_VALID_CA) {
             validCAOverride = PR_TRUE;
         }
         /* is it explicitly distrusted? */
         if ((flags & CERTDB_TERMINAL_RECORD) &&
             ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)) {
             /* untrusted -- the cert is explicitly untrusted, not
-             * just that it doesn't chain to a trusted cert */
+	         * just that it doesn't chain to a trusted cert */
             PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
             LOG_ERROR_OR_EXIT(log, cert, 0, flags);
         }
     }
     if (!validCAOverride) {
         /*
-         * Make sure that if this is an intermediate CA in the chain that
-         * it was given permission by its signer to be a CA.
-         */
+    	 * Make sure that if this is an intermediate CA in the chain that
+    	 * it was given permission by its signer to be a CA.
+    	 */
         /*
-         * if basicConstraints says it is a ca, then we check the
-         * nsCertType.  If the nsCertType has any CA bits set, then
-         * it must have the right one.
-         */
+    	 * if basicConstraints says it is a ca, then we check the
+    	 * nsCertType.  If the nsCertType has any CA bits set, then
+    	 * it must have the right one.
+    	 */
         if (!isca || (cert->nsCertType & NS_CERT_TYPE_CA)) {
             isca = (cert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE;
         }
 
         if (!isca) {
             PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
             LOG_ERROR_OR_EXIT(log, cert, 0, 0);
         }
@@ -1023,73 +1036,76 @@ cert_CheckLeafTrust(CERTCertificate *cer
     if (CERT_GetCertTrust(cert, &trust) == SECSuccess) {
         switch (certUsage) {
             case certUsageSSLClient:
             case certUsageSSLServer:
                 flags = trust.sslFlags;
 
                 /* is the cert directly trusted or not trusted ? */
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-                            * authoritative */
+						    * authoritative */
                     if (flags & CERTDB_TRUSTED) {     /* trust this cert */
                         *trusted = PR_TRUE;
                         return SECSuccess;
-                    } else { /* don't trust this cert */
+                    }
+                    else { /* don't trust this cert */
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
                 break;
             case certUsageSSLServerWithStepUp:
                 /* XXX - step up certs can't be directly trusted, only distrust */
                 flags = trust.sslFlags;
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-                                                       * authoritative */
+						                               * authoritative */
                     if ((flags & CERTDB_TRUSTED) == 0) {
                         /* don't trust this cert */
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
                 break;
             case certUsageSSLCA:
                 flags = trust.sslFlags;
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-                                                       * authoritative */
+						                               * authoritative */
                     if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
                         /* don't trust this cert */
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
                 break;
             case certUsageEmailSigner:
             case certUsageEmailRecipient:
                 flags = trust.emailFlags;
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-                                                       * authoritative */
+						                               * authoritative */
                     if (flags & CERTDB_TRUSTED) {     /* trust this cert */
                         *trusted = PR_TRUE;
                         return SECSuccess;
-                    } else { /* don't trust this cert */
+                    }
+                    else { /* don't trust this cert */
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
 
                 break;
             case certUsageObjectSigner:
                 flags = trust.objectSigningFlags;
 
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-                                                       * authoritative */
+						                               * authoritative */
                     if (flags & CERTDB_TRUSTED) {     /* trust this cert */
                         *trusted = PR_TRUE;
                         return SECSuccess;
-                    } else { /* don't trust this cert */
+                    }
+                    else { /* don't trust this cert */
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
                 break;
             case certUsageVerifyCA:
             case certUsageStatusResponder:
                 flags = trust.sslFlags;
@@ -1114,35 +1130,35 @@ cert_CheckLeafTrust(CERTCertificate *cer
                     return SECSuccess;
                 }
                 /* fall through to test distrust */
             case certUsageAnyCA:
             case certUsageUserCertImport:
                 /* do we distrust these certs explicitly */
                 flags = trust.sslFlags;
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-                            * authoritative */
+						    * authoritative */
                     if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
                 flags = trust.emailFlags;
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-                            * authoritative */
+						    * authoritative */
                     if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
                 /* fall through */
             case certUsageProtectedObjectSigner:
                 flags = trust.objectSigningFlags;
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-                                                       * authoritative */
+						                               * authoritative */
                     if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
                 break;
         }
     }
@@ -1186,17 +1202,18 @@ CERT_VerifyCertificate(CERTCertDBHandle 
     if (!requiredUsages) {
         /* there are no required usages, so the user probably wants to
            get status for all usages */
         checkAllUsages = PR_TRUE;
     }
 
     if (returnedUsages) {
         *returnedUsages = 0;
-    } else {
+    }
+    else {
         /* we don't have a place to return status for all usages,
            so we can skip checks for usages that aren't required */
         checkAllUsages = PR_FALSE;
     }
     valid = SECSuccess; /* start off assuming cert is valid */
 
     /* make sure that the cert is valid at time t */
     allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
@@ -1271,17 +1288,18 @@ CERT_VerifyCertificate(CERTCertDBHandle 
 
         rv = cert_CheckLeafTrust(cert, certUsage, &flags, &trusted);
         if (rv == SECFailure) {
             if (PR_TRUE == requiredUsage) {
                 PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
             }
             LOG_ERROR(log, cert, 0, flags);
             INVALID_USAGE();
-        } else if (trusted) {
+        }
+        else if (trusted) {
             VALID_USAGE();
         }
 
         if (PR_TRUE == revoked || PR_TRUE == sigerror) {
             INVALID_USAGE();
         }
 
         rv = cert_VerifyCertChain(handle, cert,
@@ -1411,17 +1429,18 @@ cert_VerifyCertWithFlags(CERTCertDBHandl
         PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
         LOG_ERROR_OR_EXIT(log, cert, 0, requiredCertType);
     }
 
     rv = cert_CheckLeafTrust(cert, certUsage, &failedFlags, &trusted);
     if (rv == SECFailure) {
         PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
         LOG_ERROR_OR_EXIT(log, cert, 0, failedFlags);
-    } else if (trusted) {
+    }
+    else if (trusted) {
         goto done;
     }
 
     rv = CERT_VerifyCertChain(handle, cert, checkSig, certUsage,
                               t, wincx, log);
     if (rv != SECSuccess) {
         EXIT_IF_NOT_LOGGING(log);
     }
@@ -1478,22 +1497,22 @@ CERT_VerifyCertNow(CERTCertDBHandle *han
 {
     return (CERT_VerifyCert(handle, cert, checkSig,
                             certUsage, PR_Now(), wincx, NULL));
 }
 
 /* [ FROM pcertdb.c ] */
 /*
  * Supported usage values and types:
- *  certUsageSSLClient
- *  certUsageSSLServer
- *  certUsageSSLServerWithStepUp
- *  certUsageEmailSigner
- *  certUsageEmailRecipient
- *  certUsageObjectSigner
+ *	certUsageSSLClient
+ *	certUsageSSLServer
+ *	certUsageSSLServerWithStepUp
+ *	certUsageEmailSigner
+ *	certUsageEmailRecipient
+ *	certUsageObjectSigner
  */
 
 CERTCertificate *
 CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
                       CERTCertOwner owner, SECCertUsage usage,
                       PRBool preferTrusted, PRTime validTime, PRBool validOnly)
 {
     CERTCertList *certList = NULL;
@@ -1537,25 +1556,26 @@ CERT_FindMatchingCert(CERTCertDBHandle *
             cert = node->cert;
 
             /* looking for a trusted CA cert */
             if ((owner == certOwnerCA) && preferTrusted &&
                 (requiredTrustType != trustTypeNone)) {
 
                 if (CERT_GetCertTrust(cert, &certTrust) != SECSuccess) {
                     flags = 0;
-                } else {
+                }
+                else {
                     flags = SEC_GET_TRUST_FLAGS(&certTrust, requiredTrustType);
                 }
 
                 if ((flags & requiredTrustFlags) != requiredTrustFlags) {
                     /* cert is not trusted */
                     /* if this is the first cert to get this far, then save
-                     * it, so we can use it if we can't find a trusted one
-                     */
+		     * it, so we can use it if we can't find a trusted one
+		     */
                     if (saveUntrustedCA == NULL) {
                         saveUntrustedCA = cert;
                     }
                     goto endloop;
                 }
             }
             /* if we got this far, then this cert meets all criteria */
             break;
@@ -1589,21 +1609,21 @@ loser:
     return (NULL);
 }
 
 /* [ From certdb.c ] */
 /*
  * Filter a list of certificates, removing those certs that do not have
  * one of the named CA certs somewhere in their cert chain.
  *
- *  "certList" - the list of certificates to filter
- *  "nCANames" - number of CA names
- *  "caNames" - array of CA names in string(rfc 1485) form
- *  "usage" - what use the certs are for, this is used when
- *      selecting CA certs
+ *	"certList" - the list of certificates to filter
+ *	"nCANames" - number of CA names
+ *	"caNames" - array of CA names in string(rfc 1485) form
+ *	"usage" - what use the certs are for, this is used when
+ *		selecting CA certs
  */
 SECStatus
 CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
                              char **caNames, SECCertUsage usage)
 {
     CERTCertificate *issuerCert = NULL;
     CERTCertificate *subjectCert;
     CERTCertListNode *node, *freenode;
@@ -1658,85 +1678,91 @@ CERT_FilterCertListByCANames(CERTCertLis
             subjectCert = issuerCert;
         }
         CERT_DestroyCertificate(subjectCert);
         if (!found) {
             /* CA was not found, so remove this cert from the list */
             freenode = node;
             node = CERT_LIST_NEXT(node);
             CERT_RemoveCertListNode(freenode);
-        } else {
+        }
+        else {
             /* CA was found, so leave it in the list */
             node = CERT_LIST_NEXT(node);
         }
     }
 
     return (SECSuccess);
 }
 
 /*
  * Given a certificate, return a string containing the nickname, and possibly
  * one of the validity strings, based on the current validity state of the
  * certificate.
  *
  * "arena" - arena to allocate returned string from.  If NULL, then heap
- *  is used.
+ *	is used.
  * "cert" - the cert to get nickname from
  * "expiredString" - the string to append to the nickname if the cert is
- *      expired.
+ *		expired.
  * "notYetGoodString" - the string to append to the nickname if the cert is
- *      not yet good.
+ *		not yet good.
  */
 char *
 CERT_GetCertNicknameWithValidity(PLArenaPool *arena, CERTCertificate *cert,
                                  char *expiredString, char *notYetGoodString)
 {
     SECCertTimeValidity validity;
     char *nickname = NULL, *tmpstr = NULL;
 
     validity = CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE);
 
     /* if the cert is good, then just use the nickname directly */
     if (validity == secCertTimeValid) {
         if (arena == NULL) {
             nickname = PORT_Strdup(cert->nickname);
-        } else {
+        }
+        else {
             nickname = PORT_ArenaStrdup(arena, cert->nickname);
         }
 
         if (nickname == NULL) {
             goto loser;
         }
-    } else {
+    }
+    else {
 
         /* if the cert is not valid, then tack one of the strings on the
-         * end
-         */
+    	 * end
+    	 */
         if (validity == secCertTimeExpired) {
             tmpstr = PR_smprintf("%s%s", cert->nickname,
                                  expiredString);
-        } else if (validity == secCertTimeNotValidYet) {
+        }
+        else if (validity == secCertTimeNotValidYet) {
             /* not yet valid */
             tmpstr = PR_smprintf("%s%s", cert->nickname,
                                  notYetGoodString);
-        } else {
+        }
+        else {
             /* undetermined */
             tmpstr = PR_smprintf("%s",
                                  "(NULL) (Validity Unknown)");
         }
 
         if (tmpstr == NULL) {
             goto loser;
         }
 
         if (arena) {
             /* copy the string into the arena and free the malloc'd one */
             nickname = PORT_ArenaStrdup(arena, tmpstr);
             PORT_Free(tmpstr);
-        } else {
+        }
+        else {
             nickname = tmpstr;
         }
         if (nickname == NULL) {
             goto loser;
         }
     }
     return (nickname);
 
@@ -1746,17 +1772,17 @@ loser:
 
 /*
  * Collect the nicknames from all certs in a CertList.  If the cert is not
  * valid, append a string to that nickname.
  *
  * "certList" - the list of certificates
  * "expiredString" - the string to append to the nickname of any expired cert
  * "notYetGoodString" - the string to append to the nickname of any cert
- *      that is not yet valid
+ *		that is not yet valid
  */
 CERTCertNicknames *
 CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
                                  char *notYetGoodString)
 {
     CERTCertNicknames *names;
     PLArenaPool *arena;
     CERTCertListNode *node;
@@ -1828,20 +1854,20 @@ loser:
     return (NULL);
 }
 
 /*
  * Extract the nickname from a nickmake string that may have either
  * expiredString or notYetGoodString appended.
  *
  * Args:
- *  "namestring" - the string containing the nickname, and possibly
- *      one of the validity label strings
- *  "expiredString" - the expired validity label string
- *  "notYetGoodString" - the not yet good validity label string
+ *	"namestring" - the string containing the nickname, and possibly
+ *		one of the validity label strings
+ *	"expiredString" - the expired validity label string
+ *	"notYetGoodString" - the not yet good validity label string
  *
  * Returns the raw nickname
  */
 char *
 CERT_ExtractNicknameString(char *namestring, char *expiredString,
                            char *notYetGoodString)
 {
     int explen, nyglen, namelen;
--- a/security/nss/lib/certhigh/certvfypkix.c
+++ b/security/nss/lib/certhigh/certvfypkix.c
@@ -691,17 +691,18 @@ cert_PkixToNssCertsChain(
     }
 
     *pvalidChain = validChain;
 
 cleanup:
     if (PKIX_ERROR_RECEIVED) {
         if (validChain) {
             CERT_DestroyCertList(validChain);
-        } else if (arena) {
+        }
+        else if (arena) {
             PORT_FreeArena(arena, PR_FALSE);
         }
         if (nssCert) {
             CERT_DestroyCertificate(nssCert);
         }
     }
     PKIX_DECREF(certItem);
 
@@ -832,17 +833,18 @@ cert_PkixErrorToNssCode(
 #endif /* PKIX_ERROR_DESCRIPTION */
         }
         errPtr = errPtr->cause;
         errLevel += 1;
     }
     PORT_Assert(nssErr);
     if (!nssErr) {
         *pNssErr = SEC_ERROR_LIBPKIX_INTERNAL;
-    } else {
+    }
+    else {
         *pNssErr = nssErr;
     }
 
     PKIX_RETURN(CERTVFYPKIX);
 }
 
 /*
  * FUNCTION: cert_GetLogFromVerifyNode
@@ -891,17 +893,18 @@ cert_GetLogFromVerifyNode(
                     cert_PkixErrorToNssCode(node->error, &nssErrorCode,
                                             plContext),
                     PKIX_GETPKIXERRORCODEFAILED);
 
                 cert_AddToVerifyLog(log, cert, nssErrorCode, node->depth, NULL);
             }
         }
         PKIX_RETURN(CERTVFYPKIX);
-    } else {
+    }
+    else {
         PRUint32 i = 0;
         PKIX_UInt32 length = 0;
 
         PKIX_CHECK(
             PKIX_List_GetLength(children, &length, plContext),
             PKIX_LISTGETLENGTHFAILED);
 
         for (i = 0; i < length; i++) {
@@ -1129,18 +1132,19 @@ cert_VerifyCertChainPkix(
          * Setting the variable to false, to make additional chain
          * validations be handled by old nss. */
         usePKIXValidationEngine = PR_FALSE;
     }
     testStartFnStackPosition = 2;
     fnStackNameArr[0] = "cert_VerifyCertChainPkix";
     fnStackInvCountArr[0] = 0;
     PKIX_Boolean abortOnLeak =
-        (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? PKIX_FALSE
-                                                                         : PKIX_TRUE;
+        (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
+                                                                   PKIX_FALSE
+                                                                   : PKIX_TRUE;
     runningLeakTest = PKIX_TRUE;
 
     /* Prevent multi-threaded run of object leak test */
     fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
     PORT_Assert(fnInvLocalCount == 1);
 
     do {
         rv = SECFailure;
@@ -1492,17 +1496,18 @@ cert_pkixSetParam(PKIX_ProcessingParams 
 
         case cert_pi_date:
             if (param->value.scalar.time == 0) {
                 error = PKIX_PL_Date_Create_UTCTime(NULL, &date, plContext);
                 if (error != NULL) {
                     errCode = SEC_ERROR_INVALID_TIME;
                     break;
                 }
-            } else {
+            }
+            else {
                 error = pkix_pl_Date_CreateFromPRTime(param->value.scalar.time,
                                                       &date, plContext);
                 if (error != NULL) {
                     errCode = SEC_ERROR_INVALID_TIME;
                     break;
                 }
             }
 
@@ -2009,18 +2014,19 @@ CERT_PKIXVerifyCert(
          * Setting the variable to false, to make additional chain
          * validations be handled by old nss. */
         usePKIXValidationEngine = PR_FALSE;
     }
     testStartFnStackPosition = 1;
     fnStackNameArr[0] = "CERT_PKIXVerifyCert";
     fnStackInvCountArr[0] = 0;
     PKIX_Boolean abortOnLeak =
-        (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? PKIX_FALSE
-                                                                         : PKIX_TRUE;
+        (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
+                                                                   PKIX_FALSE
+                                                                   : PKIX_TRUE;
     runningLeakTest = PKIX_TRUE;
 
     /* Prevent multi-threaded run of object leak test */
     fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
     PORT_Assert(fnInvLocalCount == 1);
 
     do {
         r = SECFailure;
@@ -2138,17 +2144,18 @@ CERT_PKIXVerifyCert(
             goto cleanup;
 #endif /* PKIX_OBJECT_LEAK_TEST */
 
         oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor);
         if (oparam != NULL) {
             if (trustAnchorCert != NULL) {
                 oparam->value.pointer.cert =
                     cert_NSSCertFromPKIXCert(trustAnchorCert);
-            } else {
+            }
+            else {
                 oparam->value.pointer.cert = NULL;
             }
         }
 
         error = PKIX_BuildResult_GetCertChain(buildResult, &builtCertList,
                                               plContext);
         if (error != NULL) {
             goto cleanup;
--- a/security/nss/lib/certhigh/crlv2.c
+++ b/security/nss/lib/certhigh/crlv2.c
@@ -75,24 +75,26 @@ CERT_FindCRLNumberExten(PLArenaPool *are
 
     mark = PORT_ArenaMark(arena);
 
     tmpItem = SECITEM_ArenaDupItem(arena, &encodedExtenValue);
     if (tmpItem) {
         rv = SEC_QuickDERDecodeItem(arena, value,
                                     SEC_ASN1_GET(SEC_IntegerTemplate),
                                     tmpItem);
-    } else {
+    }
+    else {
         rv = SECFailure;
     }
 
     PORT_Free(encodedExtenValue.data);
     if (rv == SECFailure) {
         PORT_ArenaRelease(arena, mark);
-    } else {
+    }
+    else {
         PORT_ArenaUnmark(arena, mark);
     }
     return (rv);
 }
 
 SECStatus
 CERT_FindCRLEntryReasonExten(CERTCrlEntry *crlEntry,
                              CERTCRLEntryReasonCode *value)
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -201,17 +201,18 @@ static void
 printHexString(const char *prefix, SECItem *hexval)
 {
     unsigned int i;
     char *hexbuf = NULL;
 
     for (i = 0; i < hexval->len; i++) {
         if (i != hexval->len - 1) {
             hexbuf = PR_sprintf_append(hexbuf, "%02x:", hexval->data[i]);
-        } else {
+        }
+        else {
             hexbuf = PR_sprintf_append(hexbuf, "%02x", hexval->data[i]);
         }
     }
     if (hexbuf) {
         ocsp_Trace("%s %s\n", prefix, hexbuf);
         PR_smprintf_free(hexbuf);
     }
 }
@@ -352,17 +353,18 @@ ocsp_CopyRevokedInfo(PLArenaPool *arena,
     }
 
     if (src->revocationReason) {
         dest->certStatusInfo.revokedInfo->revocationReason =
             SECITEM_ArenaDupItem(arena, src->revocationReason);
         if (!dest->certStatusInfo.revokedInfo->revocationReason) {
             goto loser;
         }
-    } else {
+    }
+    else {
         dest->certStatusInfo.revokedInfo->revocationReason = NULL;
     }
 
     PORT_ArenaUnmark(arena, mark);
     return SECSuccess;
 
 loser:
     PORT_ArenaRelease(arena, mark);
@@ -454,23 +456,25 @@ ocsp_RemoveCacheItemFromLinkedList(OCSPC
 
     if (item == cache->LRUitem) {
         PORT_Assert(item != cache->MRUitem);
         PORT_Assert(item->lessRecent == NULL);
         PORT_Assert(item->moreRecent != NULL);
         PORT_Assert(item->moreRecent->lessRecent == item);
         cache->LRUitem = item->moreRecent;
         cache->LRUitem->lessRecent = NULL;
-    } else if (item == cache->MRUitem) {
+    }
+    else if (item == cache->MRUitem) {
         PORT_Assert(item->moreRecent == NULL);
         PORT_Assert(item->lessRecent != NULL);
         PORT_Assert(item->lessRecent->moreRecent == item);
         cache->MRUitem = item->lessRecent;
         cache->MRUitem->moreRecent = NULL;
-    } else {
+    }
+    else {
         /* remove an entry in the middle of the list */
         PORT_Assert(item->moreRecent != NULL);
         PORT_Assert(item->lessRecent != NULL);
         PORT_Assert(item->lessRecent->moreRecent == item);
         PORT_Assert(item->moreRecent->lessRecent == item);
         item->moreRecent->lessRecent = item->lessRecent;
         item->lessRecent->moreRecent = item->moreRecent;
     }
@@ -673,17 +677,18 @@ ocsp_SetCacheItemResponse(OCSPCacheItem 
         item->missingResponseError = 0;
         rv = DER_GeneralizedTimeToTime(&item->thisUpdate,
                                        &response->thisUpdate);
         item->haveThisUpdate = (rv == SECSuccess);
         if (response->nextUpdate) {
             rv = DER_GeneralizedTimeToTime(&item->nextUpdate,
                                            response->nextUpdate);
             item->haveNextUpdate = (rv == SECSuccess);
-        } else {
+        }
+        else {
             item->haveNextUpdate = PR_FALSE;
         }
     }
     return SECSuccess;
 }
 
 static void
 ocsp_FreshenCacheItemNextFetchAttemptTime(OCSPCacheItem *cacheItem)
@@ -701,17 +706,18 @@ ocsp_FreshenCacheItemNextFetchAttemptTim
 
     if (cacheItem->haveThisUpdate) {
         OCSP_TRACE_TIME("thisUpdate:", cacheItem->thisUpdate);
         latestTimeWhenResponseIsConsideredFresh = cacheItem->thisUpdate +
                                                   OCSP_Global.maximumSecondsToNextFetchAttempt *
                                                       MICROSECONDS_PER_SECOND;
         OCSP_TRACE_TIME("latestTimeWhenResponseIsConsideredFresh:",
                         latestTimeWhenResponseIsConsideredFresh);
-    } else {
+    }
+    else {
         latestTimeWhenResponseIsConsideredFresh = now +
                                                   OCSP_Global.minimumSecondsToNextFetchAttempt *
                                                       MICROSECONDS_PER_SECOND;
         OCSP_TRACE_TIME("no thisUpdate, "
                         "latestTimeWhenResponseIsConsideredFresh:",
                         latestTimeWhenResponseIsConsideredFresh);
     }
 
@@ -809,17 +815,18 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheD
         return SECSuccess;
     }
 
     if (!cacheItem) {
         CERTOCSPCertID *myCertID;
         if (certIDWasConsumed) {
             myCertID = certID;
             *certIDWasConsumed = PR_TRUE;
-        } else {
+        }
+        else {
             myCertID = cert_DupOCSPCertID(certID);
             if (!myCertID) {
                 PR_ExitMonitor(OCSP_Global.monitor);
                 PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
                 return SECFailure;
             }
         }
 
@@ -837,21 +844,23 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheD
         if (!cacheItem->haveThisUpdate ||
             (rv == SECSuccess && cacheItem->thisUpdate < thisUpdate)) {
             rv = ocsp_SetCacheItemResponse(cacheItem, single);
             if (rv != SECSuccess) {
                 ocsp_RemoveCacheItem(cache, cacheItem);
                 PR_ExitMonitor(OCSP_Global.monitor);
                 return rv;
             }
-        } else {
+        }
+        else {
             OCSP_TRACE(("Not caching response because the response is not "
                         "newer than the cache"));
         }
-    } else {
+    }
+    else {
         cacheItem->missingResponseError = PORT_GetError();
         if (cacheItem->certStatusArena) {
             PORT_FreeArena(cacheItem->certStatusArena, PR_FALSE);
             cacheItem->certStatusArena = NULL;
         }
     }
     ocsp_FreshenCacheItemNextFetchAttemptTime(cacheItem);
     ocsp_CheckCacheSize(cache);
@@ -888,19 +897,21 @@ CERT_OCSPCacheSettings(PRInt32 maxCacheE
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
     PR_EnterMonitor(OCSP_Global.monitor);
 
     if (maxCacheEntries < 0) {
         OCSP_Global.maxCacheEntries = -1; /* disable cache */
-    } else if (maxCacheEntries == 0) {
+    }
+    else if (maxCacheEntries == 0) {
         OCSP_Global.maxCacheEntries = 0; /* unlimited cache entries */
-    } else {
+    }
+    else {
         OCSP_Global.maxCacheEntries = maxCacheEntries;
     }
 
     if (minimumSecondsToNextFetchAttempt <
             OCSP_Global.minimumSecondsToNextFetchAttempt ||
         maximumSecondsToNextFetchAttempt <
             OCSP_Global.maximumSecondsToNextFetchAttempt) {
         /*
@@ -948,17 +959,18 @@ OCSP_InitGlobal(void)
                             ocsp_CacheKeyCompareFunction,
                             PL_CompareValues,
                             NULL,
                             NULL);
         OCSP_Global.ocspFailureMode = ocspMode_FailureIsVerificationFailure;
         OCSP_Global.cache.numberOfEntries = 0;
         OCSP_Global.cache.MRUitem = NULL;
         OCSP_Global.cache.LRUitem = NULL;
-    } else {
+    }
+    else {
         /*
          * NSS might call this function twice while attempting to init.
          * But it's not allowed to call this again after any activity.
          */
         PORT_Assert(OCSP_Global.cache.numberOfEntries == 0);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
     }
     if (OCSP_Global.cache.entries)
@@ -1606,17 +1618,18 @@ ocsp_DigestValue(PLArenaPool *arena, SEC
     }
 
     if (fill == NULL || fill->data == NULL) {
         result = SECITEM_AllocItem(arena, fill, digestObject->length);
         if (result == NULL) {
             goto loser;
         }
         digestBuff = result->data;
-    } else {
+    }
+    else {
         if (fill->len < digestObject->length) {
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             goto loser;
         }
         digestBuff = fill->data;
     }
 
     if (PK11_HashBuf(digestAlg, digestBuff,
@@ -1631,17 +1644,18 @@ ocsp_DigestValue(PLArenaPool *arena, SEC
     if (result == NULL) {
         result = fill;
     }
     return result;
 
 loser:
     if (arena != NULL) {
         PORT_ArenaRelease(arena, mark);
-    } else {
+    }
+    else {
         if (result != NULL) {
             SECITEM_FreeItem(result, (fill == NULL) ? PR_TRUE : PR_FALSE);
         }
     }
     return (NULL);
 }
 
 /*
@@ -2890,17 +2904,18 @@ ocsp_ParseURL(const char *url, char **pH
             c = *url;
         }
         len = url - save;
         path = PORT_Alloc(len + 1);
         if (path == NULL)
             goto loser;
         PORT_Memcpy(path, save, len);
         path[len] = '\0';
-    } else {
+    }
+    else {
         path = PORT_Strdup("/");
         if (path == NULL)
             goto loser;
     }
 
     *pHostname = hostname;
     *pPort = port;
     *pPath = path;
@@ -2955,17 +2970,18 @@ ocsp_ConnectToHost(const char *host, PRU
         hostIndex = 0;
         do {
             hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr);
             if (hostIndex <= 0)
                 goto loser;
         } while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS);
 
         PORT_Free(netdbbuf);
-    } else {
+    }
+    else {
         /*
 	 * First put the port into the address, then connect.
 	 */
         if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS)
             goto loser;
         if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS)
             goto loser;
     }
@@ -3033,17 +3049,18 @@ ocsp_SendEncodedRequest(const char *loca
             goto loser;
 
         /*
          * The NSPR documentation promises that if it can, it will write the full
          * amount; this will not return a partial value expecting us to loop.
          */
         if (PR_Write(sock, header, (PRInt32)PORT_Strlen(header)) < 0)
             goto loser;
-    } else {
+    }
+    else {
         header = PR_smprintf("POST %s HTTP/1.0\r\n"
                              "Host: %s%s\r\n"
                              "Content-Type: application/ocsp-request\r\n"
                              "Content-Length: %u\r\n\r\n",
                              path, hostname, portstr, encodedRequest->len);
         if (header == NULL)
             goto loser;
 
