Bug 1228410, land NSS 3.22 Beta 2, r=nss-confcall
authorKai Engert <kaie@kuix.de>
Mon, 25 Jan 2016 16:14:18 +0100
changeset 281486 7e763694e778c1b772f037ee567285aa99ad8347
parent 281485 7c02451fb069110be2981cf1ea4be345ac221166
child 281487 ee5f9f94e2117a328f5b719ce735ac3262c73096
push id29943
push userkwierso@gmail.com
push dateMon, 25 Jan 2016 21:17:15 +0000
treeherdermozilla-central@914dae86b192 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersnss-confcall
bugs1228410
milestone46.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1228410, land NSS 3.22 Beta 2, r=nss-confcall
security/nss/.clang-format
security/nss/TAG-INFO
security/nss/cmd/certutil/certutil.c
security/nss/cmd/certutil/keystuff.c
security/nss/cmd/checkcert/Makefile
security/nss/cmd/checkcert/checkcert.c
security/nss/cmd/checkcert/manifest.mn
security/nss/cmd/fipstest/fipstest.c
security/nss/cmd/lib/derprint.c
security/nss/cmd/lib/secutil.c
security/nss/cmd/libpkix/pkixutil/pkixutil.c
security/nss/cmd/makepqg/makepqg.c
security/nss/cmd/manifest.mn
security/nss/cmd/modutil/install-ds.c
security/nss/cmd/modutil/install-ds.h
security/nss/cmd/pk1sign/pk1sign.c
security/nss/cmd/platlibs.mk
security/nss/cmd/selfserv/selfserv.c
security/nss/cmd/tstclnt/tstclnt.c
security/nss/coreconf/WIN32.mk
security/nss/coreconf/Werror.mk
security/nss/coreconf/coreconf.dep
security/nss/external_tests/README
security/nss/external_tests/common/gtest.mk
security/nss/external_tests/common/scoped_ptrs.h
security/nss/external_tests/google_test/Makefile
security/nss/external_tests/manifest.mn
security/nss/external_tests/pk11_gtest/Makefile
security/nss/external_tests/pk11_gtest/manifest.mn
security/nss/external_tests/pk11_gtest/pk11_gtest.cc
security/nss/external_tests/pk11_gtest/pk11_pbkdf2_unittest.cc
security/nss/external_tests/pk11_gtest/pk11_prf_unittest.cc
security/nss/external_tests/pk11_gtest/pk11_rsapss_unittest.cc
security/nss/external_tests/ssl_gtest/Makefile
security/nss/external_tests/ssl_gtest/databuffer.h
security/nss/external_tests/ssl_gtest/manifest.mn
security/nss/external_tests/ssl_gtest/ssl_extension_unittest.cc
security/nss/external_tests/ssl_gtest/ssl_prf_unittest.cc
security/nss/external_tests/ssl_gtest/tls_agent.cc
security/nss/external_tests/ssl_gtest/tls_agent.h
security/nss/lib/Makefile
security/nss/lib/base/arena.c
security/nss/lib/base/base.h
security/nss/lib/base/baset.h
security/nss/lib/base/error.c
security/nss/lib/base/errorval.c
security/nss/lib/base/hash.c
security/nss/lib/base/hashops.c
security/nss/lib/base/item.c
security/nss/lib/base/libc.c
security/nss/lib/base/list.c
security/nss/lib/base/nssbase.h
security/nss/lib/base/nssbaset.h
security/nss/lib/base/tracker.c
security/nss/lib/base/utf8.c
security/nss/lib/certdb/alg1485.c
security/nss/lib/certdb/cert.h
security/nss/lib/certdb/certdb.c
security/nss/lib/certdb/certdb.h
security/nss/lib/certdb/certi.h
security/nss/lib/certdb/certt.h
security/nss/lib/certdb/certv3.c
security/nss/lib/certdb/certxutl.c
security/nss/lib/certdb/certxutl.h
security/nss/lib/certdb/crl.c
security/nss/lib/certdb/genname.c
security/nss/lib/certdb/genname.h
security/nss/lib/certdb/polcyxtn.c
security/nss/lib/certdb/secname.c
security/nss/lib/certdb/stanpcertdb.c
security/nss/lib/certdb/xauthkid.c
security/nss/lib/certdb/xbsconst.c
security/nss/lib/certdb/xconst.c
security/nss/lib/certdb/xconst.h
security/nss/lib/certhigh/certhigh.c
security/nss/lib/certhigh/certhtml.c
security/nss/lib/certhigh/certreq.c
security/nss/lib/certhigh/certvfy.c
security/nss/lib/certhigh/certvfypkix.c
security/nss/lib/certhigh/crlv2.c
security/nss/lib/certhigh/ocsp.c
security/nss/lib/certhigh/ocsp.h
security/nss/lib/certhigh/ocspi.h
security/nss/lib/certhigh/ocspsig.c
security/nss/lib/certhigh/ocspt.h
security/nss/lib/certhigh/ocspti.h
security/nss/lib/certhigh/xcrldist.c
security/nss/lib/ckfw/builtins/anchor.c
security/nss/lib/ckfw/builtins/bfind.c
security/nss/lib/ckfw/builtins/binst.c
security/nss/lib/ckfw/builtins/bobject.c
security/nss/lib/ckfw/builtins/bsession.c
security/nss/lib/ckfw/builtins/bslot.c
security/nss/lib/ckfw/builtins/btoken.c
security/nss/lib/ckfw/builtins/builtins.h
security/nss/lib/ckfw/builtins/ckbiver.c
security/nss/lib/ckfw/builtins/constants.c
security/nss/lib/ckfw/builtins/nssckbi.h
security/nss/lib/ckfw/capi/anchor.c
security/nss/lib/ckfw/capi/cfind.c
security/nss/lib/ckfw/capi/cinst.c
security/nss/lib/ckfw/capi/ckcapi.h
security/nss/lib/ckfw/capi/ckcapiver.c
security/nss/lib/ckfw/capi/cobject.c
security/nss/lib/ckfw/capi/constants.c
security/nss/lib/ckfw/capi/crsa.c
security/nss/lib/ckfw/capi/csession.c
security/nss/lib/ckfw/capi/cslot.c
security/nss/lib/ckfw/capi/ctoken.c
security/nss/lib/ckfw/capi/nsscapi.h
security/nss/lib/ckfw/capi/staticobj.c
security/nss/lib/ckfw/ckfw.h
security/nss/lib/ckfw/ckfwm.h
security/nss/lib/ckfw/ckfwtm.h
security/nss/lib/ckfw/ckmd.h
security/nss/lib/ckfw/crypto.c
security/nss/lib/ckfw/dbm/anchor.c
security/nss/lib/ckfw/dbm/ckdbm.h
security/nss/lib/ckfw/dbm/db.c
security/nss/lib/ckfw/dbm/find.c
security/nss/lib/ckfw/dbm/instance.c
security/nss/lib/ckfw/dbm/object.c
security/nss/lib/ckfw/dbm/session.c
security/nss/lib/ckfw/dbm/slot.c
security/nss/lib/ckfw/dbm/token.c
security/nss/lib/ckfw/find.c
security/nss/lib/ckfw/hash.c
security/nss/lib/ckfw/instance.c
security/nss/lib/ckfw/mechanism.c
security/nss/lib/ckfw/mutex.c
security/nss/lib/ckfw/nssckfw.h
security/nss/lib/ckfw/nssckfwc.h
security/nss/lib/ckfw/nssckfwt.h
security/nss/lib/ckfw/nssckmdt.h
security/nss/lib/ckfw/nssckt.h
security/nss/lib/ckfw/nssmkey/ckmk.h
security/nss/lib/ckfw/nssmkey/ckmkver.c
security/nss/lib/ckfw/nssmkey/manchor.c
security/nss/lib/ckfw/nssmkey/mconstants.c
security/nss/lib/ckfw/nssmkey/mfind.c
security/nss/lib/ckfw/nssmkey/minst.c
security/nss/lib/ckfw/nssmkey/mobject.c
security/nss/lib/ckfw/nssmkey/mrsa.c
security/nss/lib/ckfw/nssmkey/msession.c
security/nss/lib/ckfw/nssmkey/mslot.c
security/nss/lib/ckfw/nssmkey/mtoken.c
security/nss/lib/ckfw/nssmkey/nssmkey.h
security/nss/lib/ckfw/nssmkey/staticobj.c
security/nss/lib/ckfw/object.c
security/nss/lib/ckfw/session.c
security/nss/lib/ckfw/sessobj.c
security/nss/lib/ckfw/slot.c
security/nss/lib/ckfw/token.c
security/nss/lib/ckfw/wrap.c
security/nss/lib/crmf/asn1cmn.c
security/nss/lib/crmf/challcli.c
security/nss/lib/crmf/cmmf.h
security/nss/lib/crmf/cmmfasn1.c
security/nss/lib/crmf/cmmfchal.c
security/nss/lib/crmf/cmmfi.h
security/nss/lib/crmf/cmmfit.h
security/nss/lib/crmf/cmmfrec.c
security/nss/lib/crmf/cmmfresp.c
security/nss/lib/crmf/cmmft.h
security/nss/lib/crmf/crmf.h
security/nss/lib/crmf/crmfcont.c
security/nss/lib/crmf/crmfdec.c
security/nss/lib/crmf/crmfenc.c
security/nss/lib/crmf/crmffut.h
security/nss/lib/crmf/crmfget.c
security/nss/lib/crmf/crmfi.h
security/nss/lib/crmf/crmfit.h
security/nss/lib/crmf/crmfpop.c
security/nss/lib/crmf/crmfreq.c
security/nss/lib/crmf/crmft.h
security/nss/lib/crmf/crmftmpl.c
security/nss/lib/crmf/encutil.c
security/nss/lib/crmf/respcli.c
security/nss/lib/crmf/respcmn.c
security/nss/lib/crmf/servget.c
security/nss/lib/cryptohi/cryptohi.h
security/nss/lib/cryptohi/cryptoht.h
security/nss/lib/cryptohi/dsautil.c
security/nss/lib/cryptohi/keyhi.h
security/nss/lib/cryptohi/keyi.h
security/nss/lib/cryptohi/keythi.h
security/nss/lib/cryptohi/sechash.c
security/nss/lib/cryptohi/sechash.h
security/nss/lib/cryptohi/seckey.c
security/nss/lib/cryptohi/secsign.c
security/nss/lib/cryptohi/secvfy.c
security/nss/lib/freebl/ecl/ec_naf.c
security/nss/lib/freebl/ecl/ecp_256_32.c
security/nss/lib/freebl/ecl/ecp_aff.c
security/nss/lib/freebl/mpi/mpi.c
security/nss/lib/freebl/mpi/mpmontg.c
security/nss/lib/freebl/mpi/mpprime.c
security/nss/lib/freebl/rijndael.c
security/nss/lib/freebl/rsa.c
security/nss/lib/libpkix/pkix/util/pkix_tools.h
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
security/nss/lib/manifest.mn
security/nss/lib/nss/nss.def
security/nss/lib/nss/nss.h
security/nss/lib/nss/nssoptions.c
security/nss/lib/pk11wrap/pk11obj.c
security/nss/lib/pk11wrap/pk11pars.c
security/nss/lib/pk11wrap/pk11pbe.c
security/nss/lib/pk11wrap/pk11pub.h
security/nss/lib/pk11wrap/pk11util.c
security/nss/lib/pk11wrap/secmodi.h
security/nss/lib/pkcs7/secmime.c
security/nss/lib/pki/certificate.c
security/nss/lib/pki/pki3hack.c
security/nss/lib/smime/cmscipher.c
security/nss/lib/smime/smimeutil.c
security/nss/lib/softoken/fipstest.c
security/nss/lib/softoken/legacydb/lowcert.c
security/nss/lib/softoken/legacydb/lowkey.c
security/nss/lib/softoken/legacydb/pcertdb.c
security/nss/lib/softoken/lowkey.c
security/nss/lib/softoken/lowpbe.c
security/nss/lib/softoken/lowpbe.h
security/nss/lib/softoken/pkcs11c.c
security/nss/lib/softoken/sftkpars.c
security/nss/lib/softoken/sftkpwd.c
security/nss/lib/softoken/softkver.h
security/nss/lib/ssl/dtlscon.c
security/nss/lib/ssl/ssl.def
security/nss/lib/ssl/ssl.h
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ecc.c
security/nss/lib/ssl/ssl3ext.c
security/nss/lib/ssl/sslcon.c
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/sslinfo.c
security/nss/lib/ssl/sslinit.c
security/nss/lib/ssl/sslnonce.c
security/nss/lib/ssl/sslsock.c
security/nss/lib/ssl/sslt.h
security/nss/lib/sysinit/nsssysinit.c
security/nss/lib/util/dertime.c
security/nss/lib/util/nssutil.h
security/nss/lib/util/pkcs11t.h
security/nss/lib/util/secoid.c
security/nss/lib/util/secoidt.h
security/nss/lib/util/templates.c
security/nss/lib/util/utilmod.c
security/nss/lib/util/utilpars.c
security/nss/lib/util/utilpars.h
security/nss/tests/all.sh
security/nss/tests/common/init.sh
security/nss/tests/common/parsegtestreport.sed
security/nss/tests/pk11_gtests/pk11_gtests.sh
security/nss/tests/ssl/ssl.sh
security/nss/tests/ssl/sslpolicy.txt
security/nss/tests/ssl_gtests/parsereport.sed
security/nss/tests/ssl_gtests/ssl_gtests.sh
new file mode 100644
--- /dev/null
+++ b/security/nss/.clang-format
@@ -0,0 +1,64 @@
+---
+Language:        Cpp
+# BasedOnStyle:  Mozilla
+AccessModifierOffset: -2
+AlignAfterOpenBracket: true
+AlignEscapedNewlinesLeft: false
+AlignOperands:   true
+AlignTrailingComments: true
+AllowAllParametersOfDeclarationOnNextLine: false
+AllowShortBlocksOnASingleLine: false
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortIfStatementsOnASingleLine: false
+AllowShortLoopsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: All
+AlwaysBreakAfterDefinitionReturnType: true
+AlwaysBreakTemplateDeclarations: false
+AlwaysBreakBeforeMultilineStrings: false
+BreakBeforeBinaryOperators: None
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializersBeforeComma: false
+BinPackParameters: true
+BinPackArguments: true
+ColumnLimit:     0
+ConstructorInitializerAllOnOneLineOrOnePerLine: true
+ConstructorInitializerIndentWidth: 4
+DerivePointerAlignment: true
+ExperimentalAutoDetectBinPacking: false
+IndentCaseLabels: true
+IndentWrappedFunctionNames: false
+IndentFunctionDeclarationAfterType: false
+MaxEmptyLinesToKeep: 1
+KeepEmptyLinesAtTheStartOfBlocks: true
+NamespaceIndentation: None
+ObjCBlockIndentWidth: 2
+ObjCSpaceAfterProperty: true
+ObjCSpaceBeforeProtocolList: false
+PenaltyBreakBeforeFirstCallParameter: 19
+PenaltyBreakComment: 300
+PenaltyBreakString: 1000
+PenaltyBreakFirstLessLess: 120
+PenaltyExcessCharacter: 1000000
+PenaltyReturnTypeOnItsOwnLine: 200
+PointerAlignment: Right
+SpacesBeforeTrailingComments: 1
+Cpp11BracedListStyle: false
+Standard:        Cpp03
+IndentWidth:     4
+TabWidth:        8
+UseTab:          Never
+BreakBeforeBraces: Linux
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+SpacesInAngles:  false
+SpaceInEmptyParentheses: false
+SpacesInCStyleCastParentheses: false
+SpaceAfterCStyleCast: false
+SpacesInContainerLiterals: true
+SpaceBeforeAssignmentOperators: true
+ContinuationIndentWidth: 4
+CommentPragmas:  '^ IWYU pragma:'
+ForEachMacros:   [ foreach, Q_FOREACH, BOOST_FOREACH ]
+SpaceBeforeParens: ControlStatements
+DisableFormat:   false
+...
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_21_RTM
+NSS_3_22_BETA2
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -3491,16 +3491,19 @@ shutdown:
 	PR_Close(outFile);
     }
     SECITEM_FreeItem(&certReqDER, PR_FALSE);
     SECITEM_FreeItem(&certDER, PR_FALSE);
     if (pwdata.data && pwdata.source == PW_PLAINTEXT) {
 	/* Allocated by a PL_strdup call in SECU_GetModulePassword. */
 	PL_strfree(pwdata.data);
     }
+    if (email) {
+	PL_strfree(email);
+    }
 
     /* Open the batch command file.
      *
      * - If -B <command line> option is specified, the contents in the
      * command file will be interpreted as subsequent certutil
      * commands to be executed in the current certutil process
      * context after the current certutil command has been executed.
      * - Each line in the command file consists of the command
--- a/security/nss/cmd/certutil/keystuff.c
+++ b/security/nss/cmd/certutil/keystuff.c
@@ -37,17 +37,17 @@ extern char *sys_errlist[];
 
 #define ERROR_BREAK rv = SECFailure;break;
 
 const SEC_ASN1Template SECKEY_PQGParamsTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) },
-    { 0, }
+    { 0 }
 };
 