@@ -3089,17 +3106,18 @@ ocsp_read(PRFileDesc *fd, char *buf, int
         PRInt32 got;
 
         got = PR_Recv(fd, buf + total, (PRInt32)(toread - total), 0, timeout);
         if (got < 0) {
             if (0 == total) {
                 total = -1; /* report the error if we didn't read anything yet */
             }
             break;
-        } else if (got == 0) { /* EOS */
+        }
+        else if (got == 0) { /* EOS */
             break;
         }
 
         total += got;
     }
 
     return total;
 }
@@ -3165,17 +3183,18 @@ ocsp_GetEncodedResponse(PLArenaPool *are
             offset += bytesRead;
             *(inBuffer + offset) = '\0'; /* NULL termination */
             headerEnd = strstr((const char *)inBuffer + searchOffset, headerEndMark);
             if (bytesRead < bufSizeIncrement) {
                 /* we read less data than requested, therefore we are at
                    EOS or there was a read error */
                 EOS = PR_TRUE;
             }
-        } else {
+        }
+        else {
             /* recv error or EOS */
             EOS = PR_TRUE;
         }
     } while ((!headerEnd) && (PR_FALSE == EOS) &&
              (inBufsize < maxBufSize));
 
     if (!headerEnd) {
         AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
@@ -3236,23 +3255,25 @@ ocsp_GetEncodedResponse(PLArenaPool *are
         value++;
         thisHeaderEnd = strstr(value, CRLF);
         if (thisHeaderEnd) {
             *thisHeaderEnd = '\0';
         }
 
         if (0 == PORT_Strcasecmp(nextHeader, "content-type")) {
             contenttype = value;
-        } else if (0 == PORT_Strcasecmp(nextHeader, "content-length")) {
+        }
+        else if (0 == PORT_Strcasecmp(nextHeader, "content-length")) {
             contentlength = atoi(value);
         }
 
         if (thisHeaderEnd) {
             nextHeader = thisHeaderEnd + CRLFlen;
-        } else {
+        }
+        else {
             nextHeader = NULL;
         }
 
     } while (nextHeader && (nextHeader < (headerEnd + CRLFlen)));
 
     /* check content-type */
     if (!contenttype ||
         (0 != PORT_Strcasecmp(contenttype, "application/ocsp-response"))) {
@@ -3282,17 +3303,18 @@ ocsp_GetEncodedResponse(PLArenaPool *are
                               ocsptimeout);
         if (bytesRead > 0) {
             offset += bytesRead;
             if (bytesRead < bufSizeIncrement) {
                 /* we read less data than requested, therefore we are at
                    EOS or there was a read error */
                 EOS = PR_TRUE;
             }
-        } else {
+        }
+        else {
             /* recv error or EOS */
             EOS = PR_TRUE;
         }
     }
 
     if (0 == offset) {
         AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
     }
@@ -3616,19 +3638,21 @@ ocsp_GetEncodedOCSPResponseFromRequest(P
         goto loser;
 
     encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg);
     if (encodedRequest == NULL)
         goto loser;
 
     if (!strcmp(method, "GET")) {
         encodedResponse = cert_GetOCSPResponse(arena, location, encodedRequest);
-    } else if (!strcmp(method, "POST")) {
+    }
+    else if (!strcmp(method, "POST")) {
         encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest);
-    } else {
+    }
+    else {
         goto loser;
     }
 
     if (encodedResponse != NULL && pRequest != NULL) {
         *pRequest = request;
         request = NULL; /* avoid destroying below */
     }
 
@@ -3682,17 +3706,18 @@ cert_GetOCSPResponse(PLArenaPool *arena,
     urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL);
     getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded;
 
     /* urlEncodedBufLength already contains room for the zero terminator.
      * Add another if we must add the '/' char.
      */
     if (arena) {
         fullGetPath = (char *)PORT_ArenaAlloc(arena, getURLLength);
-    } else {
+    }
+    else {
         fullGetPath = (char *)PORT_Alloc(getURLLength);
     }
     if (!fullGetPath) {
         return NULL;
     }
 
     strcpy(fullGetPath, location);
     walkOutput = fullGetPath + pathLength;
@@ -3727,17 +3752,18 @@ cert_FetchOCSPResponse(PLArenaPool *aren
     registeredHttpClient = SEC_GetRegisteredHttpClient();
 
     if (registeredHttpClient && registeredHttpClient->version == 1) {
         encodedResponse = fetchOcspHttpClientV1(
             arena,
             &registeredHttpClient->fcnTable.ftable1,
             location,
             encodedRequest);
-    } else {
+    }
+    else {
         /* use internal http client */
         PRFileDesc *sock = ocsp_SendEncodedRequest(location, encodedRequest);
         if (sock) {
             encodedResponse = ocsp_GetEncodedResponse(arena, sock);
             PR_Close(sock);
         }
     }
 
@@ -3937,33 +3963,36 @@ ocsp_GetSignerCertificate(CERTCertDBHand
         if (arena != NULL) {
 
             rv = SEC_QuickDERDecodeItem(arena, &encodedName,
                                         ocsp_ResponderIDDerNameTemplate,
                                         crIndex);
             if (rv != SECSuccess) {
                 if (PORT_GetError() == SEC_ERROR_BAD_DER)
                     PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
-            } else {
+            }
+            else {
                 signerCert = CERT_FindCertByName(handle, &encodedName);
             }
             PORT_FreeArena(arena, PR_FALSE);
         }
-    } else {
+    }
+    else {
         /*
     	 * The signer is either 1) a known issuer CA we passed in,
     	 * 2) the default OCSP responder, or 3) an intermediate CA
     	 * passed in the cert list to use. Figure out which it is.
     	 */
         int i;
         CERTCertificate *responder =
             ocsp_CertGetDefaultResponder(handle, NULL);
         if (responder && ocsp_matchcert(certIndex, responder)) {
             signerCert = CERT_DupCertificate(responder);
-        } else if (issuer && ocsp_matchcert(certIndex, issuer)) {
+        }
+        else if (issuer && ocsp_matchcert(certIndex, issuer)) {
             signerCert = CERT_DupCertificate(issuer);
         }
         for (i = 0; (signerCert == NULL) && (i < certCount); i++) {
             if (ocsp_matchcert(certIndex, certs[i])) {
                 signerCert = CERT_DupCertificate(certs[i]);
             }
         }
         if (signerCert == NULL) {
@@ -4077,17 +4106,18 @@ CERT_VerifyOCSPResponseSignature(CERTOCS
     /*
      * If this signature has already gone through verification, just
      * return the cached result.
      */
     if (signature->wasChecked) {
         if (signature->status == SECSuccess) {
             if (pSignerCert != NULL)
                 *pSignerCert = CERT_DupCertificate(signature->cert);
-        } else {
+        }
+        else {
             PORT_SetError(signature->failureReason);
         }
         return signature->status;
     }
 
     signerCert = ocsp_GetSignerCertificate(handle, tbsData,
                                            signature, issuer);
     if (signerCert == NULL) {
@@ -4118,21 +4148,23 @@ CERT_VerifyOCSPResponseSignature(CERTOCS
         goto finish;
 
     /*
      * Just because we have a cert does not mean it is any good; check
      * it for validity, trust and usage.
      */
     if (ocsp_CertIsOCSPDefaultResponder(handle, signerCert)) {
         rv = SECSuccess;
-    } else {
+    }
+    else {
         SECCertUsage certUsage;
         if (CERT_IsCACert(signerCert, NULL)) {
             certUsage = certUsageAnyCA;
-        } else {
+        }
+        else {
             certUsage = certUsageStatusResponder;
         }
         rv = cert_VerifyCertWithFlags(handle, signerCert, PR_TRUE, certUsage,
                                       producedAt, CERT_VERIFYCERT_SKIP_OCSP,
                                       pwArg, NULL);
         if (rv != SECSuccess) {
             PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
             goto finish;
@@ -4146,17 +4178,18 @@ CERT_VerifyOCSPResponseSignature(CERTOCS
 finish:
     if (signature->wasChecked)
         signature->status = rv;
 
     if (rv != SECSuccess) {
         signature->failureReason = PORT_GetError();
         if (signerCert != NULL)
             CERT_DestroyCertificate(signerCert);
-    } else {
+    }
+    else {
         /*
     	 * Save signer's certificate in signature.
     	 */
         signature->cert = signerCert;
         if (pSignerCert != NULL) {
             /*
     	     * Pass pointer to signer's certificate back to our caller,
     	     * who is also now responsible for destroying it.
@@ -4634,17 +4667,18 @@ ocsp_VerifySingleResponse(CERTOCSPSingle
     if (single->nextUpdate != NULL) {
         rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate);
         if (rv != SECSuccess)
             return rv;
 
         LL_ADD(tmp, tmp, nextUpdate);
         if (LL_CMP(tmp, <, now) || LL_CMP(producedAt, >, nextUpdate))
             return ocsp_HandleOldSingleResponse(single, now);
-    } else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) {
+    }
+    else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) {
         return ocsp_HandleOldSingleResponse(single, now);
     }
 
     return SECSuccess;
 }
 
 /*
  * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
@@ -4916,17 +4950,18 @@ ocsp_GetCachedOCSPResponseStatus(CERTOCS
         *cacheFreshness = ocsp_IsCacheItemFresh(cacheItem) ? ocspFresh
                                                            : ocspStale;
         /* having an arena means, we have a cached certStatus */
         if (cacheItem->certStatusArena) {
             *rvOcsp = ocsp_CertHasGoodStatus(&cacheItem->certStatus, time);
             if (*rvOcsp != SECSuccess) {
                 *missingResponseError = PORT_GetError();
             }
-        } else {
+        }
+        else {
             /*
              * No status cached, the previous attempt failed.
              * If OCSP is required, we never decide based on a failed attempt
              * However, if OCSP is optional, a recent OCSP failure is
              * an allowed good state.
              */
             if (*cacheFreshness == ocspFresh &&
                 !ignoreGlobalOcspFailureSetting &&
@@ -5038,29 +5073,31 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *h
     rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg,
                                        &certIDWasConsumed,
                                        &rvOcsp);
     if (rv != SECSuccess) {
         PRErrorCode err = PORT_GetError();
         if (ocsp_FetchingFailureIsVerificationFailure()) {
             PORT_SetError(err);
             rvOcsp = SECFailure;
-        } else if (cachedResponseFreshness == ocspStale &&
-                   (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT ||
-                    cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) {
+        }
+        else if (cachedResponseFreshness == ocspStale &&
+                 (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT ||
+                  cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) {
             /* If we couldn't get a response for a certificate that the OCSP
              * responder previously told us was bad, then assume it is still
              * bad until we hear otherwise, as it is very unlikely that the
              * certificate status has changed from "revoked" to "good" and it
              * is also unlikely that the certificate status has changed from
              * "unknown" to "good", except for some buggy OCSP responders.
              */
             PORT_SetError(cachedErrorCode);
             rvOcsp = SECFailure;
-        } else {
+        }
+        else {
             rvOcsp = SECSuccess;
         }
     }
     if (!certIDWasConsumed) {
         CERT_DestroyOCSPCertID(certID);
     }
     return rvOcsp;
 }
@@ -5225,17 +5262,18 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDB
 
     if (!OCSP_Global.monitor) {
         PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
         return SECFailure;
     }
     PR_EnterMonitor(OCSP_Global.monitor);
     if (OCSP_Global.forcePost) {
         currentStage = stagePOST;
-    } else {
+    }
+    else {
         currentStage = stageGET;
     }
     PR_ExitMonitor(OCSP_Global.monitor);
 
     /*
      * The first thing we need to do is find the location of the responder.
      * This will be the value of the default responder (if enabled), else
      * it will come out of the AIA extension in the cert (if present).
@@ -5284,17 +5322,18 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDB
     do {
         const char *method;
         PRBool validResponseWithAccurateInfo = PR_FALSE;
         retry = PR_FALSE;
         *rv_ocsp = SECFailure;
 
         if (currentStage == stageGET) {
             method = "GET";
-        } else {
+        }
+        else {
             PORT_Assert(currentStage == stagePOST);
             method = "POST";
         }
 
         encodedResponse =
             ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert,
                                                      location, method,
                                                      time, locationIsDefault,
@@ -5319,25 +5358,28 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDB
             }
         }
 
         if (currentStage == stageGET) {
             /* only accept GET response if good or revoked */
             if (validResponseWithAccurateInfo) {
                 ocsp_CacheSingleResponse(certID, singleResponse,
                                          certIDWasConsumed);
-            } else {
+            }
+            else {
                 retry = PR_TRUE;
                 currentStage = stagePOST;
             }
-        } else {
+        }
+        else {
             /* cache the POST respone, regardless of status */
             if (!singleResponse) {
                 cert_RememberOCSPProcessingFailure(certID, certIDWasConsumed);
-            } else {
+            }
+            else {
                 ocsp_CacheSingleResponse(certID, singleResponse,
                                          certIDWasConsumed);
             }
         }
 
         if (encodedResponse) {
             SECITEM_FreeItem(encodedResponse, PR_TRUE);
             encodedResponse = NULL;
@@ -5901,17 +5943,18 @@ CERT_SetOCSPDefaultResponder(CERTCertDBH
      * it will get re-found and set whenever use of a default responder is
      * enabled.
      */
     if (statusContext->defaultResponderCert != NULL) {
         CERT_DestroyCertificate(statusContext->defaultResponderCert);
         statusContext->defaultResponderCert = cert;
         /*OCSP enabled, switching responder: clear cache*/
         CERT_ClearOCSPCache();
-    } else {
+    }
+    else {
         PORT_Assert(statusContext->useDefaultResponder == PR_FALSE);
         CERT_DestroyCertificate(cert);
         /*OCSP currently not enabled, no need to clear cache*/
     }
 
     return SECSuccess;
 
 loser:
--- a/security/nss/lib/certhigh/ocspsig.c
+++ b/security/nss/lib/certhigh/ocspsig.c
@@ -455,24 +455,26 @@ CERT_CreateEncodedOCSPSuccessResponse(
 
         /* match the regular signature code, which doesn't use the arena */
         if (!SECITEM_AllocItem(NULL, &br->responseSignature.signature, 1))
             goto done;
         PORT_Memcpy(br->responseSignature.signature.data, &dummyChar, 1);
 
         /* convert len-in-bytes to len-in-bits */
         br->responseSignature.signature.len = br->responseSignature.signature.len << 3;
-    } else {
+    }
+    else {
         rid->responderIDType = responderIDType;
         if (responderIDType == ocspResponderID_byName) {
             responderIDTemplate = ocsp_ResponderIDByNameTemplate;
             if (CERT_CopyName(tmpArena, &rid->responderIDValue.name,
                               &responderCert->subject) != SECSuccess)
                 goto done;
-        } else {
+        }
+        else {
             responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
             if (!CERT_GetSubjectPublicKeyDigest(tmpArena, responderCert,
                                                 SEC_OID_SHA1, &rid->responderIDValue.keyHash))
                 goto done;
         }
 
         if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid,
                                 responderIDTemplate))
--- a/security/nss/lib/ckfw/builtins/anchor.c
+++ b/security/nss/lib/ckfw/builtins/anchor.c
@@ -8,10 +8,10 @@
  * This file "anchors" the actual cryptoki entry points in this module's
  * shared library, which is required for dynamic loading.  See the
  * comments in nssck.api for more information.
  */
 
 #include "builtins.h"
 
 #define MODULE_NAME builtins
-#define INSTANCE_NAME (NSSCKMDInstance *)&nss_builtins_mdInstance
+#define INSTANCE_NAME (NSSCKMDInstance *) & nss_builtins_mdInstance
 #include "nssck.api"
--- a/security/nss/lib/ckfw/builtins/bfind.c
+++ b/security/nss/lib/ckfw/builtins/bfind.c
@@ -121,17 +121,18 @@ builtins_attrmatch(
         }
         return CK_FALSE;
     }
 
     prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
 
     if (PR_TRUE == prb) {
         return CK_TRUE;
-    } else {
+    }
+    else {
         return CK_FALSE;
     }
 }
 
 static CK_BBOOL
 builtins_match(
     CK_ATTRIBUTE_PTR pTemplate,
     CK_ULONG ulAttributeCount,
@@ -141,17 +142,18 @@ builtins_match(
 
     for (i = 0; i < ulAttributeCount; i++) {
         CK_ULONG j;
 
         for (j = 0; j < o->n; j++) {
             if (o->types[j] == pTemplate[i].type) {
                 if (CK_FALSE == builtins_attrmatch(&pTemplate[i], &o->items[j])) {
                     return CK_FALSE;
-                } else {
+                }
+                else {
                     break;
                 }
             }
         }
 
         if (j == o->n) {
             /* Loop ran to the end: no matching attribute */
             return CK_FALSE;
--- a/security/nss/lib/ckfw/capi/anchor.c
+++ b/security/nss/lib/ckfw/capi/anchor.c
@@ -8,10 +8,10 @@
  * This file "anchors" the actual cryptoki entry points in this module's
  * shared library, which is required for dynamic loading.  See the
  * comments in nssck.api for more information.
  */
 
 #include "ckcapi.h"
 
 #define MODULE_NAME ckcapi
-#define INSTANCE_NAME (NSSCKMDInstance *)&nss_ckcapi_mdInstance
+#define INSTANCE_NAME (NSSCKMDInstance *) & nss_ckcapi_mdInstance
 #include "nssck.api"
--- a/security/nss/lib/ckfw/capi/cfind.c
+++ b/security/nss/lib/ckfw/capi/cfind.c
@@ -104,17 +104,18 @@ ckcapi_attrmatch(
         }
         return CK_FALSE;
     }
 
     prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
 
     if (PR_TRUE == prb) {
         return CK_TRUE;
-    } else {
+    }
+    else {
         return CK_FALSE;
     }
 }
 
 static CK_BBOOL
 ckcapi_match(
     CK_ATTRIBUTE_PTR pTemplate,
     CK_ULONG ulAttributeCount,
@@ -129,33 +130,35 @@ ckcapi_match(
     }
 
     /* Every attribute passed */
     return CK_TRUE;
 }
 
 #define CKAPI_ITEM_CHUNK 20
 
-#define PUT_Object(obj, err)                                                    \
-    {                                                                           \
-        if (count >= size) {                                                    \
-            *listp = *listp ? nss_ZREALLOCARRAY(*listp, ckcapiInternalObject *, \
-                                                (size +                         \
-                                                 CKAPI_ITEM_CHUNK))             \
-                            : nss_ZNEWARRAY(NULL, ckcapiInternalObject *,       \
-                                            (size +                             \
-                                             CKAPI_ITEM_CHUNK));                \
-            if ((ckcapiInternalObject **)NULL == *listp) {                      \
-                err = CKR_HOST_MEMORY;                                          \
-                goto loser;                                                     \
-            }                                                                   \
-            size += CKAPI_ITEM_CHUNK;                                           \
-        }                                                                       \
-        (*listp)[count] = (obj);                                                \
-        count++;                                                                \
+#define PUT_Object(obj, err)                                                  \
+    {                                                                         \
+        if (count >= size) {                                                  \
+            *listp = *listp ?                                                 \
+                            nss_ZREALLOCARRAY(*listp, ckcapiInternalObject *, \
+                                              (size +                         \
+                                               CKAPI_ITEM_CHUNK))             \
+                            :                                                 \
+                            nss_ZNEWARRAY(NULL, ckcapiInternalObject *,       \
+                                          (size +                             \
+                                           CKAPI_ITEM_CHUNK));                \
+            if ((ckcapiInternalObject **)NULL == *listp) {                    \
+                err = CKR_HOST_MEMORY;                                        \
+                goto loser;                                                   \
+            }                                                                 \
+            size += CKAPI_ITEM_CHUNK;                                         \
+        }                                                                     \
+        (*listp)[count] = (obj);                                              \
+        count++;                                                              \
     }
 
 /*
  * pass parameters back through the callback.
  */
 typedef struct BareCollectParamsStr {
     CK_OBJECT_CLASS objClass;
     CK_ATTRIBUTE_PTR pTemplate;
@@ -330,17 +333,18 @@ collect_class(
                         nss_ckcapi_WideToUTF8(keyProvInfo->pwszProvName);
                     nss_ZFreeIf(keyProvInfo);
 
                     if (provName &&
                         (strncmp(provName, "Microsoft", sizeof("Microsoft") -
                                                             1) != 0)) {
                         continue;
                     }
-                } else {
+                }
+                else {
                     int reason =
                         GetLastError();
                     /* we only care if it exists, we don't really need to fetch it yet */
                     nss_ZFreeIf(keyProvInfo);
                     if (reason ==
                         CRYPT_E_NOT_FOUND) {
                         continue;
                     }
@@ -366,17 +370,18 @@ collect_class(
             /* get a 'permanent' context */
             next->u.cert.certContext = CertDuplicateCertificateContext(certContext);
             next->objClass = objClass;
             next->u.cert.certContext = certContext;
             next->u.cert.hasID = hasID;
             next->u.cert.certStore = storeStr;
             PUT_Object(next, *pError);
             next = NULL; /* need to allocate a new one now */
-        } else {
+        }
+        else {
             /* don't cache the values we just loaded */
             memset(&next->u.cert, 0, sizeof(next->u.cert));
         }
     }
 loser:
     CertCloseStore(hStore, 0);
     nss_ZFreeIf(next);
     *sizep = size;
--- a/security/nss/lib/ckfw/capi/cobject.c
+++ b/security/nss/lib/ckfw/capi/cobject.c
@@ -466,17 +466,18 @@ nss_ckcapi_FetchKeyContainer(
                 rc =
                     CryptAcquireContext(hProv,
                                         ko->containerName,
                                         ko->provName,
                                         ko->provInfo.dwProvType, 0);
                 if (!rc) {
                     goto loser;
                 }
-            } else {
+            }
+            else {
                 *hProv =
                     ko->hProv;
             }
             *keySpec = ko->provInfo.dwKeySpec;
             break;
     }
 
     /* and get the crypto handle */
@@ -678,17 +679,18 @@ loser:
 }
 
 void
 ckcapi_PopulateModulusExponent(
     ckcapiInternalObject *io)
 {
     if (ckcapiCert == io->type) {
         ckcapi_CertPopulateModulusExponent(io);
-    } else {
+    }
+    else {
         ckcapi_FetchPublicKey(io);
     }
     return;
 }
 
 /*
  * fetch the friendly name attribute.
  * can only be called with ckcapiCert type objects!
@@ -706,17 +708,18 @@ ckcapi_FetchLabel(
     BOOL rv;
 
     rv = CertGetCertificateContextProperty(certContext,
                                            CERT_FRIENDLY_NAME_PROP_ID, labelDataUTF16, &size);
     if (rv) {
         co->labelData = nss_ckcapi_WideToUTF8((LPCWSTR)labelDataUTF16);
         if ((CHAR *)NULL == co->labelData) {
             rv = 0;
-        } else {
+        }
+        else {
             size = strlen(co->labelData);
         }
     }
     label = co->labelData;
     /* we are presuming a user cert, make sure it has a nickname, even if
      * Microsoft never gave it one */
     if (!rv && co->hasID) {
         DWORD mserror = GetLastError();
@@ -854,17 +857,18 @@ ckcapi_KeyFetchHashKey(
  * fetch the hash key.
  */
 void
 ckcapi_FetchHashKey(
     ckcapiInternalObject *io)
 {
     if (ckcapiCert == io->type) {
         ckcapi_CertFetchHashKey(io);
-    } else {
+    }
+    else {
         ckcapi_KeyFetchHashKey(io);
     }
     return;
 }
 
 const NSSItem *
 ckcapi_FetchCertAttribute(
     ckcapiInternalObject *io,
@@ -1327,33 +1331,35 @@ ckcapi_mdObject_Destroy(
         }
         certContext = CertFindCertificateInStore(hStore, X509_ASN_ENCODING, 0,
                                                  CERT_FIND_EXISTING, io->u.cert.certContext, NULL);
         if ((PCCERT_CONTEXT)NULL == certContext) {
             rc = 0;
             goto loser;
         }
         rc = CertDeleteCertificateFromStore(certContext);
-    } else {
+    }
+    else {
         char *provName = NULL;
         char *containerName = NULL;
         HCRYPTPROV hProv;
         CRYPT_HASH_BLOB msKeyID;
 
         if (0 == io->id.size) {
             ckcapi_FetchID(io);
         }
 
         if (isCertType) {
             CRYPT_KEY_PROV_INFO *provInfo = ckcapi_cert_getProvInfo(io);
             provName = nss_ckcapi_WideToUTF8(provInfo->pwszProvName);
             containerName = nss_ckcapi_WideToUTF8(provInfo->pwszContainerName);
             provType = provInfo->dwProvType;
             nss_ZFreeIf(provInfo);
-        } else {
+        }
+        else {
             provName = io->u.key.provName;
             containerName = io->u.key.containerName;
             provType = io->u.key.provInfo.dwProvType;
             io->u.key.provName = NULL;
             io->u.key.containerName = NULL;
         }
         /* first remove the key id pointer */
         msKeyID.cbData = io->id.size;
@@ -1450,17 +1456,18 @@ ckcapi_mdObject_GetAttributeTypes(
         mdObject, fwObject, mdSession, fwSession,
         mdToken, fwToken, mdInstance, fwInstance, &error);
 
     if (size != ulCount) {
         return CKR_BUFFER_TOO_SMALL;
     }
     if (io->type == ckcapiRaw) {
         attrs = io->u.raw.types;
-    } else
+    }
+    else
         switch (io->objClass) {
             case CKO_CERTIFICATE:
                 attrs =
                     certAttrs;
                 break;
             case CKO_PUBLIC_KEY:
                 attrs =
                     pubKeyAttrs;
@@ -1601,17 +1608,18 @@ nss_ckcapi_CreateMDObject(
 
         if (key->size == 0) {
             ckcapi_FetchHashKey(io);
         }
         old_o = (ckcapiInternalObject *)
             nssHash_Lookup(ckcapiInternalObjectHash, key);
         if (!old_o) {
             nssHash_Add(ckcapiInternalObjectHash, key, io);
-        } else if (old_o != io) {
+        }
+        else if (old_o != io) {
             nss_ckcapi_DestroyInternalObject(io);
             io = old_o;
         }
     }
 
     if ((void *)NULL == io->mdObject.etc) {
         (void)nsslibc_memcpy(&io->mdObject, &ckcapi_prototype_mdObject,
                              sizeof(ckcapi_prototype_mdObject));
@@ -1738,22 +1746,25 @@ nss_ckcapi_CreateCertificate(
                                                0, &msKeyID);
         if (!rc) {
             msError = GetLastError();
             *pError = CKR_DEVICE_ERROR;
             goto loser;
         }
 
         /* does it look like a CA */
-    } else if (ckcapi_cert_isCA(certContext)) {
+    }
+    else if (ckcapi_cert_isCA(certContext)) {
         storeStr = ckcapi_cert_isRoot(certContext) ? "CA" : "Root";
         /* does it look like an S/MIME cert */
-    } else if (ckcapi_cert_hasEmail(certContext)) {
+    }
+    else if (ckcapi_cert_hasEmail(certContext)) {
         storeStr = "AddressBook";
-    } else {
+    }
+    else {
         /* just pick a store */
         storeStr = "CA";
     }
 
     /* get the nickname, not an error if we can't find it */
     nickname = nss_ckcapi_GetStringAttribute(CKA_LABEL, pTemplate,
                                              ulAttributeCount, &dummy);
     if (nickname) {
@@ -2207,20 +2218,22 @@ nss_ckcapi_CreateObject(
     if (objClass == CKO_PUBLIC_KEY) {
         return CKR_OK; /* fake public key creation, happens as a side effect of
                         * private key creation */
     }
 #endif
     if (objClass == CKO_CERTIFICATE) {
         io = nss_ckcapi_CreateCertificate(fwSession, pTemplate,
                                           ulAttributeCount, pError);
-    } else if (objClass == CKO_PRIVATE_KEY) {
+    }
+    else if (objClass == CKO_PRIVATE_KEY) {
         io = nss_ckcapi_CreatePrivateKey(fwSession, pTemplate,
                                          ulAttributeCount, pError);
-    } else {
+    }
+    else {
         *pError = CKR_ATTRIBUTE_VALUE_INVALID;
     }
 
     if ((ckcapiInternalObject *)NULL == io) {
         return (NSSCKMDObject *)NULL;
     }
     return nss_ckcapi_CreateMDObject(NULL, io, pError);
 }
--- a/security/nss/lib/ckfw/dbm/anchor.c
+++ b/security/nss/lib/ckfw/dbm/anchor.c
@@ -8,10 +8,10 @@
  * This file "anchors" the actual cryptoki entry points in this module's
  * shared library, which is required for dynamic loading.  See the
  * comments in nssck.api for more information.
  */
 