 /* returns 0 for success, -1 for failure (EOF encountered) */
 static int
 UpdateRNG(void)
 {
     char           randbuf[RAND_BUF_SIZE];
     int            fd,  count;
deleted file mode 100644
--- a/security/nss/cmd/checkcert/Makefile
+++ /dev/null
@@ -1,48 +0,0 @@
-#! gmake
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
-include ../platrules.mk
-
deleted file mode 100644
--- a/security/nss/cmd/checkcert/checkcert.c
+++ /dev/null
@@ -1,575 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "secutil.h"
-#include "plgetopt.h"
-#include "cert.h"
-#include "secoid.h"
-#include "cryptohi.h"
-
-/* maximum supported modulus length in bits (indicate problem if over this) */
-#define MAX_MODULUS (1024)
-
-
-static void Usage(char *progName)
-{
-    fprintf(stderr, "Usage: %s [aAvf] [certtocheck] [issuingcert]\n",
-	    progName);
-    fprintf(stderr, "%-20s Cert to check is base64 encoded\n",
-	    "-a");
-    fprintf(stderr, "%-20s Issuer's cert is base64 encoded\n",
-	    "-A");
-    fprintf(stderr, "%-20s Verbose (indicate decoding progress etc.)\n",
-	    "-v");
-    fprintf(stderr, "%-20s Force sanity checks even if pretty print fails.\n",
-	    "-f");
-    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
-	    "-o output");
-    fprintf(stderr, "%-20s Specify the input type (no default)\n",
-	    "-t type");
-    exit(-1);
-}
-
-
-/*
- * Check integer field named fieldName, printing out results and
- * returning the length of the integer in bits
- */   
-
-static
-int checkInteger(SECItem *intItem, char *fieldName, int verbose) 
-{
-    int len, bitlen;
-    if (verbose) {
-	printf("Checking %s\n", fieldName);
-    }
-
-    len = intItem->len;
-
-    if (len && (intItem->data[0] & 0x80)) {
-	printf("PROBLEM: %s is NEGATIVE 2's-complement integer.\n",
-	       fieldName);
-    }
-
-
-    /* calculate bit length and check for unnecessary leading zeros */
-    bitlen = len << 3;
-    if (len > 1 && intItem->data[0] == 0) {
-	/* leading zero byte(s) */
-	if (!(intItem->data[1] & 0x80)) {
-	    printf("PROBLEM: %s has unneeded leading zeros.  Violates DER.\n",
-		   fieldName);
-	}
-	/* strip leading zeros in length calculation */
-	{
-	    int i=0;
-	    while (bitlen > 8 && intItem->data[i] == 0) {
-		bitlen -= 8;
-		i++;
-	    }
-	}
-    }
-    return bitlen;
-}
-
-
-
-
-static
-void checkName(CERTName *n, char *fieldName, int verbose)
-{
-    char *v=0;
-    if (verbose) {
-	printf("Checking %s\n", fieldName);
-    }
-
-    v = CERT_GetCountryName(n);
-    if (!v) {
-	printf("PROBLEM: %s lacks Country Name (C)\n",
-	       fieldName);
-    }
-    PORT_Free(v);
-
-    v = CERT_GetOrgName(n);
-    if (!v) {
-	printf("PROBLEM: %s lacks Organization Name (O)\n",
-	       fieldName);
-    }
-    PORT_Free(v);
-
-    v = CERT_GetOrgUnitName(n);
-    if (!v) {
-	printf("WARNING: %s lacks Organization Unit Name (OU)\n",
-	       fieldName);
-    }
-    PORT_Free(v);	
-
-    v = CERT_GetCommonName(n);
-    if (!v) {
-	printf("PROBLEM: %s lacks Common Name (CN)\n",
-	       fieldName);
-    }
-    PORT_Free(v);
-}
-
-
-static
-SECStatus
-OurVerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
-	      SECItem *sig, SECAlgorithmID *sigAlgorithm)
-{
-    SECStatus rv;
-    VFYContext *cx;
-    SECOidData *sigAlgOid, *oiddata;
-    SECOidTag hashAlgTag;
-    int showDigestOid=0;
-
-    cx = VFY_CreateContextWithAlgorithmID(key, sig, sigAlgorithm, &hashAlgTag, 
-                                          NULL);
-    if (cx == NULL)
-	return SECFailure;
-
-    sigAlgOid = SECOID_FindOID(&sigAlgorithm->algorithm);
-    if (sigAlgOid == 0)
-	return SECFailure;
-
-    if (showDigestOid) {
-	oiddata = SECOID_FindOIDByTag(hashAlgTag);
-	if ( oiddata ) {
-	    printf("PROBLEM: (cont) Digest OID is %s\n", oiddata->desc);
-	} else {
-	    SECU_PrintAsHex(stdout,
-			    &oiddata->oid, "PROBLEM: UNKNOWN OID", 0);
-	}
-    }
-
-    rv = VFY_Begin(cx);
-    if (rv == SECSuccess) {
-	rv = VFY_Update(cx, buf, len);
-	if (rv == SECSuccess)
-	    rv = VFY_End(cx);
-    }
-
-    VFY_DestroyContext(cx, PR_TRUE);
-    return rv;
-}
-
-
-
-static
-SECStatus
-OurVerifySignedData(CERTSignedData *sd, CERTCertificate *cert)
-{
-    SECItem sig;
-    SECKEYPublicKey *pubKey = 0;
-    SECStatus rv;
-
-    /* check the certificate's validity */
-    rv = CERT_CertTimesValid(cert);
-    if ( rv ) {
-	return(SECFailure);
-    }
-
-    /* get cert's public key */
-    pubKey = CERT_ExtractPublicKey(cert);
-    if ( !pubKey ) {
-	return(SECFailure);
-    }
-
-    /* check the signature */
-    sig = sd->signature;
-    DER_ConvertBitString(&sig);
-    rv = OurVerifyData(sd->data.data, sd->data.len, pubKey, &sig,
-		       &sd->signatureAlgorithm);
-
-    SECKEY_DestroyPublicKey(pubKey);
-
-    if ( rv ) {
-	return(SECFailure);
-    }
-
-    return(SECSuccess);
-}
-
-
-
-
-static
-CERTCertificate *createEmptyCertificate(void)
-{
-    PLArenaPool *arena = 0;
-    CERTCertificate *c = 0;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena ) {
-	return 0;
-    }
-
-
-    c = (CERTCertificate *) PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
-
-    if (c) {
-	c->referenceCount = 1;
-	c->arena = arena;
-    } else {
-	PORT_FreeArena(arena,PR_TRUE);
-    }
-
-    return c;
-}
-
-
-int main(int argc, char **argv)
-{
-    int verbose=0, force=0;
-    int ascii=0, issuerAscii=0;
-    char *progName=0;
-    PRFileDesc *inFile=0, *issuerCertFile=0;
-    SECItem derCert, derIssuerCert;
-    PLArenaPool *arena=0;
-    CERTSignedData *signedData=0;
-    CERTCertificate *cert=0, *issuerCert=0;
-    SECKEYPublicKey *rsapubkey=0;
-    SECAlgorithmID md5WithRSAEncryption, md2WithRSAEncryption;
-    SECAlgorithmID sha1WithRSAEncryption, rsaEncryption;
-    SECItem spk;
-    int selfSigned=0;
-    int invalid=0;
-    char *inFileName = NULL, *issuerCertFileName = NULL;
-    PLOptState *optstate;
-    PLOptStatus status;
-    SECStatus rv;
-
-    PORT_Memset(&md5WithRSAEncryption, 0, sizeof(md5WithRSAEncryption));
-    PORT_Memset(&md2WithRSAEncryption, 0, sizeof(md2WithRSAEncryption));
-    PORT_Memset(&sha1WithRSAEncryption, 0, sizeof(sha1WithRSAEncryption));
-    PORT_Memset(&rsaEncryption, 0, sizeof(rsaEncryption));
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    optstate = PL_CreateOptState(argc, argv, "aAvf");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case 'v':
-	    verbose = 1;
-	    break;
-
-	  case 'f':
-	    force = 1;
-	    break;
-
-	  case 'a':
-	    ascii = 1;
-	    break;
-
-	  case 'A':
-	    issuerAscii = 1;
-	    break;
-
-	  case '\0':
-	    if (!inFileName)
-		inFileName = PL_strdup(optstate->value);
-	    else if (!issuerCertFileName)
-		issuerCertFileName = PL_strdup(optstate->value);
-	    else
-		Usage(progName);
-	    break;
-	}
-    }
-
-    if (!inFileName || !issuerCertFileName || status == PL_OPT_BAD) {
-	/* insufficient or excess args */
-	Usage(progName);
-    }
-
-    inFile = PR_Open(inFileName, PR_RDONLY, 0);
-    if (!inFile) {
-	fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-	                 progName, inFileName);
-	exit(1);
-    }
-
-    issuerCertFile = PR_Open(issuerCertFileName, PR_RDONLY, 0);
-    if (!issuerCertFile) {
-	fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-	                 progName, issuerCertFileName);
-	exit(1);
-    }
-
-    if (SECU_ReadDERFromFile(&derCert, inFile, ascii, PR_FALSE) != SECSuccess) {
-	printf("Couldn't read input certificate as DER binary or base64\n");
-	exit(1);
-    }
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == 0) {
-	fprintf(stderr,"%s: can't allocate scratch arena!", progName);
-	exit(1);
-    }
-
-    if (issuerCertFile) {
-	CERTSignedData *issuerCertSD=0;
-	if (SECU_ReadDERFromFile(&derIssuerCert, issuerCertFile, issuerAscii,
-	                         PR_FALSE) != SECSuccess) {
-	    printf("Couldn't read issuer certificate as DER binary or base64.\n");
-	    exit(1);
-	}
-	issuerCertSD = PORT_ArenaZNew(arena, CERTSignedData);
-	if (!issuerCertSD) {
-	    fprintf(stderr,"%s: can't allocate issuer signed data!", progName);
-	    exit(1);
-	}
-	rv = SEC_ASN1DecodeItem(arena, issuerCertSD, 
-	                        SEC_ASN1_GET(CERT_SignedDataTemplate),
-				&derIssuerCert);
-	if (rv) {
-	    fprintf(stderr, "%s: Issuer cert isn't X509 SIGNED Data?\n",
-		    progName);
-	    exit(1);
-	}
-	issuerCert = createEmptyCertificate();
-	if (!issuerCert) {
-	    printf("%s: can't allocate space for issuer cert.", progName);
-	    exit(1);
-	}
-	rv = SEC_ASN1DecodeItem(arena, issuerCert, 
-	                    SEC_ASN1_GET(CERT_CertificateTemplate),
-			    &issuerCertSD->data);
-	if (rv) {
-	    printf("%s: Does not appear to be an X509 Certificate.\n",
-		   progName);
-	    exit(1);
-	}
-    }
-
-    signedData =  PORT_ArenaZNew(arena,CERTSignedData);
-    if (!signedData) {
-	fprintf(stderr,"%s: can't allocate signedData!", progName);
-	exit(1);
-    }
-
-    rv = SEC_ASN1DecodeItem(arena, signedData, 
-                            SEC_ASN1_GET(CERT_SignedDataTemplate), 
-			    &derCert);
-    if (rv) {
-	fprintf(stderr, "%s: Does not appear to be X509 SIGNED Data.\n",
-		progName);
-	exit(1);
-    }
-
-    if (verbose) {
-	printf("Decoded ok as X509 SIGNED data.\n");
-    }
-
-    cert = createEmptyCertificate();
-    if (!cert) {
-	fprintf(stderr, "%s: can't allocate cert", progName);
-	exit(1);
-    }
-
-    rv = SEC_ASN1DecodeItem(arena, cert, 
-                        SEC_ASN1_GET(CERT_CertificateTemplate), 
-			&signedData->data);
-    if (rv) {
-	fprintf(stderr, "%s: Does not appear to be an X509 Certificate.\n",
-		progName);
-	exit(1);
-    }
-
-
-    if (verbose) {
-	printf("Decoded ok as an X509 certificate.\n");
-    }
-
-    SECU_RegisterDynamicOids();
-    rv = SECU_PrintSignedData(stdout, &derCert, "Certificate", 0,
-			      (SECU_PPFunc)SECU_PrintCertificate);
-
-    if (rv) {
-	fprintf(stderr, "%s: Unable to pretty print cert. Error: %d\n",
-		progName, PORT_GetError());
-	if (!force) {
-	    exit(1);
-	}
-    }
-
-
-    /* Do various checks on the cert */
-
-    printf("\n");
-
-    /* Check algorithms */
-    rv = SECOID_SetAlgorithmID(arena, &md5WithRSAEncryption,
-		       SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION, NULL);
-    if (rv) {
-	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION.\n",
-                progName);
-	exit(1);
-    }
-
-    rv = SECOID_SetAlgorithmID(arena, &md2WithRSAEncryption,
-		       SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION, NULL);
-    if (rv) {
-	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION.\n",
-                progName);
-	exit(1);
-    }
-
-    rv = SECOID_SetAlgorithmID(arena, &sha1WithRSAEncryption,
-		       SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, NULL);
-    if (rv) {
-	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION.\n",
-                progName);
-	exit(1);
-    }
-
-    rv = SECOID_SetAlgorithmID(arena, &rsaEncryption,
-		       SEC_OID_PKCS1_RSA_ENCRYPTION, NULL);
-    if (rv) {
-	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_RSA_ENCRYPTION.\n",
-                progName);
-	exit(1);
-    }
-
-    {
-	int isMD5RSA = (SECOID_CompareAlgorithmID(&cert->signature,
-					       &md5WithRSAEncryption) == 0);
-	int isMD2RSA = (SECOID_CompareAlgorithmID(&cert->signature,
-					       &md2WithRSAEncryption) == 0);
-	int isSHA1RSA = (SECOID_CompareAlgorithmID(&cert->signature,
-					       &sha1WithRSAEncryption) == 0);
-
-	if (verbose) {
-	    printf("\nDoing algorithm checks.\n");
-	}
-
-	if (!(isMD5RSA || isMD2RSA || isSHA1RSA)) {
-	    printf("PROBLEM: Signature not PKCS1 MD5, MD2, or SHA1 + RSA.\n");
-	} else if (!isMD5RSA) {
-	    printf("WARNING: Signature not PKCS1 MD5 with RSA Encryption\n");
-	}
-
-	if (SECOID_CompareAlgorithmID(&cert->signature,
-				   &signedData->signatureAlgorithm)) {
-	    printf("PROBLEM: Algorithm in sig and certInfo don't match.\n");
-	}
-    }
-
-    if (SECOID_CompareAlgorithmID(&cert->subjectPublicKeyInfo.algorithm,
-			       &rsaEncryption)) {
-	printf("PROBLEM: Public key algorithm is not PKCS1 RSA Encryption.\n");
-    }
-
-    /* Check further public key properties */
-    spk = cert->subjectPublicKeyInfo.subjectPublicKey;
-    DER_ConvertBitString(&spk);
-
-    if (verbose) {
-	printf("\nsubjectPublicKey DER\n");
-	rv = DER_PrettyPrint(stdout, &spk, PR_FALSE);
-	printf("\n");
-    }
-
-    rsapubkey = (SECKEYPublicKey *) 
-	             PORT_ArenaZAlloc(arena,sizeof(SECKEYPublicKey));
-    if (!rsapubkey) {
-	fprintf(stderr, "%s: rsapubkey allocation failed.\n", progName);
-	exit(1);
-    }
-
-    rv = SEC_ASN1DecodeItem(arena, rsapubkey, 
-                            SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate), &spk);
-    if (rv) {
-	printf("PROBLEM: subjectPublicKey is not a DER PKCS1 RSAPublicKey.\n");
-    } else {
-	int mlen;
-	int pubexp;
-	if (verbose) {
-	    printf("Decoded RSA Public Key ok.  Doing key checks.\n");
-	}
-	PORT_Assert(rsapubkey->keyType == rsaKey); /* XXX RSA */
-	mlen = checkInteger(&rsapubkey->u.rsa.modulus, "Modulus", verbose);
-	printf("INFO: Public Key modulus length in bits: %d\n", mlen);
-	if (mlen > MAX_MODULUS) {
-	    printf("PROBLEM: Modulus length exceeds %d bits.\n",
-		   MAX_MODULUS);
-	}
-	if (mlen < 512) {
-	    printf("WARNING: Short modulus.\n");
-	}
-	if (mlen != (1 << (ffs(mlen)-1))) {
-	    printf("WARNING: Unusual modulus length (not a power of two).\n");
-	}
-	checkInteger(&rsapubkey->u.rsa.publicExponent, "Public Exponent",
-                     verbose);
-	pubexp = DER_GetInteger(&rsapubkey->u.rsa.publicExponent);
-	if (pubexp != 17 && pubexp != 3 && pubexp != 65537) {
-	    printf("WARNING: Public exponent not any of: 3, 17, 65537\n");
-	}
-    }
-
-
-    /* Name checks */
-    checkName(&cert->issuer, "Issuer Name", verbose);
-    checkName(&cert->subject, "Subject Name", verbose);
-
-    if (issuerCert) {
-	SECComparison c =
-	    CERT_CompareName(&cert->issuer, &issuerCert->subject);
-	if (c) {
-         printf("PROBLEM: Issuer Name and Subject in Issuing Cert differ\n");
-        }
-    }
-
-    /* Check if self-signed */
-    selfSigned = (CERT_CompareName(&cert->issuer, &cert->subject) == 0);
-    if (selfSigned) {
-	printf("INFO: Certificate is self signed.\n");
-    } else {
-	printf("INFO: Certificate is NOT self-signed.\n");
-    }
-
-
-    /* Validity time check */
-    if (CERT_CertTimesValid(cert) == SECSuccess) {
-	printf("INFO: Inside validity period of certificate.\n");
-    } else {
-	printf("PROBLEM: Not in validity period of certificate.\n");
-	invalid = 1;
-    }
-
-    /* Signature check if self-signed */
-    if (selfSigned && !invalid) {
-	if (rsapubkey->u.rsa.modulus.len) {
-	    SECStatus ver;
-	    if (verbose) {
-		printf("Checking self signature.\n");
-	    }
-	    ver = OurVerifySignedData(signedData, cert);
-	    if (ver != SECSuccess) {
-		printf("PROBLEM: Verification of self-signature failed!\n");
-	    } else {
-		printf("INFO: Self-signature verifies ok.\n");
-	    }
-	} else {
-	    printf("INFO: Not checking signature due to key problems.\n");
-	}
-    } else if (!selfSigned && !invalid && issuerCert) {
-	SECStatus ver;
-	ver = OurVerifySignedData(signedData, issuerCert);
-	if (ver != SECSuccess) {
-	    printf("PROBLEM: Verification of issuer's signature failed!\n");
-	} else {
-	    printf("INFO: Issuer's signature verifies ok.\n");
-	}
-    } else {
-	printf("INFO: Not checking signature.\n");
-    }
-
-    return 0;    
-}
-
-
-
deleted file mode 100644
--- a/security/nss/cmd/checkcert/manifest.mn
+++ /dev/null
@@ -1,19 +0,0 @@
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-CORE_DEPTH	= ../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-REQUIRES = seccmd dbm 
-
-DEFINES = -DNSPR20
-
-CSRCS = checkcert.c
-
-PROGRAM	= checkcert
--- a/security/nss/cmd/fipstest/fipstest.c
+++ b/security/nss/cmd/fipstest/fipstest.c
@@ -5339,19 +5339,19 @@ rsa_siggen_test(char *reqfn)
 
             unsigned char msg[128]; /* MAX msg 128 */
             unsigned int rsa_bytes_signed;
             unsigned char rsa_computed_signature[RSA_MAX_TEST_MODULUS_BYTES];
             SECStatus       rv = SECFailure;
             NSSLOWKEYPublicKey  * rsa_public_key;
             NSSLOWKEYPrivateKey * rsa_private_key;
             NSSLOWKEYPrivateKey   low_RSA_private_key = { NULL,
-                                                NSSLOWKEYRSAKey, };
+                                                NSSLOWKEYRSAKey };
             NSSLOWKEYPublicKey    low_RSA_public_key = { NULL,
-                                                NSSLOWKEYRSAKey, };
+                                                NSSLOWKEYRSAKey };
 
             low_RSA_private_key.u.rsa = *rsaBlapiPrivKey;
             low_RSA_public_key.u.rsa = *rsaBlapiPublicKey;
 
             rsa_private_key = &low_RSA_private_key;
             rsa_public_key = &low_RSA_public_key;
 
             memset(sha, 0, sizeof sha);
@@ -5605,17 +5605,17 @@ rsa_sigver_test(char *reqfn)
 
         }
 
         /* S = ... */
         if (buf[0] == 'S') {
             SECStatus rv = SECFailure;
             NSSLOWKEYPublicKey  * rsa_public_key;
             NSSLOWKEYPublicKey    low_RSA_public_key = { NULL,
-                                                  NSSLOWKEYRSAKey, };
+                                                  NSSLOWKEYRSAKey };
 
             /* convert to a low RSA public key */
             low_RSA_public_key.u.rsa = rsaBlapiPublicKey;
             rsa_public_key = &low_RSA_public_key;
 
             memset(signature, 0, sizeof(signature));
             i = 1;
             while (isspace(buf[i]) || buf[i] == '=') {
--- a/security/nss/cmd/lib/derprint.c
+++ b/security/nss/cmd/lib/derprint.c
@@ -25,16 +25,23 @@ getInteger256(const unsigned char *data,
 	break;
       case 2:
 	val = (data[0] << 8) | data[1];
 	break;
       case 3:
 	val = (data[0] << 16) | (data[1] << 8) | data[2];
 	break;
       case 4:
+	/* If the most significant bit of data[0] is 1, val would be negative.
+	 * Treat it as an error.
+	 */
+	if (data[0] & 0x80) {
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return -1;
+	}
 	val = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
 	break;
       default:
 	PORT_SetError(SEC_ERROR_BAD_DER);
 	return -1;
     }
 
     return val;
@@ -227,16 +234,20 @@ prettyPrintObjectID(FILE *out, const uns
     /*
      * First print the Object Id in numeric format
      */
 
     rv = prettyIndent(out, level);
     if (rv < 0)
 	return rv;
 
+    if (len == 0) {
+	PORT_SetError(SEC_ERROR_BAD_DER);
+	return -1;
+    }
     val = data[0];
     i   = val % 40;
     val = val / 40;
     rv = fprintf(out, "%lu %u ", val, i);
     if (rv < 0) {
 	PORT_SetError(SEC_ERROR_IO);
 	return rv;
     }
@@ -277,34 +288,27 @@ prettyPrintObjectID(FILE *out, const uns
 
 	rv = fprintf(out, "(%s)", oiddata->desc);
 	if (rv < 0) {
 	    PORT_SetError(SEC_ERROR_IO);
 	    return rv;
 	}
     }
 
-    /*
-     * Finally, on a new line, print the raw bytes (if requested).
-     */
+    rv = prettyNewline(out);
+    if (rv < 0)
+	return rv;
+
     if (raw) {
-	rv = prettyNewline(out);
-	if (rv < 0) {
-	    PORT_SetError(SEC_ERROR_IO);
+	rv = prettyPrintLeaf(out, data, len, level);
+	if (rv < 0)
 	    return rv;
-	}
-
-	for (i = 0; i < len; i++) {
-	    rv = prettyPrintByte(out, *data++, level);
-	    if (rv < 0)
-		return rv;
-	}
     }
 
-    return prettyNewline(out);
+    return 0;
 }
 
 static char *prettyTagType [32] = {
   "End of Contents",
   "Boolean",
   "Integer",
   "Bit String",
   "Octet String",
@@ -418,16 +422,17 @@ prettyPrintLength(FILE *out, const unsig
     if (rv < 0) {
         PORT_SetError(SEC_ERROR_IO);
 	return rv;
     }
 