 #include "ckdbm.h"
 
 #define MODULE_NAME dbm
-#define INSTANCE_NAME (NSSCKMDInstance *)&nss_dbm_mdInstance
+#define INSTANCE_NAME (NSSCKMDInstance *) & nss_dbm_mdInstance
 #include "nssck.api"
--- a/security/nss/lib/ckfw/dbm/db.c
+++ b/security/nss/lib/ckfw/dbm/db.c
@@ -89,25 +89,27 @@ nss_dbm_db_get_format_version(
         }
 
         dbrv = db->db->get(db->db, &k, &v, 0);
         if (dbrv == 0) {
             CK_ULONG major = 0, minor = 0;
             (void)PR_sscanf(v.data, "%ld.%ld", &major, &minor);
             rv.major = major;
             rv.minor = minor;
-        } else if (dbrv > 0) {
+        }
+        else if (dbrv > 0) {
             (void)PR_snprintf(buffer, sizeof(buffer), "%ld.%ld", nss_dbm_db_format_version.major,
                               nss_dbm_db_format_version.minor);
             v.data = buffer;
             v.size = nssUTF8_Size((NSSUTF8 *)v.data, (PRStatus *)NULL);
             dbrv = db->db->put(db->db, &k, &v, 0);
             (void)db->db->sync(db->db, 0);
             rv = nss_dbm_db_format_version;
-        } else {
+        }
+        else {
             /* No error return.. */
             ;
         }
 
         (void)NSSCKFWMutex_Unlock(db->crustylock);
     }
 
     return rv;
@@ -170,20 +172,22 @@ nss_dbm_db_get_label(
         }
 
         dbrv = db->db->get(db->db, &k, &v, 0);
         if (0 == dbrv) {
             rv = nssUTF8_Duplicate((NSSUTF8 *)v.data, arena);
             if ((NSSUTF8 *)NULL == rv) {
                 *pError = CKR_HOST_MEMORY;
             }
-        } else if (dbrv > 0) {
+        }
+        else if (dbrv > 0) {
             /* Just return null */
             ;
-        } else {
+        }
+        else {
             *pError = CKR_DEVICE_ERROR;
             ;
         }
 
         (void)NSSCKFWMutex_Unlock(db->crustylock);
     }
 
     return rv;
@@ -247,19 +251,21 @@ nss_dbm_db_new_handle(
         k.data = PREFIX_METADATA "LastID";
         k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
         (void)memset(&v, 0, sizeof(v));
 
         rv = db->db->get(db->db, &k, &v, 0);
         if (0 == rv) {
             (void)memcpy(&align, v.data, sizeof(CK_ULONG));
             id = ntohl(align);
-        } else if (rv > 0) {
+        }
+        else if (rv > 0) {
             id = 0;
-        } else {
+        }
+        else {
             goto done;
         }
 
         myid = id;
         id++;
         align = htonl(id);
         v.data = &align;
         v.size = sizeof(CK_ULONG);
@@ -751,17 +757,18 @@ nss_dbm_db_object_still_exists(
     ckrv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
     if (CKR_OK != ckrv) {
         return CK_FALSE;
     }
 
     dbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
     if (0 == dbrv) {
         rv = CK_TRUE;
-    } else {
+    }
+    else {
         rv = CK_FALSE;
     }
 
     (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
 
     return rv;
 }
 
@@ -780,20 +787,22 @@ nss_dbm_db_get_object_attribute_count(
         *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
         if (CKR_OK != *pError) {
             return rv;
         }
 
         *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
         if (0 == *pdbrv) {
             ;
-        } else if (*pdbrv > 0) {
+        }
+        else if (*pdbrv > 0) {
             *pError = CKR_OBJECT_HANDLE_INVALID;
             goto done;
-        } else {
+        }
+        else {
             *pError = CKR_DEVICE_ERROR;
             goto done;
         }
 
         pulData = (CK_ULONG *)object.data;
         rv = ntohl(pulData[0]);
 
     done:
@@ -820,20 +829,22 @@ nss_dbm_db_get_object_attribute_types(
         rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
         if (CKR_OK != rv) {
             return rv;
         }
 
         *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
         if (0 == *pdbrv) {
             ;
-        } else if (*pdbrv > 0) {
+        }
+        else if (*pdbrv > 0) {
             rv = CKR_OBJECT_HANDLE_INVALID;
             goto done;
-        } else {
+        }
+        else {
             rv = CKR_DEVICE_ERROR;
             goto done;
         }
 
         pulData = (CK_ULONG *)object.data;
         n = ntohl(pulData[0]);
 
         if (ulCount < n) {
@@ -869,30 +880,33 @@ nss_dbm_db_get_object_attribute_size(
         *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
         if (CKR_OK != *pError) {
             return rv;
         }
 
         *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
         if (0 == *pdbrv) {
             ;
-        } else if (*pdbrv > 0) {
+        }
+        else if (*pdbrv > 0) {
             *pError = CKR_OBJECT_HANDLE_INVALID;
             goto done;
-        } else {
+        }
+        else {
             *pError = CKR_DEVICE_ERROR;
             goto done;
         }
 
         pulData = (CK_ULONG *)object.data;
         n = ntohl(pulData[0]);
 
         for (i = 0; i < n; i++) {
             if (type == ntohl(pulData[1 + i * 3])) {
-                rv = ntohl(pulData[2 + i * 3]);
+                rv = ntohl(pulData[2 + i *
+                                           3]);
             }
         }
 
         if (i == n) {
             *pError = CKR_ATTRIBUTE_TYPE_INVALID;
             goto done;
         }
 
@@ -923,20 +937,22 @@ nss_dbm_db_get_object_attribute(
         *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
         if (CKR_OK != *pError) {
             goto loser;
         }
 
         *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
         if (0 == *pdbrv) {
             ;
-        } else if (*pdbrv > 0) {
+        }
+        else if (*pdbrv > 0) {
             *pError = CKR_OBJECT_HANDLE_INVALID;
             goto done;
-        } else {
+        }
+        else {
             *pError = CKR_DEVICE_ERROR;
             goto done;
         }
 
         *pError = nss_dbm_db_unwrap_object(tmp, &object, &pTemplate, &ulAttributeCount);
         if (CKR_OK != *pError) {
             goto done;
         }
@@ -996,20 +1012,22 @@ nss_dbm_db_set_object_attribute(
         rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
         if (CKR_OK != rv) {
             goto loser;
         }
 
         *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
         if (0 == *pdbrv) {
             ;
-        } else if (*pdbrv > 0) {
+        }
+        else if (*pdbrv > 0) {
             rv = CKR_OBJECT_HANDLE_INVALID;
             goto done;
-        } else {
+        }
+        else {
             rv = CKR_DEVICE_ERROR;
             goto done;
         }
 
         rv = nss_dbm_db_unwrap_object(tmp, &object, &pTemplate, &ulAttributeCount);
         if (CKR_OK != rv) {
             goto done;
         }
--- a/security/nss/lib/ckfw/dbm/slot.c
+++ b/security/nss/lib/ckfw/dbm/slot.c
@@ -70,17 +70,18 @@ nss_dbm_mdSlot_GetTokenPresent(
     NSSCKFWSlot *fwSlot,
     NSSCKMDInstance *mdInstance,
     NSSCKFWInstance *fwInstance)
 {
     nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
 
     if ((nss_dbm_db_t *)NULL == slot->token_db) {
         return CK_FALSE;
-    } else {
+    }
+    else {
         return CK_TRUE;
     }
 }
 
 static CK_BBOOL
 nss_dbm_mdSlot_GetRemovableDevice(
     NSSCKMDSlot *mdSlot,
     NSSCKFWSlot *fwSlot,
--- a/security/nss/lib/ckfw/dbm/token.c
+++ b/security/nss/lib/ckfw/dbm/token.c
@@ -145,17 +145,18 @@ nss_dbm_mdToken_GetIsWriteProtected(
     NSSCKFWToken *fwToken,
     NSSCKMDInstance *mdInstance,
     NSSCKFWInstance *fwInstance)
 {
     nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
 
     if (token->slot->flags & O_RDWR) {
         return CK_FALSE;
-    } else {
+    }
+    else {
         return CK_TRUE;
     }
 }
 
 /* GetLoginRequired defaults to CK_FALSE */
 /* GetUserPinInitialized defaults to CK_FALSE */
 /* GetRestoreKeyNotNeeded is irrelevant */
 /* GetHasClockOnToken defaults to CK_FALSE */
--- a/security/nss/lib/ckfw/find.c
+++ b/security/nss/lib/ckfw/find.c
@@ -265,17 +265,18 @@ nssCKFWFindObjects_Next(
                 }
 
                 /* All done. */
                 fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects,
                                             fwFindObjects->mdSession, fwFindObjects->fwSession,
                                             fwFindObjects->mdToken, fwFindObjects->fwToken,
                                             fwFindObjects->mdInstance, fwFindObjects->fwInstance);
                 fwFindObjects->mdfo1 = (NSSCKMDFindObjects *)NULL;
-            } else {
+            }
+            else {
                 goto wrap;
             }
         }
     }
 
     if (fwFindObjects->mdfo2) {
         if (fwFindObjects->mdfo2->Next) {
             fwFindObjects->mdFindObjects = fwFindObjects->mdfo2;
@@ -290,17 +291,18 @@ nssCKFWFindObjects_Next(
                 }
 
                 /* All done. */
                 fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects,
                                             fwFindObjects->mdSession, fwFindObjects->fwSession,
                                             fwFindObjects->mdToken, fwFindObjects->fwToken,
                                             fwFindObjects->mdInstance, fwFindObjects->fwInstance);
                 fwFindObjects->mdfo2 = (NSSCKMDFindObjects *)NULL;
-            } else {
+            }
+            else {
                 goto wrap;
             }
         }
     }
 
     /* No more objects */
     *pError = CKR_OK;
     goto done;
--- a/security/nss/lib/ckfw/hash.c
+++ b/security/nss/lib/ckfw/hash.c
@@ -130,17 +130,18 @@ nssCKFWHash_Add(
     error = nssCKFWMutex_Lock(hash->mutex);
     if (CKR_OK != error) {
         return error;
     }
 
     he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
     if (!he) {
         error = CKR_HOST_MEMORY;
-    } else {
+    }
+    else {
         hash->count++;
     }
 
     (void)nssCKFWMutex_Unlock(hash->mutex);
 
     return error;
 }
 
@@ -205,17 +206,18 @@ nssCKFWHash_Exists(
     }
 
     value = PL_HashTableLookup(hash->plHashTable, it);
 
     (void)nssCKFWMutex_Unlock(hash->mutex);
 
     if (!value) {
         return CK_FALSE;
-    } else {
+    }
+    else {
         return CK_TRUE;
     }
 }
 
 /*
  * nssCKFWHash_Lookup
  *
  */
--- a/security/nss/lib/ckfw/instance.c
+++ b/security/nss/lib/ckfw/instance.c
@@ -185,21 +185,23 @@ nssCKFWInstance_Create(
     fwInstance->mdInstance = mdInstance;
 
     fwInstance->LockingState = LockingState;
     if ((CK_C_INITIALIZE_ARGS_PTR)NULL != pInitArgs) {
         fwInstance->initArgs = *pInitArgs;
         fwInstance->pInitArgs = &fwInstance->initArgs;
         if (pInitArgs->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS) {
             fwInstance->mayCreatePthreads = CK_FALSE;
-        } else {
+        }
+        else {
             fwInstance->mayCreatePthreads = CK_TRUE;
         }
         fwInstance->configurationData = (NSSUTF8 *)(pInitArgs->pReserved);
-    } else {
+    }
+    else {
         fwInstance->mayCreatePthreads = CK_TRUE;
     }
 
     fwInstance->mutex = nssCKFWMutex_Create(pInitArgs, LockingState, arena,
                                             pError);
     if (!fwInstance->mutex) {
         if (CKR_OK == *pError) {
             *pError = CKR_GENERAL_ERROR;
@@ -214,17 +216,18 @@ nssCKFWInstance_Create(
         }
 
         called_Initialize = CK_TRUE;
     }
 
     if (mdInstance->ModuleHandlesSessionObjects) {
         fwInstance->moduleHandlesSessionObjects =
             mdInstance->ModuleHandlesSessionObjects(mdInstance, fwInstance);
-    } else {
+    }
+    else {
         fwInstance->moduleHandlesSessionObjects = CK_FALSE;
     }
 
     if (!mdInstance->GetNSlots) {
         /* That routine is required */
         *pError = CKR_GENERAL_ERROR;
         goto loser;
     }
@@ -871,17 +874,18 @@ nssCKFWInstance_GetCryptokiVersion(
         (0 != fwInstance->cryptokiVersion.minor)) {
         rv = fwInstance->cryptokiVersion;
         goto done;
     }
 
     if (fwInstance->mdInstance->GetCryptokiVersion) {
         fwInstance->cryptokiVersion = fwInstance->mdInstance->GetCryptokiVersion(
             fwInstance->mdInstance, fwInstance);
-    } else {
+    }
+    else {
         fwInstance->cryptokiVersion.major = 2;
         fwInstance->cryptokiVersion.minor = 1;
     }
 
     rv = fwInstance->cryptokiVersion;
 
 done:
     (void)nssCKFWMutex_Unlock(fwInstance->mutex);
@@ -917,17 +921,18 @@ nssCKFWInstance_GetManufacturerID(
 
     if (!fwInstance->manufacturerID) {
         if (fwInstance->mdInstance->GetManufacturerID) {
             fwInstance->manufacturerID = fwInstance->mdInstance->GetManufacturerID(
                 fwInstance->mdInstance, fwInstance, &error);
             if ((!fwInstance->manufacturerID) && (CKR_OK != error)) {
                 goto done;
             }
-        } else {
+        }
+        else {
             fwInstance->manufacturerID = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwInstance->manufacturerID, (char *)manufacturerID, 32, ' ');
     error = CKR_OK;
 
 done:
@@ -982,17 +987,18 @@ nssCKFWInstance_GetLibraryDescription(
 
     if (!fwInstance->libraryDescription) {
         if (fwInstance->mdInstance->GetLibraryDescription) {
             fwInstance->libraryDescription = fwInstance->mdInstance->GetLibraryDescription(
                 fwInstance->mdInstance, fwInstance, &error);
             if ((!fwInstance->libraryDescription) && (CKR_OK != error)) {
                 goto done;
             }
-        } else {
+        }
+        else {
             fwInstance->libraryDescription = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwInstance->libraryDescription, (char *)libraryDescription, 32, ' ');
     error = CKR_OK;
 
 done:
@@ -1026,17 +1032,18 @@ nssCKFWInstance_GetLibraryVersion(
         (0 != fwInstance->libraryVersion.minor)) {
         rv = fwInstance->libraryVersion;
         goto done;
     }
 
     if (fwInstance->mdInstance->GetLibraryVersion) {
         fwInstance->libraryVersion = fwInstance->mdInstance->GetLibraryVersion(
             fwInstance->mdInstance, fwInstance);
-    } else {
+    }
+    else {
         fwInstance->libraryVersion.major = 0;
         fwInstance->libraryVersion.minor = 3;
     }
 
     rv = fwInstance->libraryVersion;
 done:
     (void)nssCKFWMutex_Unlock(fwInstance->mutex);
     return rv;
--- a/security/nss/lib/ckfw/nssmkey/manchor.c
+++ b/security/nss/lib/ckfw/nssmkey/manchor.c
@@ -8,10 +8,10 @@
  * This file "anchors" the actual cryptoki entry points in this module's
  * shared library, which is required for dynamic loading.  See the
  * comments in nssck.api for more information.
  */
 
 #include "ckmk.h"
 
 #define MODULE_NAME ckmk
-#define INSTANCE_NAME (NSSCKMDInstance *)&nss_ckmk_mdInstance
+#define INSTANCE_NAME (NSSCKMDInstance *) & nss_ckmk_mdInstance
 #include "nssck.api"
--- a/security/nss/lib/ckfw/nssmkey/mfind.c
+++ b/security/nss/lib/ckfw/nssmkey/mfind.c
@@ -105,17 +105,18 @@ ckmk_attrmatch(
         }
         return CK_FALSE;
     }
 
     prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
 
     if (PR_TRUE == prb) {
         return CK_TRUE;
-    } else {
+    }
+    else {
         return CK_FALSE;
     }
 }
 
 static CK_BBOOL
 ckmk_match(
     CK_ATTRIBUTE_PTR pTemplate,
     CK_ULONG ulAttributeCount,
@@ -130,33 +131,35 @@ ckmk_match(
     }
 
     /* Every attribute passed */
     return CK_TRUE;
 }
 
 #define CKMK_ITEM_CHUNK 20
 
-#define PUT_OBJECT(obj, err, size, count, list)                             \
-    {                                                                       \
-        if (count >= size) {                                                \
-            (list) = (list) ? nss_ZREALLOCARRAY(list, ckmkInternalObject *, \
-                                                ((size) +                   \
-                                                 CKMK_ITEM_CHUNK))          \
-                            : nss_ZNEWARRAY(NULL, ckmkInternalObject *,     \
-                                            ((size) +                       \
-                                             CKMK_ITEM_CHUNK));             \
-            if ((ckmkInternalObject **)NULL == list) {                      \
-                err = CKR_HOST_MEMORY;                                      \
-                goto loser;                                                 \
-            }                                                               \
-            (size) += CKMK_ITEM_CHUNK;                                      \
-        }                                                                   \
-        (list)[count] = (obj);                                              \
-        count++;                                                            \
+#define PUT_OBJECT(obj, err, size, count, list)                           \
+    {                                                                     \
+        if (count >= size) {                                              \
+            (list) = (list) ?                                             \
+                            nss_ZREALLOCARRAY(list, ckmkInternalObject *, \
+                                              ((size) +                   \
+                                               CKMK_ITEM_CHUNK))          \
+                            :                                             \
+                            nss_ZNEWARRAY(NULL, ckmkInternalObject *,     \
+                                          ((size) +                       \
+                                           CKMK_ITEM_CHUNK));             \
+            if ((ckmkInternalObject **)NULL == list) {                    \
+                err = CKR_HOST_MEMORY;                                    \
+                goto loser;                                               \
+            }                                                             \
+            (size) += CKMK_ITEM_CHUNK;                                    \
+        }                                                                 \
+        (list)[count] = (obj);                                            \
+        count++;                                                          \
     }
 
 /* find all the certs that represent the appropriate object (cert, priv key, or
  *  pub key) in the cert store.
  */
 static PRUint32
 collect_class(
     CK_OBJECT_CLASS objClass,
@@ -193,17 +196,18 @@ collect_class(
         next->u.item.itemRef = itemRef;
         next->u.item.itemClass = itemClass;
 
         /* see if this is one of the objects we are looking for */
         if (CK_TRUE == ckmk_match(pTemplate, ulAttributeCount, next)) {
             /* yes, put it on the list */
             PUT_OBJECT(next, *pError, *sizep, count, *listp);
             next = NULL; /* this one is on the list, need to allocate a new one now */
-        } else {
+        }
+        else {
             /* no , release the current item and clear out the structure for reuse */
             CFRelease(itemRef);
             /* don't cache the values we just loaded */
             nsslibc_memset(next, 0, sizeof(*next));
         }
     }
 loser:
     if (searchRef) {
--- a/security/nss/lib/ckfw/nssmkey/mobject.c
+++ b/security/nss/lib/ckfw/nssmkey/mobject.c
@@ -317,17 +317,18 @@ ckmk_encodeInt(NSSItem *dest, void *src,
     encLen = 1 + lenLen + dataLen;
     data = nss_ZNEWARRAY(NULL, unsigned char, encLen);
     if ((unsigned char *)NULL == data) {
         return CKR_HOST_MEMORY;
     }
     data[0] = DER_INTEGER;
     if (1 == lenLen) {
         data[1] = dataLen;
-    } else {
+    }
+    else {
         data[1] = 0x80 + lenLen;
         for (i = 0; i < lenLen; i++) {
             data[i + 1] = ((dataLen >> ((lenLen -
                                          i - 1) *
                                         8)) &
                            0xff);
         }
     }
@@ -499,17 +500,17 @@ loser:
 #define CKMK_HANDLE_ITEM(func, io, type, loc, item, error, str) \
     if (0 == (item)->loc.size) {                                \
         error = func(io, type, &(item)->loc, str);              \
     }                                                           \
     return (CKR_OK == (error)) ? &(item)->loc : NULL;
 
 #define CKMK_HANDLE_OPT_ITEM(func, io, type, loc, item, error, str) \
     if (0 == (item)->loc.size) {                                    \
-        (void)func(io, type, &(item)->loc, str);                    \
+        (void) func(io, type, &(item)->loc, str);                   \
     }                                                               \
     return &(item)->loc;
 
 #define CKMK_HANDLE_BOOL_ITEM(io, type, loc, item, error, str) \
     CKMK_HANDLE_ITEM(ckmk_GetBoolAttribute, io, type, loc, item, error, str)
 #define CKMK_HANDLE_DATA_ITEM(io, type, loc, item, error, str) \
     CKMK_HANDLE_ITEM(ckmk_GetDataAttribute, io, type, loc, item, error, str)
 #define CKMK_HANDLE_OPT_DATA_ITEM(io, type, loc, item, error, str) \
@@ -522,17 +523,18 @@ static void
 ckmk_FetchHashKey(
     ckmkInternalObject *io)
 {
     NSSItem *key = &io->hashKey;
 
     if (io->objClass == CKO_CERTIFICATE) {
         ckmk_GetCommonAttribute(io, kSecCertEncodingItemAttr,
                                 PR_TRUE, key, "Fetching HashKey (cert)");
-    } else {
+    }
+    else {
         ckmk_GetCommonAttribute(io, kSecKeyLabel,
                                 PR_FALSE, key, "Fetching HashKey (key)");
     }
 }
 
 /*
  * Apple mucks with the actual subject and issuer, so go fetch
  * the real ones ourselves.
@@ -985,17 +987,18 @@ ckmk_mdObject_GetAttributeTypes(
         mdObject, fwObject, mdSession, fwSession,
         mdToken, fwToken, mdInstance, fwInstance, &error);
 
     if (size != ulCount) {
         return CKR_BUFFER_TOO_SMALL;
     }
     if (io->type == ckmkRaw) {
         attrs = io->u.raw.types;
-    } else
+    }
+    else
         switch (io->objClass) {
             case CKO_CERTIFICATE:
                 attrs =
                     certAttrs;
                 break;
             case CKO_PUBLIC_KEY:
                 attrs =
                     pubKeyAttrs;
@@ -1176,17 +1179,18 @@ nss_ckmk_CreateMDObject(
 
         if (key->size == 0) {
             ckmk_FetchHashKey(io);
         }
         old_o = (ckmkInternalObject *)
             nssHash_Lookup(ckmkInternalObjectHash, key);
         if (!old_o) {
             nssHash_Add(ckmkInternalObjectHash, key, io);
-        } else if (old_o != io) {
+        }
+        else if (old_o != io) {
             nss_ckmk_DestroyInternalObject(io);
             io = old_o;
         }
     }
 
     if ((void *)NULL == io->mdObject.etc) {
         (void)nsslibc_memcpy(&io->mdObject, &ckmk_prototype_mdObject,
                              sizeof(ckmk_prototype_mdObject));
@@ -1776,17 +1780,18 @@ nss_ckmk_CreatePrivateKey(
         itemdump("key id: ", keyID.data, keyID.size, error);
 #endif
     }
     nickname = nss_ckmk_GetStringAttribute(CKA_LABEL, pTemplate,
                                            ulAttributeCount, &error);
     if (nickname) {
         ckmk_updateAttribute(itemRef, kSecKeyPrintName, nickname,
                              strlen(nickname) + 1, "Modify Key Label");
-    } else {
+    }
+    else {
 #define DEFAULT_NICKNAME "NSS Imported Key"
         ckmk_updateAttribute(itemRef, kSecKeyPrintName, DEFAULT_NICKNAME,
                              sizeof(DEFAULT_NICKNAME), "Modify Key Label");
     }
 
     io = nss_ckmk_NewInternalObject(CKO_PRIVATE_KEY, itemRef,
                                     CSSM_DL_DB_RECORD_PRIVATE_KEY, pError);
     if ((ckmkInternalObject *)NULL == io) {
@@ -1842,20 +1847,22 @@ nss_ckmk_CreateObject(
     if (objClass == CKO_PUBLIC_KEY) {
         return CKR_OK; /* fake public key creation, happens as a side effect of
                         * private key creation */
     }
 #endif
     if (objClass == CKO_CERTIFICATE) {
         io = nss_ckmk_CreateCertificate(fwSession, pTemplate,
                                         ulAttributeCount, pError);
-    } else if (objClass == CKO_PRIVATE_KEY) {
+    }
+    else if (objClass == CKO_PRIVATE_KEY) {
         io = nss_ckmk_CreatePrivateKey(fwSession, pTemplate,
                                        ulAttributeCount, pError);
-    } else {
+    }
+    else {
         *pError = CKR_ATTRIBUTE_VALUE_INVALID;
     }
 
     if ((ckmkInternalObject *)NULL == io) {
         return (NSSCKMDObject *)NULL;
     }
     return nss_ckmk_CreateMDObject(NULL, io, pError);
 }
--- a/security/nss/lib/ckfw/object.c
+++ b/security/nss/lib/ckfw/object.c
@@ -579,35 +579,38 @@ nssCKFWObject_GetAttribute(
     }
 
     if (!itemOpt) {
         rv = nss_ZNEW(arenaOpt, NSSItem);
         if (!rv) {
             *pError = CKR_HOST_MEMORY;
             goto done;
         }
-    } else {
+    }
+    else {
         rv = itemOpt;
     }
 
     if (!rv->data) {
         rv->size = mdItem.item->size;
         rv->data = nss_ZAlloc(arenaOpt, rv->size);
         if (!rv->data) {
             *pError = CKR_HOST_MEMORY;
             if (!itemOpt) {
                 nss_ZFreeIf(rv);
             }
             rv = (NSSItem *)NULL;
             goto done;
         }
-    } else {
+    }
+    else {
         if (rv->size >= mdItem.item->size) {
             rv->size = mdItem.item->size;
-        } else {
+        }
+        else {
             *pError = CKR_BUFFER_TOO_SMALL;
             /* Should we set rv->size to mdItem->size? */
             /* rv can't have been allocated */
             rv = (NSSItem *)NULL;
             goto done;
         }
     }
 
@@ -706,33 +709,35 @@ nssCKFWObject_SetAttribute(
          */
 
         if (CK_FALSE == *(CK_BBOOL *)value->data) {
             /*
              * New one is a session object, except since we "stole" the fwObject, it's
              * not in the list.  Add it.
              */
             nssCKFWSession_RegisterSessionObject(fwSession, fwObject);
-        } else {
+        }
+        else {
             /*
              * New one is a token object, except since we "stole" the fwObject, it's
              * in the list.  Remove it.
              */
             if (fwObject->fwSession) {
                 nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
             }
         }
 
         /*
          * Now delete the old object.  Remember the names have changed.
          */
         nssCKFWObject_Destroy(newFwObject);
 
         return CKR_OK;
-    } else {
+    }
+    else {
         /*
          * An "ordinary" change.
          */
         if (!fwObject->mdObject->SetAttribute) {
             /* We could fake it with copying, like above.. later */
             return CKR_ATTRIBUTE_READ_ONLY;
         }
 
--- a/security/nss/lib/ckfw/session.c
+++ b/security/nss/lib/ckfw/session.c
@@ -691,17 +691,18 @@ nssCKFWSession_Login(
                 break;
             case CKS_RW_USER_FUNCTIONS:
                 return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
             case CKS_RW_SO_FUNCTIONS:
                 return CKR_USER_ALREADY_LOGGED_IN;
             default:
                 return CKR_GENERAL_ERROR;
         }
-    } else /* CKU_USER == userType */ {
+    }
+    else /* CKU_USER == userType */ {
         switch (oldState) {
             case CKS_RO_PUBLIC_SESSION:
                 newState =
                     CKS_RO_USER_FUNCTIONS;
                 break;
             case CKS_RO_USER_FUNCTIONS:
                 return CKR_USER_ALREADY_LOGGED_IN;
             case CKS_RW_PUBLIC_SESSION:
@@ -726,17 +727,18 @@ nssCKFWSession_Login(
      */
 
     if (!fwSession->mdSession->Login) {
         /*
          * The Module doesn't want to be informed (or check the pin)
          * it'll just rely on the Framework as needed.
          */
         ;
-    } else {
+    }
+    else {
         error = fwSession->mdSession->Login(fwSession->mdSession, fwSession,
                                             fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
                                             fwSession->fwInstance, userType, pin, oldState, newState);
         if (CKR_OK != error) {
             return error;
         }
     }
 