     *indefinitep = PR_FALSE;
 
     lbyte = *data++;
+    lenLen = 1;
     if (lbyte >= 0x80) {
 	/* Multibyte length */
 	unsigned nb = (unsigned) (lbyte & 0x7f);
 	if (nb > 4) {
 	    PORT_SetError(SEC_ERROR_BAD_DER);
 	    return -1;
 	}
 	if (nb > 0) {
@@ -439,32 +444,31 @@ prettyPrintLength(FILE *out, const unsig
 	    }
 	    il = getInteger256(data, nb);
 	    if (il < 0) return -1;
 	    *lenp = (unsigned) il;
 	} else {
 	    *lenp = 0;
 	    *indefinitep = PR_TRUE;
 	}
-	lenLen = nb + 1;
+	lenLen += nb;
 	if (raw) {
 	    unsigned int i;
 
 	    rv = prettyPrintByte(out, lbyte, lv);
 	    if (rv < 0)
 		return rv;
 	    for (i = 0; i < nb; i++) {
 		rv = prettyPrintByte(out, data[i], lv);
 		if (rv < 0)
 		    return rv;
 	    }
 	}
     } else {
 	*lenp = lbyte;
-	lenLen = 1;
 	if (raw) {
 	    rv = prettyPrintByte(out, lbyte, lv);
 	    if (rv < 0)
 		return rv;
 	}
     }
     if (*indefinitep)
 	rv = fprintf(out, "(indefinite)\n");
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -415,16 +415,19 @@ SECU_DefaultSSLDir(void)
 {
     char *dir;
     static char sslDir[1000];
 
     dir = PR_GetEnv("SSL_DIR");
     if (!dir)
 	return NULL;
 
+    if (strlen(dir) >= PR_ARRAY_SIZE(sslDir)) {
+	return NULL;
+    }
     sprintf(sslDir, "%s", dir);
 
     if (sslDir[strlen(sslDir)-1] == '/')
 	sslDir[strlen(sslDir)-1] = 0;
 
     return sslDir;
 }
 
@@ -3295,16 +3298,17 @@ SECU_displayVerifyLog(FILE *outfile, CER
 		    break;
 		case KU_KEY_CERT_SIGN:
 		    errstr = "Cert cannot sign other certs.";
 		    break;
 		default:
 		    errstr = "[unknown usage].";
 		    break;
 		}
+		break;
 	    case SEC_ERROR_INADEQUATE_CERT_TYPE:
 		flags = (unsigned int)((char *)node->arg - (char *)NULL);
 		switch (flags) {
 		case NS_CERT_TYPE_SSL_CLIENT:
 		case NS_CERT_TYPE_SSL_SERVER:
 		    errstr = "Cert cannot be used for SSL.";
 		    break;
 		case NS_CERT_TYPE_SSL_CA:
@@ -3321,16 +3325,17 @@ SECU_displayVerifyLog(FILE *outfile, CER
 		    break;
 		case NS_CERT_TYPE_OBJECT_SIGNING_CA:
 		    errstr = "Cert cannot be used as an object signing CA.";
 		    break;
 		default:
 		    errstr = "[unknown usage].";
 		    break;
 		}
+		break;
 	    case SEC_ERROR_UNKNOWN_ISSUER:
 	    case SEC_ERROR_UNTRUSTED_ISSUER:
 	    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
 		errstr = node->cert->issuerName;
 		break;
 	    default:
 		break;
 	    }
--- a/security/nss/cmd/libpkix/pkixutil/pkixutil.c
+++ b/security/nss/cmd/libpkix/pkixutil/pkixutil.c
@@ -149,17 +149,17 @@ testFunctionRef testFnRefTable[] = {
     {"test_hashtable",                 test_hashtable},
     {"test_mem",                       test_mem},
     {"test_monitorlock",               test_monitorlock},
     {"test_mutex",                     test_mutex},
     {"test_mutex2",                    test_mutex2},
     {"test_mutex3",                    test_mutex3},
     {"test_object",                    test_object},
     {"test_oid",                       test_oid},
-/*  {"test_rwlock",                    test_rwlock, }*/
+/*  {"test_rwlock",                    test_rwlock }*/
     {"test_string",                    test_string},
     {"test_string2",                   test_string2},
     {"build_chain",                    build_chain},
     {"dumpcert",                       dumpcert},
     {"dumpcrl",                        dumpcrl},
     {"validate_chain",                 validate_chain},
     {NULL,                             NULL },
 };
--- a/security/nss/cmd/makepqg/makepqg.c
+++ b/security/nss/cmd/makepqg/makepqg.c
@@ -23,17 +23,17 @@
 char  *progName;
 
 
 const SEC_ASN1Template seckey_PQGParamsTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) },
-    { 0, }
+    { 0 }
 };
 
 
 
 void
 Usage(void)
 {
     fprintf(stderr, "Usage:  %s\n", progName);
--- a/security/nss/cmd/manifest.mn
+++ b/security/nss/cmd/manifest.mn
@@ -1,35 +1,53 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 DEPTH	= ..
 # MODULE	= seccmd
 
+SOFTOKEN_SRCDIRS=
+NSS_SRCDIRS=
+LIB_SRCDIRS=
+
+ifdef NSS_BUILD_UTIL_ONLY
+REQUIRES = nspr
+else
 REQUIRES = nss nspr libdbm
+LIB_SRCDIRS = \
+ lib \
+ $(NULL)
+endif
 
-DIRS = lib  \
+ifndef NSS_BUILD_UTIL_ONLY
+SOFTOKEN_SRCDIRS = \
+ $(BLTEST_SRCDIR) \
+ $(FIPSTEST_SRCDIR)  \
+ $(LOWHASHTEST_SRCDIR)  \
+ $(SHLIBSIGN_SRCDIR) \
+ $(NULL)
+endif
+
+ifndef NSS_BUILD_SOFTOKEN_ONLY
+ifndef NSS_BUILD_UTIL_ONLY
+NSS_SRCDIRS = \
  addbuiltin \
  atob  \
- $(BLTEST_SRCDIR) \
  btoa  \
  certcgi \
  certutil  \
- checkcert  \
  chktest  \
  crlutil  \
  crmftest \
  dbtest \
  derdump  \
  digest  \
  httpserv  \
- $(FIPSTEST_SRCDIR)  \
- $(LOWHASHTEST_SRCDIR)  \
  listsuites \
  makepqg  \
  multinit \
  ocspclnt  \
  ocspresp \
  oidcalc  \
  p7content  \
  p7env  \
@@ -42,27 +60,33 @@ DIRS = lib  \
  pkix-errcodes \
  pp  \
  pwdecrypt \
  rsaperf \
  sdrtest \
  selfserv  \
  signtool \
  signver \
- $(SHLIBSIGN_SRCDIR) \
  smimetools  \
  ssltap  \
  strsclnt \
  symkeyutil \
  tests \
  tstclnt  \
  vfychain \
  vfyserv \
  modutil \
  $(NULL)
+endif
+endif
+
+DIRS = \
+ $(LIB_SRCDIRS) \
+ $(SOFTOKEN_SRCDIRS) \
+ $(NSS_SRCDIRS)
 
 TEMPORARILY_DONT_BUILD = \
  $(NULL)
 
 # rsaperf  \
 #
 #       needs to look at what needs to happen to make jar build in
 # the binary release environment.
--- a/security/nss/cmd/modutil/install-ds.c
+++ b/security/nss/cmd/modutil/install-ds.c
@@ -188,31 +188,29 @@ Pk11Install_File_Generate(Pk11Install_Fi
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE)){
 					errStr = PR_smprintf(errString[BOGUS_RELATIVE_DIR], 
                                     _this->jarPath);
 					goto loser;
 				}
 				_this->relativePath = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(subiter);
-				subiter = NULL;
+				Pk11Install_ListIter_delete(&subiter);
 
 				/* Absolute directory */
 			} else if( !PORT_Strcasecmp(subpair->key, ABSOLUTE_DIR_STRING)) {
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE)){
 					errStr = PR_smprintf(errString[BOGUS_ABSOLUTE_DIR], 
                                     _this->jarPath);
 					goto loser;
 				}
 				_this->absolutePath = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(subiter);
-				subiter = NULL;
+				Pk11Install_ListIter_delete(&subiter);
 
 			/* file permissions */
 			} else if( !PORT_Strcasecmp(subpair->key,
                                      FILE_PERMISSIONS_STRING)) {
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE) ||
 				   !subval->string || !subval->string[0]){
@@ -222,18 +220,17 @@ Pk11Install_File_Generate(Pk11Install_Fi
 				}
 				_this->permissions = (int) strtol(subval->string, &endp, 8);
 				if(*endp != '\0') {
 					errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS],
                                     _this->jarPath);
 					goto loser;
 				}
 				gotPerms = PR_TRUE;
-				Pk11Install_ListIter_delete(subiter);
-				subiter = NULL;
+				Pk11Install_ListIter_delete(&subiter);
 			}
 		} else {
 			if(!PORT_Strcasecmp(val->string, EXECUTABLE_STRING)) {
 				_this->executable = PR_TRUE;
 			}
 		}
 	}
 
@@ -255,22 +252,20 @@ Pk11Install_File_Generate(Pk11Install_Fi
 	if(!_this->absolutePath) {
 		errStr = PR_smprintf(errString[NO_ABSOLUTE_DIR], _this->jarPath);
 		goto loser;
 	}
 #endif
 
 loser:
 	if(iter) {
-		Pk11Install_ListIter_delete(iter);
-		PR_Free(iter);
+		Pk11Install_ListIter_delete(&iter);
 	}
 	if(subiter) {
-		Pk11Install_ListIter_delete(subiter);
-		PR_Free(subiter);
+		Pk11Install_ListIter_delete(&subiter);
 	}
 	return errStr;
 }
 
 /*
 //////////////////////////////////////////////////////////////////////////
 // Method:	Print
 // Class:	Pk11Install_File
@@ -631,22 +626,25 @@ Pk11Install_PlatformName_GetVerString(Pk
 /*
 //////////////////////////////////////////////////////////////////////////
 // Method:	Print
 // Class:	Pk11Install_PlatformName
 */
 void
 Pk11Install_PlatformName_Print(Pk11Install_PlatformName* _this, int pad)
 {
+	char *str = NULL;
 	PAD(pad); printf("OS: %s\n", _this->OS ? _this->OS : "<NULL>");
 	PAD(pad); printf("Digits: ");
 	if(_this->numDigits == 0) {
 		printf("None\n");
 	} else {
-		printf("%s\n", Pk11Install_PlatformName_GetVerString(_this));
+		str = Pk11Install_PlatformName_GetVerString(_this);
+		printf("%s\n", str);
+		PR_Free(str);
 	}
 	PAD(pad); printf("arch: %s\n", _this->arch ? _this->arch : "<NULL>");
 }
 
 Pk11Install_Platform*
 Pk11Install_Platform_new()
 {
 	Pk11Install_Platform* new_this;
@@ -765,37 +763,33 @@ Pk11Install_Platform_Generate(Pk11Instal
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE)) {
 					errStr = PR_smprintf(errString[BOGUS_MODULE_FILE],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
 				_this->moduleFile = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter = NULL;
+				Pk11Install_ListIter_delete(&subiter);
 				gotModuleFile = PR_TRUE;
 			} else if(!PORT_Strcasecmp(subpair->key, MODULE_NAME_STRING)){
 				if(gotModuleName) {
 					errStr = PR_smprintf(errString[REPEAT_MODULE_NAME],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE)) {
 					errStr = PR_smprintf(errString[BOGUS_MODULE_NAME],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
 				_this->moduleName = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter = NULL;
+				Pk11Install_ListIter_delete(&subiter);
 				gotModuleName = PR_TRUE;
 			} else if(!PORT_Strcasecmp(subpair->key, MECH_FLAGS_STRING)) {
 				endptr=NULL;
 
 				if(gotMech) {
 					errStr = PR_smprintf(errString[REPEAT_MECH],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
@@ -808,19 +802,17 @@ Pk11Install_Platform_Generate(Pk11Instal
 					goto loser;
 				}
 				_this->mechFlags = strtol(subval->string, &endptr, 0);
 				if(*endptr!='\0' || (endptr==subval->string) ) {
 					errStr = PR_smprintf(errString[BOGUS_MECH_FLAGS],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter=NULL;
+				Pk11Install_ListIter_delete(&subiter);
 				gotMech = PR_TRUE;
 			} else if(!PORT_Strcasecmp(subpair->key,CIPHER_FLAGS_STRING)) {
 				endptr=NULL;
 
 				if(gotCipher) {
 					errStr = PR_smprintf(errString[REPEAT_CIPHER],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
@@ -833,19 +825,17 @@ Pk11Install_Platform_Generate(Pk11Instal
 					goto loser;
 				}
 				_this->cipherFlags = strtol(subval->string, &endptr, 0);
 				if(*endptr!='\0' || (endptr==subval->string) ) {
 					errStr = PR_smprintf(errString[BOGUS_CIPHER_FLAGS],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter=NULL;
+				Pk11Install_ListIter_delete(&subiter);
 				gotCipher = PR_TRUE;
 			} else if(!PORT_Strcasecmp(subpair->key, FILES_STRING)) {
 				if(gotFiles) {
 					errStr = PR_smprintf(errString[REPEAT_FILES],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
 				subiter = Pk11Install_ListIter_new(subpair->list);
@@ -1084,19 +1074,17 @@ Pk11Install_Info_Generate(Pk11Install_In
 					if(subval->type == STRING_VALUE) {
 						errStr = Pk11Install_PlatformName_Generate(
                               &_this->forwardCompatible[i], subval->string);
 						if(errStr) {
 							goto loser;
 						}
 					}
 				}
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter = NULL;
+				Pk11Install_ListIter_delete(&subiter);
 			} else if(!PORT_Strcasecmp(pair->key, PLATFORMS_STRING)) {
 				subiter = Pk11Install_ListIter_new(pair->list);
 				_this->numPlatforms = pair->list->numPairs;
 				_this->platforms = (Pk11Install_Platform*)
                             PR_Malloc(sizeof(Pk11Install_Platform)*
                             _this->numPlatforms);
 				for(i=0; i < _this->numPlatforms; i++, 
                        Pk11Install_ListIter_nextItem(subiter)) {
@@ -1104,19 +1092,17 @@ Pk11Install_Info_Generate(Pk11Install_In
 					subval = subiter->current;
 					if(subval->type == PAIR_VALUE) {
 						errStr = Pk11Install_Platform_Generate(&_this->platforms[i],subval->pair);
 						if(errStr) {
 							goto loser;
 						}
 					}
 				}
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter = NULL;
+				Pk11Install_ListIter_delete(&subiter);
 			}
 		}
 	}
 
 	if(_this->numPlatforms == 0) {
 		errStr = PR_smprintf(errString[NO_PLATFORMS]);
 		goto loser;
 	}
@@ -1187,24 +1173,20 @@ Pk11Install_Info_Generate(Pk11Install_In
 				first = first->equiv;
 			}
 			_this->platforms[i].equiv = first;
 		}
 	}
 
 loser:
 	if(iter) {
-		Pk11Install_ListIter_delete(iter);
-		PR_Free(iter);
-		iter = NULL;
+		Pk11Install_ListIter_delete(&iter);
 	}
 	if(subiter) {
-		Pk11Install_ListIter_delete(subiter);
-		PR_Free(subiter);
-		subiter = NULL;
+		Pk11Install_ListIter_delete(&subiter);
 	}
 	return errStr;
 }
 
 /*
 //////////////////////////////////////////////////////////////////////////
 // Method:		GetBestPlatform
 // Class:		Pk11Install_Info
@@ -1343,20 +1325,22 @@ Pk11Install_ListIter_new(const Pk11Insta
                     PR_Malloc(sizeof(Pk11Install_ListIter));
 	new_this->list = _list;
 	new_this->current = _list->head;
 	return new_this;
 }
 
 /****************************************************************************/
 void
-Pk11Install_ListIter_delete(Pk11Install_ListIter* _this)
+Pk11Install_ListIter_delete(Pk11Install_ListIter** _this)
 {
-	_this->list=NULL;
-	_this->current=NULL;
+	(*_this)->list=NULL;
+	(*_this)->current=NULL;
+	PR_Free(*_this);
+	*_this=NULL;
 }
 
 /****************************************************************************/
 void
 Pk11Install_ListIter_reset(Pk11Install_ListIter* _this)
 {
 	if(_this->list) {
 		_this->current = _this->list->head;
--- a/security/nss/cmd/modutil/install-ds.h
+++ b/security/nss/cmd/modutil/install-ds.h
@@ -119,17 +119,17 @@ struct Pk11Install_ListIter_str {
 
 Pk11Install_ListIter* 
 Pk11Install_ListIter_new_default();
 void
 Pk11Install_ListIter_init(Pk11Install_ListIter* _this);
 Pk11Install_ListIter*
 Pk11Install_ListIter_new(const Pk11Install_ValueList* _list);
 void
-Pk11Install_ListIter_delete(Pk11Install_ListIter* _this);
+Pk11Install_ListIter_delete(Pk11Install_ListIter** _this);
 void
 Pk11Install_ListIter_reset(Pk11Install_ListIter* _this);
 Pk11Install_Value*
 Pk11Install_ListIter_nextItem(Pk11Install_ListIter* _this);
 
 /************************************************************************
  *
  * Pk11Install_File
--- a/security/nss/cmd/pk1sign/pk1sign.c
+++ b/security/nss/cmd/pk1sign/pk1sign.c
@@ -39,18 +39,18 @@ SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplat
 SEC_ASN1Template CERTSignatureDataTemplate[] =
 {
     { SEC_ASN1_SEQUENCE,
           0, NULL, sizeof(CERTSignedData) },
     { SEC_ASN1_INLINE,
           offsetof(CERTSignedData,signatureAlgorithm),
           SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
     { SEC_ASN1_BIT_STRING,
-          offsetof(CERTSignedData,signature), },
-    { 0, }
+          offsetof(CERTSignedData,signature) },
+    { 0 }
 };
 
 
 static void
 Usage(char *progName)
 {
     fprintf(stderr,
 	    "Usage:  %s -k keyname [-d keydir] [-i input] [-o output]\n",
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -46,91 +46,140 @@ else
 CRYPTOLIB=$(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 SOFTOKENLIB=
 EXTRA_SHARED_LIBS += \
 	-L$(SOFTOKEN_LIB_DIR) \
 	-lsoftokn3 \
 	$(NULL)
 endif
 
+ifndef NSS_BUILD_SOFTOKEN_ONLY
 PKIXLIB = \
 	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixpki.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX)
+endif
 
-# can't do this in manifest.mn because OS_ARCH isn't defined there.
+NSS_LIBS_1=
+SECTOOL_LIB=
+NSS_LIBS_2=
+NSS_LIBS_3=
+NSS_LIBS_4=
+
+ifneq ($(NSS_BUILD_UTIL_ONLY),1)
+SECTOOL_LIB = \
+	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+	$(NULL)
+else
+SECTOOL_LIB = \
+	$(NULL)
+endif
+
+ifneq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
 ifeq ($(OS_ARCH), WINNT)
-
-EXTRA_LIBS += \
+# breakdown for windows
+NSS_LIBS_1 = \
 	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+	$(NULL)
+NSS_LIBS_2 = \
 	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
-	$(SOFTOKENLIB) \
-	$(CRYPTOLIB) \
+	$(NULL)
+NSS_LIBS_3 = \
 	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
 	$(PKIXLIB) \
 	$(DBMLIB) \
+	$(NULL)
+NSS_LIBS_4 = \
 	$(SQLITE_LIB_DIR)/$(LIB_PREFIX)$(SQLITE_LIB_NAME).$(LIB_SUFFIX) \
 	$(NSSUTIL_LIB_DIR)/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
 	$(NULL)
+else
+# breakdown for others
+NSS_LIBS_1 = \
+	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
+	$(NULL)
+SECTOOL_LIB = \
+	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+	$(NULL)
+NSS_LIBS_2 = \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(NULL)
+NSS_LIBS_3 = \
+	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(NULL)
+NSS_LIBS_4 = \
+	$(DBMLIB) \
+	$(PKIXLIB) \
+	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(NULL)
+endif
+endif
+
+# can't do this in manifest.mn because OS_ARCH isn't defined there.
+ifeq ($(OS_ARCH), WINNT)
+
+EXTRA_LIBS += \
+	$(NSS_LIBS_1) \
+	$(SECTOOL_LIB) \
+	$(NSS_LIBS_2) \
+	$(SOFTOKENLIB) \
+	$(CRYPTOLIB) \
+	$(NSS_LIBS_3) \
+	$(NSS_LIBS_4) \
+	$(NULL)
 
 # $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
 #OS_LIBS += \
 	wsock32.lib \
 	winmm.lib \
 	$(NULL)
 else
 
 EXTRA_LIBS += \
-	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(NSS_LIBS_1) \
+	$(SECTOOL_LIB) \
+	$(NSS_LIBS_2) \
 	$(SOFTOKENLIB) \
-	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(NSS_LIBS_3) \
 	$(CRYPTOLIB) \
-	$(DBMLIB) \
-	$(PKIXLIB) \
-	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(NSS_LIBS_4) \
 	$(NULL)
 
 ifeq ($(OS_ARCH), AIX) 
 EXTRA_SHARED_LIBS += -brtl 
 endif
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -220,16 +220,17 @@ PrintParameterUsage()
 "           good, revoked, unknown, failure, badsig, corrupted\n"
 "   ocsp: fetch from external OCSP server using AIA, or none\n"
 "-A <ca> Nickname of a CA used to sign a stapled cert status\n"
 "-U override default ECDHE ephemeral key reuse, 0: refresh, 1: reuse\n"
 "-H override default DHE server support, 0: disable, 1: enable\n"
 "-W override default DHE server weak parameters support, 0: disable, 1: enable\n"
 "-c Restrict ciphers\n"
 "-Y prints cipher values allowed for parameter -c and exits\n"
+"-G enables the extended master secret extension [RFC7627]\n"
     , stderr);
 }
 
 static void
 Usage(const char *progName)
 {
     PrintUsageHeader(progName);
     PrintParameterUsage();
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -105,16 +105,17 @@ int renegotiationsDone = 0;
 static char *progName;
 
 secuPWData  pwdata          = { PW_NONE, 0 };
 
 void printSecurityInfo(PRFileDesc *fd)
 {
     CERTCertificate * cert;
     const SECItemArray *csa;
+    const SECItem *scts;
     SSL3Statistics * ssl3stats = SSL_GetStatistics();
     SECStatus result;
     SSLChannelInfo    channel;
     SSLCipherSuiteInfo suite;
 
     result = SSL_GetChannelInfo(fd, &channel, sizeof channel);
     if (result == SECSuccess && 
         channel.length == sizeof channel && 
@@ -157,16 +158,21 @@ void printSecurityInfo(PRFileDesc *fd)
     	ssl3stats->hsh_sid_cache_hits, ssl3stats->hsh_sid_cache_misses,
 	ssl3stats->hsh_sid_cache_not_ok, ssl3stats->hsh_sid_stateless_resumes);
 
     csa = SSL_PeerStapledOCSPResponses(fd);
     if (csa) {
         fprintf(stderr, "Received %d Cert Status items (OCSP stapled data)\n",
                 csa->len);
     }
+    scts = SSL_PeerSignedCertTimestamps(fd);
+    if (scts && scts->len) {
+        fprintf(stderr, "Received a Signed Certificate Timestamp of length"
+                " %u\n", scts->len);
+    }
 }
 
 void
 handshakeCallback(PRFileDesc *fd, void *client_data)
 {
     const char *secondHandshakeName = (char *)client_data;
     if (secondHandshakeName) {
         SSL_SetURL(fd, secondHandshakeName);
@@ -179,17 +185,17 @@ handshakeCallback(PRFileDesc *fd, void *
 }
 
 static void PrintUsageHeader(const char *progName)
 {
     fprintf(stderr, 
 "Usage:  %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
                     "[-D | -d certdir] [-C] [-b | -R root-module] \n"
 		    "[-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
-                    "[-V [min-version]:[max-version]] [-K] [-T]\n"
+                    "[-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
                     "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n", 
             progName);
 }
 
 static void PrintParameterUsage(void)
 {
     fprintf(stderr, "%-20s Send different SNI name. 1st_hs_name - at first\n"
                     "%-20s handshake, 2nd_hs_name - at second handshake.\n"
@@ -227,16 +233,17 @@ static void PrintParameterUsage(void)
     fprintf(stderr, "%-20s Use export policy.\n", "-x");
     fprintf(stderr, "%-20s Ping the server and then exit.\n", "-q");
     fprintf(stderr, "%-20s Timeout for server ping (default: no timeout).\n", "-t seconds");
     fprintf(stderr, "%-20s Renegotiate N times (resuming session if N>1).\n", "-r N");
     fprintf(stderr, "%-20s Enable the session ticket extension.\n", "-u");
     fprintf(stderr, "%-20s Enable compression.\n", "-z");
     fprintf(stderr, "%-20s Enable false start.\n", "-g");
     fprintf(stderr, "%-20s Enable the cert_status extension (OCSP stapling).\n", "-T");
+    fprintf(stderr, "%-20s Enable the signed_certificate_timestamp extension.\n", "-U");
     fprintf(stderr, "%-20s Enable the extended master secret extension (session hash).\n", "-G");
     fprintf(stderr, "%-20s Require fresh revocation info from side channel.\n"
                     "%-20s -F once means: require for server cert only\n"
                     "%-20s -F twice means: require for intermediates, too\n"
                     "%-20s (Connect, handshake with server, disable dynamic download\n"
                     "%-20s  of OCSP/CRL, verify cert using CERT_PKIXVerifyCert.)\n"
                     "%-20s Exit code:\n"
                     "%-20s 0: have fresh and valid revocation data, status good\n"
@@ -245,16 +252,17 @@ static void PrintParameterUsage(void)
                     "%-20s 3: have fresh and valid revocation data, status revoked\n",
                     "-F", "", "", "", "", "", "", "", "", "");
     fprintf(stderr, "%-20s Test -F allows 0=any (default), 1=only OCSP, 2=only CRL\n", "-M");
     fprintf(stderr, "%-20s Restrict ciphers\n", "-c ciphers");
     fprintf(stderr, "%-20s Print cipher values allowed for parameter -c and exit\n", "-Y");
     fprintf(stderr, "%-20s Enforce using an IPv4 destination address\n", "-4");
     fprintf(stderr, "%-20s Enforce using an IPv6 destination address\n", "-6");
     fprintf(stderr, "%-20s (Options -4 and -6 cannot be combined.)\n", "");
+    fprintf(stderr, "%-20s Enable the extended master secret extension [RFC7627]\n", "-G");
 }
 
 static void Usage(const char *progName)
 {
     PrintUsageHeader(progName);
     PrintParameterUsage();
     exit(1);
 }
@@ -915,16 +923,17 @@ int main(int argc, char **argv)
     PRBool             enableSSL2 = PR_TRUE;
     int                bypassPKCS11 = 0;
     int                disableLocking = 0;
     int                useExportPolicy = 0;
     int                enableSessionTickets = 0;
     int                enableCompression = 0;
     int                enableFalseStart = 0;
     int                enableCertStatus = 0;
+    int                enableSignedCertTimestamps = 0;
     int                forceFallbackSCSV = 0;
     int                enableExtendedMasterSecret = 0;
     PRSocketOptionData opt;
     PRNetAddr          addr;
     PRPollDesc         pollset[2];
     PRBool             allowIPv4 = PR_TRUE;
     PRBool             allowIPv6 = PR_TRUE;
     PRBool             pingServerFirst = PR_FALSE;
@@ -965,17 +974,17 @@ int main(int argc, char **argv)
        if (sec > 0) {
            maxInterval = PR_SecondsToInterval(sec);
        }
     }
 
     SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
 
     optstate = PL_CreateOptState(argc, argv,
-                                 "46BCDFGKM:OR:STV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:xz");
+                                 "46BCDFGKM:OR:STUV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:xz");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	switch (optstate->option) {
 	  case '?':
 	  default : Usage(progName); 			break;
 
           case '4': allowIPv6 = PR_FALSE; if (!allowIPv4) Usage(progName); break;
           case '6': allowIPv4 = PR_FALSE; if (!allowIPv6) Usage(progName); break;
 
@@ -1018,16 +1027,18 @@ int main(int argc, char **argv)
                     break;
 
           case 'R': rootModule = PORT_Strdup(optstate->value); break;
 
           case 'S': skipProtoHeader = PR_TRUE;                 break;
 
           case 'T': enableCertStatus = 1;               break;
 
+          case 'U': enableSignedCertTimestamps = 1;               break;
+
           case 'V': if (SECU_ParseSSLVersionRangeString(optstate->value,
                             enabledVersions, enableSSL2,
                             &enabledVersions, &enableSSL2) != SECSuccess) {
                         Usage(progName);
                     }
                     break;
 
           case 'Y': PrintCipherUsage(progName); exit(0); break;
@@ -1395,16 +1406,24 @@ int main(int argc, char **argv)
     if  (enableExtendedMasterSecret) {
         rv = SSL_OptionSet(s, SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_TRUE);
 	if (rv != SECSuccess) {
             SECU_PrintError(progName, "error enabling extended master secret");
             return 1;
 	}
     }
 
+    /* enable Signed Certificate Timestamps. */
+    rv = SSL_OptionSet(s, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
+              enableSignedCertTimestamps);
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "error enabling signed cert timestamps");
+        return 1;
+    }
+
     SSL_SetPKCS11PinArg(s, &pwdata);
 
     serverCertAuth.dbHandle = CERT_GetDefaultCertDB();
 
     SSL_AuthCertificateHook(s, ownAuthCertificate, &serverCertAuth);
     if (override) {
 	SSL_BadCertHook(s, ownBadCertHandler, NULL);
     }
--- a/security/nss/coreconf/WIN32.mk
+++ b/security/nss/coreconf/WIN32.mk
@@ -99,17 +99,17 @@ XP_DEFINE   += -DXP_PC
 ifdef NS_USE_GCC
 LIB_SUFFIX   = a
 else
 LIB_SUFFIX   = lib
 endif
 DLL_SUFFIX   = dll
 
 ifdef NS_USE_GCC
-    OS_CFLAGS += -mwindows -mms-bitfields -Werror
+    OS_CFLAGS += -mwindows -mms-bitfields
     _GEN_IMPORT_LIB=-Wl,--out-implib,$(IMPORT_LIBRARY)
     DLLFLAGS  += -mwindows -o $@ -shared -Wl,--export-all-symbols $(if $(IMPORT_LIBRARY),$(_GEN_IMPORT_LIB))
     ifdef BUILD_OPT
 	ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
 		OPTIMIZER += -Os
 	else
 		OPTIMIZER += -O2
 	endif
--- a/security/nss/coreconf/Werror.mk
+++ b/security/nss/coreconf/Werror.mk
@@ -16,17 +16,17 @@ ifndef WARNING_CFLAGS
   disable_warning = $(shell $(CC) -x c -E -Werror -W$(1) /dev/null >/dev/null 2>&1 && echo -Wno-$(1))
 
   WARNING_CFLAGS = -Wall
   ifeq ($(CC_NAME),clang)
     # -Qunused-arguments : clang objects to arguments that it doesn't understand
     #    and fixing this would require rearchitecture
     WARNING_CFLAGS += -Qunused-arguments
     # -Wno-parentheses-equality : because clang warns about macro expansions
-    OS_CFLAGS += $(call disable_warning,parentheses-equality)
+    WARNING_CFLAGS += $(call disable_warning,parentheses-equality)
     ifdef BUILD_OPT
       # clang is unable to handle glib's expansion of strcmp and similar for optimized
       # builds, so ignore the resulting errors.
       # See https://llvm.org/bugs/show_bug.cgi?id=20144
       WARNING_CFLAGS += $(call disable_warning,array-bounds)
       WARNING_CFLAGS += $(call disable_warning,unevaluated-expression)
     endif
   endif # if clang
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/external_tests/README
+++ b/security/nss/external_tests/README
@@ -1,14 +1,14 @@
 GTest-based Unit Tests
 
 This directory contains GTest-based unit tests for NSS libssl.
 
-These aren't built by default, because they require C++.
-To build them, set ``NSS_BUILD_GTESTS=1''
+If your environment doesn't have C++ compiler suitable to build these tests,
+you may disable them using ``NSS_DISABLE_GTESTS=1''
 
 Once built, they are run as part of running ``test/all.sh''
 You can run just the GTests by running ``tests/ssl_gtests/ssl_gtests.sh''
 
 They can be run standalone or under a debugger by invoking the ssl_gtest
 executable with a ``-d'' option pointing to the directory created by either
 of the above options.  You can find that in
 
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/common/gtest.mk
@@ -0,0 +1,27 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+include ../../cmd/platlibs.mk
+include ../../cmd/platrules.mk
+
+MKPROG = $(CCC)
+MKSHLIB	= $(CCC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
+
+ifeq (WINNT,$(OS_ARCH))
+    # -EHsc because gtest has exception handlers
+    OS_CFLAGS += -EHsc -nologo
+    # http://www.suodenjoki.dk/us/archive/2010/min-max.htm
+    OS_CFLAGS += -DNOMINMAX
+
+    # Linking to winsock to get htonl
+    OS_LIBS += Ws2_32.lib
+
+    # On windows, we need to create the parent directory
+    # Needed because we include files from a subdirectory
+    MAKE_OBJDIR = $(INSTALL) -D $(dir $@)
+else
+    CXXFLAGS += -std=c++0x
+endif
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/common/scoped_ptrs.h
@@ -0,0 +1,45 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef scoped_ptrs_h__
+#define scoped_ptrs_h__
+
+#include "keyhi.h"
+
+namespace nss_test {
+
+struct ScopedDelete {
+  void operator()(PK11SlotInfo* slot) { PK11_FreeSlot(slot); }
+  void operator()(SECItem* item) { SECITEM_FreeItem(item, true); }
+  void operator()(PK11SymKey* key) { PK11_FreeSymKey(key); }
+  void operator()(SECKEYPublicKey* key) { SECKEY_DestroyPublicKey(key); }
+  void operator()(SECKEYPrivateKey* key) { SECKEY_DestroyPrivateKey(key); }
+  void operator()(SECAlgorithmID* id) { SECOID_DestroyAlgorithmID(id, true); }
+  void operator()(CERTSubjectPublicKeyInfo* spki) {
+    SECKEY_DestroySubjectPublicKeyInfo(spki);
+  }
+};
+
+template<class T>
+struct ScopedMaybeDelete {
+  void operator()(T* ptr) { if (ptr) { ScopedDelete del; del(ptr); } }
+};
+
+#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDelete<x> > Scoped ## x
+
+SCOPED(PK11SlotInfo);
+SCOPED(SECItem);
+SCOPED(PK11SymKey);
+SCOPED(SECKEYPublicKey);
+SCOPED(SECKEYPrivateKey);
+SCOPED(SECAlgorithmID);
+SCOPED(CERTSubjectPublicKeyInfo);
+
+#undef SCOPED
+
+}  // namespace nss_test
+
+#endif
--- a/security/nss/external_tests/google_test/Makefile
+++ b/security/nss/external_tests/google_test/Makefile
@@ -21,32 +21,24 @@ include $(CORE_DEPTH)/coreconf/config.mk
 #######################################################################
 
 
 
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 
+include ../common/gtest.mk
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
 #######################################################################
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
-
-MKSHLIB	= $(CCC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
-ifeq (WINNT,$(OS_ARCH))
-    # -EHsc because gtest has exception handlers
-    OS_CFLAGS += -EHsc
-    # On windows, we need to create the parent directory
-    # Needed because we include files from a subdirectory
-    MAKE_OBJDIR = $(INSTALL) -D $(dir $@)
-endif
--- a/security/nss/external_tests/manifest.mn
+++ b/security/nss/external_tests/manifest.mn
@@ -2,10 +2,11 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 CORE_DEPTH = ..
 DEPTH      = ..
 