@@ -795,17 +797,18 @@ nssCKFWSession_Logout(
      * Old == CKS_RO_USER_FUNCTIONS, New == CKS_RO_PUBLIC_SESSION;
      */
 
     if (!fwSession->mdSession->Logout) {
         /*
          * The Module doesn't want to be informed.  Okay.
          */
         ;
-    } else {
+    }
+    else {
         error = fwSession->mdSession->Logout(fwSession->mdSession, fwSession,
                                              fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
                                              fwSession->fwInstance, oldState, newState);
         if (CKR_OK != error) {
             /*
              * Now what?!  A failure really should end up with the Framework
              * considering it logged out, right?
              */
@@ -1115,23 +1118,25 @@ nssCKFWSession_SetOperationState(
         return CKR_GENERAL_ERROR;
     }
 
     s.size = state->size - 2 * sizeof(CK_ULONG);
     s.data = (void *)&ulBuffer[2];
 
     if (encryptionKey) {
         mdek = nssCKFWObject_GetMDObject(encryptionKey);
-    } else {
+    }
+    else {
         mdek = (NSSCKMDObject *)NULL;
     }
 
     if (authenticationKey) {
         mdak = nssCKFWObject_GetMDObject(authenticationKey);
-    } else {
+    }
+    else {
         mdak = (NSSCKMDObject *)NULL;
     }
 
     error = fwSession->mdSession->SetOperationState(fwSession->mdSession,
                                                     fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
                                                     fwSession->fwInstance, &s, mdek, encryptionKey, mdak, authenticationKey);
 
     if (CKR_OK != error) {
@@ -1154,17 +1159,18 @@ nss_attributes_form_token_object(
     CK_BBOOL rv;
 
     for (i = 0; i < ulAttributeCount; i++) {
         if (CKA_TOKEN == pTemplate[i].type) {
             /* If we sanity-check, we can remove this sizeof check */
             if (sizeof(CK_BBOOL) == pTemplate[i].ulValueLen) {
                 (void)nsslibc_memcpy(&rv, pTemplate[i].pValue, sizeof(CK_BBOOL));
                 return rv;
-            } else {
+            }
+            else {
                 return CK_FALSE;
             }
         }
     }
 
     return CK_FALSE;
 }
 
@@ -1222,17 +1228,18 @@ nssCKFWSession_CreateObject(
         if (!arena) {
             if (CKR_OK == *pError) {
                 *pError = CKR_GENERAL_ERROR;
             }
             return (NSSCKFWObject *)NULL;
         }
 
         goto callmdcreateobject;
-    } else {
+    }
+    else {
         /* === SESSION OBJECT === */
 
         arena = nssCKFWSession_GetArena(fwSession, pError);
         if (!arena) {
             if (CKR_OK == *pError) {
                 *pError = CKR_GENERAL_ERROR;
             }
             return (NSSCKFWObject *)NULL;
@@ -1243,17 +1250,18 @@ nssCKFWSession_CreateObject(
             /* --- module handles the session object -- */
 
             if (!fwSession->mdSession->CreateObject) {
                 *pError = CKR_GENERAL_ERROR;
                 return (NSSCKFWObject *)NULL;
             }
 
             goto callmdcreateobject;
-        } else {
+        }
+        else {
             /* --- framework handles the session object -- */
             mdObject = nssCKMDSessionObject_Create(fwSession->fwToken,
                                                    arena, pTemplate, ulAttributeCount, pError);
             goto gotmdobject;
         }
     }
 
 callmdcreateobject:
@@ -1266,18 +1274,20 @@ gotmdobject:
     if (!mdObject) {
         if (CKR_OK == *pError) {
             *pError = CKR_GENERAL_ERROR;
         }
         return (NSSCKFWObject *)NULL;
     }
 
     fwObject = nssCKFWObject_Create(arena, mdObject,
-                                    isTokenObject ? NULL
-                                                  : fwSession,
+                                    isTokenObject ?
+                                                  NULL
+                                                  :
+                                                  fwSession,
                                     fwSession->fwToken, fwSession->fwInstance, pError);
     if (!fwObject) {
         if (CKR_OK == *pError) {
             *pError = CKR_GENERAL_ERROR;
         }
 
         if (mdObject->Destroy) {
             (void)mdObject->Destroy(mdObject, (NSSCKFWObject *)NULL,
@@ -1372,17 +1382,18 @@ nssCKFWSession_CopyObject(
         NSSArena *arena;
         NSSCKMDObject *mdOldObject;
         NSSCKMDObject *mdObject;
 
         mdOldObject = nssCKFWObject_GetMDObject(fwObject);
 
         if (CK_TRUE == newIsToken) {
             arena = nssCKFWToken_GetArena(fwSession->fwToken, pError);
-        } else {
+        }
+        else {
             arena = nssCKFWSession_GetArena(fwSession, pError);
         }
         if (!arena) {
             if (CKR_OK == *pError) {
                 *pError = CKR_GENERAL_ERROR;
             }
             return (NSSCKFWObject *)NULL;
         }
@@ -1394,32 +1405,35 @@ nssCKFWSession_CopyObject(
         if (!mdObject) {
             if (CKR_OK == *pError) {
                 *pError = CKR_GENERAL_ERROR;
             }
             return (NSSCKFWObject *)NULL;
         }
 
         rv = nssCKFWObject_Create(arena, mdObject,
-                                  newIsToken ? NULL
-                                             : fwSession,
+                                  newIsToken ?
+                                             NULL
+                                             :
+                                             fwSession,
                                   fwSession->fwToken, fwSession->fwInstance, pError);
 
         if (CK_FALSE == newIsToken) {
             if (CK_FALSE == nssCKFWHash_Exists(fwSession->sessionObjectHash, rv)) {
                 *pError = nssCKFWHash_Add(fwSession->sessionObjectHash, rv, rv);
                 if (CKR_OK != *pError) {
                     nssCKFWObject_Finalize(rv, PR_TRUE);
                     return (NSSCKFWObject *)NULL;
                 }
             }
         }
 
         return rv;
-    } else {
+    }
+    else {
         /* use create object */
         NSSArena *tmpArena;
         CK_ATTRIBUTE_PTR newTemplate;
         CK_ULONG i, j, n, newLength, k;
         CK_ATTRIBUTE_TYPE_PTR oldTypes;
         NSSCKFWObject *rv;
 
         n = nssCKFWObject_GetAttributeCount(fwObject, pError);
@@ -1474,17 +1488,18 @@ nssCKFWSession_CopyObject(
         k = 0;
         for (j = 0; j < n; j++) {
             for (i = 0; i < ulAttributeCount; i++) {
                 if (oldTypes[j] == pTemplate[i].type) {
                     if ((CK_VOID_PTR)NULL ==
                         pTemplate[i].pValue) {
                         /* This attribute is being deleted */
                         ;
-                    } else {
+                    }
+                    else {
                         /* This attribute is being replaced */
                         newTemplate[k].type =
                             pTemplate[i].type;
                         newTemplate[k].pValue =
                             pTemplate[i].pValue;
                         newTemplate[k].ulValueLen =
                             pTemplate[i].ulValueLen;
                         k++;
@@ -1591,17 +1606,18 @@ nssCKFWSession_FindObjectsInit(
                         goto wrap;
                     }
 
                     mdfo1 =
                         fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
                                                               fwSession, fwSession->mdToken, fwSession->fwToken,
                                                               fwSession->mdInstance, fwSession->fwInstance,
                                                               pTemplate, ulAttributeCount, pError);
-                } else {
+                }
+                else {
                     /* Do the search ourselves */
                     mdfo1 =
                         nssCKMDFindSessionObjects_Create(fwSession->fwToken,
                                                          pTemplate, ulAttributeCount, pError);
                 }
 
                 if (!mdfo1) {
                     if (CKR_OK ==
@@ -1644,17 +1660,18 @@ nssCKFWSession_FindObjectsInit(
                                  fwSession->mdInstance, fwSession->fwInstance);
                 }
                 return (NSSCKFWFindObjects *)NULL;
             }
 
             goto wrap;
         }
         /*NOTREACHED*/
-    } else {
+    }
+    else {
         /* Module handles all its own objects.  Pass on to module's search */
         mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
                                                       fwSession, fwSession->mdToken, fwSession->fwToken,
                                                       fwSession->mdInstance, fwSession->fwInstance,
                                                       pTemplate, ulAttributeCount, pError);
 
         if (!mdfo1) {
             if (CKR_OK == *pError) {
@@ -1744,17 +1761,18 @@ nssCKFWSession_GetRandom(
     if (!fwSession->mdSession) {
         return CKR_GENERAL_ERROR;
     }
 #endif /* NSSDEBUG */
 
     if (!fwSession->mdSession->GetRandom) {
         if (CK_TRUE == nssCKFWToken_GetHasRNG(fwSession->fwToken)) {
             return CKR_GENERAL_ERROR;
-        } else {
+        }
+        else {
             return CKR_RANDOM_NO_RNG;
         }
     }
 
     if (0 == buffer->size) {
         return CKR_OK;
     }
 
@@ -1857,17 +1875,18 @@ nssCKFWSession_Final(
     }
 
     /* handle buffer issues, note for Verify, the type is an input buffer. */
     if (NSSCKFWCryptoOperationType_Verify == type) {
         if ((CK_BYTE_PTR)NULL == outBuf) {
             error = CKR_ARGUMENTS_BAD;
             goto done;
         }
-    } else {
+    }
+    else {
         CK_ULONG len = nssCKFWCryptoOperation_GetFinalLength(fwOperation, &error);
         CK_ULONG maxBufLen = *outBufLen;
 
         if (CKR_OK != error) {
             goto done;
         }
         *outBufLen = len;
         if ((CK_BYTE_PTR)NULL == outBuf) {
@@ -2103,23 +2122,26 @@ nssCKFWSession_UpdateFinal(
                                 (NSSCKFWCryptoOperationType_Decrypt == type));
 
     /* handle buffer issues, note for Verify, the type is an input buffer. */
     if (NSSCKFWCryptoOperationType_Verify == type) {
         if ((CK_BYTE_PTR)NULL == outBuf) {
             error = CKR_ARGUMENTS_BAD;
             goto done;
         }
-    } else {
+    }
+    else {
         CK_ULONG maxBufLen = *outBufLen;
         CK_ULONG len;
 
-        len = (isEncryptDecrypt) ? nssCKFWCryptoOperation_GetOperationLength(fwOperation,
-                                                                             &inputBuffer, &error)
-                                 : nssCKFWCryptoOperation_GetFinalLength(fwOperation, &error);
+        len = (isEncryptDecrypt) ?
+                                 nssCKFWCryptoOperation_GetOperationLength(fwOperation,
+                                                                           &inputBuffer, &error)
+                                 :
+                                 nssCKFWCryptoOperation_GetFinalLength(fwOperation, &error);
 
         if (CKR_OK != error) {
             goto done;
         }
 
         *outBufLen = len;
         if ((CK_BYTE_PTR)NULL == outBuf) {
             return CKR_OK;
@@ -2132,18 +2154,20 @@ nssCKFWSession_UpdateFinal(
     outputBuffer.data = outBuf;
     outputBuffer.size = *outBufLen;
 
     error = nssCKFWCryptoOperation_UpdateFinal(fwOperation,
                                                &inputBuffer, &outputBuffer);
 
     /* UpdateFinal isn't support, manually use Update and Final */
     if (CKR_FUNCTION_FAILED == error) {
-        error = isEncryptDecrypt ? nssCKFWCryptoOperation_Update(fwOperation, &inputBuffer, &outputBuffer)
-                                 : nssCKFWCryptoOperation_DigestUpdate(fwOperation, &inputBuffer);
+        error = isEncryptDecrypt ?
+                                 nssCKFWCryptoOperation_Update(fwOperation, &inputBuffer, &outputBuffer)
+                                 :
+                                 nssCKFWCryptoOperation_DigestUpdate(fwOperation, &inputBuffer);
 
         if (CKR_OK == error) {
             error = nssCKFWCryptoOperation_Final(fwOperation, &outputBuffer);
         }
     }
 
 done:
     if (CKR_BUFFER_TOO_SMALL == error) {
--- a/security/nss/lib/ckfw/sessobj.c
+++ b/security/nss/lib/ckfw/sessobj.c
@@ -789,17 +789,18 @@ items_match(
     CK_ULONG ulValueLen)
 {
     if (a->size != ulValueLen) {
         return CK_FALSE;
     }
 
     if (PR_TRUE == nsslibc_memequal(a->data, pValue, ulValueLen, (PRStatus *)NULL)) {
         return CK_TRUE;
-    } else {
+    }
+    else {
         return CK_FALSE;
     }
 }
 
 /*
  * Our hashtable iterator
  */
 static void
@@ -820,17 +821,18 @@ findfcn(
 
     for (i = 0; i < mdfso->ulCount; i++) {
         CK_ATTRIBUTE_PTR p = &mdfso->pTemplate[i];
 
         for (j = 0; j < mdso->n; j++) {
             if (mdso->types[j] == p->type) {
                 if (!items_match(&mdso->attributes[j], p->pValue, p->ulValueLen)) {
                     return;
-                } else {
+                }
+                else {
                     break;
                 }
             }
         }
 
         if (j == mdso->n) {
             /* Attribute not found */
             return;
--- a/security/nss/lib/ckfw/slot.c
+++ b/security/nss/lib/ckfw/slot.c
@@ -331,17 +331,18 @@ nssCKFWSlot_GetSlotDescription(
     if (!fwSlot->slotDescription) {
         if (fwSlot->mdSlot->GetSlotDescription) {
             fwSlot->slotDescription = fwSlot->mdSlot->GetSlotDescription(
                 fwSlot->mdSlot, fwSlot, fwSlot->mdInstance,
                 fwSlot->fwInstance, &error);
             if ((!fwSlot->slotDescription) && (CKR_OK != error)) {
                 goto done;
             }
-        } else {
+        }
+        else {
             fwSlot->slotDescription = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwSlot->slotDescription, (char *)slotDescription, 64, ' ');
     error = CKR_OK;
 
 done:
@@ -379,17 +380,18 @@ nssCKFWSlot_GetManufacturerID(
     if (!fwSlot->manufacturerID) {
         if (fwSlot->mdSlot->GetManufacturerID) {
             fwSlot->manufacturerID = fwSlot->mdSlot->GetManufacturerID(
                 fwSlot->mdSlot, fwSlot, fwSlot->mdInstance,
                 fwSlot->fwInstance, &error);
             if ((!fwSlot->manufacturerID) && (CKR_OK != error)) {
                 goto done;
             }
-        } else {
+        }
+        else {
             fwSlot->manufacturerID = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwSlot->manufacturerID, (char *)manufacturerID, 32, ' ');
     error = CKR_OK;
 
 done:
@@ -489,17 +491,18 @@ nssCKFWSlot_GetHardwareVersion(
         (0 != fwSlot->hardwareVersion.minor)) {
         rv = fwSlot->hardwareVersion;
         goto done;
     }
 
     if (fwSlot->mdSlot->GetHardwareVersion) {
         fwSlot->hardwareVersion = fwSlot->mdSlot->GetHardwareVersion(
             fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance);
-    } else {
+    }
+    else {
         fwSlot->hardwareVersion.major = 0;
         fwSlot->hardwareVersion.minor = 1;
     }
 
     rv = fwSlot->hardwareVersion;
 done:
     (void)nssCKFWMutex_Unlock(fwSlot->mutex);
     return rv;
@@ -531,17 +534,18 @@ nssCKFWSlot_GetFirmwareVersion(
         (0 != fwSlot->firmwareVersion.minor)) {
         rv = fwSlot->firmwareVersion;
         goto done;
     }
 
     if (fwSlot->mdSlot->GetFirmwareVersion) {
         fwSlot->firmwareVersion = fwSlot->mdSlot->GetFirmwareVersion(
             fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance);
-    } else {
+    }
+    else {
         fwSlot->firmwareVersion.major = 0;
         fwSlot->firmwareVersion.minor = 1;
     }
 
     rv = fwSlot->firmwareVersion;
 done:
     (void)nssCKFWMutex_Unlock(fwSlot->mutex);
     return rv;
@@ -588,17 +592,18 @@ nssCKFWSlot_GetToken(
             if (CKR_OK == *pError) {
                 *pError = CKR_GENERAL_ERROR;
             }
             return (NSSCKFWToken *)NULL;
         }
 
         fwToken = nssCKFWToken_Create(fwSlot, mdToken, pError);
         fwSlot->fwToken = fwToken;
-    } else {
+    }
+    else {
         fwToken = fwSlot->fwToken;
     }
 
 done:
     (void)nssCKFWMutex_Unlock(fwSlot->mutex);
     return fwToken;
 }
 
--- a/security/nss/lib/ckfw/token.c
+++ b/security/nss/lib/ckfw/token.c
@@ -493,17 +493,18 @@ nssCKFWToken_InitToken(
     if (!fwToken->mdToken->InitToken) {
         error = CKR_DEVICE_ERROR;
         goto done;
     }
 
     if (!pin) {
         if (nssCKFWToken_GetHasProtectedAuthenticationPath(fwToken)) {
             ; /* okay */
-        } else {
+        }
+        else {
             error = CKR_PIN_INCORRECT;
             goto done;
         }
     }
 
     if (!label) {
         label = (NSSUTF8 *)"";
     }
@@ -545,17 +546,18 @@ nssCKFWToken_GetLabel(
 
     if (!fwToken->label) {
         if (fwToken->mdToken->GetLabel) {
             fwToken->label = fwToken->mdToken->GetLabel(fwToken->mdToken, fwToken,
                                                         fwToken->mdInstance, fwToken->fwInstance, &error);
             if ((!fwToken->label) && (CKR_OK != error)) {
                 goto done;
             }
-        } else {
+        }
+        else {
             fwToken->label = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwToken->label, (char *)label, 32, ' ');
     error = CKR_OK;
 
 done:
@@ -592,17 +594,18 @@ nssCKFWToken_GetManufacturerID(
 
     if (!fwToken->manufacturerID) {
         if (fwToken->mdToken->GetManufacturerID) {
             fwToken->manufacturerID = fwToken->mdToken->GetManufacturerID(fwToken->mdToken,
                                                                           fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
             if ((!fwToken->manufacturerID) && (CKR_OK != error)) {
                 goto done;
             }
-        } else {
+        }
+        else {
             fwToken->manufacturerID = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwToken->manufacturerID, (char *)manufacturerID, 32, ' ');
     error = CKR_OK;
 
 done:
@@ -639,17 +642,18 @@ nssCKFWToken_GetModel(
 
     if (!fwToken->model) {
         if (fwToken->mdToken->GetModel) {
             fwToken->model = fwToken->mdToken->GetModel(fwToken->mdToken, fwToken,
                                                         fwToken->mdInstance, fwToken->fwInstance, &error);
             if ((!fwToken->model) && (CKR_OK != error)) {
                 goto done;
             }
-        } else {
+        }
+        else {
             fwToken->model = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwToken->model, (char *)model, 16, ' ');
     error = CKR_OK;
 
 done:
@@ -686,17 +690,18 @@ nssCKFWToken_GetSerialNumber(
 
     if (!fwToken->serialNumber) {
         if (fwToken->mdToken->GetSerialNumber) {
             fwToken->serialNumber = fwToken->mdToken->GetSerialNumber(fwToken->mdToken,
                                                                       fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
             if ((!fwToken->serialNumber) && (CKR_OK != error)) {
                 goto done;
             }
-        } else {
+        }
+        else {
             fwToken->serialNumber = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwToken->serialNumber, (char *)serialNumber, 16, ' ');
     error = CKR_OK;
 
 done:
@@ -1082,17 +1087,18 @@ nssCKFWToken_GetHardwareVersion(
         (0 != fwToken->hardwareVersion.minor)) {
         rv = fwToken->hardwareVersion;
         goto done;
     }
 
     if (fwToken->mdToken->GetHardwareVersion) {
         fwToken->hardwareVersion = fwToken->mdToken->GetHardwareVersion(
             fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
-    } else {
+    }
+    else {
         fwToken->hardwareVersion.major = 0;
         fwToken->hardwareVersion.minor = 1;
     }
 
     rv = fwToken->hardwareVersion;
 
 done:
     (void)nssCKFWMutex_Unlock(fwToken->mutex);
@@ -1125,17 +1131,18 @@ nssCKFWToken_GetFirmwareVersion(
         (0 != fwToken->firmwareVersion.minor)) {
         rv = fwToken->firmwareVersion;
         goto done;
     }
 
     if (fwToken->mdToken->GetFirmwareVersion) {
         fwToken->firmwareVersion = fwToken->mdToken->GetFirmwareVersion(
             fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
-    } else {
+    }
+    else {
         fwToken->firmwareVersion.major = 0;
         fwToken->firmwareVersion.minor = 1;
     }
 
     rv = fwToken->firmwareVersion;
 
 done:
     (void)nssCKFWMutex_Unlock(fwToken->mutex);
@@ -1206,17 +1213,18 @@ nssCKFWToken_GetUTCTime(
             goto badtime; /* Y3K problem.  heh heh heh */
         if ((M < 1) || (M > 12))
             goto badtime;
         if ((D < 1) || (D > 31))
             goto badtime;
 
         if (D > dims[M - 1])
             goto badtime; /* per-month check */
-        if ((2 == M) && (((Y % 4) || !(Y % 100)) &&
+        if ((2 == M) && (((Y % 4) || !(Y %
+                                       100)) &&
                          (Y % 400)) &&
             (D > 28))
             goto badtime; /* leap years */
 
         if ((h < 0) || (h > 23))
             goto badtime;
         if ((m < 0) || (m > 60))
             goto badtime;
@@ -1279,17 +1287,18 @@ nssCKFWToken_OpenSession(
     }
 
     if (CK_TRUE == rw) {
         /* Read-write session desired */
         if (CK_TRUE == nssCKFWToken_GetIsWriteProtected(fwToken)) {
             *pError = CKR_TOKEN_WRITE_PROTECTED;
             goto done;
         }
-    } else {
+    }
+    else {
         /* Read-only session desired */
         if (CKS_RW_SO_FUNCTIONS == nssCKFWToken_GetSessionState(fwToken)) {
             *pError = CKR_SESSION_READ_WRITE_SO_EXISTS;
             goto done;
         }
     }
 
     /* We could compare sesion counts to any limits we know of, I guess.. */
--- a/security/nss/lib/ckfw/wrap.c
+++ b/security/nss/lib/ckfw/wrap.c
@@ -360,17 +360,18 @@ NSSCKFWC_GetSlotList(
      * A purify error here indicates caller error.
      */
     (void)nsslibc_memset(pSlotList, 0, *pulCount * sizeof(CK_SLOT_ID));
 
     if (*pulCount < nSlots) {
         *pulCount = nSlots;
         error = CKR_BUFFER_TOO_SMALL;
         goto loser;
-    } else {
+    }
+    else {
         CK_ULONG i;
         *pulCount = nSlots;
 
         /*
          * Our secret "mapping": CK_SLOT_IDs are integers [1,N], and we
          * just index one when we need it.
          */
 
@@ -797,17 +798,18 @@ NSSCKFWC_GetMechanismList(
      * A purify error here indicates caller error.
      */
     (void)nsslibc_memset(pMechanismList, 0, *pulCount * sizeof(CK_MECHANISM_TYPE));
 
     *pulCount = count;
 
     if (0 != count) {
         error = nssCKFWToken_GetMechanismTypes(fwToken, pMechanismList);
-    } else {
+    }
+    else {
         error = CKR_OK;
     }
 
     if (CKR_OK == error) {
         return CKR_OK;
     }
 
 loser:
@@ -1091,17 +1093,18 @@ NSSCKFWC_InitPIN(
     fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
     if (!fwSession) {
         error = CKR_SESSION_HANDLE_INVALID;
         goto loser;
     }
 
     if ((CK_CHAR_PTR)CK_NULL_PTR == pPin) {
         arg = (NSSItem *)NULL;
-    } else {
+    }
+    else {
         arg = &pin;
         pin.size = (PRUint32)ulPinLen;
         pin.data = (void *)pPin;
     }
 
     error = nssCKFWSession_InitPIN(fwSession, arg);
     if (CKR_OK != error) {
         goto loser;
@@ -1165,25 +1168,27 @@ NSSCKFWC_SetPIN(
     fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
     if (!fwSession) {
         error = CKR_SESSION_HANDLE_INVALID;
         goto loser;
     }
 
     if ((CK_CHAR_PTR)CK_NULL_PTR == pOldPin) {
         oldArg = (NSSItem *)NULL;
-    } else {
+    }
+    else {
         oldArg = &oldPin;
         oldPin.size = (PRUint32)ulOldLen;
         oldPin.data = (void *)pOldPin;
     }
 
     if ((CK_CHAR_PTR)CK_NULL_PTR == pNewPin) {
         newArg = (NSSItem *)NULL;
-    } else {
+    }
+    else {
         newArg = &newPin;
         newPin.size = (PRUint32)ulNewLen;
         newPin.data = (void *)pNewPin;
     }
 
     error = nssCKFWSession_SetPIN(fwSession, oldArg, newArg);
     if (CKR_OK != error) {
         goto loser;
@@ -1256,23 +1261,25 @@ NSSCKFWC_OpenSession(
 
     if ((slotID < 1) || (slotID > nSlots)) {
         error = CKR_SLOT_ID_INVALID;
         goto loser;
     }
 
     if (flags & CKF_RW_SESSION) {
         rw = CK_TRUE;
-    } else {
+    }
+    else {
         rw = CK_FALSE;
     }
 
     if (flags & CKF_SERIAL_SESSION) {
         ;
-    } else {
+    }
+    else {
         error = CKR_SESSION_PARALLEL_NOT_SUPPORTED;
         goto loser;
     }
 
     if (flags & ~(CKF_RW_SESSION | CKF_SERIAL_SESSION)) {
         error = CKR_ARGUMENTS_BAD;
         goto loser;
     }
@@ -1687,27 +1694,29 @@ NSSCKFWC_SetOperationState(
     fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
     if (!fwSession) {
         error = CKR_SESSION_HANDLE_INVALID;
         goto loser;
     }
 
     if ((CK_OBJECT_HANDLE)0 == hEncryptionKey) {
         eKey = (NSSCKFWObject *)NULL;
-    } else {
+    }
+    else {
         eKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hEncryptionKey);
         if (!eKey) {
             error = CKR_KEY_HANDLE_INVALID;
             goto loser;
         }
     }
 
     if ((CK_OBJECT_HANDLE)0 == hAuthenticationKey) {
         aKey = (NSSCKFWObject *)NULL;
-    } else {
+    }
+    else {
         aKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hAuthenticationKey);
         if (!aKey) {
             error = CKR_KEY_HANDLE_INVALID;
             goto loser;
         }
     }
 
     state.data = pOperationState;
@@ -1773,17 +1782,18 @@ NSSCKFWC_Login(
     fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
     if (!fwSession) {
         error = CKR_SESSION_HANDLE_INVALID;
         goto loser;
     }
 
     if ((CK_CHAR_PTR)CK_NULL_PTR == pPin) {
         arg = (NSSItem *)NULL;
-    } else {
+    }
+    else {
         arg = &pin;
         pin.size = (PRUint32)ulPinLen;
         pin.data = (void *)pPin;
     }
 
     error = nssCKFWSession_Login(fwSession, userType, arg);
     if (CKR_OK != error) {
         goto loser;
@@ -2262,17 +2272,18 @@ NSSCKFWC_GetAttributeValue(
                     break;
                 default:
                     goto loser;
             }
         }
 
         if ((CK_VOID_PTR)CK_NULL_PTR == pTemplate[i].pValue) {
             pTemplate[i].ulValueLen = size;
-        } else {
+        }
+        else {
             NSSItem it, *p;
 
             if (pTemplate[i].ulValueLen < size) {
                 tooSmall = CK_TRUE;
                 continue;
             }
 
             it.size = (PRUint32)pTemplate[i].ulValueLen;
@@ -2301,20 +2312,22 @@ NSSCKFWC_GetAttributeValue(
 
             pTemplate[i].ulValueLen = size;
         }
     }
 
     if (sensitive) {
         error = CKR_ATTRIBUTE_SENSITIVE;
         goto loser;
-    } else if (invalid) {
+    }
+    else if (invalid) {
         error = CKR_ATTRIBUTE_TYPE_INVALID;
         goto loser;
-    } else if (tooSmall) {
+    }
+    else if (tooSmall) {
         error = CKR_BUFFER_TOO_SMALL;
         goto loser;
     }
 
     return CKR_OK;
 
 loser:
     switch (error) {
--- a/security/nss/lib/crmf/challcli.c
+++ b/security/nss/lib/crmf/challcli.c
@@ -177,17 +177,18 @@ loser:
 SECStatus
 CMMF_POPODecKeyChallContentGetRandomNumber(CMMFPOPODecKeyChallContent *inKeyChallCont,
                                            int inIndex,
                                            long *inDest)
 {
     CMMFChallenge *challenge;
 