 DIRS = \
 	google_test \
+        pk11_gtest \
         ssl_gtest \
 	$(NULL)
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/pk11_gtest/Makefile
@@ -0,0 +1,44 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../common/gtest.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/pk11_gtest/manifest.mn
@@ -0,0 +1,22 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../..
+DEPTH      = ../..
+MODULE = nss
+
+CPPSRCS = \
+      pk11_pbkdf2_unittest.cc \
+      pk11_prf_unittest.cc \
+      pk11_rsapss_unittest.cc \
+      pk11_gtest.cc \
+      $(NULL)
+
+INCLUDES += -I$(CORE_DEPTH)/external_tests/google_test/gtest/include \
+            -I$(CORE_DEPTH)/external_tests/common
+
+REQUIRES = nspr nss libdbm gtest
+
+PROGRAM = pk11_gtest
+EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX)
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/pk11_gtest/pk11_gtest.cc
@@ -0,0 +1,21 @@
+#include "nspr.h"
+#include "nss.h"
+#include "ssl.h"
+
+#include <cstdlib>
+
+#define GTEST_HAS_RTTI 0
+#include "gtest/gtest.h"
+
+int main(int argc, char **argv) {
+  // Start the tests
+  ::testing::InitGoogleTest(&argc, argv);
+
+  NSS_NoDB_Init(nullptr);
+  NSS_SetDomesticPolicy();
+  int rv = RUN_ALL_TESTS();
+
+  NSS_Shutdown();
+
+  return rv;
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/pk11_gtest/pk11_pbkdf2_unittest.cc
@@ -0,0 +1,100 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nss.h"
+#include "pk11pub.h"
+#include <memory>
+
+#include "gtest/gtest.h"
+#include "scoped_ptrs.h"
+
+namespace nss_test {
+
+static unsigned char* ToUcharPtr(std::string& str) {
+  return const_cast<unsigned char*>(
+    reinterpret_cast<const unsigned char*>(str.c_str()));
+}
+
+class Pkcs11Pbkdf2Test : public ::testing::Test {
+ public:
+  void Derive(std::vector<uint8_t>& derived, SECOidTag hash_alg)
+  {
+    // Shared between test vectors.
+    const unsigned int iterations = 4096;
+    std::string pass("passwordPASSWORDpassword");
+    std::string salt("saltSALTsaltSALTsaltSALTsaltSALTsalt");
+
+    // Derivation must succeed with the right values.
+    EXPECT_TRUE(DeriveBytes(pass, salt, derived, hash_alg, iterations));
+
+    // Derivation must fail when the password is bogus.
+    std::string bogusPass("PasswordPASSWORDpassword");
+    EXPECT_FALSE(DeriveBytes(bogusPass, salt, derived, hash_alg, iterations));
+
+    // Derivation must fail when the salt is bogus.
+    std::string bogusSalt("SaltSALTsaltSALTsaltSALTsaltSALTsalt");
+    EXPECT_FALSE(DeriveBytes(pass, bogusSalt, derived, hash_alg, iterations));
+
+    // Derivation must fail when using the wrong hash function.
+    SECOidTag next_hash_alg = static_cast<SECOidTag>(hash_alg + 1);
+    EXPECT_FALSE(DeriveBytes(pass, salt, derived, next_hash_alg, iterations));
+
+    // Derivation must fail when using the wrong number of iterations.
+    EXPECT_FALSE(DeriveBytes(pass, salt, derived, hash_alg, iterations + 1));
+  }
+
+ private:
+  bool DeriveBytes(std::string& pass, std::string& salt,
+                   std::vector<uint8_t>& derived, SECOidTag hash_alg,
+                   unsigned int iterations)
+  {
+    SECItem passItem = { siBuffer, ToUcharPtr(pass),
+                         static_cast<unsigned int>(pass.length()) };
+    SECItem saltItem = { siBuffer, ToUcharPtr(salt),
+                         static_cast<unsigned int>(salt.length()) };
+
+    // Set up PBKDF2 params.
+    ScopedSECAlgorithmID alg_id(
+      PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, hash_alg, hash_alg,
+                                  derived.size(), iterations, &saltItem));
+
+    // Derive.
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    ScopedPK11SymKey symKey(
+      PK11_PBEKeyGen(slot.get(), alg_id.get(), &passItem, false, nullptr));
+
+    SECStatus rv = PK11_ExtractKeyValue(symKey.get());
+    EXPECT_EQ(rv, SECSuccess);
+
+    SECItem* keyData = PK11_GetKeyData(symKey.get());
+    return !memcmp(&derived[0], keyData->data, keyData->len);
+  }
+};
+
+// RFC 6070 <http://tools.ietf.org/html/rfc6070>
+TEST_F(Pkcs11Pbkdf2Test, DeriveKnown1) {
+  std::vector<uint8_t> derived = {
+    0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b, 0x80, 0xc8, 0xd8, 0x36,
+    0x62, 0xc0, 0xe4, 0x4a, 0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70, 0x38
+  };
+
+  Derive(derived, SEC_OID_HMAC_SHA1);
+}
+
+// https://stackoverflow.com/questions/5130513/pbkdf2-hmac-sha2-test-vectors
+TEST_F(Pkcs11Pbkdf2Test, DeriveKnown2) {
+  std::vector<uint8_t> derived = {
+    0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8,
+    0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
+    0x1c, 0x4e, 0x2a, 0x1f, 0xb8, 0xdd, 0x53, 0xe1, 0xc6, 0x35, 0x51, 0x8c,
+    0x7d, 0xac, 0x47, 0xe9
+  };
+
+  Derive(derived, SEC_OID_HMAC_SHA256);
+}
+
+}  // namespace nss_test
+
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/pk11_gtest/pk11_prf_unittest.cc
@@ -0,0 +1,250 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nss.h"
+#include "pk11pub.h"
+#include <memory>
+
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+const size_t kPmsSize = 48;
+const size_t kMasterSecretSize = 48;
+const size_t kPrfSeedSizeSha256 = 32;
+const size_t kPrfSeedSizeTlsPrf = 36;
+
+// This is not the right size for anything
+const size_t kIncorrectSize = 17;
+
+const uint8_t kPmsData[] = {
+  0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+  0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
+  0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
+  0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
+  0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,
+  0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f
+};
+
+const uint8_t kPrfSeed[] = {
+  0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
+  0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff,
+  0xe0,0xe1,0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,
+  0xe8,0xe9,0xea,0xeb,0xec,0xed,0xee,0xef,
+  0xd0,0xd1,0xd2,0xd3
+};
+
+const uint8_t kExpectedOutputEmsSha256[] = {
+  0x75,0xa7,0xa5,0x98,0xef,0xab,0x90,0xe7,
+  0x7c,0x67,0x80,0xde,0xab,0x3a,0x11,0xf3,
+  0x5d,0xb2,0xf8,0x47,0xff,0x09,0x01,0xec,
+  0xf8,0x93,0x89,0xfc,0x98,0x2e,0x6e,0xf9,
+  0x2c,0xf5,0x9b,0x04,0x04,0x6f,0xd7,0x28,
+  0x6e,0xea,0xe3,0x83,0xc4,0x4a,0xff,0x03
+};
+
+const uint8_t kExpectedOutputEmsTlsPrf[] = {
+  0x06,0xbf,0x29,0x86,0x5d,0xf3,0x3e,0x38,
+  0xfd,0xfa,0x91,0x10,0x2a,0x20,0xff,0xd6,
+  0xb9,0xd5,0x72,0x5a,0x6d,0x42,0x20,0x16,
+  0xde,0xa4,0xa0,0x51,0xe5,0x53,0xc1,0x28,
+  0x04,0x99,0xbc,0xb1,0x2c,0x9d,0xe8,0x0b,
+  0x18,0xa2,0x0e,0x48,0x52,0x8d,0x61,0x13
+};
+
+static unsigned char* toUcharPtr(const uint8_t* v) {
+  return const_cast<unsigned char*>(
+    static_cast<const unsigned char *>(v));
+}
+
+class TlsPrfTest : public ::testing::Test {
+ public:
+  TlsPrfTest()
+    : params_({siBuffer, nullptr, 0})
+    , pms_item_({siBuffer, toUcharPtr(kPmsData), kPmsSize})
+    , key_mech_(0)
+    , slot_(nullptr)
+    , pms_(nullptr)
+    , ms_(nullptr)
+    , pms_version_({0, 0}) {}
+
+  ~TlsPrfTest() {
+    if (slot_) { PK11_FreeSlot(slot_); }
+    ClearTempVars();
+  }
+
+  void ClearTempVars() {
+    if (pms_) { PK11_FreeSymKey(pms_); }
+    if (ms_)  { PK11_FreeSymKey(ms_);  }
+  }
+
+  void Init() {
+    params_.type = siBuffer;
+
+    pms_item_.type = siBuffer;
+    pms_item_.data = const_cast<unsigned char*>(
+                        static_cast<const unsigned char *>(kPmsData));
+
+    slot_ = PK11_GetInternalSlot();
+    ASSERT_NE(nullptr, slot_);
+  }
+
+  void CheckForError(CK_MECHANISM_TYPE hash_mech,
+                     size_t seed_len,
+                     size_t pms_len,
+                     size_t output_len) {
+    // Error tests don't depend on the derivation mechansim
+    Inner(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, hash_mech,
+          seed_len, pms_len, output_len, nullptr, nullptr);
+  }
+
+  void ComputeAndVerifyMs(CK_MECHANISM_TYPE derive_mech,
+                          CK_MECHANISM_TYPE hash_mech,
+                          CK_VERSION* version,
+                          const uint8_t* expected) {
+    // Infer seed length from mechanism
+    int seed_len = 0;
+    switch (hash_mech) {
+      case CKM_TLS_PRF: seed_len = kPrfSeedSizeTlsPrf; break;
+      case CKM_SHA256:  seed_len = kPrfSeedSizeSha256; break;
+      default:          ASSERT_TRUE(false);
+    }
+
+    Inner(derive_mech, hash_mech, seed_len,
+          kPmsSize, 0, version, expected);
+  }
+
+
+  // Set output == nullptr to test when errors occur
+  void Inner(
+      CK_MECHANISM_TYPE derive_mech,
+      CK_MECHANISM_TYPE hash_mech,
+      size_t seed_len,
+      size_t pms_len,
+      size_t output_len,
+      CK_VERSION* version,
+      const uint8_t* expected) {
+    ClearTempVars();
+
+    // Infer the key mechanism from the hash type
+    switch (hash_mech) {
+      case CKM_TLS_PRF: key_mech_ = CKM_TLS_KEY_AND_MAC_DERIVE; break;
+      case CKM_SHA256:  key_mech_ = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; break;
+      default:          ASSERT_TRUE(false);
+    }
+
+    // Import the params
+    CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS master_params = {
+      hash_mech,
+      toUcharPtr(kPrfSeed),
+      static_cast<CK_ULONG>(seed_len),
+      version
+    };
+    params_.data = reinterpret_cast<unsigned char*>(&master_params);
+    params_.len = sizeof(master_params);
+
+    // Import the PMS
+    pms_item_.len = pms_len;
+    pms_ = PK11_ImportSymKey(slot_, derive_mech, PK11_OriginUnwrap,
+                            CKA_DERIVE, &pms_item_, NULL);
+    ASSERT_NE(nullptr, pms_);
+
+
+    // Compute the EMS
+    ms_ = PK11_DeriveWithFlags(pms_, derive_mech, &params_, key_mech_,
+        CKA_DERIVE, output_len, CKF_SIGN | CKF_VERIFY);
+
+    // Verify the EMS has the expected value (null or otherwise)
+    if (!expected) {
+      EXPECT_EQ(nullptr, ms_);
+    } else {
+      ASSERT_NE(nullptr, ms_);
+
+      SECStatus rv = PK11_ExtractKeyValue(ms_);
+      ASSERT_EQ(SECSuccess, rv);
+
+      SECItem *msData = PK11_GetKeyData(ms_);
+      ASSERT_NE(nullptr, msData);
+
+      ASSERT_EQ(kMasterSecretSize, msData->len);
+      EXPECT_EQ(0,
+                memcmp(msData->data, expected, kMasterSecretSize));
+    }
+  }
+
+ protected:
+  SECItem params_;
+  SECItem pms_item_;
+  CK_MECHANISM_TYPE key_mech_;
+  PK11SlotInfo *slot_;
+  PK11SymKey *pms_;
+  PK11SymKey *ms_;
+  CK_VERSION pms_version_;
+};
+
+TEST_F(TlsPrfTest, ExtendedMsParamErr) {
+  Init();
+
+  // This should fail; it's the correct set from which the below are derived
+  // CheckForError(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, 0);
+
+  // Output key size != 0, SSL3_MASTER_SECRET_LENGTH
+  CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, kIncorrectSize);
+
+  // not-DH && pms size != SSL3_PMS_LENGTH
+  CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kIncorrectSize, 0);
+
+  // CKM_TLS_PRF && seed length != MD5_LENGTH + SHA1_LENGTH
+  CheckForError(CKM_TLS_PRF, kIncorrectSize, kPmsSize, 0);
+
+  // !CKM_TLS_PRF && seed length != hash output length
+  CheckForError(CKM_SHA256, kIncorrectSize, kPmsSize, 0);
+}
+
+// Test matrix:
+//
+//            DH  RSA
+//  TLS_PRF   1   2
+//  SHA256    3   4
+TEST_F(TlsPrfTest, ExtendedMsDhTlsPrf) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
+                     CKM_TLS_PRF,
+                     nullptr,
+                     kExpectedOutputEmsTlsPrf);
+}
+
+TEST_F(TlsPrfTest, ExtendedMsRsaTlsPrf) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
+                     CKM_TLS_PRF,
+                     &pms_version_,
+                     kExpectedOutputEmsTlsPrf);
+  EXPECT_EQ(0, pms_version_.major);
+  EXPECT_EQ(1, pms_version_.minor);
+}
+
+
+TEST_F(TlsPrfTest, ExtendedMsDhSha256) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
+                     CKM_SHA256,
+                     nullptr,
+                     kExpectedOutputEmsSha256);
+}
+
+TEST_F(TlsPrfTest, ExtendedMsRsaSha256) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
+                     CKM_SHA256,
+                     &pms_version_,
+                     kExpectedOutputEmsSha256);
+  EXPECT_EQ(0, pms_version_.major);
+  EXPECT_EQ(1, pms_version_.minor);
+}
+
+}  // namespace nss_test
+
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/pk11_gtest/pk11_rsapss_unittest.cc
@@ -0,0 +1,246 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nss.h"
+#include "pk11pub.h"
+#include "sechash.h"
+#include <memory>
+
+#include "gtest/gtest.h"
+#include "scoped_ptrs.h"
+
+namespace nss_test {
+
+// RSA-PSS test vectors, pss-vect.txt, Example 1: A 1024-bit RSA Key Pair
+// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+const uint8_t kTestVector1Spki[] = {
+  0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+  0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02,
+  0x81, 0x81, 0x00, 0xa5, 0x6e, 0x4a, 0x0e, 0x70, 0x10, 0x17, 0x58, 0x9a, 0x51,
+  0x87, 0xdc, 0x7e, 0xa8, 0x41, 0xd1, 0x56, 0xf2, 0xec, 0x0e, 0x36, 0xad, 0x52,
+  0xa4, 0x4d, 0xfe, 0xb1, 0xe6, 0x1f, 0x7a, 0xd9, 0x91, 0xd8, 0xc5, 0x10, 0x56,
+  0xff, 0xed, 0xb1, 0x62, 0xb4, 0xc0, 0xf2, 0x83, 0xa1, 0x2a, 0x88, 0xa3, 0x94,
+  0xdf, 0xf5, 0x26, 0xab, 0x72, 0x91, 0xcb, 0xb3, 0x07, 0xce, 0xab, 0xfc, 0xe0,
+  0xb1, 0xdf, 0xd5, 0xcd, 0x95, 0x08, 0x09, 0x6d, 0x5b, 0x2b, 0x8b, 0x6d, 0xf5,
+  0xd6, 0x71, 0xef, 0x63, 0x77, 0xc0, 0x92, 0x1c, 0xb2, 0x3c, 0x27, 0x0a, 0x70,
+  0xe2, 0x59, 0x8e, 0x6f, 0xf8, 0x9d, 0x19, 0xf1, 0x05, 0xac, 0xc2, 0xd3, 0xf0,
+  0xcb, 0x35, 0xf2, 0x92, 0x80, 0xe1, 0x38, 0x6b, 0x6f, 0x64, 0xc4, 0xef, 0x22,
+  0xe1, 0xe1, 0xf2, 0x0d, 0x0c, 0xe8, 0xcf, 0xfb, 0x22, 0x49, 0xbd, 0x9a, 0x21,
+  0x37, 0x02, 0x03, 0x01, 0x00, 0x01
+};
+// RSA-PSS test vectors, pss-vect.txt, Example 1.1
+const uint8_t kTestVector1Data[] = {
+  0xcd, 0xc8, 0x7d, 0xa2, 0x23, 0xd7, 0x86, 0xdf, 0x3b, 0x45, 0xe0, 0xbb, 0xbc,
+  0x72, 0x13, 0x26, 0xd1, 0xee, 0x2a, 0xf8, 0x06, 0xcc, 0x31, 0x54, 0x75, 0xcc,
+  0x6f, 0x0d, 0x9c, 0x66, 0xe1, 0xb6, 0x23, 0x71, 0xd4, 0x5c, 0xe2, 0x39, 0x2e,
+  0x1a, 0xc9, 0x28, 0x44, 0xc3, 0x10, 0x10, 0x2f, 0x15, 0x6a, 0x0d, 0x8d, 0x52,
+  0xc1, 0xf4, 0xc4, 0x0b, 0xa3, 0xaa, 0x65, 0x09, 0x57, 0x86, 0xcb, 0x76, 0x97,
+  0x57, 0xa6, 0x56, 0x3b, 0xa9, 0x58, 0xfe, 0xd0, 0xbc, 0xc9, 0x84, 0xe8, 0xb5,
+  0x17, 0xa3, 0xd5, 0xf5, 0x15, 0xb2, 0x3b, 0x8a, 0x41, 0xe7, 0x4a, 0xa8, 0x67,
+  0x69, 0x3f, 0x90, 0xdf, 0xb0, 0x61, 0xa6, 0xe8, 0x6d, 0xfa, 0xae, 0xe6, 0x44,
+  0x72, 0xc0, 0x0e, 0x5f, 0x20, 0x94, 0x57, 0x29, 0xcb, 0xeb, 0xe7, 0x7f, 0x06,
+  0xce, 0x78, 0xe0, 0x8f, 0x40, 0x98, 0xfb, 0xa4, 0x1f, 0x9d, 0x61, 0x93, 0xc0,
+  0x31, 0x7e, 0x8b, 0x60, 0xd4, 0xb6, 0x08, 0x4a, 0xcb, 0x42, 0xd2, 0x9e, 0x38,
+  0x08, 0xa3, 0xbc, 0x37, 0x2d, 0x85, 0xe3, 0x31, 0x17, 0x0f, 0xcb, 0xf7, 0xcc,
+  0x72, 0xd0, 0xb7, 0x1c, 0x29, 0x66, 0x48, 0xb3, 0xa4, 0xd1, 0x0f, 0x41, 0x62,
+  0x95, 0xd0, 0x80, 0x7a, 0xa6, 0x25, 0xca, 0xb2, 0x74, 0x4f, 0xd9, 0xea, 0x8f,
+  0xd2, 0x23, 0xc4, 0x25, 0x37, 0x02, 0x98, 0x28, 0xbd, 0x16, 0xbe, 0x02, 0x54,
+  0x6f, 0x13, 0x0f, 0xd2, 0xe3, 0x3b, 0x93, 0x6d, 0x26, 0x76, 0xe0, 0x8a, 0xed,
+  0x1b, 0x73, 0x31, 0x8b, 0x75, 0x0a, 0x01, 0x67, 0xd0
+};
+const uint8_t kTestVector1Sig[] = {
+  0x90, 0x74, 0x30, 0x8f, 0xb5, 0x98, 0xe9, 0x70, 0x1b, 0x22, 0x94, 0x38, 0x8e,
+  0x52, 0xf9, 0x71, 0xfa, 0xac, 0x2b, 0x60, 0xa5, 0x14, 0x5a, 0xf1, 0x85, 0xdf,
+  0x52, 0x87, 0xb5, 0xed, 0x28, 0x87, 0xe5, 0x7c, 0xe7, 0xfd, 0x44, 0xdc, 0x86,
+  0x34, 0xe4, 0x07, 0xc8, 0xe0, 0xe4, 0x36, 0x0b, 0xc2, 0x26, 0xf3, 0xec, 0x22,
+  0x7f, 0x9d, 0x9e, 0x54, 0x63, 0x8e, 0x8d, 0x31, 0xf5, 0x05, 0x12, 0x15, 0xdf,
+  0x6e, 0xbb, 0x9c, 0x2f, 0x95, 0x79, 0xaa, 0x77, 0x59, 0x8a, 0x38, 0xf9, 0x14,
+  0xb5, 0xb9, 0xc1, 0xbd, 0x83, 0xc4, 0xe2, 0xf9, 0xf3, 0x82, 0xa0, 0xd0, 0xaa,
+  0x35, 0x42, 0xff, 0xee, 0x65, 0x98, 0x4a, 0x60, 0x1b, 0xc6, 0x9e, 0xb2, 0x8d,
+  0xeb, 0x27, 0xdc, 0xa1, 0x2c, 0x82, 0xc2, 0xd4, 0xc3, 0xf6, 0x6c, 0xd5, 0x00,
+  0xf1, 0xff, 0x2b, 0x99, 0x4d, 0x8a, 0x4e, 0x30, 0xcb, 0xb3, 0x3c
+};
+
+// RSA-PSS test vectors, pss-vect.txt, Example 10: A 2048-bit RSA Key Pair
+// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+const uint8_t kTestVector2Spki[] = {
+  0x30, 0x82, 0x01, 0x21, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0e, 0x00, 0x30, 0x82,
+  0x01, 0x09, 0x02, 0x82, 0x01, 0x00, 0xa5, 0xdd, 0x86, 0x7a, 0xc4, 0xcb, 0x02,
+  0xf9, 0x0b, 0x94, 0x57, 0xd4, 0x8c, 0x14, 0xa7, 0x70, 0xef, 0x99, 0x1c, 0x56,
+  0xc3, 0x9c, 0x0e, 0xc6, 0x5f, 0xd1, 0x1a, 0xfa, 0x89, 0x37, 0xce, 0xa5, 0x7b,
+  0x9b, 0xe7, 0xac, 0x73, 0xb4, 0x5c, 0x00, 0x17, 0x61, 0x5b, 0x82, 0xd6, 0x22,
+  0xe3, 0x18, 0x75, 0x3b, 0x60, 0x27, 0xc0, 0xfd, 0x15, 0x7b, 0xe1, 0x2f, 0x80,
+  0x90, 0xfe, 0xe2, 0xa7, 0xad, 0xcd, 0x0e, 0xef, 0x75, 0x9f, 0x88, 0xba, 0x49,
+  0x97, 0xc7, 0xa4, 0x2d, 0x58, 0xc9, 0xaa, 0x12, 0xcb, 0x99, 0xae, 0x00, 0x1f,
+  0xe5, 0x21, 0xc1, 0x3b, 0xb5, 0x43, 0x14, 0x45, 0xa8, 0xd5, 0xae, 0x4f, 0x5e,
+  0x4c, 0x7e, 0x94, 0x8a, 0xc2, 0x27, 0xd3, 0x60, 0x40, 0x71, 0xf2, 0x0e, 0x57,
+  0x7e, 0x90, 0x5f, 0xbe, 0xb1, 0x5d, 0xfa, 0xf0, 0x6d, 0x1d, 0xe5, 0xae, 0x62,
+  0x53, 0xd6, 0x3a, 0x6a, 0x21, 0x20, 0xb3, 0x1a, 0x5d, 0xa5, 0xda, 0xbc, 0x95,
+  0x50, 0x60, 0x0e, 0x20, 0xf2, 0x7d, 0x37, 0x39, 0xe2, 0x62, 0x79, 0x25, 0xfe,
+  0xa3, 0xcc, 0x50, 0x9f, 0x21, 0xdf, 0xf0, 0x4e, 0x6e, 0xea, 0x45, 0x49, 0xc5,
+  0x40, 0xd6, 0x80, 0x9f, 0xf9, 0x30, 0x7e, 0xed, 0xe9, 0x1f, 0xff, 0x58, 0x73,
+  0x3d, 0x83, 0x85, 0xa2, 0x37, 0xd6, 0xd3, 0x70, 0x5a, 0x33, 0xe3, 0x91, 0x90,
+  0x09, 0x92, 0x07, 0x0d, 0xf7, 0xad, 0xf1, 0x35, 0x7c, 0xf7, 0xe3, 0x70, 0x0c,
+  0xe3, 0x66, 0x7d, 0xe8, 0x3f, 0x17, 0xb8, 0xdf, 0x17, 0x78, 0xdb, 0x38, 0x1d,
+  0xce, 0x09, 0xcb, 0x4a, 0xd0, 0x58, 0xa5, 0x11, 0x00, 0x1a, 0x73, 0x81, 0x98,
+  0xee, 0x27, 0xcf, 0x55, 0xa1, 0x3b, 0x75, 0x45, 0x39, 0x90, 0x65, 0x82, 0xec,
+  0x8b, 0x17, 0x4b, 0xd5, 0x8d, 0x5d, 0x1f, 0x3d, 0x76, 0x7c, 0x61, 0x37, 0x21,
+  0xae, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01
+};
+// RSA-PSS test vectors, pss-vect.txt, Example 10.1
+const uint8_t kTestVector2Data[] = {
+  0x88, 0x31, 0x77, 0xe5, 0x12, 0x6b, 0x9b, 0xe2, 0xd9, 0xa9, 0x68, 0x03, 0x27,
+  0xd5, 0x37, 0x0c, 0x6f, 0x26, 0x86, 0x1f, 0x58, 0x20, 0xc4, 0x3d, 0xa6, 0x7a,
+  0x3a, 0xd6, 0x09
+};
+const uint8_t kTestVector2Sig[] = {
+  0x82, 0xc2, 0xb1, 0x60, 0x09, 0x3b, 0x8a, 0xa3, 0xc0, 0xf7, 0x52, 0x2b, 0x19,
+  0xf8, 0x73, 0x54, 0x06, 0x6c, 0x77, 0x84, 0x7a, 0xbf, 0x2a, 0x9f, 0xce, 0x54,
+  0x2d, 0x0e, 0x84, 0xe9, 0x20, 0xc5, 0xaf, 0xb4, 0x9f, 0xfd, 0xfd, 0xac, 0xe1,
+  0x65, 0x60, 0xee, 0x94, 0xa1, 0x36, 0x96, 0x01, 0x14, 0x8e, 0xba, 0xd7, 0xa0,
+  0xe1, 0x51, 0xcf, 0x16, 0x33, 0x17, 0x91, 0xa5, 0x72, 0x7d, 0x05, 0xf2, 0x1e,
+  0x74, 0xe7, 0xeb, 0x81, 0x14, 0x40, 0x20, 0x69, 0x35, 0xd7, 0x44, 0x76, 0x5a,
+  0x15, 0xe7, 0x9f, 0x01, 0x5c, 0xb6, 0x6c, 0x53, 0x2c, 0x87, 0xa6, 0xa0, 0x59,
+  0x61, 0xc8, 0xbf, 0xad, 0x74, 0x1a, 0x9a, 0x66, 0x57, 0x02, 0x28, 0x94, 0x39,
+  0x3e, 0x72, 0x23, 0x73, 0x97, 0x96, 0xc0, 0x2a, 0x77, 0x45, 0x5d, 0x0f, 0x55,
+  0x5b, 0x0e, 0xc0, 0x1d, 0xdf, 0x25, 0x9b, 0x62, 0x07, 0xfd, 0x0f, 0xd5, 0x76,
+  0x14, 0xce, 0xf1, 0xa5, 0x57, 0x3b, 0xaa, 0xff, 0x4e, 0xc0, 0x00, 0x69, 0x95,
+  0x16, 0x59, 0xb8, 0x5f, 0x24, 0x30, 0x0a, 0x25, 0x16, 0x0c, 0xa8, 0x52, 0x2d,
+  0xc6, 0xe6, 0x72, 0x7e, 0x57, 0xd0, 0x19, 0xd7, 0xe6, 0x36, 0x29, 0xb8, 0xfe,
+  0x5e, 0x89, 0xe2, 0x5c, 0xc1, 0x5b, 0xeb, 0x3a, 0x64, 0x75, 0x77, 0x55, 0x92,
+  0x99, 0x28, 0x0b, 0x9b, 0x28, 0xf7, 0x9b, 0x04, 0x09, 0x00, 0x0b, 0xe2, 0x5b,
+  0xbd, 0x96, 0x40, 0x8b, 0xa3, 0xb4, 0x3c, 0xc4, 0x86, 0x18, 0x4d, 0xd1, 0xc8,
+  0xe6, 0x25, 0x53, 0xfa, 0x1a, 0xf4, 0x04, 0x0f, 0x60, 0x66, 0x3d, 0xe7, 0xf5,
+  0xe4, 0x9c, 0x04, 0x38, 0x8e, 0x25, 0x7f, 0x1c, 0xe8, 0x9c, 0x95, 0xda, 0xb4,
+  0x8a, 0x31, 0x5d, 0x9b, 0x66, 0xb1, 0xb7, 0x62, 0x82, 0x33, 0x87, 0x6f, 0xf2,
+  0x38, 0x52, 0x30, 0xd0, 0x70, 0xd0, 0x7e, 0x16, 0x66
+};
+
+static unsigned char* toUcharPtr(const uint8_t* v) {
+  return const_cast<unsigned char*>(
+    static_cast<const unsigned char*>(v));
+}
+
+class Pkcs11RsaPssTest : public ::testing::Test {
+};
+
+class Pkcs11RsaPssVectorTest : public Pkcs11RsaPssTest {
+ public:
+  void Verify(const uint8_t* spki, size_t spki_len, const uint8_t* data,
+              size_t data_len, const uint8_t* sig, size_t sig_len) {
+    // Verify data signed with PSS/SHA-1.
+    SECOidTag hashOid = SEC_OID_SHA1;
+    CK_MECHANISM_TYPE hashMech = CKM_SHA_1;
+    CK_RSA_PKCS_MGF_TYPE mgf = CKG_MGF1_SHA1;
+
+    // Set up PSS parameters.
+    unsigned int hLen = HASH_ResultLenByOidTag(hashOid);
+    CK_RSA_PKCS_PSS_PARAMS rsaPssParams = { hashMech, mgf, hLen };
+    SECItem params = { siBuffer,
+                       reinterpret_cast<unsigned char*>(&rsaPssParams),
+                       sizeof(rsaPssParams) };
+
+    // Import public key.
+    SECItem spkiItem = { siBuffer, toUcharPtr(spki),
+                         static_cast<unsigned int>(spki_len) };
+    ScopedCERTSubjectPublicKeyInfo certSpki(
+      SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
+    ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get()));
+
+    // Hash the data.
+    std::vector<uint8_t> hashBuf(hLen);
+    SECItem hash = { siBuffer, &hashBuf[0],
+                     static_cast<unsigned int>(hashBuf.size()) };
+    SECStatus rv = PK11_HashBuf(hashOid, hash.data, toUcharPtr(data),
+                                data_len);
+    EXPECT_EQ(rv, SECSuccess);
+
+    // Verify.
+    CK_MECHANISM_TYPE mech = CKM_RSA_PKCS_PSS;
+    SECItem sigItem = { siBuffer, toUcharPtr(sig),
+                        static_cast<unsigned int>(sig_len) };
+    rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sigItem, &hash,
+                                  nullptr);
+    EXPECT_EQ(rv, SECSuccess);
+  }
+};
+
+#define PSS_TEST_VECTOR_VERIFY(spki, data, sig) \
+  Verify(spki, sizeof(spki), data, sizeof(data), sig, sizeof(sig));
+
+TEST_F(Pkcs11RsaPssTest, GenerateAndSignAndVerify) {
+  // Sign data with a 1024-bit RSA key, using PSS/SHA-256.
+  SECOidTag hashOid = SEC_OID_SHA256;
+  CK_MECHANISM_TYPE hashMech = CKM_SHA256;
+  CK_RSA_PKCS_MGF_TYPE mgf = CKG_MGF1_SHA256;
+  PK11RSAGenParams rsaGenParams = { 1024, 0x10001 };
+
+  // Generate RSA key pair.
+  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+  SECKEYPublicKey* pubKeyRaw = nullptr;
+  ScopedSECKEYPrivateKey privKey(PK11_GenerateKeyPair(slot.get(),
+                                                      CKM_RSA_PKCS_KEY_PAIR_GEN,
+                                                      &rsaGenParams, &pubKeyRaw,
+                                                      false, false, nullptr));
+  ASSERT_TRUE(!!privKey && pubKeyRaw);
+  ScopedSECKEYPublicKey pubKey(pubKeyRaw);
+
+  // Generate random data to sign.
+  uint8_t dataBuf[50];
+  SECItem data = { siBuffer, dataBuf, sizeof(dataBuf) };
+  unsigned int hLen = HASH_ResultLenByOidTag(hashOid);
+  SECStatus rv = PK11_GenerateRandomOnSlot(slot.get(), data.data, data.len);
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Allocate memory for the signature.
+  std::vector<uint8_t> sigBuf(PK11_SignatureLen(privKey.get()));
+  SECItem sig = { siBuffer, &sigBuf[0],
+                  static_cast<unsigned int>(sigBuf.size()) };
+
+  // Set up PSS parameters.
+  CK_RSA_PKCS_PSS_PARAMS rsaPssParams = { hashMech, mgf, hLen };
+  SECItem params = { siBuffer, reinterpret_cast<unsigned char*>(&rsaPssParams),
+                     sizeof(rsaPssParams) };
+
+  // Sign.
+  CK_MECHANISM_TYPE mech = CKM_RSA_PKCS_PSS;
+  rv = PK11_SignWithMechanism(privKey.get(), mech, &params, &sig, &data);
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Verify.
+  rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sig, &data,
+                                nullptr);
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Verification with modified data must fail.
+  data.data[0] ^= 0xff;
+  rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sig, &data,
+                                nullptr);
+  EXPECT_EQ(rv, SECFailure);
+
+  // Verification with original data but the wrong signature must fail.
+  data.data[0] ^= 0xff; // Revert previous changes.
+  sig.data[0] ^= 0xff;
+  rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sig, &data,
+                                nullptr);
+  EXPECT_EQ(rv, SECFailure);
+}
+
+// RSA-PSS test vectors, pss-vect.txt, Example 1.1: A 1024-bit RSA Key Pair
+// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature1) {
+  PSS_TEST_VECTOR_VERIFY(kTestVector1Spki, kTestVector1Data, kTestVector1Sig);
+}
+
+// RSA-PSS test vectors, pss-vect.txt, Example 10.1: A 2048-bit RSA Key Pair
+// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature2) {
+  PSS_TEST_VECTOR_VERIFY(kTestVector2Spki, kTestVector2Data, kTestVector2Sig);
+}
+
+}  // namespace nss_test
+
--- a/security/nss/external_tests/ssl_gtest/Makefile
+++ b/security/nss/external_tests/ssl_gtest/Makefile
@@ -20,41 +20,26 @@ include $(CORE_DEPTH)/coreconf/config.mk
 # (3) Include "component" configuration information. (OPTIONAL)       #
 #######################################################################
 
 
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 
-include ../../cmd/platlibs.mk
+include ../common/gtest.mk
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
 #######################################################################
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
-MKPROG = $(CCC)
 CFLAGS += -I$(CORE_DEPTH)/lib/ssl
-
-include ../../cmd/platrules.mk
-
-ifeq (WINNT,$(OS_ARCH))
-    # -EHsc because gtest has exception handlers
-    OS_CFLAGS += -EHsc -nologo
-    # http://www.suodenjoki.dk/us/archive/2010/min-max.htm
-    OS_CFLAGS += -DNOMINMAX
-
-    # Linking to winsock to get htonl
-    OS_LIBS += Ws2_32.lib
-else
-    CXXFLAGS += -std=c++0x
-endif
--- a/security/nss/external_tests/ssl_gtest/databuffer.h
+++ b/security/nss/external_tests/ssl_gtest/databuffer.h
@@ -46,19 +46,26 @@ class DataBuffer {
 
   void Truncate(size_t len) {
     len_ = std::min(len_, len);
   }
 
   void Assign(const DataBuffer& other) {
     Assign(other.data(), other.len());
   }
+
   void Assign(const uint8_t* data, size_t len) {
-    Allocate(len);
-    memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len);
+    if (data) {
+      Allocate(len);
+      memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len);
+    } else {
+      assert(len == 0);
+      data_ = nullptr;
+      len_ = 0;
+    }
   }
 
   // Write will do a new allocation and expand the size of the buffer if needed.
   void Write(size_t index, const uint8_t* val, size_t count) {
     if (index + count > len_) {
       size_t newlen = index + count;
       uint8_t* tmp = new uint8_t[newlen]; // Always > 0.
       memcpy(static_cast<void*>(tmp),
@@ -161,11 +168,20 @@ inline std::ostream& operator<<(std::ost
     }
     stream << std::hex << std::setfill('0') << std::setw(2)
            << static_cast<unsigned>(buf.data()[i]);
   }
   stream << std::dec;
   return stream;
 }
 
+inline bool operator==(const DataBuffer& a, const DataBuffer& b) {
+  return (a.empty() && b.empty()) ||
+    (a.len() == b.len() && 0 == memcmp(a.data(), b.data(), a.len()));
+}
+
+inline bool operator!=(const DataBuffer& a, const DataBuffer& b) {
+  return !(a == b);
+}
+
 } // namespace nss_test
 
 #endif
--- a/security/nss/external_tests/ssl_gtest/manifest.mn
+++ b/security/nss/external_tests/ssl_gtest/manifest.mn
@@ -10,17 +10,16 @@ MODULE = nss
 CSRCS = \
       libssl_internals.c \
       $(NULL)
 
 CPPSRCS = \
       ssl_agent_unittest.cc \
       ssl_loopback_unittest.cc \
       ssl_extension_unittest.cc \
-      ssl_prf_unittest.cc \
       ssl_skip_unittest.cc \
       ssl_gtest.cc \
       test_io.cc \
       tls_agent.cc \
       tls_connect.cc \
       tls_filter.cc \
       tls_parser.cc \
       $(NULL)
--- a/security/nss/external_tests/ssl_gtest/ssl_extension_unittest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_extension_unittest.cc
@@ -604,16 +604,120 @@ TEST_P(TlsExtensionTest12Plus, Signature
     uint32_t v;
     EXPECT_TRUE(ext.Read(cursor++, 1, &v));
     EXPECT_EQ(algorithms[i].hashAlg, static_cast<SSLHashType>(v));
     EXPECT_TRUE(ext.Read(cursor++, 1, &v));
     EXPECT_EQ(algorithms[i].sigAlg, static_cast<SSLSignType>(v));
   }
 }
 
+/*
+ * Tests for Certificate Transparency (RFC 6962)
+ */
+
+// Helper class - stores signed certificate timestamps as provided
+// by the relevant callbacks on the client.
+class SignedCertificateTimestampsExtractor {
+ public:
+  SignedCertificateTimestampsExtractor(TlsAgent& client) {
+    client.SetAuthCertificateCallback(
+      [&](TlsAgent& agent, PRBool checksig, PRBool isServer) {
+        const SECItem *scts = SSL_PeerSignedCertTimestamps(agent.ssl_fd());
+        ASSERT_TRUE(scts);
+        auth_timestamps_.reset(new DataBuffer(scts->data, scts->len));
+      }
+    );
+    client.SetHandshakeCallback(
+      [&](TlsAgent& agent) {
+        const SECItem *scts = SSL_PeerSignedCertTimestamps(agent.ssl_fd());
+        ASSERT_TRUE(scts);
+        handshake_timestamps_.reset(new DataBuffer(scts->data, scts->len));
+      }
+    );
+  }
+
+  void assertTimestamps(const DataBuffer& timestamps) {
+    ASSERT_TRUE(auth_timestamps_);
+    ASSERT_EQ(timestamps, *auth_timestamps_);
+
+    ASSERT_TRUE(handshake_timestamps_);
+    ASSERT_EQ(timestamps, *handshake_timestamps_);
+  }
+
+ private:
+  std::unique_ptr<DataBuffer> auth_timestamps_;
+  std::unique_ptr<DataBuffer> handshake_timestamps_;
+};
+
+// Test timestamps extraction during a successful handshake.
+TEST_P(TlsExtensionTestGeneric, SignedCertificateTimestampsHandshake) {
+  uint8_t val[] = { 0x01, 0x23, 0x45, 0x67, 0x89 };
+  const SECItem si_timestamps = { siBuffer, val, sizeof(val) };
+  const DataBuffer timestamps(val, sizeof(val));
+
+  server_->StartConnect();
+  ASSERT_EQ(SECSuccess,
+    SSL_SetSignedCertTimestamps(server_->ssl_fd(),
+      &si_timestamps, server_->kea()));
+
+  client_->StartConnect();
+  ASSERT_EQ(SECSuccess,
+    SSL_OptionSet(client_->ssl_fd(),
+      SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, PR_TRUE));
+
+  SignedCertificateTimestampsExtractor timestamps_extractor(*client_);
+  Handshake();
+  CheckConnected();
+  timestamps_extractor.assertTimestamps(timestamps);
+}
+
+// Test SSL_PeerSignedCertTimestamps returning zero-length SECItem
+// when the client / the server / both have not enabled the feature.
+TEST_P(TlsExtensionTestGeneric, SignedCertificateTimestampsInactiveClient) {
+  uint8_t val[] = { 0x01, 0x23, 0x45, 0x67, 0x89 };
+  const SECItem si_timestamps = { siBuffer, val, sizeof(val) };
+
+  server_->StartConnect();
+  ASSERT_EQ(SECSuccess,
+    SSL_SetSignedCertTimestamps(server_->ssl_fd(),
+      &si_timestamps, server_->kea()));
+
+  client_->StartConnect();
+
+  SignedCertificateTimestampsExtractor timestamps_extractor(*client_);
+  Handshake();
+  CheckConnected();
+  timestamps_extractor.assertTimestamps(DataBuffer());
+}
+
+TEST_P(TlsExtensionTestGeneric, SignedCertificateTimestampsInactiveServer) {
+  server_->StartConnect();
+
+  client_->StartConnect();
+  ASSERT_EQ(SECSuccess,
+    SSL_OptionSet(client_->ssl_fd(),
+      SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, PR_TRUE));
+
+  SignedCertificateTimestampsExtractor timestamps_extractor(*client_);
+  Handshake();
+  CheckConnected();
+  timestamps_extractor.assertTimestamps(DataBuffer());
+}
+
+TEST_P(TlsExtensionTestGeneric, SignedCertificateTimestampsInactiveBoth) {
+  server_->StartConnect();
+  client_->StartConnect();
+
+  SignedCertificateTimestampsExtractor timestamps_extractor(*client_);
+  Handshake();
+  CheckConnected();
+  timestamps_extractor.assertTimestamps(DataBuffer());
+}
+
+
 INSTANTIATE_TEST_CASE_P(ExtensionTls10, TlsExtensionTestGeneric,
                         ::testing::Combine(
                           TlsConnectTestBase::kTlsModesStream,
                           TlsConnectTestBase::kTlsV10));
 INSTANTIATE_TEST_CASE_P(ExtensionVariants, TlsExtensionTestGeneric,
                         ::testing::Combine(
                           TlsConnectTestBase::kTlsModesAll,
                           TlsConnectTestBase::kTlsV11V12));
deleted file mode 100644
--- a/security/nss/external_tests/ssl_gtest/ssl_prf_unittest.cc
+++ /dev/null
@@ -1,253 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nss.h"
-#include "pk11pub.h"
-#include <memory>
-
-#include "gtest_utils.h"
-
-namespace nss_test {
-
-#define CONST_UINT8_TO_UCHAR(a) const_cast<unsigned char*>( \
-    static_cast<const unsigned char *>(a))
-
-const size_t kPmsSize = 48;
-const size_t kMasterSecretSize = 48;
-const size_t kPrfSeedSizeSha256 = 32;
-const size_t kPrfSeedSizeTlsPrf = 36;
-
-// This is not the right size for anything
-const size_t kIncorrectSize = 17;
-
-const uint8_t kPmsData[] = {
-  0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-  0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
-  0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
-  0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
-  0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,
-  0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f
-};
-
-const uint8_t kPrfSeed[] = {
-  0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
-  0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff,
-  0xe0,0xe1,0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,
-  0xe8,0xe9,0xea,0xeb,0xec,0xed,0xee,0xef,
-  0xd0,0xd1,0xd2,0xd3
-};
-
-const uint8_t kExpectedOutputEmsSha256[] = {
-  0x75,0xa7,0xa5,0x98,0xef,0xab,0x90,0xe7,
-  0x7c,0x67,0x80,0xde,0xab,0x3a,0x11,0xf3,
-  0x5d,0xb2,0xf8,0x47,0xff,0x09,0x01,0xec,
-  0xf8,0x93,0x89,0xfc,0x98,0x2e,0x6e,0xf9,
-  0x2c,0xf5,0x9b,0x04,0x04,0x6f,0xd7,0x28,
-  0x6e,0xea,0xe3,0x83,0xc4,0x4a,0xff,0x03
-};
-
-const uint8_t kExpectedOutputEmsTlsPrf[] = {
-  0x06,0xbf,0x29,0x86,0x5d,0xf3,0x3e,0x38,
-  0xfd,0xfa,0x91,0x10,0x2a,0x20,0xff,0xd6,
-  0xb9,0xd5,0x72,0x5a,0x6d,0x42,0x20,0x16,
-  0xde,0xa4,0xa0,0x51,0xe5,0x53,0xc1,0x28,
-  0x04,0x99,0xbc,0xb1,0x2c,0x9d,0xe8,0x0b,
-  0x18,0xa2,0x0e,0x48,0x52,0x8d,0x61,0x13
-};
-
-static unsigned char* toUcharPtr(const uint8_t* v) {
-  return const_cast<unsigned char*>(
-    static_cast<const unsigned char *>(v));
-}
-
-class TlsPrfTest : public ::testing::Test {
- public:
-  TlsPrfTest()
-    : params_({siBuffer, nullptr, 0})
-    , pms_item_({siBuffer, toUcharPtr(kPmsData), kPmsSize})
-    , key_mech_(0)
-    , slot_(nullptr)
-    , pms_(nullptr)
-    , ms_(nullptr)
-    , pms_version_({0, 0}) {}
-
-  ~TlsPrfTest() {
-    if (slot_) { PK11_FreeSlot(slot_); }
-    ClearTempVars();
-  }
-
-  void ClearTempVars() {
-    if (pms_) { PK11_FreeSymKey(pms_); }
-    if (ms_)  { PK11_FreeSymKey(ms_);  }
-  }
-
-  void Init() {
-    params_.type = siBuffer;
-
-    pms_item_.type = siBuffer;
-    pms_item_.data = const_cast<unsigned char*>(
-                        static_cast<const unsigned char *>(kPmsData));
-
-    slot_ = PK11_GetInternalSlot();
-    ASSERT_NE(nullptr, slot_);
-  }
-
-  void CheckForError(CK_MECHANISM_TYPE hash_mech,
-                     size_t seed_len,
-                     size_t pms_len,
-                     size_t output_len) {
-    // Error tests don't depend on the derivation mechansim
-    Inner(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, hash_mech,
-          seed_len, pms_len, output_len, nullptr, nullptr);
-  }
-
-  void ComputeAndVerifyMs(CK_MECHANISM_TYPE derive_mech,
-                          CK_MECHANISM_TYPE hash_mech,
-                          CK_VERSION* version,
-                          const uint8_t* expected) {
-    // Infer seed length from mechanism
-    int seed_len = 0;
-    switch (hash_mech) {
-      case CKM_TLS_PRF: seed_len = kPrfSeedSizeTlsPrf; break;
-      case CKM_SHA256:  seed_len = kPrfSeedSizeSha256; break;
-      default:          ASSERT_TRUE(false);
-    }
-
-    Inner(derive_mech, hash_mech, seed_len,
-          kPmsSize, 0, version, expected);
-  }
-
-
-  // Set output == nullptr to test when errors occur
-  void Inner(
-      CK_MECHANISM_TYPE derive_mech,
-      CK_MECHANISM_TYPE hash_mech,
-      size_t seed_len,
-      size_t pms_len,
-      size_t output_len,
-      CK_VERSION* version,
-      const uint8_t* expected) {
-    ClearTempVars();
-
-    // Infer the key mechanism from the hash type
-    switch (hash_mech) {
-      case CKM_TLS_PRF: key_mech_ = CKM_TLS_KEY_AND_MAC_DERIVE; break;
-      case CKM_SHA256:  key_mech_ = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; break;
-      default:          ASSERT_TRUE(false);
-    }
-
-    // Import the params
-    CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS master_params = {
-      hash_mech,
-      toUcharPtr(kPrfSeed),
-      seed_len,
-      version
-    };
-    params_.data = reinterpret_cast<unsigned char*>(&master_params);
-    params_.len = sizeof(master_params);
-
-    // Import the PMS
-    pms_item_.len = pms_len;
-    pms_ = PK11_ImportSymKey(slot_, derive_mech, PK11_OriginUnwrap,
-                            CKA_DERIVE, &pms_item_, NULL);
-    ASSERT_NE(nullptr, pms_);
-
-
-    // Compute the EMS
-    ms_ = PK11_DeriveWithFlags(pms_, derive_mech, &params_, key_mech_,
-        CKA_DERIVE, output_len, CKF_SIGN | CKF_VERIFY);
-
-    // Verify the EMS has the expected value (null or otherwise)
-    if (!expected) {
-      EXPECT_EQ(nullptr, ms_);
-    } else {
-      ASSERT_NE(nullptr, ms_);
-
-      SECStatus rv = PK11_ExtractKeyValue(ms_);
-      ASSERT_EQ(SECSuccess, rv);
-
-      SECItem *msData = PK11_GetKeyData(ms_);
-      ASSERT_NE(nullptr, msData);
-
-      ASSERT_EQ(kMasterSecretSize, msData->len);
-      EXPECT_EQ(0,
-                memcmp(msData->data, expected, kMasterSecretSize));
-    }
-  }
-
- protected:
-  SECItem params_;
-  SECItem pms_item_;
-  CK_MECHANISM_TYPE key_mech_;
-  PK11SlotInfo *slot_;
-  PK11SymKey *pms_;
-  PK11SymKey *ms_;
-  CK_VERSION pms_version_;
-};
-
-TEST_F(TlsPrfTest, ExtendedMsParamErr) {
-  Init();
-
-  // This should fail; it's the correct set from which the below are derived
-  // CheckForError(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, 0);
-
-  // Output key size != 0, SSL3_MASTER_SECRET_LENGTH
-  CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, kIncorrectSize);
-
-  // not-DH && pms size != SSL3_PMS_LENGTH
-  CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kIncorrectSize, 0);
-
-  // CKM_TLS_PRF && seed length != MD5_LENGTH + SHA1_LENGTH
-  CheckForError(CKM_TLS_PRF, kIncorrectSize, kPmsSize, 0);
-
-  // !CKM_TLS_PRF && seed length != hash output length
-  CheckForError(CKM_SHA256, kIncorrectSize, kPmsSize, 0);
-}
-
-// Test matrix:
-//
-//            DH  RSA
-//  TLS_PRF   1   2
-//  SHA256    3   4
-TEST_F(TlsPrfTest, ExtendedMsDhTlsPrf) {
-  Init();
-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
-                     CKM_TLS_PRF,
-                     nullptr,
-                     kExpectedOutputEmsTlsPrf);
-}
-
-TEST_F(TlsPrfTest, ExtendedMsRsaTlsPrf) {
-  Init();
-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
-                     CKM_TLS_PRF,
-                     &pms_version_,
-                     kExpectedOutputEmsTlsPrf);
-  EXPECT_EQ(0, pms_version_.major);
-  EXPECT_EQ(1, pms_version_.minor);
-}
-
-
-TEST_F(TlsPrfTest, ExtendedMsDhSha256) {
-  Init();
-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
-                     CKM_SHA256,
-                     nullptr,
-                     kExpectedOutputEmsSha256);
-}
-
-TEST_F(TlsPrfTest, ExtendedMsRsaSha256) {
-  Init();
-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
-                     CKM_SHA256,
-                     &pms_version_,
-                     kExpectedOutputEmsSha256);
-  EXPECT_EQ(0, pms_version_.major);
-  EXPECT_EQ(1, pms_version_.minor);
-}
-
-}  // namespace nss_test
-
--- a/security/nss/external_tests/ssl_gtest/tls_agent.cc
+++ b/security/nss/external_tests/ssl_gtest/tls_agent.cc
@@ -35,17 +35,19 @@ TlsAgent::TlsAgent(const std::string& na
     expect_resumption_(false),
     can_falsestart_hook_called_(false),
     sni_hook_called_(false),
     auth_certificate_hook_called_(false),
     handshake_callback_called_(false),
     error_code_(0),
     send_ctr_(0),
     recv_ctr_(0),
-    expected_read_error_(false) {
+    expected_read_error_(false),
+    handshake_callback_(),
+    auth_certificate_callback_() {
 