     PORT_Assert(inKeyChallCont != NULL);
-    if (inKeyChallCont == NULL || inIndex > 0 || inIndex >= inKeyChallCont->numChallenges) {
+    if (inKeyChallCont == NULL || inIndex > 0 || inIndex >=
+                                                     inKeyChallCont->numChallenges) {
         return SECFailure;
     }
     challenge = inKeyChallCont->challenges[inIndex];
     if (challenge->randomNumber.data == NULL) {
         /* There is no random number here, nothing to see. */
         return SECFailure;
     }
     *inDest = DER_GetInteger(&challenge->randomNumber);
--- a/security/nss/lib/crmf/cmmfchal.c
+++ b/security/nss/lib/crmf/cmmfchal.c
@@ -209,17 +209,18 @@ CMMF_POPODecKeyChallContentSetNextChalle
     if (inDecKeyChall->numChallenges >= inDecKeyChall->numAllocated) {
         rv = SECFailure;
         goto loser;
     }
 
     if (inDecKeyChall->numChallenges == 0) {
         rv = cmmf_create_first_challenge(inDecKeyChall, inRandom,
                                          genNameDER, inPubKey, passwdArg);
-    } else {
+    }
+    else {
         curChallenge = PORT_ArenaZNew(poolp, CMMFChallenge);
         if (curChallenge == NULL) {
             rv = SECFailure;
             goto loser;
         }
         rv = cmmf_create_witness_and_challenge(poolp, curChallenge, inRandom,
                                                genNameDER, inPubKey,
                                                passwdArg);
--- a/security/nss/lib/crmf/cmmfrec.c
+++ b/security/nss/lib/crmf/cmmfrec.c
@@ -102,17 +102,18 @@ CMMF_KeyRecRepContentSetCACerts(CMMFKeyR
     if (inKeyRecRep == NULL || inCACerts == NULL) {
         return SECFailure;
     }
     mark = PORT_ArenaMark(inKeyRecRep->poolp);
     rv = cmmf_ExtractCertsFromList(inCACerts, inKeyRecRep->poolp,
                                    &inKeyRecRep->caCerts);
     if (rv != SECSuccess) {
         PORT_ArenaRelease(inKeyRecRep->poolp, mark);
-    } else {
+    }
+    else {
         PORT_ArenaUnmark(inKeyRecRep->poolp, mark);
     }
     return rv;
 }
 
 SECStatus
 CMMF_KeyRecRepContentSetCertifiedKeyPair(CMMFKeyRecRepContent *inKeyRecRep,
                                          CERTCertificate *inCert,
--- a/security/nss/lib/crmf/cmmfresp.c
+++ b/security/nss/lib/crmf/cmmfresp.c
@@ -47,31 +47,33 @@ cmmf_CertOrEncCertSetCertificate(CMMFCer
     SECStatus rv = SECFailure;
 
     if (inCert->derCert.data == NULL) {
         derDest = SEC_ASN1EncodeItem(NULL, NULL, inCert,
                                      CMMFCertOrEncCertCertificateTemplate);
         if (derDest == NULL) {
             goto loser;
         }
-    } else {
+    }
+    else {
         derDest = SECITEM_DupItem(&inCert->derCert);
         if (derDest == NULL) {
             goto loser;
         }
     }
     PORT_Assert(certOrEncCert->cert.certificate == NULL);
     certOrEncCert->cert.certificate = CERT_DupCertificate(inCert);
     certOrEncCert->choice = cmmfCertificate;
     if (poolp != NULL) {
         rv = SECITEM_CopyItem(poolp, &certOrEncCert->derValue, derDest);
         if (rv != SECSuccess) {
             goto loser;
         }
-    } else {
+    }
+    else {
         certOrEncCert->derValue = *derDest;
     }
     PORT_Free(derDest);
     return SECSuccess;
 loser:
     if (derDest != NULL) {
         SECITEM_FreeItem(derDest, PR_TRUE);
     }
@@ -211,17 +213,18 @@ CMMF_CertResponseSetCertificate(CMMFCert
 
     PORT_Assert(inCertResp != NULL && inCertificate != NULL);
     if (inCertResp == NULL || inCertificate == NULL) {
         return SECFailure;
     }
     if (inCertResp->certifiedKeyPair == NULL) {
         keyPair = inCertResp->certifiedKeyPair =
             PORT_ZNew(CMMFCertifiedKeyPair);
-    } else {
+    }
+    else {
         keyPair = inCertResp->certifiedKeyPair;
     }
     if (keyPair == NULL) {
         goto loser;
     }
     rv = cmmf_CertOrEncCertSetCertificate(&keyPair->certOrEncCert, NULL,
                                           inCertificate);
     if (rv != SECSuccess) {
@@ -258,17 +261,18 @@ CMMF_CertRepContentSetCAPubs(CMMFCertRep
     poolp = inCertRepContent->poolp;
     mark = PORT_ArenaMark(poolp);
 
     rv = cmmf_ExtractCertsFromList(inCAPubs, poolp,
                                    &inCertRepContent->caPubs);
 
     if (rv != SECSuccess) {
         PORT_ArenaRelease(poolp, mark);
-    } else {
+    }
+    else {
         PORT_ArenaUnmark(poolp, mark);
     }
     return rv;
 }
 
 CERTCertificate *
 CMMF_CertifiedKeyPairGetCertificate(CMMFCertifiedKeyPair *inCertKeyPair,
                                     CERTCertDBHandle *inCertdb)
--- a/security/nss/lib/crmf/crmfcont.c
+++ b/security/nss/lib/crmf/crmfcont.c
@@ -14,17 +14,18 @@ crmf_modify_control_array(CRMFCertReques
 {
     if (count > 0) {
         void *dummy = PORT_Realloc(inCertReq->controls,
                                    sizeof(CRMFControl *) * (count + 2));
         if (dummy == NULL) {
             return SECFailure;
         }
         inCertReq->controls = dummy;
-    } else {
+    }
+    else {
         inCertReq->controls = PORT_ZNewArray(CRMFControl *, 2);
     }
     return (inCertReq->controls == NULL) ? SECFailure : SECSuccess;
 }
 
 static SECStatus
 crmf_add_new_control(CRMFCertRequest *inCertReq, SECOidTag inTag,
                      CRMFControl **destControl)
@@ -587,17 +588,18 @@ crmf_get_public_value(SECKEYPublicKey *p
         return NULL;
     }
 
     if (dest != NULL) {
         SECStatus rv = SECITEM_CopyItem(NULL, dest, src);
         if (rv != SECSuccess) {
             dest = NULL;
         }
-    } else {
+    }
+    else {
         dest = SECITEM_ArenaDupItem(NULL, src);
     }
     return dest;
 }
 
 static SECItem *
 crmf_decode_params(SECItem *inParams)
 {
@@ -666,17 +668,18 @@ crmf_encrypted_value_unwrap_priv_key(PLA
     oidTag = SECOID_GetAlgorithmTag(encValue->symmAlg);
     wrapMechType = crmf_get_pad_mech_from_tag(oidTag);
     keySize = crmf_get_key_size_from_mech(wrapMechType);
     wrappingKey = PK11_PubUnwrapSymKey(privKey, &encValue->encSymmKey,
                                        wrapMechType, CKA_UNWRAP, keySize);
     if (wrappingKey == NULL) {
         goto loser;
     } /* Make the length a byte length instead of bit length*/
-    params = (encValue->symmAlg != NULL) ? crmf_decode_params(&encValue->symmAlg->parameters)
+    params = (encValue->symmAlg != NULL) ?
+                                         crmf_decode_params(&encValue->symmAlg->parameters)
                                          : NULL;
     origLen = encValue->encValue.len;
     encValue->encValue.len = CRMF_BITS_TO_BYTES(origLen);
     publicValue = crmf_get_public_value(newPubKey, NULL);
     switch (newPubKey->keyType) {
         default:
         case rsaKey:
             keyType = CKK_RSA;
--- a/security/nss/lib/crmf/crmfget.c
+++ b/security/nss/lib/crmf/crmfget.c
@@ -38,18 +38,20 @@ crmf_destroy_validity(CRMFOptionalValidi
 static SECStatus
 crmf_copy_cert_request_validity(PLArenaPool *poolp,
                                 CRMFOptionalValidity **destValidity,
                                 CRMFOptionalValidity *srcValidity)
 {
     CRMFOptionalValidity *myValidity = NULL;
     SECStatus rv;
 
-    *destValidity = myValidity = (poolp == NULL) ? PORT_ZNew(CRMFOptionalValidity)
-                                                 : PORT_ArenaZNew(poolp, CRMFOptionalValidity);
+    *destValidity = myValidity = (poolp == NULL) ?
+                                                 PORT_ZNew(CRMFOptionalValidity)
+                                                 :
+                                                 PORT_ArenaZNew(poolp, CRMFOptionalValidity);
     if (myValidity == NULL) {
         goto loser;
     }
     if (srcValidity->notBefore.data != NULL) {
         rv = SECITEM_CopyItem(poolp, &myValidity->notBefore,
                               &srcValidity->notBefore);
         if (rv != SECSuccess) {
             goto loser;
--- a/security/nss/lib/crmf/crmfpop.c
+++ b/security/nss/lib/crmf/crmfpop.c
@@ -198,17 +198,18 @@ crmf_create_poposignkey(PLArenaPool *poo
         goto loser;
     }
     certReq = inCertReqMsg->certReq;
     useSignKeyInput = !(CRMF_DoesRequestHaveField(certReq, crmfSubject) &&
                         CRMF_DoesRequestHaveField(certReq, crmfPublicKey));
 
     if (useSignKeyInput) {
         goto loser;
-    } else {
+    }
+    else {
         rv = crmf_sign_certreq(poolp, signKey, certReq, inPrivKey, inAlgID);
         if (rv != SECSuccess) {
             goto loser;
         }
     }
     PORT_ArenaUnmark(poolp, mark);
     return SECSuccess;
 loser:
--- a/security/nss/lib/crmf/crmfreq.c
+++ b/security/nss/lib/crmf/crmfreq.c
@@ -346,17 +346,18 @@ crmf_template_add_extensions(PLArenaPool
     SECStatus rv;
     CRMFCertExtension **extArray;
     CRMFCertExtension *newExt, *currExt;
 
     mark = PORT_ArenaMark(poolp);
     if (inTemplate->extensions == NULL) {
         newSize = extensions->numExtensions;
         extArray = PORT_ZNewArray(CRMFCertExtension *, newSize + 1);
-    } else {
+    }
+    else {
         newSize = inTemplate->numExtensions + extensions->numExtensions;
         extArray = PORT_Realloc(inTemplate->extensions,
                                 sizeof(CRMFCertExtension *) * (newSize + 1));
     }
     if (extArray == NULL) {
         goto loser;
     }
     oldSize = inTemplate->numExtensions;
@@ -453,17 +454,18 @@ CRMF_CertRequestSetTemplateField(CRMFCer
             break;
         case crmfExtension:
             rv = crmf_template_add_extensions(poolp, certTemplate,
                                               (CRMFCertExtCreationInfo *)data);
             break;
     }
     if (rv != SECSuccess) {
         PORT_ArenaRelease(poolp, mark);
-    } else {
+    }
+    else {
         PORT_ArenaUnmark(poolp, mark);
     }
     return rv;
 }
 
 SECStatus
 CRMF_CertReqMsgSetCertRequest(CRMFCertReqMsg *inCertReqMsg,
                               CRMFCertRequest *inCertReq)
@@ -544,18 +546,20 @@ crmf_create_cert_extension(PLArenaPool *
     }
 
     rv = SECITEM_CopyItem(poolp, &(newExt->value), data);
     if (rv != SECSuccess) {
         goto loser;
     }
 
     if (isCritical) {
-        newExt->critical.data = (poolp == NULL) ? PORT_New(unsigned char)
-                                                : PORT_ArenaNew(poolp, unsigned char);
+        newExt->critical.data = (poolp == NULL) ?
+                                                PORT_New(unsigned char)
+                                                :
+                                                PORT_ArenaNew(poolp, unsigned char);
         if (newExt->critical.data == NULL) {
             goto loser;
         }
         newExt->critical.data[0] = hexTrue;
         newExt->critical.len = 1;
     }
     return newExt;
 loser:
--- a/security/nss/lib/crmf/respcmn.c
+++ b/security/nss/lib/crmf/respcmn.c
@@ -213,17 +213,18 @@ cmmf_DestroyCertOrEncCert(CMMFCertOrEncC
 
 SECStatus
 cmmf_copy_secitem(PLArenaPool *poolp, SECItem *dest, SECItem *src)
 {
     SECStatus rv;
 
     if (src->data != NULL) {
         rv = SECITEM_CopyItem(poolp, dest, src);
-    } else {
+    }
+    else {
         dest->data = NULL;
         dest->len = 0;
         rv = SECSuccess;
     }
     return rv;
 }
 
 SECStatus
--- a/security/nss/lib/crmf/servget.c
+++ b/security/nss/lib/crmf/servget.c
@@ -351,18 +351,20 @@ crmf_copy_poposigningkey(PLArenaPool *po
 
     /* We don't support use of the POPOSigningKeyInput, so we'll only
      * store away the DER encoding.
      */
     if (inPopoSignKey->derInput.data != NULL) {
         rv = SECITEM_CopyItem(poolp, &destPopoSignKey->derInput,
                               &inPopoSignKey->derInput);
     }
-    destPopoSignKey->algorithmIdentifier = (poolp == NULL) ? PORT_ZNew(SECAlgorithmID)
-                                                           : PORT_ArenaZNew(poolp, SECAlgorithmID);
+    destPopoSignKey->algorithmIdentifier = (poolp == NULL) ?
+                                                           PORT_ZNew(SECAlgorithmID)
+                                                           :
+                                                           PORT_ArenaZNew(poolp, SECAlgorithmID);
 
     if (destPopoSignKey->algorithmIdentifier == NULL) {
         goto loser;
     }
     rv = SECOID_CopyAlgorithmID(poolp, destPopoSignKey->algorithmIdentifier,
                                 inPopoSignKey->algorithmIdentifier);
     if (rv != SECSuccess) {
         goto loser;
@@ -627,17 +629,18 @@ CRMF_CertReqMsgGetPOPOSigningKey(CRMFCer
 static SECStatus
 crmf_copy_name(CERTName *destName, CERTName *srcName)
 {
     PLArenaPool *poolp = NULL;
     SECStatus rv;
 
     if (destName->arena != NULL) {
         poolp = destName->arena;
-    } else {
+    }
+    else {
         poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
     }
     if (poolp == NULL) {
         return SECFailure;
     }
     /* Need to do this so that CERT_CopyName doesn't free out
      * the arena from underneath us.
      */
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -343,17 +343,18 @@ seckey_UpdateCertPQGChain(CERTCertificat
             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST) &&
             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) &&
             (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
             (tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
             (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
 
             return SECSuccess;
         }
-    } else {
+    }
+    else {
         return SECFailure; /* return failure if oid is NULL */
     }
 
     /* if cert has PQG parameters, return success */
 
     subjectSpki = &subjectCert->subjectPublicKeyInfo;
 
     if (subjectSpki->algorithm.parameters.len != 0) {
@@ -387,17 +388,18 @@ seckey_UpdateCertPQGChain(CERTCertificat
             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST) &&
             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) &&
             (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
             (tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
             (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
             rv = SECFailure;
             goto loser;
         }
-    } else {
+    }
+    else {
         rv = SECFailure; /* return failure if oid is NULL */
         goto loser;
     }
 
     /* at this point the subject cert has no pqg parameters and the
      * issuer cert has a DSA public key.  Update the issuer's
      * pqg parameters with a recursive call to this same function. */
 
@@ -474,17 +476,18 @@ seckey_DSADecodePQG(PLArenaPool *arena, 
 
         if (SECSuccess == rv) {
             /* PQG params are in the standard format */
             prepare_pqg_params_for_asn1(&pubk->u.dsa.params);
             rv = SEC_QuickDERDecodeItem(arena, &pubk->u.dsa.params,
                                         SECKEY_PQGParamsTemplate,
                                         &newparams);
         }
-    } else {
+    }
+    else {
 
         if (SECSuccess == rv) {
             /* else the old fortezza-only wrapped format is used. */
             PORT_SetError(SEC_ERROR_BAD_DER);
             rv = SECFailure;
         }
     }
     return rv;
@@ -1072,24 +1075,26 @@ SECKEY_CopyPrivateKey(const SECKEYPrivat
         /* if the key we're referencing was a temparary key we have just
          * created, that we want to go away when we're through, we need
          * to make a copy of it */
         if (privk->pkcs11IsTemp) {
             copyk->pkcs11ID =
                 PK11_CopyKey(privk->pkcs11Slot, privk->pkcs11ID);
             if (copyk->pkcs11ID == CK_INVALID_HANDLE)
                 goto fail;
-        } else {
+        }
+        else {
             copyk->pkcs11ID = privk->pkcs11ID;
         }
         copyk->pkcs11IsTemp = privk->pkcs11IsTemp;
         copyk->wincx = privk->wincx;
         copyk->staticflags = privk->staticflags;
         return copyk;
-    } else {
+    }
+    else {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
     }
 
 fail:
     PORT_FreeArena(arena, PR_FALSE);
     return NULL;
 }
 
@@ -1114,17 +1119,18 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
     }
 
     copyk->arena = arena;
     copyk->keyType = pubk->keyType;
     if (pubk->pkcs11Slot &&
         PK11_IsPermObject(pubk->pkcs11Slot, pubk->pkcs11ID)) {
         copyk->pkcs11Slot = PK11_ReferenceSlot(pubk->pkcs11Slot);
         copyk->pkcs11ID = pubk->pkcs11ID;
-    } else {
+    }
+    else {
         copyk->pkcs11Slot = NULL; /* go get own reference */
         copyk->pkcs11ID = CK_INVALID_HANDLE;
     }
     switch (pubk->keyType) {
         case rsaKey:
             rv = SECITEM_CopyItem(arena, &copyk->u.rsa.modulus,
                                   &pubk->u.rsa.modulus);
             if (rv == SECSuccess) {
@@ -1347,17 +1353,18 @@ seckey_CreateSubjectPublicKeyInfo_helper
                 }
                 break;
             case dhKey: /* later... */
 
                 break;
             default:
                 break;
         }
-    } else {
+    }
+    else {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
     }
 
     PORT_FreeArena(arena, PR_FALSE);
     return NULL;
 }
 
 CERTSubjectPublicKeyInfo *
@@ -1433,17 +1440,18 @@ SECKEY_DecodeDERSubjectPublicKeyInfo(con
            into the DER input, which may get freed by the caller */
         rv = SECITEM_CopyItem(arena, &newSpkider, spkider);
         if (rv == SECSuccess) {
             rv = SEC_QuickDERDecodeItem(arena, spki,
                                         CERT_SubjectPublicKeyInfoTemplate, &newSpkider);
         }
         if (rv == SECSuccess)
             return spki;
-    } else {
+    }
+    else {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
     }
 
     PORT_FreeArena(arena, PR_FALSE);
     return NULL;
 }
 
 /*
@@ -1580,20 +1588,22 @@ SECKEY_DestroyPrivateKeyInfo(SECKEYPriva
             poolp = pvk->arena;
             /* zero structure since PORT_FreeArena does not support
              * this yet.
              */
             PORT_Memset(pvk->privateKey.data, 0, pvk->privateKey.len);
             PORT_Memset(pvk, 0, sizeof(*pvk));
             if (freeit == PR_TRUE) {
                 PORT_FreeArena(poolp, PR_TRUE);
-            } else {
+            }
+            else {
                 pvk->arena = poolp;
             }
-        } else {
+        }
+        else {
             SECITEM_ZfreeItem(&pvk->version, PR_FALSE);
             SECITEM_ZfreeItem(&pvk->privateKey, PR_FALSE);
             SECOID_DestroyAlgorithmID(&pvk->algorithm, PR_FALSE);
             PORT_Memset(pvk, 0, sizeof(*pvk));
             if (freeit == PR_TRUE) {
                 PORT_Free(pvk);
             }
         }
@@ -1611,20 +1621,22 @@ SECKEY_DestroyEncryptedPrivateKeyInfo(SE
             poolp = epki->arena;
             /* zero structure since PORT_FreeArena does not support
              * this yet.
              */
             PORT_Memset(epki->encryptedData.data, 0, epki->encryptedData.len);
             PORT_Memset(epki, 0, sizeof(*epki));
             if (freeit == PR_TRUE) {
                 PORT_FreeArena(poolp, PR_TRUE);
-            } else {
+            }
+            else {
                 epki->arena = poolp;
             }
-        } else {
+        }
+        else {
             SECITEM_ZfreeItem(&epki->encryptedData, PR_FALSE);
             SECOID_DestroyAlgorithmID(&epki->algorithm, PR_FALSE);
             PORT_Memset(epki, 0, sizeof(*epki));
             if (freeit == PR_TRUE) {
                 PORT_Free(epki);
             }
         }
     }
@@ -1895,17 +1907,18 @@ SECKEY_AddPublicKeyToListTail(SECKEYPubl
 
 loser:
     return (SECFailure);
 }
 
 #define SECKEY_CacheAttribute(key, attribute)                                                   \
     if (CK_TRUE == PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE)) { \
         key->staticflags |= SECKEY_##attribute;                                                 \
-    } else {                                                                                    \
+    }                                                                                           \
+    else {                                                                                      \
         key->staticflags &= (~SECKEY_##attribute);                                              \
     }
 
 SECStatus
 SECKEY_CacheStaticFlags(SECKEYPrivateKey *key)
 {
     SECStatus rv = SECFailure;
     if (key && key->pkcs11Slot && key->pkcs11ID) {
--- a/security/nss/lib/cryptohi/secsign.c
+++ b/security/nss/lib/cryptohi/secsign.c
@@ -172,17 +172,18 @@ SGN_End(SGNContext *cx, SECItem *result)
         }
 
         /* Der encode the digest as a DigestInfo */
         rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate,
                         di);
         if (rv != SECSuccess) {
             goto loser;
         }
-    } else {
+    }
+    else {
         digder.data = digest;
         digder.len = part1;
     }
 
     /*
     ** Encrypt signature after constructing appropriate PKCS#1 signature
     ** block
     */
@@ -209,17 +210,18 @@ SGN_End(SGNContext *cx, SECItem *result)
 
     if ((cx->signalg == SEC_OID_ANSIX9_DSA_SIGNATURE) ||
         (cx->signalg == SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
         /* DSAU_EncodeDerSigWithLen works for DSA and ECDSA */
         rv = DSAU_EncodeDerSigWithLen(result, &sigitem, sigitem.len);
         PORT_Free(sigitem.data);
         if (rv != SECSuccess)
             goto loser;
-    } else {
+    }
+    else {
         result->len = sigitem.len;
         result->data = sigitem.data;
     }
 
 loser:
     SGN_DestroyDigestInfo(di);
     if (arena != NULL) {
         PORT_FreeArena(arena, PR_FALSE);
@@ -389,17 +391,18 @@ SGN_Digest(SECKEYPrivateKey *privKey,
         }
 
         /* Der encode the digest as a DigestInfo */
         rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate,
                         di);
         if (rv != SECSuccess) {
             goto loser;
         }
-    } else {
+    }
+    else {
         digder.data = digest->data;
         digder.len = digest->len;
     }
 
     /*
     ** Encrypt signature after constructing appropriate PKCS#1 signature
     ** block
     */
--- a/security/nss/lib/cryptohi/secvfy.c
+++ b/security/nss/lib/cryptohi/secvfy.c
@@ -100,17 +100,18 @@ recoverPKCS1DigestInfo(SECOidTag givenDi
 
     if (di) {
         SGN_DestroyDigestInfo(di);
     }
 
     if (rv == SECSuccess) {
         *digestInfoLen = it.len;
         *digestInfo = (unsigned char *)it.data;
-    } else {
+    }
+    else {
         if (it.data) {
             PORT_Free(it.data);
         }
         *digestInfo = NULL;
         *digestInfoLen = 0;
         PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
     }
 
@@ -189,17 +190,18 @@ decodeECorDSASignature(SECOidTag algid, 
             PORT_SetError(SEC_ERROR_BAD_DER);
             return SECFailure;
         }
     }
     dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
 
     if ((dsasig == NULL) || (dsasig->len != len)) {
         rv = SECFailure;
-    } else {
+    }
+    else {
         PORT_Memcpy(dsig, dsasig->data, dsasig->len);
     }
 
     if (dsasig != NULL)
         SECITEM_FreeItem(dsasig, PR_TRUE);
     if (rv == SECFailure)
         PORT_SetError(SEC_ERROR_BAD_DER);
     return rv;
@@ -289,23 +291,27 @@ sec_DecodeSigAlg(const SECKEYPublicKey *
             /* This is an EC algorithm. Recommended means the largest
              * hash algorithm that is not reduced by the keysize of
              * the EC algorithm. Note that key strength is in bytes and
              * algorithms are specified in bits. Never use an algorithm
              * weaker than sha1. */
             len = SECKEY_PublicKeyStrength(key);
             if (len < 28) { /* 28 bytes == 224 bits */
                 *hashalg = SEC_OID_SHA1;
-            } else if (len < 32) { /* 32 bytes == 256 bits */
+            }
+            else if (len < 32) { /* 32 bytes == 256 bits */
                 *hashalg = SEC_OID_SHA224;
-            } else if (len < 48) { /* 48 bytes == 384 bits */
+            }
+            else if (len < 48) { /* 48 bytes == 384 bits */
                 *hashalg = SEC_OID_SHA256;
-            } else if (len < 64) { /* 48 bytes == 512 bits */
+            }
+            else if (len < 64) { /* 48 bytes == 512 bits */
                 *hashalg = SEC_OID_SHA384;
-            } else {
+            }
+            else {
                 /* use the largest in this case */
                 *hashalg = SEC_OID_SHA512;
             }
             break;
         case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
             if (param == NULL) {
                 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
                 return SECFailure;
@@ -656,17 +662,18 @@ vfy_VerifyDigest(const SECItem *digest, 
                 dsasig.data = cx->u.buffer;
                 dsasig.len = SECKEY_SignatureLen(cx->key);
                 if (dsasig.len == 0) {
                     break;
                 }
                 if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
                     SECSuccess) {
                     PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-                } else {
+                }
+                else {
                     rv = SECSuccess;
                 }
                 break;
             default:
                 break;
         }
         VFY_DestroyContext(cx, PR_TRUE);
     }
--- a/security/nss/lib/dbm/include/hash.h
+++ b/security/nss/lib/dbm/include/hash.h
@@ -158,18 +158,19 @@ typedef struct htab { /* Memory resident
 #define NUMKEY 1038583l
 #define BYTE_SHIFT 3
 #define INT_TO_BYTE 2
 #define INT_BYTE_SHIFT 5
 #define ALL_SET ((uint32)0xFFFFFFFF)
 #define ALL_CLEAR 0
 
 #define PTROF(X) ((ptrdiff_t)(X) == BUF_DISK ? 0 : (X))
-#define ISDISK(X) ((X) ? ((ptrdiff_t)(X) == BUF_DISK ? BUF_DISK      \
-                                                     : (X)->is_disk) \
+#define ISDISK(X) ((X) ? ((ptrdiff_t)(X) == BUF_DISK ? BUF_DISK    \
+                                                     :             \
+                                                     (X)->is_disk) \
                        : 0)
 
 #define BITS_PER_MAP 32
 
 /* Given the address of the beginning of a big map, clear/set the nth bit */
 #define CLRBIT(A, N) ((A)[(N) / BITS_PER_MAP] &= ~(1 << ((N) % BITS_PER_MAP)))
 #define SETBIT(A, N) ((A)[(N) / BITS_PER_MAP] |= (1 << ((N) % BITS_PER_MAP)))
 #define ISSET(A, N) ((A)[(N) / BITS_PER_MAP] & (1 << ((N) % BITS_PER_MAP)))
--- a/security/nss/lib/dbm/src/dirent.c
+++ b/security/nss/lib/dbm/src/dirent.c
@@ -76,17 +76,18 @@ getFSType(const char *path)
     static char cache[1 + 26];
     char drive[3], info[512];
     Word unit, infolen;
     char r;
 
     if (isalpha(path[0]) && path[1] == ':') {
         unit = toupper(path[0]) - '@';
         path += 2;
-    } else {
+    }
+    else {
         ULONG driveMap;
 #if OS2 >= 2
         if (DosQueryCurrentDisk(&unit, &driveMap))
 #else
         if (DosQCurDisk(&unit, &driveMap))
 #endif
             return 0;
     }
@@ -103,25 +104,27 @@ getFSType(const char *path)
     drive[2] = '\0';
     infolen = sizeof info;
 #if OS2 >= 2
     if (DosQueryFSAttach(drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen))
         return 0;
     if (infolen >= sizeof(FSQBUFFER2)) {
         FSQBUFFER2 *p = (FSQBUFFER2 *)info;
         r = p->szFSDName[p->cbName];
-    } else
+    }
+    else
 #else
     if (DosQFSAttach((PSZ)drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen, 0))
         return 0;
     if (infolen >= 9) {
         char *p = info + sizeof(USHORT);
         p += sizeof(USHORT) + *(USHORT *)p + 1 + sizeof(USHORT);
         r = *p;
-    } else
+    }
+    else
 #endif
         r = 0;
     return cache[unit] = r;
 }
 
 char *
 abs_path(const char *name, char *buffer, int len)
 {
--- a/security/nss/lib/dbm/src/dirent.h
+++ b/security/nss/lib/dbm/src/dirent.h
@@ -56,17 +56,17 @@ struct dirent {
     char d_name[MAXNAMLEN + 1];
     unsigned long d_size;
     unsigned short d_attribute; /* attributes (see above) */
     unsigned short d_time;      /* modification time */
     unsigned short d_date;      /* modification date */
 #else
     char d_name[MAXNAMLEN + 1]; /* garentee null termination */
     char d_attribute;           /* .. extension .. */
-    unsigned long d_size; /* .. extension .. */
+    unsigned long d_size;       /* .. extension .. */
 #endif
 };
 
 typedef struct _dirdescr DIR;
 /* the structs do not have to be defined here */
 
 extern DIR *opendir(const char *);
 extern DIR *openxdir(const char *, unsigned);
--- a/security/nss/lib/dbm/src/h_bigkey.c
+++ b/security/nss/lib/dbm/src/h_bigkey.c
@@ -124,17 +124,18 @@ extern int
                 off = OFFSET(p) - move_bytes;
                 p[n] = off;
                 memmove(cp + off, val_data, move_bytes);
                 val_data += move_bytes;
                 val_size -= move_bytes;
                 p[n - 2] = FULL_KEY_DATA;
                 FREESPACE(p) = FREESPACE(p) - move_bytes;
                 OFFSET(p) = off;
-            } else
+            }
+            else
                 p[n - 2] = FULL_KEY;
         }
         p = (uint16 *)bufp->page;
         cp = bufp->page;
         bufp->flags |= BUF_MOD;
     }
 
     /* Now move the data */
@@ -158,17 +159,18 @@ extern int
         OFFSET(p) = off;
         if (val_size) {
             p[n] = FULL_KEY;
             bufp = __add_ovflpage(hashp, bufp);
             if (!bufp)
                 return (-1);
             cp = bufp->page;
             p = (uint16 *)cp;
-        } else
+        }
+        else
             p[n] = FULL_KEY_DATA;
         bufp->flags |= BUF_MOD;
     }
     return (0);
 }
 
 /*
  * Called when bufp's page  contains a partial key (index should be 1)
@@ -229,17 +231,18 @@ extern int
 
     /* Now, bp is the first page of the pair. */
     bp = (uint16 *)bufp->page;
     if (n > 2) {
         /* There is an overflow page. */
         bp[1] = pageno;
         bp[2] = OVFLPAGE;
         bufp->ovfl = rbufp->ovfl;
-    } else
+    }
+    else
         /* This is the last page. */
         bufp->ovfl = NULL;
     n -= 2;
     bp[0] = n;
     FREESPACE(bp) = hashp->BSIZE - PAGE_META(n);
     OFFSET(bp) = hashp->BSIZE - 1;
 
     bufp->flags |= BUF_MOD;
@@ -287,17 +290,18 @@ extern int
         ndx = 1;
     }
 
     if (bytes != ksize || memcmp(p + bp[ndx], kkey, bytes)) {
 #ifdef HASH_STATISTICS
         ++hash_collisions;
 #endif
         return (-2);
-    } else
+    }
+    else
         return (ndx);
 }
 
 /*
  * Given the buffer pointer of the first overflow page of a big pair,
  * find the end of the big pair
  *
  * This will set bpp to the buffer header of the last page of the big pair.
@@ -375,45 +379,48 @@ extern int
         bufp = __get_buf(hashp, bp[bp[0] - 1], bufp, 0);
         if (!bufp)
             return (-1);
         bp = (uint16 *)bufp->page;
         save_p = bufp;
         save_addr = save_p->addr;
         off = bp[1];
         len = 0;
-    } else if (!FREESPACE(bp)) {
+    }
+    else if (!FREESPACE(bp)) {
         /*
              * This is a hack.  We can't distinguish between
              * FULL_KEY_DATA that contains complete data or
              * incomplete data, so we require that if the data
              * is complete, there is at least 1 byte of free
              * space left.
              */
         off = bp[bp[0]];
         len = bp[1] - off;
         save_p = bufp;
         save_addr = bufp->addr;
         bufp = __get_buf(hashp, bp[bp[0] - 1], bufp, 0);
         if (!bufp)
             return (-1);
         bp = (uint16 *)bufp->page;
-    } else {
+    }
+    else {
         /* The data is all on one page. */
         tp = (char *)bp;
         off = bp[bp[0]];
         val->data = (uint8 *)tp + off;
         val->size = bp[1] - off;
         if (set_current) {
             if (bp[0] == 2) { /* No more buckets in
                              * chain */
                 hashp->cpage = NULL;
                 hashp->cbucket++;
                 hashp->cndx = 1;
-            } else {
+            }
+            else {
                 hashp->cpage = __get_buf(hashp,
                                          bp[bp[0] - 1], bufp, 0);
                 if (!hashp->cpage)
                     return (-1);
                 hashp->cndx = 1;
                 if (!((uint16 *)
                           hashp->cpage->page)[0]) {
                     hashp->cbucket++;
@@ -516,17 +523,18 @@ collect_data(
     save_bufp->flags = save_flags;
 
     /* update the database cursor */
     if (set) {
         hashp->cndx = 1;
         if (bp[0] == 2) { /* No more buckets in chain */
             hashp->cpage = NULL;
             hashp->cbucket++;
-        } else {
+        }
+        else {
             hashp->cpage = __get_buf(hashp, bp[bp[0] - 1], bufp, 0);
             if (!hashp->cpage)
                 return (-1);
             else if (!((uint16 *)hashp->cpage->page)[0]) {
                 hashp->cbucket++;
                 hashp->cpage = NULL;
             }
         }
@@ -576,17 +584,18 @@ collect_key(
     totlen = len + mylen;
     if (bp[2] == FULL_KEY || bp[2] == FULL_KEY_DATA) { /* End of Key. */
         if (hashp->tmp_key != NULL)
             free(hashp->tmp_key);
         if ((hashp->tmp_key = (char *)malloc((size_t)totlen)) == NULL)
             return (-1);
         if (__big_return(hashp, bufp, 1, val, set))
             return (-1);
-    } else {
+    }
+    else {
         xbp = __get_buf(hashp, bp[bp[0] - 1], bufp, 0);
         if (!xbp || ((totlen =
                           collect_key(hashp, xbp, totlen, val, set)) < 1))
             return (-1);
     }
     if (bufp->addr != save_addr) {
         errno = EINVAL; /* MIS -- OUT OF BUFFERS */
         return (-1);
@@ -625,17 +634,18 @@ extern int
         return (-1);
     change = (__call_hash(hashp, (char *)key.data, key.size) != obucket);
 
     if ((ret->next_addr = __find_last_page(hashp, &big_keyp))) {
         if (!(ret->nextp =
                   __get_buf(hashp, ret->next_addr, big_keyp, 0)))
             return (-1);
         ;
-    } else
+    }
+    else
         ret->nextp = NULL;
 
 /* Now make one of np/op point to the big key/data pair */
 #ifdef DEBUG
     assert(np->ovfl == NULL);
 #endif
     if (change)
         tmpp = np;
@@ -691,17 +701,18 @@ extern int
         off = OFFSET(tp);
         tp[0] -= 2;
         FREESPACE(tp) = free_space + OVFLSIZE;
         OFFSET(tp) = off;
         tmpp = __add_ovflpage(hashp, big_keyp);
         if (!tmpp)
             return (-1);
         tp[4] = n;
-    } else
+    }
+    else
         tmpp = big_keyp;
 
     if (change)
         ret->newp = tmpp;
     else
         ret->oldp = tmpp;
     return (0);
 }
--- a/security/nss/lib/dbm/src/h_page.c
+++ b/security/nss/lib/dbm/src/h_page.c
@@ -251,17 +251,18 @@ extern int
 
         memmove(dst, src, length);
 
         /* Now adjust the pointers */
         for (i = ndx + 2; i <= n; i += 2) {
             if (bp[i + 1] == OVFLPAGE) {
                 bp[i - 2] = bp[i];
                 bp[i - 1] = bp[i + 1];
-            } else {
+            }
+            else {
                 bp[i - 2] = bp[i] + pairlen;
                 bp[i - 1] = bp[i + 1] + pairlen;
             }
         }
     }
     /* Finally adjust the page data */
     bp[n] = OFFSET(bp) + pairlen;
     bp[n - 1] = bp[n + 1] + pairlen + 2 * sizeof(uint16);
@@ -335,20 +336,22 @@ extern int
             /* Don't switch page */
             diff = copyto - off;
             if (diff) {
                 copyto = ino[n + 1] + diff;
                 memmove(op + copyto, op + ino[n + 1],
                         off - ino[n + 1]);
                 ino[ndx] = copyto + ino[n] - ino[n + 1];
                 ino[ndx + 1] = copyto;
-            } else
+            }
+            else
                 copyto = ino[n + 1];
             ndx += 2;
-        } else {
+        }
+        else {
             /* Switch page */
             val.data = (uint8 *)op + ino[n + 1];
             val.size = ino[n] - ino[n + 1];
 
             /* if the pair doesn't fit something is horribly
              * wrong.  LJM
              */
             tmp_uint16_array = (uint16 *)np;
@@ -452,17 +455,18 @@ ugly_split(HTAB *hashp, uint32 obucket, 
                 return (-1);
             np = (uint16 *)new_bufp->page;
             bufp = ret.nextp;
             if (!bufp)
                 return (0);
             cino = (char *)bufp->page;
             ino = (uint16 *)cino;
             last_bfp = ret.nextp;
-        } else if (ino[n + 1] == OVFLPAGE) {
+        }
+        else if (ino[n + 1] == OVFLPAGE) {
             ov_addr = ino[n];
             /*
              * Fix up the old page -- the extra 2 are the fields
              * which contained the overflow information.
              */
             ino[0] -= (moved + 2);
             FREESPACE(ino) =
                 scopyto - sizeof(uint16) * (ino[0] + 3);
@@ -499,17 +503,18 @@ ugly_split(HTAB *hashp, uint32 obucket, 
                     old_bufp =
                         __add_ovflpage(hashp, old_bufp);
                     if (!old_bufp)
                         return (-1);
                     op = (uint16 *)old_bufp->page;
                     putpair((char *)op, &key, &val);
                 }
                 old_bufp->flags |= BUF_MOD;
-            } else {
+            }
+            else {
                 /* Move to new page */
                 if (PAIRFITS(np, (&key), (&val)))
                     putpair((char *)np, &key, &val);
                 else {
                     new_bufp =
                         __add_ovflpage(hashp, new_bufp);
                     if (!new_bufp)
                         return (-1);
@@ -550,31 +555,33 @@ extern int
             bufp = __get_buf(hashp, bp[bp[0] - 1], bufp, 0);
             if (!bufp) {
 #ifdef DEBUG
                 assert(0);
 #endif
                 return (-1);
             }
             bp = (uint16 *)bufp->page;
-        } else
+        }
+        else
             /* Try to squeeze key on this page */
             if (FREESPACE(bp) > PAIRSIZE(key, val)) {
             {
                 squeeze_key(bp, key, val);
 
                 /* LJM: I added this because I think it was
                  * left out on accident.
                  * if this isn't incremented nkeys will not
                  * be the actual number of keys in the db.
                  */
                 hashp->NKEYS++;
                 return (0);
             }
-        } else {
+        }
+        else {
             bufp = __get_buf(hashp, bp[bp[0] - 1], bufp, 0);
             if (!bufp) {
 #ifdef DEBUG
                 assert(0);
 #endif
                 return (-1);
             }
             bp = (uint16 *)bufp->page;
@@ -704,26 +711,28 @@ extern int
         bp[0] = 0; /* We hit the EOF, so initialize a new page */
     else if ((unsigned)rsize != size) {
         errno = EFTYPE;
         return (-1);
     }
 
     if (!is_bitmap && !bp[0]) {
         PAGE_INIT(p);
-    } else {
+    }
+    else {
 
         if (hashp->LORDER != BYTE_ORDER) {
             register int i, max;
 
             if (is_bitmap) {
                 max = hashp->BSIZE >> 2; /* divide by 4 */
                 for (i = 0; i < max; i++)
                     M_32_SWAP(((int *)p)[i]);
-            } else {
+            }
+            else {
                 M_16_SWAP(bp[0]);
                 max = bp[0] + 2;
 
                 /* bound the size of max by
                  * the maximum number of entries
                  * in the array
                  */
                 if ((unsigned)max > (size / sizeof(uint16)))
@@ -765,17 +774,18 @@ extern int
             for (i = 1; i <= num_keys; i += 2) {
                 /* ignore overflow pages etc. */
                 if (bp[i + 1] >= REAL_KEY) {
 
                     if (bp[i] > offset || bp[i + 1] > bp[i])
                         return (DATABASE_CORRUPTED_ERROR);
 
                     offset = bp[i + 1];
-                } else {
+                }
+                else {
                     /* there are no other valid keys after
                      * seeing a non REAL_KEY
                      */
                     break;
                 }
             }
         }
     }
@@ -805,17 +815,18 @@ extern int
     if (hashp->LORDER != BYTE_ORDER) {
         register int i;
         register int max;
 
         if (is_bitmap) {
             max = hashp->BSIZE >> 2; /* divide by 4 */
             for (i = 0; i < max; i++)
                 M_32_SWAP(((int *)p)[i]);
-        } else {
+        }
+        else {
             max = ((uint16 *)p)[0] + 2;
 
             /* bound the size of max by
              * the maximum number of entries
              * in the array
              */
             if ((unsigned)max > (size / sizeof(uint16)))
                 return (DATABASE_CORRUPTED_ERROR);
@@ -849,17 +860,18 @@ extern int
     if (hashp->LORDER != BYTE_ORDER) {
         register int i;
         register int max;
 
         if (is_bitmap) {
             max = hashp->BSIZE >> 2; /* divide by 4 */
             for (i = 0; i < max; i++)
                 M_32_SWAP(((int *)p)[i]);
-        } else {
+        }
+        else {
             uint16 *bp = (uint16 *)p;
 
             M_16_SWAP(bp[0]);
             max = bp[0] + 2;
 
             /* no need to bound the size if max again
              * since it was done already above
              */
@@ -942,17 +954,18 @@ overflow_page(HTAB *hashp)
         else
             in_use_bits = (hashp->BSIZE << BYTE_SHIFT) - 1;
 
         if (i == (unsigned)first_page) {
             bit = hashp->LAST_FREED &
                   ((hashp->BSIZE << BYTE_SHIFT) - 1);
             j = bit / BITS_PER_MAP;
             bit = bit & ~(BITS_PER_MAP - 1);
-        } else {
+        }
+        else {
             bit = 0;
             j = 0;
         }
         for (; bit <= in_use_bits; j++, bit += BITS_PER_MAP)
             if (freep[j] != ALL_SET)
                 goto found;
     }
 
@@ -1011,17 +1024,18 @@ overflow_page(HTAB *hashp)
 #endif
                 return (0);
             }
             hashp->OVFL_POINT = splitnum;
             hashp->SPARES[splitnum] = hashp->SPARES[splitnum - 1];
             hashp->SPARES[splitnum - 1]--;
             offset = 0;
         }
-    } else {
+    }
+    else {
         /*
          * Free_bit addresses the last used bit.  Bump it to address
          * the first available bit.
          */
         free_bit++;
         SETBIT(freep, free_bit);
     }
 
--- a/security/nss/lib/dbm/src/hash.c
+++ b/security/nss/lib/dbm/src/hash.c
@@ -168,17 +168,18 @@ extern DB *
      */
     hashp->flags = flags;
 
     new_table = 0;
     if (!file || (flags & O_TRUNC) || (stat(file, &statbuf) && (errno == ENOENT))) {
         if (errno == ENOENT)
             errno = 0; /* Just in case someone looks at errno */
         new_table = 1;
-    } else if (statbuf.st_mtime && statbuf.st_size == 0) {
+    }
+    else if (statbuf.st_mtime && statbuf.st_size == 0) {
         /* check for a zero length file and delete it
          * if it exists
          */
         new_table = 1;
     }
     hashp->file_size = statbuf.st_size;
 
     if (file) {
@@ -189,17 +190,18 @@ extern DB *
         if ((hashp->fp = open(file, flags, mode)) == -1)
             RETURN_ERROR(errno, error1);
         (void)fcntl(hashp->fp, F_SETFD, 1);
 #endif
     }
     if (new_table) {
         if (!init_hash(hashp, file, (HASHINFO *)info))
             RETURN_ERROR(errno, error1);
-    } else {
+    }
+    else {
         /* Table already exists */
         if (info && info->hash)
             hashp->hash = info->hash;
         else
             hashp->hash = __default_hash;
 
         hdrsize = read(hashp->fp, (char *)&hashp->hdr, sizeof(HASHHDR));
         if (hdrsize == -1)
@@ -699,18 +701,20 @@ hash_put(
         hashp->dbmerrno = errno = EINVAL;
         return (DBM_ERROR);
     }
     if ((hashp->flags & O_ACCMODE) == O_RDONLY) {
         hashp->dbmerrno = errno = EPERM;
         return (DBM_ERROR);
     }
 
-    rv = hash_access(hashp, flag == R_NOOVERWRITE ? HASH_PUTNEW
-                                                  : HASH_PUT,
+    rv = hash_access(hashp, flag == R_NOOVERWRITE ?
+                                                  HASH_PUTNEW
+                                                  :
+                                                  HASH_PUT,
                      (DBT *)key, (DBT *)data);
 
     if (rv == DATABASE_CORRUPTED_ERROR) {
 #if defined(unix) && defined(DEBUG)
         printf("\n\nDBM Database has been corrupted, tell Lou...\n\n");
 #endif
         __remove_database((DB *)dbp);
     }
@@ -793,17 +797,18 @@ hash_access(
                 memcmp(kp, rbufp->page + *bp, size) == 0)
                 goto found;
             off = bp[1];
 #ifdef HASH_STATISTICS
             hash_collisions++;
 #endif
             bp += 2;
             ndx += 2;
-        } else if (bp[1] == OVFLPAGE) {
+        }
+        else if (bp[1] == OVFLPAGE) {
 
             /* database corruption: overflow loop detection */
             if (last_overflow_page_no == (int32)*bp)
                 return (DATABASE_CORRUPTED_ERROR);
 
             last_overflow_page_no = *bp;
 
             rbufp = __get_buf(hashp, *bp, rbufp, 0);
@@ -816,17 +821,18 @@ hash_access(
             if (ovfl_loop_count > MAX_OVERFLOW_HASH_ACCESS_LOOPS)
                 return (DATABASE_CORRUPTED_ERROR);
 
             /* FOR LOOP INIT */
             bp = (uint16 *)rbufp->page;
             n = *bp++;
             ndx = 1;
             off = hashp->BSIZE;
-        } else if (bp[1] < REAL_KEY) {
+        }
+        else if (bp[1] < REAL_KEY) {
             if ((ndx =
                      __find_bigpair(hashp, rbufp, ndx, kp, (int)size)) > 0)
                 goto found;
             if (ndx == -2) {
                 bufp = rbufp;
                 if (!(pageno =
                           __find_last_page(hashp, &bufp))) {
                     ndx = 0;
@@ -838,31 +844,33 @@ hash_access(
                     save_bufp->flags &= ~BUF_PIN;
                     return (DBM_ERROR);
                 }
                 /* FOR LOOP INIT */
                 bp = (uint16 *)rbufp->page;
                 n = *bp++;
                 ndx = 1;
                 off = hashp->BSIZE;
-            } else {
+            }
+            else {
                 save_bufp->flags &= ~BUF_PIN;
                 return (DBM_ERROR);
             }
         }
     }
 
     /* Not found */
     switch (action) {
         case HASH_PUT:
         case HASH_PUTNEW:
             if (__addel(hashp, rbufp, key, val)) {
                 save_bufp->flags &= ~BUF_PIN;
                 return (DBM_ERROR);
-            } else {
+            }
+            else {
                 save_bufp->flags &= ~BUF_PIN;
                 return (SUCCESS);
             }
         case HASH_GET:
         case HASH_DELETE:
         default:
             save_bufp->flags &= ~BUF_PIN;
             return (ABNORMAL);
@@ -873,17 +881,18 @@ found:
         case HASH_PUTNEW:
             save_bufp->flags &= ~BUF_PIN;
             return (ABNORMAL);
         case HASH_GET:
             bp = (uint16 *)rbufp->page;
             if (bp[ndx + 1] < REAL_KEY) {
                 if (__big_return(hashp, rbufp, ndx, val, 0))
                     return (DBM_ERROR);
-            } else {
+            }
+            else {
                 val->data = (uint8 *)rbufp->page + (int)bp[ndx + 1];
                 val->size = bp[ndx] - bp[ndx + 1];
             }
             break;
         case HASH_PUT:
             if ((__delpair(hashp, rbufp, ndx)) ||
                 (__addel(hashp, rbufp, key, val))) {
                 save_bufp->flags &= ~BUF_PIN;
@@ -942,17 +951,18 @@ hash_seq(
                 if (bp[0])
                     break;
             }
             hashp->cbucket = bucket;
             if (hashp->cbucket > hashp->MAX_BUCKET) {
                 hashp->cbucket = -1;
                 return (ABNORMAL);
             }
-        } else
+        }
+        else
             bp = (uint16 *)hashp->cpage->page;
 
 #ifdef DEBUG
         assert(bp);
         assert(bufp);
 #endif
         while (bp[hashp->cndx + 1] == OVFLPAGE) {
             bufp = hashp->cpage =
@@ -966,27 +976,29 @@ hash_seq(
             hashp->cpage = NULL;
             ++hashp->cbucket;
         }
     }
     ndx = hashp->cndx;
     if (bp[ndx + 1] < REAL_KEY) {
         if (__big_keydata(hashp, bufp, key, data, 1))
             return (DBM_ERROR);
-    } else {
+    }
+    else {
         key->data = (uint8 *)hashp->cpage->page + bp[ndx];
         key->size = (ndx > 1 ? bp[ndx - 1] : hashp->BSIZE) - bp[ndx];
         data->data = (uint8 *)hashp->cpage->page + bp[ndx + 1];
         data->size = bp[ndx] - bp[ndx + 1];
         ndx += 2;
         if (ndx > bp[0]) {
             hashp->cpage = NULL;
             hashp->cbucket++;
             hashp->cndx = 1;
-        } else
+        }
+        else
             hashp->cndx = ndx;
     }
     return (SUCCESS);
 }
 
 /********************************* UTILITIES ************************/
 
 /*
--- a/security/nss/lib/dbm/src/hash_buf.c
+++ b/security/nss/lib/dbm/src/hash_buf.c
@@ -115,17 +115,18 @@ extern BUFHEAD *
     is_disk = 0;
     is_disk_mask = 0;
     if (prev_bp) {
         bp = prev_bp->ovfl;
         if (!bp || (bp->addr != addr))
             bp = NULL;
         if (!newpage)
             is_disk = BUF_DISK;
-    } else {
+    }
+    else {
         /* Grab buffer out of directory */
         segment_ndx = addr & (hashp->SGSIZE - 1);
 
         /* valid segment ensured by __call_hash() */
         segp = hashp->dir[addr >> hashp->SSHIFT];
 #ifdef DEBUG
         assert(segp != NULL);
 #endif
@@ -167,17 +168,18 @@ extern BUFHEAD *
                 (BUFHEAD *)((ptrdiff_t)bp | is_disk_mask);
 #else
             /* set the is_disk thing inside the structure
              */
             bp->is_disk = is_disk_mask;
             segp[segment_ndx] = bp;
 #endif
         }
-    } else {
+    }
+    else {
         BUF_REMOVE(bp);
         MRU_INSERT(bp);
     }
     return (bp);
 }
 
 /*
  * We need a buffer for this page. Either allocate one, or evict a resident
@@ -218,17 +220,18 @@ newbuf(HTAB *hashp, uint32 addr, BUFHEAD
 
         /* this memset is supposedly unnecessary but lets add
          * it anyways.
          */
         memset(bp->page, 0xff, (size_t)hashp->BSIZE);
 
         if (hashp->nbufs)
             hashp->nbufs--;
-    } else {
+    }
+    else {
         /* Kick someone out */
         BUF_REMOVE(bp);
         /*
          * If this is an overflow page with addr 0, it's already been
          * flushed back in an overflow chain and initialized.
          */
         if ((bp->addr != 0) || (bp->flags & BUF_BUCKET)) {
             /*
@@ -323,17 +326,18 @@ newbuf(HTAB *hashp, uint32 addr, BUFHEAD
          */
 #ifdef DEBUG1
         (void)fprintf(stderr, "NEWBUF2: %d->ovfl was %d is now %d\n",
                       prev_bp->addr, (prev_bp->ovfl ? bp->ovfl->addr : 0),
                       (bp ? bp->addr : 0));
 #endif
         prev_bp->ovfl = bp;
         bp->flags = 0;
-    } else
+    }
+    else
         bp->flags = BUF_BUCKET;
     MRU_INSERT(bp);
     return (bp);
 }
 
 extern void
 __buf_init(HTAB *hashp, int32 nbytes)
 {
@@ -385,17 +389,18 @@ extern int
         }
         /* Check if we are freeing stuff */
         if (do_free) {
             if (bp->page)
                 free(bp->page);
             BUF_REMOVE(bp);
             free(bp);
             bp = LRU;
-        } else
+        }
+        else
             bp = bp->prev;
     }
     return (0);
 }
 
 extern void
 __reclaim_buf(HTAB *hashp, BUFHEAD *bp)
 {
--- a/security/nss/lib/dbm/src/memmove.c
+++ b/security/nss/lib/dbm/src/memmove.c
@@ -106,17 +106,18 @@ register size_t length;
         }
         /*
          * Copy whole words, then mop up any trailing bytes.
          */
         t = length / wsize;
         TLOOP(*(word *)dst = *(word *)src; src += wsize; dst += wsize);
         t = length & wmask;
         TLOOP(*dst++ = *src++);
-    } else {
+    }
+    else {
         /*
          * Copy backwards.  Otherwise essentially the same.
          * Alignment works as before, except that it takes
          * (t&wmask) bytes to align, not wsize-(t&wmask).
          */
         src += length;
         dst += length;
         t = (int)src;
--- a/security/nss/lib/dbm/src/mktemp.c
+++ b/security/nss/lib/dbm/src/mktemp.c
@@ -122,17 +122,18 @@ static int
 
     for (;;) {
         if (doopen) {
             if ((*doopen =
                      open(path, O_CREAT | O_EXCL | O_RDWR | extraFlags, 0600)) >= 0)
                 return (1);
             if (errno != EEXIST)
                 return (0);
-        } else if (stat(path, &sbuf))
+        }
+        else if (stat(path, &sbuf))
             return (errno == ENOENT ? 1 : 0);
 
         /* tricky little algorithm for backward compatibility */
         for (trv = start;;) {
             if (!*trv)
                 return (0);
             if (*trv == 'z')
                 *trv++ = 'a';
--- a/security/nss/lib/dbm/tests/lots.c
+++ b/security/nss/lib/dbm/tests/lots.c
@@ -244,26 +244,29 @@ VerifyRange(int32 low, int32 high, int32
         key = GenKey(num, key_type);
 
         status = (*database->get)(database, key, &data, 0);
 
         if (status == 0) {
             /* got the item */
             if (!should_exist) {
                 ReportError("Item exists but shouldn't: %ld", num);
-            } else {
+            }
+            else {
                 /* else verify the data */
                 VerifyData(&data, num, key_type);
             }
-        } else if (status > 0) {
+        }
+        else if (status > 0) {
             /* item not found */
             if (should_exist) {
                 ReportError("Item not found but should be: %ld", num);
             }
-        } else {
+        }
+        else {
             /* database error */
             ReportError("Database error");
             return (-1);
         }
     }
 
     TraceMe(1, ("Correctly verified: %ld to %ld", low, high));
 