   memset(&info_, 0, sizeof(info_));
   memset(&csinfo_, 0, sizeof(csinfo_));
   SECStatus rv = SSL_VersionRangeGetDefault(mode_ == STREAM ?
                                             ssl_variant_stream : ssl_variant_datagram,
                                             &vrange_);
   EXPECT_EQ(SECSuccess, rv);
 }
--- a/security/nss/external_tests/ssl_gtest/tls_agent.h
+++ b/security/nss/external_tests/ssl_gtest/tls_agent.h
@@ -6,16 +6,17 @@
 
 #ifndef tls_agent_h_
 #define tls_agent_h_
 
 #include "prio.h"
 #include "ssl.h"
 
 #include <iostream>
+#include <functional>
 
 #include "test_io.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 
 namespace nss_test {
 
@@ -23,16 +24,26 @@ namespace nss_test {
 
 enum SessionResumptionMode {
   RESUME_NONE = 0,
   RESUME_SESSIONID = 1,
   RESUME_TICKET = 2,
   RESUME_BOTH = RESUME_SESSIONID | RESUME_TICKET
 };
 
+class TlsAgent;
+
+typedef
+  std::function<void(TlsAgent& agent, PRBool checksig, PRBool isServer)>
+  AuthCertificateCallbackFunction;
+
+typedef
+  std::function<void(TlsAgent& agent)>
+  HandshakeCallbackFunction;
+
 class TlsAgent : public PollTarget {
  public:
   enum Role { CLIENT, SERVER };
   enum State { STATE_INIT, STATE_CONNECTING, STATE_CONNECTED, STATE_ERROR };
 
   TlsAgent(const std::string& name, Role role, Mode mode, SSLKEAType kea);
   virtual ~TlsAgent();
 
@@ -89,18 +100,22 @@ class TlsAgent : public PollTarget {
   void CheckErrorCode(int32_t expected) const;
   void SendData(size_t bytes, size_t blocksize = 1024);
   void ReadBytes();
   void ResetSentBytes(); // Hack to test drops.
   void EnableExtendedMasterSecret();
   void CheckExtendedMasterSecret(bool expected);
   void DisableRollbackDetection();
 
+  Role role() const { return role_; }
+
   State state() const { return state_; }
 
+  SSLKEAType kea() const { return kea_; }
+
   const char* state_str() const { return state_str(state()); }
 
   const char* state_str(State state) const { return states[state]; }
 
   PRFileDesc* ssl_fd() { return ssl_fd_; }
   DummyPrSocket* adapter() { return adapter_; }
 
   uint16_t min_version() const { return vrange_.min; }
@@ -126,16 +141,25 @@ class TlsAgent : public PollTarget {
   std::vector<uint8_t> session_id() const {
     return std::vector<uint8_t>(info_.sessionID,
                                 info_.sessionID + info_.sessionIDLength);
   }
 
   size_t received_bytes() const { return recv_ctr_; }
   int32_t error_code() const { return error_code_; }
 
+  void SetHandshakeCallback(HandshakeCallbackFunction handshake_callback) {
+    handshake_callback_ = handshake_callback;
+  }
+
+  void SetAuthCertificateCallback(
+      AuthCertificateCallbackFunction auth_certificate_callback) {
+    auth_certificate_callback_ = auth_certificate_callback;
+  }
+
  private:
   const static char* states[];
 
   void SetState(State state) {
     if (state_ == state) return;
 
     LOG("Changing state from " << state_str(state_) << " to "
                                << state_str(state));
@@ -143,25 +167,31 @@ class TlsAgent : public PollTarget {
   }
 
   // Dummy auth certificate hook.
   static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd,
                                        PRBool checksig, PRBool isServer) {
     TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
     agent->CheckPreliminaryInfo();
     agent->auth_certificate_hook_called_ = true;
+    if (agent->auth_certificate_callback_) {
+      agent->auth_certificate_callback_(*agent, checksig, isServer);
+    }
     return SECSuccess;
   }
 
   // Client auth certificate hook.
   static SECStatus ClientAuthenticated(void* arg, PRFileDesc* fd,
                                        PRBool checksig, PRBool isServer) {
     TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
     EXPECT_TRUE(agent->expect_client_auth_);
     EXPECT_TRUE(isServer);
+    if (agent->auth_certificate_callback_) {
+      agent->auth_certificate_callback_(*agent, checksig, isServer);
+    }
     return SECSuccess;
   }
 
   static SECStatus GetClientAuthDataHook(void* self, PRFileDesc* fd,
                                          CERTDistNames* caNames,
                                          CERTCertificate** cert,
                                          SECKEYPrivateKey** privKey);
 
@@ -203,16 +233,19 @@ class TlsAgent : public PollTarget {
     *canFalseStart = true;
     return SECSuccess;
   }
 
   static void HandshakeCallback(PRFileDesc *fd, void *arg) {
     TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
     agent->CheckPreliminaryInfo();
     agent->handshake_callback_called_ = true;
+    if (agent->handshake_callback_) {
+      agent->handshake_callback_(*agent);
+    }
   }
 
   void CheckCallbacks() const;
   void Connected();
 
   const std::string name_;
   Mode mode_;
   SSLKEAType kea_;
@@ -232,16 +265,18 @@ class TlsAgent : public PollTarget {
   bool handshake_callback_called_;
   SSLChannelInfo info_;
   SSLCipherSuiteInfo csinfo_;
   SSLVersionRange vrange_;
   int32_t error_code_;
   size_t send_ctr_;
   size_t recv_ctr_;
   bool expected_read_error_;
+  HandshakeCallbackFunction handshake_callback_;
+  AuthCertificateCallbackFunction auth_certificate_callback_;
 };
 
 class TlsAgentTestBase : public ::testing::Test {
  public:
   static ::testing::internal::ParamGenerator<std::string> kTlsRolesAll;
 
   TlsAgentTestBase(TlsAgent::Role role,
                    Mode mode) : agent_(nullptr),
--- a/security/nss/lib/Makefile
+++ b/security/nss/lib/Makefile
@@ -41,35 +41,53 @@ ifeq ($(OS_ARCH),Linux)
 SYSINIT_SRCDIR = sysinit  # Add the sysinit directory to DIRS.
 endif
 endif
 
 ifndef NSS_DISABLE_DBM
 DBM_SRCDIR = dbm  # Add the dbm directory to DIRS.
 endif
 
+ifeq ($(NSS_BUILD_UTIL_ONLY),1)
+SYSINIT_SRCDIR=
+endif
+
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
 #######################################################################
 
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
-ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
-# Not included when building nss without softoken
-UTIL_SRCDIR =
-FREEBL_SRCDIR =
-SOFTOKEN_SRCDIR =
+ifeq ($(NSS_BUILD_UTIL_ONLY),1)
+  UTIL_SRCDIR = util
+  FREEBL_SRCDIR =
+  SOFTOKEN_SRCDIR =
 else
-# default is to include all
-UTIL_SRCDIR = util
-FREEBL_SRCDIR = freebl
-SOFTOKEN_SRCDIR = softoken
+  ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
+      UTIL_SRCDIR =
+      FREEBL_SRCDIR = freebl
+      SOFTOKEN_SRCDIR = softoken
+  else
+    ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+      # Not included when building nss without softoken
+      # This build type uses the build results of the prior
+      # NSS_BUILD_UTIL_ONLY and NSS_BUILD_SOFTOKEN_ONLY builds
+      UTIL_SRCDIR =
+      FREEBL_SRCDIR =
+      SOFTOKEN_SRCDIR =
+    else
+      # default is to include all
+      UTIL_SRCDIR = util
+      FREEBL_SRCDIR = freebl
+      SOFTOKEN_SRCDIR = softoken
+    endif
+  endif
 endif
--- a/security/nss/lib/base/arena.c
+++ b/security/nss/lib/base/arena.c
@@ -36,110 +36,104 @@
  *
  * The nonpublic methods relating to this type are:
  *
  *  nssArena_Create  -- constructor
  *  nssArena_Destroy
  *  nssArena_Mark
  *  nssArena_Release
  *  nssArena_Unmark
- * 
+ *
  *  nss_ZAlloc
  *  nss_ZFreeIf
  *  nss_ZRealloc
  *
  * In debug builds, the following calls are available:
  *
  *  nssArena_verifyPointer
  *  nssArena_registerDestructor
  *  nssArena_deregisterDestructor
  */
 
 struct NSSArenaStr {
-  PLArenaPool pool;
-  PRLock *lock;
+    PLArenaPool pool;
+    PRLock *lock;
 #ifdef ARENA_THREADMARK
-  PRThread *marking_thread;
-  nssArenaMark *first_mark;
-  nssArenaMark *last_mark;
+    PRThread *marking_thread;
+    nssArenaMark *first_mark;
+    nssArenaMark *last_mark;
 #endif /* ARENA_THREADMARK */
 #ifdef ARENA_DESTRUCTOR_LIST
-  struct arena_destructor_node *first_destructor;
-  struct arena_destructor_node *last_destructor;
+    struct arena_destructor_node *first_destructor;
+    struct arena_destructor_node *last_destructor;
 #endif /* ARENA_DESTRUCTOR_LIST */
 };
 
 /*
  * nssArenaMark
  *
  * This type is used to mark the current state of an NSSArena.
  */
 
 struct nssArenaMarkStr {
-  PRUint32 magic;
-  void *mark;
+    PRUint32 magic;
+    void *mark;
 #ifdef ARENA_THREADMARK
-  nssArenaMark *next;
+    nssArenaMark *next;
 #endif /* ARENA_THREADMARK */
 #ifdef ARENA_DESTRUCTOR_LIST
-  struct arena_destructor_node *next_destructor;
-  struct arena_destructor_node *prev_destructor;
+    struct arena_destructor_node *next_destructor;
+    struct arena_destructor_node *prev_destructor;
 #endif /* ARENA_DESTRUCTOR_LIST */
 };
 
 #define MARK_MAGIC 0x4d41524b /* "MARK" how original */
 
 /*
  * But first, the pointer-tracking code
  */
 #ifdef DEBUG
 extern const NSSError NSS_ERROR_INTERNAL_ERROR;
 
 static nssPointerTracker arena_pointer_tracker;
 
 static PRStatus
-arena_add_pointer
-(
-  const NSSArena *arena
-)
+arena_add_pointer(const NSSArena *arena)
 {
-  PRStatus rv;
+    PRStatus rv;
+
+    rv = nssPointerTracker_initialize(&arena_pointer_tracker);
+    if (PR_SUCCESS != rv) {
+        return rv;
+    }
 
-  rv = nssPointerTracker_initialize(&arena_pointer_tracker);
-  if( PR_SUCCESS != rv ) {
-    return rv;
-  }
+    rv = nssPointerTracker_add(&arena_pointer_tracker, arena);
+    if (PR_SUCCESS != rv) {
+        NSSError e = NSS_GetError();
+        if (NSS_ERROR_NO_MEMORY != e) {
+            nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+        }
+
+        return rv;
+    }
 
-  rv = nssPointerTracker_add(&arena_pointer_tracker, arena);
-  if( PR_SUCCESS != rv ) {
-    NSSError e = NSS_GetError();
-    if( NSS_ERROR_NO_MEMORY != e ) {
-      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return PR_SUCCESS;
+}
+
+static PRStatus
+arena_remove_pointer(const NSSArena *arena)
+{
+    PRStatus rv;
+
+    rv = nssPointerTracker_remove(&arena_pointer_tracker, arena);
+    if (PR_SUCCESS != rv) {
+        nss_SetError(NSS_ERROR_INTERNAL_ERROR);
     }
 
     return rv;
-  }
-
-  return PR_SUCCESS;
-}
-
-static PRStatus
-arena_remove_pointer
-(
-  const NSSArena *arena
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_remove(&arena_pointer_tracker, arena);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  }
-
-  return rv;
 }
 
 /*
  * nssArena_verifyPointer
  *
  * This method is only present in debug builds.
  *
  * If the specified pointer is a valid pointer to an NSSArena object,
@@ -150,186 +144,172 @@ arena_remove_pointer
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS if the pointer is valid
  *  PR_FAILURE if it isn't
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_verifyPointer
-(
-  const NSSArena *arena
-)
+nssArena_verifyPointer(const NSSArena *arena)
 {
-  PRStatus rv;
+    PRStatus rv;
 
-  rv = nssPointerTracker_initialize(&arena_pointer_tracker);
-  if( PR_SUCCESS != rv ) {
-    /*
-     * This is a little disingenious.  We have to initialize the
-     * tracker, because someone could "legitimately" try to verify
-     * an arena pointer before one is ever created.  And this step
-     * might fail, due to lack of memory.  But the only way that
-     * this step can fail is if it's doing the call_once stuff,
-     * (later calls just no-op).  And if it didn't no-op, there
-     * aren't any valid arenas.. so the argument certainly isn't one.
-     */
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return PR_FAILURE;
-  }
+    rv = nssPointerTracker_initialize(&arena_pointer_tracker);
+    if (PR_SUCCESS != rv) {
+        /*
+         * This is a little disingenious.  We have to initialize the
+         * tracker, because someone could "legitimately" try to verify
+         * an arena pointer before one is ever created.  And this step
+         * might fail, due to lack of memory.  But the only way that
+         * this step can fail is if it's doing the call_once stuff,
+         * (later calls just no-op).  And if it didn't no-op, there
+         * aren't any valid arenas.. so the argument certainly isn't one.
+         */
+        nss_SetError(NSS_ERROR_INVALID_ARENA);
+        return PR_FAILURE;
+    }
 
-  rv = nssPointerTracker_verify(&arena_pointer_tracker, arena);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return PR_FAILURE;
-  }
+    rv = nssPointerTracker_verify(&arena_pointer_tracker, arena);
+    if (PR_SUCCESS != rv) {
+        nss_SetError(NSS_ERROR_INVALID_ARENA);
+        return PR_FAILURE;
+    }
 