@@ -277,17 +280,18 @@ GenData(int32 num)
     static DBT *data = 0;
     int32 *int32_array;
     size_t size;
 
     if (!data) {
         data = (DBT *)malloc(sizeof(DBT));
         data->size = 0;
         data->data = 0;
-    } else if (data->data) {
+    }
+    else if (data->data) {
         free(data->data);
     }
 
     n = rand();
 
     n = n % 512; /* bound to a 2K size */
 
     size = sizeof(int32) * (n + 1);
@@ -319,41 +323,45 @@ AddOrDelRange(int32 low, int32 high, int
     int status;
 
     if (action != ADD_RANGE && action != DELETE_RANGE)
         assert(0);
 
     if (action == ADD_RANGE) {
         TraceMe(1, ("Adding: %ld to %ld: %s keys", low, high,
                     key_type == USE_SMALL_KEY ? "SMALL" : "LARGE"));
-    } else {
+    }
+    else {
         TraceMe(1, ("Deleting: %ld to %ld: %s keys", low, high,
                     key_type == USE_SMALL_KEY ? "SMALL" : "LARGE"));
     }
 
     for (num = low; num <= high; num++) {
 
         key = GenKey(num, key_type);
 
         if (action == ADD_RANGE) {
             data = GenData(num);
             status = (*database->put)(database, key, data, 0);
-        } else {
+        }
+        else {
             status = (*database->del)(database, key, 0);
         }
 
         if (status < 0) {
             ReportError("Database error %s item: %ld",
                         action == ADD_RANGE ? "ADDING" : "DELETING",
                         num);
-        } else if (status > 0) {
+        }
+        else if (status > 0) {
             ReportError("Could not %s item: %ld",
                         action == ADD_RANGE ? "ADD" : "DELETE",
                         num);
-        } else if (action == ADD_RANGE) {
+        }
+        else if (action == ADD_RANGE) {
 #define SYNC_EVERY_TIME
 #ifdef SYNC_EVERY_TIME
             status = (*database->sync)(database, 0);
             if (status != 0)
                 ReportError("Database error syncing after add");
 #endif
 
 #if 0 /* only do this if your really analy checking the puts */
@@ -375,17 +383,18 @@ AddOrDelRange(int32 low, int32 high, int
 				VerifyRange(low, num, SHOULD_EXIST, key_type);
 			  }
 #endif
         }
     }
 
     if (action == ADD_RANGE) {
         TraceMe(1, ("Successfully added: %ld to %ld", low, high));
-    } else {
+    }
+    else {
         TraceMe(1, ("Successfully deleted: %ld to %ld", low, high));
     }
 
     return (0);
 }
 
 int
 TestRange(int32 low, int32 range, key_type_enum key_type)
@@ -510,17 +519,18 @@ main(int argc, char **argv)
         (*database->close)(database);
         exit(0);
     }
 
     for (i = 100; i < 10000000; i += 200) {
         if (1 || j) {
             TestRange(START_RANGE, i, USE_LARGE_KEY);
             j = 0;
-        } else {
+        }
+        else {
             TestRange(START_RANGE, i, USE_SMALL_KEY);
             j = 1;
         }
 
         if (1 == rand() % 3) {
             (*database->sync)(database, 0);
         }
 
@@ -530,17 +540,18 @@ main(int argc, char **argv)
             database = dbopen("test.db", O_RDWR | O_CREAT, 0644, DB_HASH, 0);
             if (!database) {
                 ReportError("Could not reopen database");
 #ifdef unix
                 perror("");
 #endif
                 exit(1);
             }
-        } else {
+        }
+        else {
             /* reopen database without closeing the other */
             database = dbopen("test.db", O_RDWR | O_CREAT, 0644, DB_HASH, 0);
             if (!database) {
                 ReportError("Could not reopen database "
                             "after not closing the other");
 #ifdef unix
                 perror("");
 #endif
--- a/security/nss/lib/dev/ckhelper.c
+++ b/security/nss/lib/dev/ckhelper.c
@@ -140,17 +140,18 @@ nssCKObject_GetAttributes(
         }
     }
     return PR_SUCCESS;
 loser:
     if (alloced) {
         if (arenaOpt) {
             /* release all arena memory allocated before the failure. */
             (void)nssArena_Release(arenaOpt, mark);
-        } else {
+        }
+        else {
             CK_ULONG j;
             /* free each heap object that was allocated before the failure. */
             for (j = 0; j < i; j++) {
                 nss_ZFreeIf(obj_template[j].pValue);
             }
         }
     }
     return PR_FAILURE;
@@ -216,17 +217,18 @@ nssCKObject_SetAttributes(
     CK_RV ckrv;
     void *epv = nssSlot_GetCryptokiEPV(slot);
     nssSession_EnterMonitor(session);
     ckrv = CKAPI(epv)->C_SetAttributeValue(session->handle, object,
                                            obj_template, count);
     nssSession_ExitMonitor(session);
     if (ckrv == CKR_OK) {
         return PR_SUCCESS;
-    } else {
+    }
+    else {
         return PR_FAILURE;
     }
 }
 
 NSS_IMPLEMENT PRBool
 nssCKObject_IsTokenObjectTemplate(
     CK_ATTRIBUTE_PTR objectTemplate,
     CK_ULONG otsize)
@@ -304,18 +306,20 @@ nssCryptokiCertificate_GetAttributes(
         return PR_SUCCESS;
     }
 
     status = nssToken_GetCachedObjectAttributes(certObject->token, arenaOpt,
                                                 certObject, CKO_CERTIFICATE,
                                                 cert_template, template_size);
     if (status != PR_SUCCESS) {
 
-        session = sessionOpt ? sessionOpt
-                             : nssToken_GetDefaultSession(certObject->token);
+        session = sessionOpt ?
+                             sessionOpt
+                             :
+                             nssToken_GetDefaultSession(certObject->token);
         if (!session) {
             nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
             return PR_FAILURE;
         }
 
         slot = nssToken_GetSlot(certObject->token);
         status = nssCKObject_GetAttributes(certObject->handle,
                                            cert_template, template_size,
@@ -420,18 +424,20 @@ nssCryptokiTrust_GetAttributes(
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH, sha1_hash);
     NSS_CK_TEMPLATE_FINISH(trust_template, attr, trust_size);
 
     status = nssToken_GetCachedObjectAttributes(trustObject->token, NULL,
                                                 trustObject,
                                                 CKO_NSS_TRUST,
                                                 trust_template, trust_size);
     if (status != PR_SUCCESS) {
-        session = sessionOpt ? sessionOpt
-                             : nssToken_GetDefaultSession(trustObject->token);
+        session = sessionOpt ?
+                             sessionOpt
+                             :
+                             nssToken_GetDefaultSession(trustObject->token);
         if (!session) {
             nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
             return PR_FAILURE;
         }
 
         slot = nssToken_GetSlot(trustObject->token);
         status = nssCKObject_GetAttributes(trustObject->handle,
                                            trust_template, trust_size,
@@ -492,18 +498,20 @@ nssCryptokiCRL_GetAttributes(
     }
     NSS_CK_TEMPLATE_FINISH(crl_template, attr, crl_size);
 
     status = nssToken_GetCachedObjectAttributes(crlObject->token, NULL,
                                                 crlObject,
                                                 CKO_NSS_CRL,
                                                 crl_template, crl_size);
     if (status != PR_SUCCESS) {
-        session = sessionOpt ? sessionOpt
-                             : nssToken_GetDefaultSession(crlObject->token);
+        session = sessionOpt ?
+                             sessionOpt
+                             :
+                             nssToken_GetDefaultSession(crlObject->token);
         if (session == NULL) {
             nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
             return PR_FAILURE;
         }
 
         slot = nssToken_GetSlot(crlObject->token);
         status = nssCKObject_GetAttributes(crlObject->handle,
                                            crl_template, crl_size,
@@ -562,19 +570,21 @@ nssCryptokiPrivateKey_SetCertificate(
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
     NSS_CK_TEMPLATE_FINISH(key_template, attr, key_size);
 
     if (sessionOpt) {
         if (!nssSession_IsReadWrite(sessionOpt)) {
             return PR_FAILURE;
         }
         session = sessionOpt;
-    } else if (defaultSession && nssSession_IsReadWrite(defaultSession)) {
+    }
+    else if (defaultSession && nssSession_IsReadWrite(defaultSession)) {
         session = defaultSession;
-    } else {
+    }
+    else {
         NSSSlot *slot = nssToken_GetSlot(token);
         session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
         nssSlot_Destroy(slot);
         if (!session) {
             return PR_FAILURE;
         }
         createdSession = PR_TRUE;
     }
--- a/security/nss/lib/dev/ckhelper.h
+++ b/security/nss/lib/dev/ckhelper.h
@@ -63,26 +63,28 @@ NSS_EXTERN_DATA const NSSItem g_ck_class
 /* NSS_CK_ATTRIBUTE_TO_ITEM(attrib, item)
  *
  * Convert a CK_ATTRIBUTE to an NSSItem.
  */
 #define NSS_CK_ATTRIBUTE_TO_ITEM(attrib, item)         \
     if ((CK_LONG)(attrib)->ulValueLen > 0) {           \
         (item)->data = (void *)(attrib)->pValue;       \
         (item)->size = (PRUint32)(attrib)->ulValueLen; \
-    } else {                                           \
+    }                                                  \
+    else {                                             \
         (item)->data = 0;                              \
         (item)->size = 0;                              \
     }
 
 #define NSS_CK_ATTRIBUTE_TO_BOOL(attrib, boolvar)         \
     if ((attrib)->ulValueLen > 0) {                       \
         if (*((CK_BBOOL *)(attrib)->pValue) == CK_TRUE) { \
             boolvar = PR_TRUE;                            \
-        } else {                                          \
+        }                                                 \
+        else {                                            \
             boolvar = PR_FALSE;                           \
         }                                                 \
     }
 
 #define NSS_CK_ATTRIBUTE_TO_ULONG(attrib, ulongvar) \
     if ((attrib)->ulValueLen > 0) {                 \
         ulongvar = *((CK_ULONG *)(attrib)->pValue); \
     }
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -130,17 +130,18 @@ nssToken_DeleteStoredObject(
     void *epv = nssToken_GetCryptokiEPV(instance->token);
     if (token->cache) {
         nssTokenObjectCache_RemoveObject(token->cache, instance);
     }
     if (instance->isTokenObject) {
         if (token->defaultSession &&
             nssSession_IsReadWrite(token->defaultSession)) {
             session = token->defaultSession;
-        } else {
+        }
+        else {
             session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
             createdSession = PR_TRUE;
         }
     }
     if (session == NULL) {
         return PR_FAILURE;
     }
     nssSession_EnterMonitor(session);
@@ -174,38 +175,42 @@ import_object(
     void *epv = nssToken_GetCryptokiEPV(tok);
     if (nssCKObject_IsTokenObjectTemplate(objectTemplate, otsize)) {
         if (sessionOpt) {
             if (!nssSession_IsReadWrite(sessionOpt)) {
                 nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
                 return NULL;
             }
             session = sessionOpt;
-        } else if (tok->defaultSession &&
-                   nssSession_IsReadWrite(tok->defaultSession)) {
+        }
+        else if (tok->defaultSession &&
+                 nssSession_IsReadWrite(tok->defaultSession)) {
             session = tok->defaultSession;
-        } else {
+        }
+        else {
             session = nssSlot_CreateSession(tok->slot, NULL, PR_TRUE);
             createdSession = PR_TRUE;
         }
-    } else {
+    }
+    else {
         session = (sessionOpt) ? sessionOpt : tok->defaultSession;
     }
     if (session == NULL) {
         nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
         return NULL;
     }
     nssSession_EnterMonitor(session);
     ckrv = CKAPI(epv)->C_CreateObject(session->handle,
                                       objectTemplate, otsize,
                                       &handle);
     nssSession_ExitMonitor(session);
     if (ckrv == CKR_OK) {
         object = nssCryptokiObject_Create(tok, session, handle);
-    } else {
+    }
+    else {
         nss_SetError(ckrv);
         nss_SetError(NSS_ERROR_PKCS11);
     }
     if (createdSession) {
         nssSession_Destroy(session);
     }
     return object;
 }
@@ -258,23 +263,25 @@ find_objects(
     if (!session || session->handle == CK_INVALID_SESSION) {
         ckrv = CKR_SESSION_HANDLE_INVALID;
         goto loser;
     }
 
     /* the arena is only for the array of object handles */
     if (maximumOpt > 0) {
         arraySize = maximumOpt;
-    } else {
+    }
+    else {
         arraySize = OBJECT_STACK_SIZE;
     }
     numHandles = 0;
     if (arraySize <= OBJECT_STACK_SIZE) {
         objectHandles = staticObjects;
-    } else {
+    }
+    else {
         objectHandles = nss_ZNEWARRAY(NULL, CK_OBJECT_HANDLE, arraySize);
     }
     if (!objectHandles) {
         ckrv = CKR_HOST_MEMORY;
         goto loser;
     }
     nssSession_EnterMonitor(session); /* ==== session lock === */
     /* Initialize the find with the template */
@@ -306,17 +313,18 @@ find_objects(
         /* the array is filled, double it and continue */
         arraySize *= 2;
         if (objectHandles == staticObjects) {
             objectHandles = nss_ZNEWARRAY(NULL, CK_OBJECT_HANDLE, arraySize);
             if (objectHandles) {
                 PORT_Memcpy(objectHandles, staticObjects,
                             OBJECT_STACK_SIZE * sizeof(objectHandles[1]));
             }
-        } else {
+        }
+        else {
             objectHandles = nss_ZREALLOCARRAY(objectHandles,
                                               CK_OBJECT_HANDLE,
                                               arraySize);
         }
         if (!objectHandles) {
             nssSession_ExitMonitor(session);
             ckrv = CKR_HOST_MEMORY;
             goto loser;
@@ -325,17 +333,18 @@ find_objects(
     ckrv = CKAPI(epv)->C_FindObjectsFinal(session->handle);
     nssSession_ExitMonitor(session); /* ==== end session lock === */
     if (ckrv != CKR_OK) {
         goto loser;
     }
     if (numHandles > 0) {
         objects = create_objects_from_handles(tok, session,
                                               objectHandles, numHandles);
-    } else {
+    }
+    else {
         nss_SetError(NSS_ERROR_NOT_FOUND);
         objects = NULL;
     }
     if (objectHandles && objectHandles != staticObjects) {
         nss_ZFreeIf(objectHandles);
     }
     if (statusOpt)
         *statusOpt = PR_SUCCESS;
@@ -354,17 +363,18 @@ loser:
         (ckrv == CKR_DATA_LEN_RANGE) ||
         (ckrv == CKR_FUNCTION_NOT_SUPPORTED) ||
         (ckrv == CKR_TEMPLATE_INCOMPLETE) ||
         (ckrv == CKR_TEMPLATE_INCONSISTENT)) {
 
         nss_SetError(NSS_ERROR_NOT_FOUND);
         if (statusOpt)
             *statusOpt = PR_SUCCESS;
-    } else {
+    }
+    else {
         nss_SetError(ckrv);
         nss_SetError(NSS_ERROR_PKCS11);
         if (statusOpt)
             *statusOpt = PR_FAILURE;
     }
     return (nssCryptokiObject **)NULL;
 }
 
@@ -448,24 +458,26 @@ nssToken_ImportCertificate(
     nssCryptokiObject *rvObject = NULL;
 
     if (!tok) {
         PORT_SetError(SEC_ERROR_NO_TOKEN);
         return NULL;
     }
     if (certType == NSSCertificateType_PKIX) {
         cert_type = CKC_X_509;
-    } else {
+    }
+    else {
         return (nssCryptokiObject *)NULL;
     }
     NSS_CK_TEMPLATE_START(cert_tmpl, attr, ctsize);
     if (asTokenObject) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
         searchType = nssTokenSearchType_TokenOnly;
-    } else {
+    }
+    else {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
         searchType = nssTokenSearchType_SessionOnly;
     }
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_CERTIFICATE_TYPE, cert_type);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, id);
     NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, nickname);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE, encoding);
@@ -529,17 +541,18 @@ nssToken_ImportCertificate(
         nssCKObject_SetAttributes(rvObject->handle,
                                   cert_tmpl, ctsize,
                                   session, slot);
         if (!rvObject->label && nickname) {
             rvObject->label = nssUTF8_Duplicate(nickname, NULL);
         }
         nssSession_Destroy(session);
         nssSlot_Destroy(slot);
-    } else {
+    }
+    else {
         /* Import the certificate onto the token */
         rvObject = import_object(tok, sessionOpt, cert_tmpl, ctsize);
     }
     if (rvObject && tok->cache) {
         /* The cache will overwrite the attributes if the object already
          * exists.
          */
         nssTokenObjectCache_ImportObject(tok->cache, rvObject,
@@ -564,28 +577,30 @@ nssToken_FindObjects(
     CK_ATTRIBUTE_PTR attr;
     CK_ATTRIBUTE obj_template[2];
     CK_ULONG obj_size;
     nssCryptokiObject **objects;
     NSS_CK_TEMPLATE_START(obj_template, attr, obj_size);
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly ||
-               searchType == nssTokenSearchType_TokenForced) {
+    }
+    else if (searchType == nssTokenSearchType_TokenOnly ||
+             searchType == nssTokenSearchType_TokenForced) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_CLASS, objclass);
     NSS_CK_TEMPLATE_FINISH(obj_template, attr, obj_size);
 
     if (searchType == nssTokenSearchType_TokenForced) {
         objects = find_objects(token, sessionOpt,
                                obj_template, obj_size,
                                maximumOpt, statusOpt);
-    } else {
+    }
+    else {
         objects = find_objects_by_template(token, sessionOpt,
                                            obj_template, obj_size,
                                            maximumOpt, statusOpt);
     }
     return objects;
 }
 
 NSS_IMPLEMENT nssCryptokiObject **
@@ -600,17 +615,18 @@ nssToken_FindCertificatesBySubject(
     CK_ATTRIBUTE_PTR attr;
     CK_ATTRIBUTE subj_template[3];
     CK_ULONG stsize;
     nssCryptokiObject **objects;
     NSS_CK_TEMPLATE_START(subj_template, attr, stsize);
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly) {
+    }
+    else if (searchType == nssTokenSearchType_TokenOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
     NSS_CK_TEMPLATE_FINISH(subj_template, attr, stsize);
     /* now locate the token certs matching this template */
     objects = find_objects_by_template(token, sessionOpt,
                                        subj_template, stsize,
@@ -631,17 +647,18 @@ nssToken_FindCertificatesByNickname(
     CK_ATTRIBUTE nick_template[3];
     CK_ULONG ntsize;
     nssCryptokiObject **objects;
     NSS_CK_TEMPLATE_START(nick_template, attr, ntsize);
     NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, name);
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly) {
+    }
+    else if (searchType == nssTokenSearchType_TokenOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_TEMPLATE_FINISH(nick_template, attr, ntsize);
     /* now locate the token certs matching this template */
     objects = find_objects_by_template(token, sessionOpt,
                                        nick_template, ntsize,
                                        maximumOpt, statusOpt);
@@ -679,17 +696,18 @@ nssToken_FindCertificatesByEmail(
     CK_ATTRIBUTE email_template[3];
     CK_ULONG etsize;
     nssCryptokiObject **objects;
     NSS_CK_TEMPLATE_START(email_template, attr, etsize);
     NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NSS_EMAIL, email);
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly) {
+    }
+    else if (searchType == nssTokenSearchType_TokenOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_TEMPLATE_FINISH(email_template, attr, etsize);
     /* now locate the token certs matching this template */
     objects = find_objects(token, sessionOpt,
                            email_template, etsize,
                            maximumOpt, statusOpt);
@@ -721,17 +739,18 @@ nssToken_FindCertificatesByID(
     CK_ATTRIBUTE id_template[3];
     CK_ULONG idtsize;
     nssCryptokiObject **objects;
     NSS_CK_TEMPLATE_START(id_template, attr, idtsize);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, id);
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly) {
+    }
+    else if (searchType == nssTokenSearchType_TokenOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_TEMPLATE_FINISH(id_template, attr, idtsize);
     /* now locate the token certs matching this template */
     objects = find_objects_by_template(token, sessionOpt,
                                        id_template, idtsize,
                                        maximumOpt, statusOpt);
@@ -801,32 +820,34 @@ nssToken_FindCertificateByIssuerAndSeria
         PORT_SetError(SEC_ERROR_NO_TOKEN);
         if (statusOpt)
             *statusOpt = PR_FAILURE;
         return NULL;
     }
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if ((searchType == nssTokenSearchType_TokenOnly) ||
-               (searchType == nssTokenSearchType_TokenForced)) {
+    }
+    else if ((searchType == nssTokenSearchType_TokenOnly) ||
+             (searchType == nssTokenSearchType_TokenForced)) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     /* Set the unique id */
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER, issuer);
     serialAttr = attr;
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER, serial);
     NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
     /* get the object handle */
     if (searchType == nssTokenSearchType_TokenForced) {
         objects = find_objects(token, sessionOpt,
                                cert_template, ctsize,
                                1, statusOpt);
-    } else {
+    }
+    else {
         objects = find_objects_by_template(token, sessionOpt,
                                            cert_template, ctsize,
                                            1, statusOpt);
     }
     if (objects) {
         rvObject = objects[0];
         nss_ZFreeIf(objects);
     }
@@ -843,17 +864,18 @@ nssToken_FindCertificateByIssuerAndSeria
         if (status != PR_SUCCESS) {
             return NULL;
         }
         NSS_CK_SET_ATTRIBUTE_ITEM(serialAttr, CKA_SERIAL_NUMBER, &serialDecode);
         if (searchType == nssTokenSearchType_TokenForced) {
             objects = find_objects(token, sessionOpt,
                                    cert_template, ctsize,
                                    1, statusOpt);
-        } else {
+        }
+        else {
             objects = find_objects_by_template(token, sessionOpt,
                                                cert_template, ctsize,
                                                1, statusOpt);
         }
         if (objects) {
             rvObject = objects[0];
             nss_ZFreeIf(objects);
         }
@@ -873,17 +895,18 @@ nssToken_FindCertificateByEncodedCertifi
     CK_ATTRIBUTE cert_template[3];
     CK_ULONG ctsize;
     nssCryptokiObject **objects;
     nssCryptokiObject *rvObject = NULL;
     NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly) {
+    }
+    else if (searchType == nssTokenSearchType_TokenOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE, encodedCertificate);
     NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
     /* get the object handle */
     objects = find_objects_by_template(token, sessionOpt,
                                        cert_template, ctsize,
@@ -907,17 +930,18 @@ nssToken_FindPrivateKeys(
     CK_ATTRIBUTE key_template[2];
     CK_ULONG ktsize;
     nssCryptokiObject **objects;
 
     NSS_CK_TEMPLATE_START(key_template, attr, ktsize);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_privkey);
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly) {
+    }
+    else if (searchType == nssTokenSearchType_TokenOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_TEMPLATE_FINISH(key_template, attr, ktsize);
 
     objects = find_objects_by_template(token, sessionOpt,
                                        key_template, ktsize,
                                        maximumOpt, statusOpt);
     return objects;
@@ -1065,33 +1089,35 @@ nssToken_ImportTrust(
     md5_hash(certEncoding, &md5_result);
     ckSA = get_ck_trust(serverAuth);
     ckCA = get_ck_trust(clientAuth);
     ckCS = get_ck_trust(codeSigning);
     ckEP = get_ck_trust(emailProtection);
     NSS_CK_TEMPLATE_START(trust_tmpl, attr, tsize);
     if (asTokenObject) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    } else {
+    }
+    else {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
     }
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_CLASS, tobjc);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER, certIssuer);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER, certSerial);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH, &sha1_result);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_MD5_HASH, &md5_result);
     /* now set the trust values */
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_SERVER_AUTH, ckSA);
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CLIENT_AUTH, ckCA);
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING, ckCS);
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_EMAIL_PROTECTION, ckEP);
     if (stepUpApproved) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TRUST_STEP_UP_APPROVED,
                                   &g_ck_true);
-    } else {
+    }
+    else {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TRUST_STEP_UP_APPROVED,
                                   &g_ck_false);
     }
     NSS_CK_TEMPLATE_FINISH(trust_tmpl, attr, tsize);
     /* import the trust object onto the token */
     object = import_object(tok, sessionOpt, trust_tmpl, tsize);
     if (object && tok->cache) {
         nssTokenObjectCache_ImportObject(tok->cache, object, tobjc,
@@ -1154,26 +1180,28 @@ nssToken_ImportCRL(
     CK_OBJECT_CLASS crlobjc = CKO_NSS_CRL;
     CK_ATTRIBUTE_PTR attr;
     CK_ATTRIBUTE crl_tmpl[6];
     CK_ULONG crlsize;
 
     NSS_CK_TEMPLATE_START(crl_tmpl, attr, crlsize);
     if (asTokenObject) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    } else {
+    }
+    else {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
     }
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_CLASS, crlobjc);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE, encoding);
     NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NSS_URL, url);
     if (isKRL) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NSS_KRL, &g_ck_true);
-    } else {
+    }
+    else {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NSS_KRL, &g_ck_false);
     }
     NSS_CK_TEMPLATE_FINISH(crl_tmpl, attr, crlsize);
 
     /* import the crl object onto the token */
     object = import_object(token, sessionOpt, crl_tmpl, crlsize);
     if (object && token->cache) {
         nssTokenObjectCache_ImportObject(token->cache, object, crlobjc,
@@ -1202,18 +1230,19 @@ nssToken_FindCRLsBySubject(
     if (!session || session->handle == CK_INVALID_SESSION) {
         PORT_SetError(SEC_ERROR_NO_TOKEN);
         return objects;
     }
 
     NSS_CK_TEMPLATE_START(crlobj_template, attr, crlobj_size);
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly ||
-               searchType == nssTokenSearchType_TokenForced) {
+    }
+    else if (searchType == nssTokenSearchType_TokenOnly ||
+             searchType == nssTokenSearchType_TokenForced) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_CLASS, crlobjc);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
     NSS_CK_TEMPLATE_FINISH(crlobj_template, attr, crlobj_size);
 
     objects = find_objects_by_template(token, session,
                                        crlobj_template, crlobj_size,
@@ -1454,18 +1483,19 @@ nssToken_TraverseCertificates(
         PORT_SetError(SEC_ERROR_NO_TOKEN);
         return PR_FAILURE;
     }
 
     /* template for all certs */
     NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    } else if (searchType == nssTokenSearchType_TokenOnly ||
-               searchType == nssTokenSearchType_TokenForced) {
+    }
+    else if (searchType == nssTokenSearchType_TokenOnly ||
+             searchType == nssTokenSearchType_TokenForced) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
 
     /* the arena is only for the array of object handles */
     arena = nssArena_Create();
     if (!arena) {
--- a/security/nss/lib/dev/devutil.c
+++ b/security/nss/lib/dev/devutil.c
@@ -168,17 +168,17 @@ nssCryptokiObjectArray_Destroy(
         }
         nss_ZFreeIf(objects);
     }
 }
 
 /* object cache for token */
 
 typedef struct
-{
+    {
     NSSArena *arena;
     nssCryptokiObject *object;
     CK_ATTRIBUTE_PTR attributes;
     CK_ULONG numAttributes;
 } nssCryptokiObjectAndAttributes;
 
 enum {
     cachedCerts = 0,
@@ -310,17 +310,18 @@ create_object_array(
     if (*numObjects >= MAX_LOCAL_CACHE_OBJECTS) {
         /* Hit the maximum allowed, so don't use a cache (there are
          * too many objects to make caching worthwhile, presumably, if
          * the token can handle that many objects, it can handle searching.
          */
         *doObjects = PR_FALSE;
         *status = PR_FAILURE;
         *numObjects = 0;
-    } else {
+    }
+    else {
         rvOandA = nss_ZNEWARRAY(NULL,
                                 nssCryptokiObjectAndAttributes *,
                                 *numObjects + 1);
         *status = rvOandA ? PR_SUCCESS : PR_FAILURE;
     }
     return rvOandA;
 }
 
@@ -431,24 +432,26 @@ search_for_objects(
     PRBool doSearch = PR_FALSE;
     NSSSlot *slot = nssToken_GetSlot(cache->token);
     /* Handle non-friendly slots (slots which require login for objects) */
     if (!nssSlot_IsFriendly(slot)) {
         if (nssSlot_IsLoggedIn(slot)) {
             /* Either no state change, or went from !logged in -> logged in */
             cache->loggedIn = PR_TRUE;
             doSearch = PR_TRUE;
-        } else {
+        }
+        else {
             if (cache->loggedIn) {
                 /* went from logged in -> !logged in, destroy cached objects */
                 clear_cache(cache);
                 cache->loggedIn = PR_FALSE;
             } /* else no state change, still not logged in, so exit */
         }
-    } else {
+    }
+    else {
         /* slot is friendly, thus always available for search */
         doSearch = PR_TRUE;
     }
     nssSlot_Destroy(slot);
     return doSearch;
 }
 
 static nssCryptokiObjectAndAttributes *
@@ -570,17 +573,18 @@ get_token_objects_for_cache(
                                                               objectType,
                                                               &status);
         if (status != PR_SUCCESS) {
             break;
         }
     }
     if (status == PR_SUCCESS) {
         nss_ZFreeIf(objects);
-    } else {
+    }
+    else {
         PRUint32 j;
         for (j = 0; j < i; j++) {
             /* sigh */
             nssToken_AddRef(cache->objects[objectType][j]->object->token);
             nssArena_Destroy(cache->objects[objectType][j]->arena);
         }
         nss_ZFreeIf(cache->objects[objectType]);
         cache->objects[objectType] = NULL;
@@ -815,17 +819,18 @@ nssTokenObjectCache_GetObjectAttributes(
                     cachedOA->attributes[j].ulValueLen == (CK_ULONG)-1) {
                     break; /* invalid attribute */
                 }
                 if (atemplate[i].ulValueLen > 0) {
                     if (atemplate[i].pValue == NULL ||
                         atemplate[i].ulValueLen < attr->ulValueLen) {
                         goto loser;
                     }
-                } else {
+                }
+                else {
                     atemplate[i].pValue = nss_ZAlloc(arena, attr->ulValueLen);
                     if (!atemplate[i].pValue) {
                         goto loser;
                     }
                 }
                 nsslibc_memcpy(atemplate[i].pValue,
                                attr->pValue, attr->ulValueLen);
                 atemplate[i].ulValueLen = attr->ulValueLen;
@@ -896,31 +901,34 @@ nssTokenObjectCache_ImportObject(
         count++;
         oa++;
     }
     if (haveIt) {
         /* Destroy the old entry */
         (*oa)->object->token = NULL;
         nssCryptokiObject_Destroy((*oa)->object);
         nssArena_Destroy((*oa)->arena);
-    } else {
+    }
+    else {
         /* Create space for a new entry */
         if (count > 0) {
             *otype = nss_ZREALLOCARRAY(*otype,
                                        nssCryptokiObjectAndAttributes *,
                                        count + 2);
-        } else {
+        }
+        else {
             *otype = nss_ZNEWARRAY(NULL, nssCryptokiObjectAndAttributes *, 2);
         }
     }
     if (*otype) {
         nssCryptokiObject *copyObject = nssCryptokiObject_Clone(object);
         (*otype)[count] = create_object_of_type(copyObject, objectType,
                                                 &status);
-    } else {
+    }
+    else {
         status = PR_FAILURE;
     }
     PZ_Unlock(cache->lock);
     return status;
 }
 
 NSS_IMPLEMENT void
 nssTokenObjectCache_RemoveObject(
--- a/security/nss/lib/ssl/authcert.c
+++ b/security/nss/lib/ssl/authcert.c
@@ -40,21 +40,23 @@ NSS_GetClientAuthData(void *arg,
     if (chosenNickName) {
         cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
                                         chosenNickName, certUsageSSLClient,
                                         PR_FALSE, proto_win);
         if (cert) {
             privkey = PK11_FindKeyByAnyCert(cert, proto_win);
             if (privkey) {
                 rv = SECSuccess;
-            } else {
+            }
+            else {
                 CERT_DestroyCertificate(cert);
             }
         }
-    } else { /* no name given, automatically find the right cert. */
+    }
+    else { /* no name given, automatically find the right cert. */
         CERTCertNicknames *names;
         int i;
 
         names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
                                       SEC_CERT_NICKNAMES_USER, proto_win);
         if (names != NULL) {
             for (i = 0; i < names->numnicknames; i++) {
                 cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
--- a/security/nss/lib/ssl/cmpcert.c
+++ b/security/nss/lib/ssl/cmpcert.c
@@ -47,42 +47,45 @@ NSS_CmpCertChainWCANames(CERTCertificate
         /* compute an alternate issuer name for compatibility with 2.0
          * enterprise server, which send the CA names without
          * the outer layer of DER header
          */
         rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen);
         if (rv == SECSuccess) {
             compatIssuerName.data = &issuerName.data[headerlen];
             compatIssuerName.len = issuerName.len - headerlen;
-        } else {
+        }
+        else {
             compatIssuerName.data = NULL;
             compatIssuerName.len = 0;
         }
 
         for (j = 0; j < caNames->nnames; j++) {
             caname = &caNames->names[j];
             if (SECITEM_CompareItem(&issuerName, caname) == SECEqual) {
                 rv = SECSuccess;
                 CERT_DestroyCertificate(curcert);
                 goto done;
-            } else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
+            }
+            else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
                 rv = SECSuccess;
                 CERT_DestroyCertificate(curcert);
                 goto done;
             }
         }
         if ((depth <= 20) &&
             (SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject) !=
              SECEqual)) {
             oldcert = curcert;
             curcert = CERT_FindCertByName(curcert->dbhandle,
                                           &curcert->derIssuer);
             CERT_DestroyCertificate(oldcert);
             depth++;
-        } else {
+        }
+        else {
             CERT_DestroyCertificate(curcert);
             curcert = NULL;
         }
     }
     rv = SECFailure;
 
 done:
     return rv;
--- a/security/nss/lib/ssl/derive.c
+++ b/security/nss/lib/ssl/derive.c
@@ -155,25 +155,27 @@ ssl3_KeyAndMacDeriveBypass(
 
         keyblk.type = siBuffer;
         keyblk.data = key_block;
         keyblk.len = block_needed;
 
         if (isTLS12) {
             status = TLS_P_hash(HASH_AlgSHA256, &pwSpec->msItem,
                                 "key expansion", &srcr, &keyblk, isFIPS);
-        } else {
+        }
+        else {
             status = TLS_PRF(&pwSpec->msItem, "key expansion", &srcr, &keyblk,
                              isFIPS);
         }
         if (status != SECSuccess) {
             goto key_and_mac_derive_fail;
         }
         block_bytes = keyblk.len;
-    } else {
+    }
+    else {
        /* key_block =
         *     MD5(master_secret + SHA('A' + master_secret +
         *                      ServerHello.random + ClientHello.random)) +
         *     MD5(master_secret + SHA('BB' + master_secret +
         *                      ServerHello.random + ClientHello.random)) +
         *     MD5(master_secret + SHA('CCC' + master_secret +
         *                      ServerHello.random + ClientHello.random)) +
         *     [...];
@@ -208,143 +210,147 @@ ssl3_KeyAndMacDeriveBypass(
      */
     key_block2 = key_block + block_bytes;
     i = 0; /* now shows how much consumed */
 
     /*
      * The key_block is partitioned as follows:
      * client_write_MAC_secret[CipherSpec.hash_size]
      */
-    buildSSLKey(&key_block[i], macSize, &pwSpec->client.write_mac_key_item,
+    buildSSLKey(&key_block[i], macSize, &pwSpec->client.write_mac_key_item, \
                 "Client Write MAC Secret");
     i += macSize;
 
     /*
      * server_write_MAC_secret[CipherSpec.hash_size]
      */
-    buildSSLKey(&key_block[i], macSize, &pwSpec->server.write_mac_key_item,
+    buildSSLKey(&key_block[i], macSize, &pwSpec->server.write_mac_key_item, \
                 "Server Write MAC Secret");
     i += macSize;
 
     if (!keySize) {
         /* only MACing */
-        buildSSLKey(NULL, 0, &pwSpec->client.write_key_item,
+        buildSSLKey(NULL, 0, &pwSpec->client.write_key_item, \
                     "Client Write Key (MAC only)");
-        buildSSLKey(NULL, 0, &pwSpec->server.write_key_item,
+        buildSSLKey(NULL, 0, &pwSpec->server.write_key_item, \
                     "Server Write Key (MAC only)");
-        buildSSLKey(NULL, 0, &pwSpec->client.write_iv_item,
+        buildSSLKey(NULL, 0, &pwSpec->client.write_iv_item, \
                     "Client Write IV (MAC only)");
-        buildSSLKey(NULL, 0, &pwSpec->server.write_iv_item,
+        buildSSLKey(NULL, 0, &pwSpec->server.write_iv_item, \
                     "Server Write IV (MAC only)");
-    } else if (!isExport) {
+    }
+    else if (!isExport) {
         /*
         ** Generate Domestic write keys and IVs.
         ** client_write_key[CipherSpec.key_material]
         */
-        buildSSLKey(&key_block[i], keySize, &pwSpec->client.write_key_item,
+        buildSSLKey(&key_block[i], keySize, &pwSpec->client.write_key_item, \
                     "Domestic Client Write Key");
         i += keySize;
 
         /*
         ** server_write_key[CipherSpec.key_material]
         */
-        buildSSLKey(&key_block[i], keySize, &pwSpec->server.write_key_item,
+        buildSSLKey(&key_block[i], keySize, &pwSpec->server.write_key_item, \
                     "Domestic Server Write Key");
         i += keySize;
 
         if (IVSize > 0) {
             if (explicitIV) {
                 static unsigned char zero_block[32];
                 PORT_Assert(IVSize <= sizeof zero_block);
-                buildSSLKey(&zero_block[0], IVSize,
-                            &pwSpec->client.write_iv_item,
+                buildSSLKey(&zero_block[0], IVSize, \
+                            &pwSpec->client.write_iv_item, \
                             "Domestic Client Write IV");
-                buildSSLKey(&zero_block[0], IVSize,
-                            &pwSpec->server.write_iv_item,
+                buildSSLKey(&zero_block[0], IVSize, \
+                            &pwSpec->server.write_iv_item, \
                             "Domestic Server Write IV");
-            } else {
+            }
+            else {
                 /*
                 ** client_write_IV[CipherSpec.IV_size]
                 */
-                buildSSLKey(&key_block[i], IVSize,
-                            &pwSpec->client.write_iv_item,
+                buildSSLKey(&key_block[i], IVSize, \
+                            &pwSpec->client.write_iv_item, \
                             "Domestic Client Write IV");
                 i += IVSize;
 
                 /*
                 ** server_write_IV[CipherSpec.IV_size]
                 */
-                buildSSLKey(&key_block[i], IVSize,
-                            &pwSpec->server.write_iv_item,
+                buildSSLKey(&key_block[i], IVSize, \
+                            &pwSpec->server.write_iv_item, \
                             "Domestic Server Write IV");
                 i += IVSize;
             }
         }
         PORT_Assert(i <= block_bytes);
-    } else if (!isTLS) {
+    }
+    else if (!isTLS) {
         /*
         ** Generate SSL3 Export write keys and IVs.
         */
         unsigned int outLen;
 
         /*
         ** client_write_key[CipherSpec.key_material]
         ** final_client_write_key = MD5(client_write_key +
         **                   ClientHello.random + ServerHello.random);
         */
         MD5_Begin(md5Ctx);
         MD5_Update(md5Ctx, &key_block[i], effKeySize);
         MD5_Update(md5Ctx, crsr.data, crsr.len);
         MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
         i += effKeySize;
-        buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item,
+        buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item, \
                     "SSL3 Export Client Write Key");
         key_block2 += keySize;
 
         /*
         ** server_write_key[CipherSpec.key_material]
         ** final_server_write_key = MD5(server_write_key +
         **                    ServerHello.random + ClientHello.random);
         */
         MD5_Begin(md5Ctx);
         MD5_Update(md5Ctx, &key_block[i], effKeySize);
         MD5_Update(md5Ctx, srcr.data, srcr.len);
         MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
         i += effKeySize;
-        buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item,
+        buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item, \
                     "SSL3 Export Server Write Key");
         key_block2 += keySize;
         PORT_Assert(i <= block_bytes);
 
         if (IVSize) {
             /*
             ** client_write_IV =
             **  MD5(ClientHello.random + ServerHello.random);
             */
             MD5_Begin(md5Ctx);
             MD5_Update(md5Ctx, crsr.data, crsr.len);
             MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
-            buildSSLKey(key_block2, IVSize, &pwSpec->client.write_iv_item,
+            buildSSLKey(key_block2, IVSize, &pwSpec->client.write_iv_item, \
                         "SSL3 Export Client Write IV");
             key_block2 += IVSize;
 
             /*
             ** server_write_IV =
             **  MD5(ServerHello.random + ClientHello.random);
             */
             MD5_Begin(md5Ctx);
             MD5_Update(md5Ctx, srcr.data, srcr.len);
             MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
-            buildSSLKey(key_block2, IVSize, &pwSpec->server.write_iv_item,
+            buildSSLKey(key_block2, IVSize, &pwSpec->server.write_iv_item, \
                         "SSL3 Export Server Write IV");
             key_block2 += IVSize;
         }
 
         PORT_Assert(key_block2 - key_block <= sizeof pwSpec->key_block);
-    } else {
+    }
+    else {
         /*
         ** Generate TLS Export write keys and IVs.
         */
         SECItem secret;
         SECItem keyblk;
 
         secret.type = siBuffer;
         keyblk.type = siBuffer;
@@ -358,17 +364,17 @@ ssl3_KeyAndMacDeriveBypass(
         secret.len = effKeySize;
         i += effKeySize;
         keyblk.data = key_block2;
         keyblk.len = keySize;
         status = TLS_PRF(&secret, "client write key", &crsr, &keyblk, isFIPS);
         if (status != SECSuccess) {
             goto key_and_mac_derive_fail;
         }
-        buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item,
+        buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item, \
                     "TLS Export Client Write Key");
         key_block2 += keySize;
 
         /*
         ** server_write_key[CipherSpec.key_material]
         ** final_server_write_key = PRF(server_write_key,
         **                              "server write key",
         **                              client_random + server_random);
@@ -377,17 +383,17 @@ ssl3_KeyAndMacDeriveBypass(
         secret.len = effKeySize;
         i += effKeySize;
         keyblk.data = key_block2;
         keyblk.len = keySize;
         status = TLS_PRF(&secret, "server write key", &crsr, &keyblk, isFIPS);
         if (status != SECSuccess) {
             goto key_and_mac_derive_fail;
         }
-        buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item,
+        buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item, \
                     "TLS Export Server Write Key");
         key_block2 += keySize;
 
         /*
         ** iv_block = PRF("", "IV block", client_random + server_random);
         ** client_write_IV[SecurityParameters.IV_size]
         ** server_write_IV[SecurityParameters.IV_size]
         */
@@ -395,21 +401,21 @@ ssl3_KeyAndMacDeriveBypass(
             secret.data = NULL;
             secret.len = 0;
             keyblk.data = key_block2;
             keyblk.len = 2 * IVSize;
             status = TLS_PRF(&secret, "IV block", &crsr, &keyblk, isFIPS);
             if (status != SECSuccess) {
                 goto key_and_mac_derive_fail;
             }
-            buildSSLKey(key_block2, IVSize,
-                        &pwSpec->client.write_iv_item,
+            buildSSLKey(key_block2, IVSize, \
+                        &pwSpec->client.write_iv_item, \
                         "TLS Export Client Write IV");
-            buildSSLKey(key_block2 + IVSize, IVSize,
-                        &pwSpec->server.write_iv_item,
+            buildSSLKey(key_block2 + IVSize, IVSize, \
+                        &pwSpec->server.write_iv_item, \
                         "TLS Export Server Write IV");
             key_block2 += 2 * IVSize;
         }
         PORT_Assert(key_block2 - key_block <= sizeof pwSpec->key_block);
     }
     rv = SECSuccess;
 
 key_and_mac_derive_fail:
@@ -474,23 +480,25 @@ ssl3_MasterSecretDeriveBypass(
         SECItem master = { siBuffer, NULL, 0 };
 
         master.data = key_block;
         master.len = SSL3_MASTER_SECRET_LENGTH;
 
         if (isTLS12) {
             rv = TLS_P_hash(HASH_AlgSHA256, pms, "master secret", &crsr,
                             &master, isFIPS);
-        } else {
+        }
+        else {
             rv = TLS_PRF(pms, "master secret", &crsr, &master, isFIPS);
         }
         if (rv != SECSuccess) {
             PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
         }
-    } else {
+    }
+    else {
         int i;
         unsigned int made = 0;
         for (i = 0; i < 3; i++) {
             unsigned int outLen;
             unsigned char sha_out[SHA1_LENGTH];
 
             SHA1_Begin(shaCtx);
             SHA1_Update(shaCtx, (unsigned char *)mixers[i], i + 1);
@@ -539,17 +547,18 @@ ssl_canExtractMS(PK11SymKey *pms, PRBool
 
     if (isTLS) {
         if (isDH)
             master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
         else
             master_derive = CKM_TLS_MASTER_KEY_DERIVE;
         key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
         keyFlags = CKF_SIGN | CKF_VERIFY;
-    } else {
+    }
+    else {
         if (isDH)
             master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
         else
             master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
         key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
         keyFlags = 0;
     }
 
@@ -675,27 +684,29 @@ SSL_CanBypass(CERTCertificate *cert, SEC
      * exhausted or when the first MS extract--not derive--fails.
      */
     privKeytype = SECKEY_GetPrivateKeyType(srvPrivkey);
     protocolmask &= SSL_CBP_SSL3 | SSL_CBP_TLS1_0;
     while (protocolmask) {
         if (protocolmask & SSL_CBP_SSL3) {
             isTLS = PR_FALSE;
             protocolmask ^= SSL_CBP_SSL3;
-        } else {
+        }
+        else {
             isTLS = PR_TRUE;
             protocolmask ^= SSL_CBP_TLS1_0;
         }
 
         if (privKeytype == rsaKey && testrsa_export) {
             if (PK11_GetPrivateModulusLen(srvPrivkey) > EXPORT_RSA_KEY_LENGTH) {
                 *pcanbypass = PR_FALSE;
                 rv = SECSuccess;
                 break;
-            } else
+            }
+            else
                 testrsa = PR_TRUE;
         }
         for (; privKeytype == rsaKey && testrsa;) {
             /* TLS_RSA */
             unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
             unsigned int outLen = 0;
             CK_MECHANISM_TYPE target;
             SECStatus irv;
@@ -765,17 +776,18 @@ SSL_CanBypass(CERTCertificate *cert, SEC
             SECKEYPrivateKey *keapriv;
             SECKEYPublicKey *cpub = NULL; /* client's ephemeral ECDH keys */
             SECKEYPrivateKey *cpriv = NULL;
             SECKEYECParams *pecParams = NULL;
 
             if (privKeytype == ecKey && testecdhe) {
                 /* TLS_ECDHE_ECDSA */
                 pecParams = &srvPubkey->u.ec.DEREncodedParams;
-            } else if (privKeytype == rsaKey && testecdhe) {
+            }
+            else if (privKeytype == rsaKey && testecdhe) {
                 /* TLS_ECDHE_RSA */
                 ECName ec_curve;
                 int serverKeyStrengthInBits;
                 int signatureKeyStrength;
                 int requiredECCbits;
 
                 /* find a curve of equivalent strength to the RSA key's */
                 requiredECCbits = PK11_GetPrivateModulusLen(srvPrivkey);
@@ -813,17 +825,18 @@ SSL_CanBypass(CERTCertificate *cert, SEC
                     if (keapriv)
                         SECKEY_DestroyPrivateKey(keapriv);
                     if (keapub)
                         SECKEY_DestroyPublicKey(keapub);
                     PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
                     rv = SECFailure;
                     break;
                 }
-            } else {
+            }
+            else {
                 /* TLS_ECDH_ECDSA */
                 keapub = srvPubkey;
                 keapriv = srvPrivkey;
                 pecParams = &srvPubkey->u.ec.DEREncodedParams;
             }
 
             /* perform client side ops */
             /* generate a pair of ephemeral keys using server's parms */
--- a/security/nss/lib/ssl/dtlscon.c
+++ b/security/nss/lib/ssl/dtlscon.c
@@ -282,24 +282,26 @@ dtls_HandleHandshake(sslSocket *ss, sslB
                 ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
             }
 
             rv = ssl3_HandleHandshakeMessage(ss, buf.buf, ss->ssl3.hs.msg_len);
             if (rv == SECFailure) {
                 /* Do not attempt to process rest of messages in this record */
                 break;
             }
-        } else {
+        }
+        else {
             if (message_seq < ss->ssl3.hs.recvMessageSeq) {
                 /* Case 3: we do an immediate retransmit if we're
                  * in a waiting state*/
                 if (ss->ssl3.hs.rtTimerCb == NULL) {
                     /* Ignore */
-                } else if (ss->ssl3.hs.rtTimerCb ==
-                           dtls_RetransmitTimerExpiredCb) {
+                }
+                else if (ss->ssl3.hs.rtTimerCb ==
+                         dtls_RetransmitTimerExpiredCb) {
                     SSL_TRC(30, ("%d: SSL3[%d]: Retransmit detected",
                                  SSL_GETPID(), ss->fd));
                     /* Check to see if we retransmitted recently. If so,
                      * suppress the triggered retransmit. This avoids
                      * retransmit wars after packet loss.
                      * This is not in RFC 5346 but should be
                      */
                     if ((PR_IntervalNow() - ss->ssl3.hs.rtTimerStarted) >
@@ -309,48 +311,52 @@ dtls_HandleHandshake(sslSocket *ss, sslB
                                  SSL_GETPID(), ss->fd));
 
                         /* Cancel the timer and call the CB,
                          * which re-arms the timer */
                         dtls_CancelTimer(ss);
                         dtls_RetransmitTimerExpiredCb(ss);
                         rv = SECSuccess;
                         break;
-                    } else {
+                    }
+                    else {
                         SSL_TRC(30,
                                 ("%d: SSL3[%d]: We just retransmitted. Ignoring.",
                                  SSL_GETPID(), ss->fd));
                         rv = SECSuccess;
                         break;
                     }
-                } else if (ss->ssl3.hs.rtTimerCb == dtls_FinishedTimerCb) {
+                }
+                else if (ss->ssl3.hs.rtTimerCb == dtls_FinishedTimerCb) {
                     /* Retransmit the messages and re-arm the timer
                      * Note that we are not backing off the timer here.
                      * The spec isn't clear and my reasoning is that this
                      * may be a re-ordered packet rather than slowness,
                      * so let's be aggressive. */
                     dtls_CancelTimer(ss);
                     rv = dtls_TransmitMessageFlight(ss);
                     if (rv == SECSuccess) {
                         rv = dtls_StartTimer(ss, dtls_FinishedTimerCb);
                     }
                     if (rv != SECSuccess)
                         return rv;
                     break;
                 }
-            } else if (message_seq > ss->ssl3.hs.recvMessageSeq) {
+            }
+            else if (message_seq > ss->ssl3.hs.recvMessageSeq) {
                 /* Case 2
                  *
                  * Ignore this message. This means we don't handle out of
                  * order complete messages that well, but we're still
                  * compliant and this probably does not happen often
                  *
                  * XXX OK for now. Maybe do something smarter at some point?
                  */
-            } else {
+            }
+            else {
                 /* Case 1
                  *
                  * Buffer the fragment for reassembly
                  */
                 /* Make room for the message */
                 if (ss->ssl3.hs.recvdHighWater == -1) {
                     PRUint32 map_length = OFFSET_BYTE(message_length) + 1;
 
@@ -399,17 +405,18 @@ dtls_HandleHandshake(sslSocket *ss, sslB
                  * This avoids having to fill in the bitmask in the common
                  * case of adjacent fragments received in sequence
                  */
                 if (fragment_offset <= (unsigned int)ss->ssl3.hs.recvdHighWater) {
                     /* Either this is the adjacent fragment or an overlapping
                      * fragment */
                     ss->ssl3.hs.recvdHighWater = fragment_offset +
                                                  fragment_length;
-                } else {
+                }
+                else {
                     for (offset = fragment_offset;
                          offset < fragment_offset + fragment_length;
                          offset++) {
                         ss->ssl3.hs.recvdFragments.buf[OFFSET_BYTE(offset)] |=
                             OFFSET_MASK(offset);
                     }
                 }
 
@@ -417,17 +424,18 @@ dtls_HandleHandshake(sslSocket *ss, sslB
                 for (offset = ss->ssl3.hs.recvdHighWater;
                      offset < ss->ssl3.hs.msg_len; offset++) {
                     /* Note that this loop is not efficient, since it counts
                      * bit by bit. If we have a lot of out-of-order packets,
                      * we should optimize this */
                     if (ss->ssl3.hs.recvdFragments.buf[OFFSET_BYTE(offset)] &
                         OFFSET_MASK(offset)) {
                         ss->ssl3.hs.recvdHighWater++;
-                    } else {
+                    }
+                    else {
                         break;
                     }
                 }
 
                 /* If we have all the bytes, then we are good to go */
                 if (ss->ssl3.hs.recvdHighWater == ss->ssl3.hs.msg_len) {
                     ss->ssl3.hs.recvdHighWater = -1;
 
@@ -478,17 +486,18 @@ dtls_QueueMessage(sslSocket *ss, SSL3Con
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
 
     msg = dtls_AllocQueuedMessage(ss->ssl3.cwSpec->epoch, type, pIn, nIn);
 
     if (!msg) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         rv = SECFailure;
-    } else {
+    }
+    else {
         PR_APPEND_LINK(&msg->link, &ss->ssl3.hs.lastMessageFlight);
     }
 
     return rv;
 }
 
 /* Add DTLS handshake message to the pending queue
  * Empty the sendBuf buffer.
@@ -645,17 +654,18 @@ dtls_TransmitMessageFlight(sslSocket *ss
                 rv = SECFailure;
                 if (sent != -1) {
                     PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
                 }
                 break;
             }
 
             room_left = ss->ssl3.mtu - ss->pendingBuf.len;
-        } else {
+        }
+        else {
             /* The message will not fit, so fragment.
              *
              * XXX OK for now. Arrange to coalesce the last fragment
              * of this message with the next message if possible.
              * That would be more efficient.
              */
             PRUint32 fragment_offset = 0;
             unsigned char fragment[DTLS_MAX_MTU]; /* >= than largest
@@ -810,29 +820,32 @@ dtls_CompressMACEncryptRecord(sslSocket 
      */
     if (use_epoch) {
         if (ss->ssl3.cwSpec->epoch == epoch)
             cwSpec = ss->ssl3.cwSpec;
         else if (ss->ssl3.pwSpec->epoch == epoch)
             cwSpec = ss->ssl3.pwSpec;
         else
             cwSpec = NULL;
-    } else {
+    }
+    else {
         cwSpec = ss->ssl3.cwSpec;
     }
 
     if (cwSpec) {
         if (ss->ssl3.cwSpec->version < SSL_LIBRARY_VERSION_TLS_1_3) {
             rv = ssl3_CompressMACEncryptRecord(cwSpec, ss->sec.isServer, PR_TRUE,
                                                PR_FALSE, type, pIn, contentLen,
                                                wrBuf);
-        } else {
+        }
+        else {
             rv = tls13_ProtectRecord(ss, type, pIn, contentLen, wrBuf);
         }
-    } else {
+    }
+    else {
         PR_NOT_REACHED("Couldn't find a cipher spec matching epoch");
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
     }
     ssl_ReleaseSpecReadLock(ss); /************************************/
 
     return rv;
 }
 
@@ -1142,17 +1155,18 @@ DTLS_GetHandshakeTimeout(PRFileDesc *soc
     if (!ss->ssl3.hs.rtTimerCb)
         return SECFailure;
 
     elapsed = PR_IntervalNow() - ss->ssl3.hs.rtTimerStarted;
     desired = PR_MillisecondsToInterval(ss->ssl3.hs.rtTimeoutMs);
     if (elapsed > desired) {
         /* Timer expired */
         *timeout = PR_INTERVAL_NO_WAIT;
-    } else {
+    }
+    else {
         *timeout = desired - elapsed;
     }
 
     return SECSuccess;
 }
 
 /*
  * DTLS relevance checks:
--- a/security/nss/lib/ssl/os2_err.c
+++ b/security/nss/lib/ssl/os2_err.c
@@ -143,17 +143,17 @@ nss_MD_os2_map_recvfrom_error(PRInt32 er
     nss_MD_os2_map_default_error(err);
 }
 
 void
 nss_MD_os2_map_send_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
-        //     case WSAEMSGSIZE:  prError = PR_INVALID_ARGUMENT_ERROR; break;
+      //     case WSAEMSGSIZE:  prError = PR_INVALID_ARGUMENT_ERROR; break;
         default:
             nss_MD_os2_map_default_error(err);
             return;
     }
     PR_SetError(prError, err);
 }
 
 void
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -90,48 +90,37 @@ static SECStatus ssl3_AESGCMBypass(ssl3K
  * Important: See bug 946147 before enabling, reordering, or adding any cipher
  * suites to this list.
  */
 /* clang-format off */
 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
    /*      cipher_suite                     policy       enabled   isPresent */
 
 #ifndef NSS_DISABLE_ECC
-#ifdef __arm__
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-#endif /* __arm__ */
- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-#ifndef __arm__
- { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-#endif /* __arm__ */
    /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
     * bug 946147.
     */
  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
 #endif /* NSS_DISABLE_ECC */
 
-#ifdef __arm__
+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
-#endif /* __arm__ */
- { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-#ifndef __arm__
- { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
-#endif /* __arm__ */
  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_RSA_WITH_AE