-  return PR_SUCCESS;
+    return PR_SUCCESS;
 }
 #endif /* DEBUG */
 
 #ifdef ARENA_DESTRUCTOR_LIST
 
 struct arena_destructor_node {
-  struct arena_destructor_node *next;
-  struct arena_destructor_node *prev;
-  void (*destructor)(void *argument);
-  void *arg;
+    struct arena_destructor_node *next;
+    struct arena_destructor_node *prev;
+    void (*destructor)(void *argument);
+    void *arg;
 };
 
 /*
  * nssArena_registerDestructor
  *
  * This routine stores a pointer to a callback and an arbitrary
  * pointer-sized argument in the arena, at the current point in
  * the mark stack.  If the arena is destroyed, or an "earlier"
  * mark is released, then this destructor will be called at that
  * time.  Note that the destructor will be called with the arena
  * locked, which means the destructor may free memory in that
  * arena, but it may not allocate or cause to be allocated any
  * memory.  This callback facility was included to support our
  * debug-version pointer-tracker feature; overuse runs counter to
- * the the original intent of arenas.  This routine returns a 
- * PRStatus value; if successful, it will return PR_SUCCESS.  If 
- * unsuccessful, it will set an error on the error stack and 
+ * the the original intent of arenas.  This routine returns a
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If
+ * unsuccessful, it will set an error on the error stack and
  * return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_registerDestructor
-(
-  NSSArena *arena,
-  void (*destructor)(void *argument),
-  void *arg
-)
+nssArena_registerDestructor(NSSArena *arena, void (*destructor)(void *argument),
+                            void *arg)
 {
-  struct arena_destructor_node *it;
+    struct arena_destructor_node *it;
 
 #ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
+    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+        return PR_FAILURE;
+    }
 #endif /* NSSDEBUG */
-  
-  it = nss_ZNEW(arena, struct arena_destructor_node);
-  if( (struct arena_destructor_node *)NULL == it ) {
-    return PR_FAILURE;
-  }
+
+    it = nss_ZNEW(arena, struct arena_destructor_node);
+    if ((struct arena_destructor_node *)NULL == it) {
+        return PR_FAILURE;
+    }
 
-  it->prev = arena->last_destructor;
-  arena->last_destructor->next = it;
-  arena->last_destructor = it;
-  it->destructor = destructor;
-  it->arg = arg;
+    it->prev = arena->last_destructor;
+    arena->last_destructor->next = it;
+    arena->last_destructor = it;
+    it->destructor = destructor;
+    it->arg = arg;
 
-  if( (nssArenaMark *)NULL != arena->last_mark ) {
-    arena->last_mark->prev_destructor = it->prev;
-    arena->last_mark->next_destructor = it->next;
-  }
+    if ((nssArenaMark *)NULL != arena->last_mark) {
+        arena->last_mark->prev_destructor = it->prev;
+        arena->last_mark->next_destructor = it->next;
+    }
 
-  return PR_SUCCESS;
+    return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT PRStatus
-nssArena_deregisterDestructor
-(
-  NSSArena *arena,
-  void (*destructor)(void *argument),
-  void *arg
-)
+nssArena_deregisterDestructor(NSSArena *arena,
+                              void (*destructor)(void *argument), void *arg)
 {
-  struct arena_destructor_node *it;
+    struct arena_destructor_node *it;
 
 #ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
+    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+        return PR_FAILURE;
+    }
 #endif /* NSSDEBUG */
 
-  for( it = arena->first_destructor; it; it = it->next ) {
-    if( (it->destructor == destructor) && (it->arg == arg) ) {
-      break;
+    for (it = arena->first_destructor; it; it = it->next) {
+        if ((it->destructor == destructor) && (it->arg == arg)) {
+            break;
+        }
     }
-  }
 
-  if( (struct arena_destructor_node *)NULL == it ) {
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-  }
+    if ((struct arena_destructor_node *)NULL == it) {
+        nss_SetError(NSS_ERROR_NOT_FOUND);
+        return PR_FAILURE;
+    }
 
-  if( it == arena->first_destructor ) {
-    arena->first_destructor = it->next;
-  }
+    if (it == arena->first_destructor) {
+        arena->first_destructor = it->next;
+    }
 
-  if( it == arena->last_destructor ) {
-    arena->last_destructor = it->prev;
-  }
+    if (it == arena->last_destructor) {
+        arena->last_destructor = it->prev;
+    }
 
-  if( (struct arena_destructor_node *)NULL != it->prev ) {
-    it->prev->next = it->next;
-  }
+    if ((struct arena_destructor_node *)NULL != it->prev) {
+        it->prev->next = it->next;
+    }
 
-  if( (struct arena_destructor_node *)NULL != it->next ) {
-    it->next->prev = it->prev;
-  }
+    if ((struct arena_destructor_node *)NULL != it->next) {
+        it->next->prev = it->prev;
+    }
 
-  {
-    nssArenaMark *m;
-    for( m = arena->first_mark; m; m = m->next ) {
-      if( m->next_destructor == it ) {
-        m->next_destructor = it->next;
-      }
-      if( m->prev_destructor == it ) {
-        m->prev_destructor = it->prev;
-      }
+    {
+        nssArenaMark *m;
+        for (m = arena->first_mark; m; m = m->next) {
+            if (m->next_destructor == it) {
+                m->next_destructor = it->next;
+            }
+            if (m->prev_destructor == it) {
+                m->prev_destructor = it->prev;
+            }
+        }
     }
-  }
 
-  nss_ZFreeIf(it);
-  return PR_SUCCESS;
+    nss_ZFreeIf(it);
+    return PR_SUCCESS;
 }
 
 static void
-nss_arena_call_destructor_chain
-(
-  struct arena_destructor_node *it
-)
+nss_arena_call_destructor_chain(struct arena_destructor_node *it)
 {
-  for( ; it ; it = it->next ) {
-    (*(it->destructor))(it->arg);
-  }
+    for (; it; it = it->next) {
+        (*(it->destructor))(it->arg);
+    }
 }
 
 #endif /* ARENA_DESTRUCTOR_LIST */
 
 /*
  * NSSArena_Create
  *
  * This routine creates a new memory arena.  This routine may return
@@ -339,382 +319,367 @@ nss_arena_call_destructor_chain
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to an NSSArena upon success
  */
 
 NSS_IMPLEMENT NSSArena *
-NSSArena_Create
-(
-  void
-)
+NSSArena_Create(void)
 {
-  nss_ClearErrorStack();
-  return nssArena_Create();
+    nss_ClearErrorStack();
+    return nssArena_Create();
 }
 
 /*
  * nssArena_Create
  *
  * This routine creates a new memory arena.  This routine may return
- * NULL upon error, in which case it will have set an error on the 
+ * NULL upon error, in which case it will have set an error on the
  * error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to an NSSArena upon success
  */
 
 NSS_IMPLEMENT NSSArena *
-nssArena_Create
-(
-  void
-)
+nssArena_Create(void)
 {
-  NSSArena *rv = (NSSArena *)NULL;
+    NSSArena *rv = (NSSArena *)NULL;
 
-  rv = nss_ZNEW((NSSArena *)NULL, NSSArena);
-  if( (NSSArena *)NULL == rv ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (NSSArena *)NULL;
-  }
+    rv = nss_ZNEW((NSSArena *)NULL, NSSArena);
+    if ((NSSArena *)NULL == rv) {
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+        return (NSSArena *)NULL;
+    }
+
+    rv->lock = PR_NewLock();
+    if ((PRLock *)NULL == rv->lock) {
+        (void)nss_ZFreeIf(rv);
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+        return (NSSArena *)NULL;
+    }
 
-  rv->lock = PR_NewLock();
-  if( (PRLock *)NULL == rv->lock ) {
-    (void)nss_ZFreeIf(rv);
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (NSSArena *)NULL;
-  }
+    /*
+     * Arena sizes.  The current security code has 229 occurrences of
+     * PORT_NewArena.  The default chunksizes specified break down as
+     *
+     *  Size    Mult.   Specified as
+     *   512       1    512
+     *  1024       7    1024
+     *  2048       5    2048
+     *  2048       5    CRMF_DEFAULT_ARENA_SIZE
+     *  2048     190    DER_DEFAULT_CHUNKSIZE
+     *  2048      20    SEC_ASN1_DEFAULT_ARENA_SIZE
+     *  4096       1    4096
+     *
+     * Obviously this "default chunksize" flexibility isn't very
+     * useful to us, so I'll just pick 2048.
+     */
 
-  /*
-   * Arena sizes.  The current security code has 229 occurrences of
-   * PORT_NewArena.  The default chunksizes specified break down as
-   *
-   *  Size    Mult.   Specified as
-   *   512       1    512
-   *  1024       7    1024
-   *  2048       5    2048
-   *  2048       5    CRMF_DEFAULT_ARENA_SIZE
-   *  2048     190    DER_DEFAULT_CHUNKSIZE
-   *  2048      20    SEC_ASN1_DEFAULT_ARENA_SIZE
-   *  4096       1    4096
-   *
-   * Obviously this "default chunksize" flexibility isn't very 
-   * useful to us, so I'll just pick 2048.
-   */
-
-  PL_InitArenaPool(&rv->pool, "NSS", 2048, sizeof(double));
+    PL_InitArenaPool(&rv->pool, "NSS", 2048, sizeof(double));
 
 #ifdef DEBUG
-  {
-    PRStatus st;
-    st = arena_add_pointer(rv);
-    if( PR_SUCCESS != st ) {
-      PL_FinishArenaPool(&rv->pool);
-      PR_DestroyLock(rv->lock);
-      (void)nss_ZFreeIf(rv);
-      return (NSSArena *)NULL;
+    {
+        PRStatus st;
+        st = arena_add_pointer(rv);
+        if (PR_SUCCESS != st) {
+            PL_FinishArenaPool(&rv->pool);
+            PR_DestroyLock(rv->lock);
+            (void)nss_ZFreeIf(rv);
+            return (NSSArena *)NULL;
+        }
     }
-  }
 #endif /* DEBUG */
 
-  return rv;
+    return rv;
 }
 
 /*
  * NSSArena_Destroy
  *
  * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if 
+ * allocated from it.  This routine returns a PRStatus value; if
  * successful, it will return PR_SUCCESS.  If unsuccessful, it will
  * create an error stack and return PR_FAILURE.
  *
  * The top-level error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS upon success
  *  PR_FAILURE upon failure
  */
 
 NSS_IMPLEMENT PRStatus
-NSSArena_Destroy
-(
-  NSSArena *arena
-)
+NSSArena_Destroy(NSSArena *arena)
 {
-  nss_ClearErrorStack();
+    nss_ClearErrorStack();
 
 #ifdef DEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
+    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+        return PR_FAILURE;
+    }
 #endif /* DEBUG */
 
-  return nssArena_Destroy(arena);
+    return nssArena_Destroy(arena);
 }
 
 /*
  * nssArena_Destroy
  *
  * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if 
+ * allocated from it.  This routine returns a PRStatus value; if
  * successful, it will return PR_SUCCESS.  If unsuccessful, it will
  * set an error on the error stack and return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_Destroy
-(
-  NSSArena *arena
-)
+nssArena_Destroy(NSSArena *arena)
 {
-  PRLock *lock;
+    PRLock *lock;
 
 #ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
+    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+        return PR_FAILURE;
+    }
 #endif /* NSSDEBUG */
 
-  if( (PRLock *)NULL == arena->lock ) {
-    /* Just got destroyed */
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return PR_FAILURE;
-  }
-  PR_Lock(arena->lock);
-  
+    if ((PRLock *)NULL == arena->lock) {
+        /* Just got destroyed */
+        nss_SetError(NSS_ERROR_INVALID_ARENA);
+        return PR_FAILURE;
+    }
+    PR_Lock(arena->lock);
+
 #ifdef DEBUG
-  if( PR_SUCCESS != arena_remove_pointer(arena) ) {
-    PR_Unlock(arena->lock);
-    return PR_FAILURE;
-  }
+    if (PR_SUCCESS != arena_remove_pointer(arena)) {
+        PR_Unlock(arena->lock);
+        return PR_FAILURE;
+    }
 #endif /* DEBUG */
 
 #ifdef ARENA_DESTRUCTOR_LIST
-  /* Note that the arena is locked at this time */
-  nss_arena_call_destructor_chain(arena->first_destructor);
+    /* Note that the arena is locked at this time */
+    nss_arena_call_destructor_chain(arena->first_destructor);
 #endif /* ARENA_DESTRUCTOR_LIST */
 
-  PL_FinishArenaPool(&arena->pool);
-  lock = arena->lock;
-  arena->lock = (PRLock *)NULL;
-  PR_Unlock(lock);
-  PR_DestroyLock(lock);
-  (void)nss_ZFreeIf(arena);
-  return PR_SUCCESS;
+    PL_FinishArenaPool(&arena->pool);
+    lock = arena->lock;
+    arena->lock = (PRLock *)NULL;
+    PR_Unlock(lock);
+    PR_DestroyLock(lock);
+    (void)nss_ZFreeIf(arena);
+    return PR_SUCCESS;
 }
 
 static void *nss_zalloc_arena_locked(NSSArena *arena, PRUint32 size);
 
 /*
  * nssArena_Mark
  *
  * This routine "marks" the current state of an arena.  Space
  * allocated after the arena has been marked can be freed by
  * releasing the arena back to the mark with nssArena_Release,
- * or committed by calling nssArena_Unmark.  When successful, 
- * this routine returns a valid nssArenaMark pointer.  This 
- * routine may return NULL upon error, in which case it will 
+ * or committed by calling nssArena_Unmark.  When successful,
+ * this routine returns a valid nssArenaMark pointer.  This
+ * routine may return NULL upon error, in which case it will
  * have set an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon failure
  *  An nssArenaMark pointer upon success
  */
 
 NSS_IMPLEMENT nssArenaMark *
-nssArena_Mark
-(
-  NSSArena *arena
-)
+nssArena_Mark(NSSArena *arena)
 {
-  nssArenaMark *rv;
-  void *p;
+    nssArenaMark *rv;
+    void *p;
 
 #ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return (nssArenaMark *)NULL;
-  }
+    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+        return (nssArenaMark *)NULL;
+    }
 #endif /* NSSDEBUG */
 
-  if( (PRLock *)NULL == arena->lock ) {
-    /* Just got destroyed */
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return (nssArenaMark *)NULL;
-  }
-  PR_Lock(arena->lock);
+    if ((PRLock *)NULL == arena->lock) {
+        /* Just got destroyed */
+        nss_SetError(NSS_ERROR_INVALID_ARENA);
+        return (nssArenaMark *)NULL;
+    }
+    PR_Lock(arena->lock);
 
 #ifdef ARENA_THREADMARK
-  if( (PRThread *)NULL == arena->marking_thread ) {
-    /* Unmarked.  Store our thread ID */
-    arena->marking_thread = PR_GetCurrentThread();
-    /* This call never fails. */
-  } else {
-    /* Marked.  Verify it's the current thread */
-    if( PR_GetCurrentThread() != arena->marking_thread ) {
-      PR_Unlock(arena->lock);
-      nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-      return (nssArenaMark *)NULL;
+    if ((PRThread *)NULL == arena->marking_thread) {
+        /* Unmarked.  Store our thread ID */
+        arena->marking_thread = PR_GetCurrentThread();
+        /* This call never fails. */
     }
-  }
+    else {
+        /* Marked.  Verify it's the current thread */
+        if (PR_GetCurrentThread() != arena->marking_thread) {
+            PR_Unlock(arena->lock);
+            nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+            return (nssArenaMark *)NULL;
+        }
+    }
 #endif /* ARENA_THREADMARK */
 
-  p = PL_ARENA_MARK(&arena->pool);
-  /* No error possible */
+    p = PL_ARENA_MARK(&arena->pool);
+    /* No error possible */
 
-  /* Do this after the mark */
-  rv = (nssArenaMark *)nss_zalloc_arena_locked(arena, sizeof(nssArenaMark));
-  if( (nssArenaMark *)NULL == rv ) {
-    PR_Unlock(arena->lock);
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (nssArenaMark *)NULL;
-  }
+    /* Do this after the mark */
+    rv = (nssArenaMark *)nss_zalloc_arena_locked(arena, sizeof(nssArenaMark));
+    if ((nssArenaMark *)NULL == rv) {
+        PR_Unlock(arena->lock);
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+        return (nssArenaMark *)NULL;
+    }
 
 #ifdef ARENA_THREADMARK
-  if ( (nssArenaMark *)NULL == arena->first_mark) {
-    arena->first_mark = rv;
-    arena->last_mark = rv;
-  } else {
-    arena->last_mark->next = rv;
-    arena->last_mark = rv;
-  }
+    if ((nssArenaMark *)NULL == arena->first_mark) {
+        arena->first_mark = rv;
+        arena->last_mark = rv;
+    }
+    else {
+        arena->last_mark->next = rv;
+        arena->last_mark = rv;
+    }
 #endif /* ARENA_THREADMARK */
 
-  rv->mark = p;
-  rv->magic = MARK_MAGIC;
+    rv->mark = p;
+    rv->magic = MARK_MAGIC;
 
 #ifdef ARENA_DESTRUCTOR_LIST
-  rv->prev_destructor = arena->last_destructor;
+    rv->prev_destructor = arena->last_destructor;
 #endif /* ARENA_DESTRUCTOR_LIST */
 
-  PR_Unlock(arena->lock);
+    PR_Unlock(arena->lock);
 
-  return rv;
+    return rv;
 }
 
 /*
  * nss_arena_unmark_release
  *
  * This static routine implements the routines nssArena_Release
  * ans nssArena_Unmark, which are almost identical.
  */
 
 static PRStatus
-nss_arena_unmark_release
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark,
-  PRBool release
-)
+nss_arena_unmark_release(NSSArena *arena, nssArenaMark *arenaMark,
+                         PRBool release)
 {
-  void *inner_mark;
+    void *inner_mark;
 
 #ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
+    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+        return PR_FAILURE;
+    }
 #endif /* NSSDEBUG */
 
-  if( MARK_MAGIC != arenaMark->magic ) {
-    nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
-    return PR_FAILURE;
-  }
+    if (MARK_MAGIC != arenaMark->magic) {
+        nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
+        return PR_FAILURE;
+    }
 
-  if( (PRLock *)NULL == arena->lock ) {
-    /* Just got destroyed */
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return PR_FAILURE;
-  }
-  PR_Lock(arena->lock);
+    if ((PRLock *)NULL == arena->lock) {
+        /* Just got destroyed */
+        nss_SetError(NSS_ERROR_INVALID_ARENA);
+        return PR_FAILURE;
+    }
+    PR_Lock(arena->lock);
 
 #ifdef ARENA_THREADMARK
-  if( (PRThread *)NULL != arena->marking_thread ) {
-    if( PR_GetCurrentThread() != arena->marking_thread ) {
-      PR_Unlock(arena->lock);
-      nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-      return PR_FAILURE;
+    if ((PRThread *)NULL != arena->marking_thread) {
+        if (PR_GetCurrentThread() != arena->marking_thread) {
+            PR_Unlock(arena->lock);
+            nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+            return PR_FAILURE;
+        }
     }
-  }
 #endif /* ARENA_THREADMARK */
 
-  if( MARK_MAGIC != arenaMark->magic ) {
-    /* Just got released */
-    PR_Unlock(arena->lock);
-    nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
-    return PR_FAILURE;
-  }
-
-  arenaMark->magic = 0;
-  inner_mark = arenaMark->mark;
-
-#ifdef ARENA_THREADMARK
-  {
-    nssArenaMark **pMark = &arena->first_mark;
-    nssArenaMark *rest;
-    nssArenaMark *last = (nssArenaMark *)NULL;
-
-    /* Find this mark */
-    while( *pMark != arenaMark ) {
-      last = *pMark;
-      pMark = &(*pMark)->next;
+    if (MARK_MAGIC != arenaMark->magic) {
+        /* Just got released */
+        PR_Unlock(arena->lock);
+        nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
+        return PR_FAILURE;
     }
 
-    /* Remember the pointer, then zero it */
-    rest = (*pMark)->next;
-    *pMark = (nssArenaMark *)NULL;
+    arenaMark->magic = 0;
+    inner_mark = arenaMark->mark;
 
-    arena->last_mark = last;
+#ifdef ARENA_THREADMARK
+    {
+        nssArenaMark **pMark = &arena->first_mark;
+        nssArenaMark *rest;
+        nssArenaMark *last = (nssArenaMark *)NULL;
+
+        /* Find this mark */
+        while (*pMark != arenaMark) {
+            last = *pMark;
+            pMark = &(*pMark)->next;
+        }
 
-    /* Invalidate any later marks being implicitly released */
-    for( ; (nssArenaMark *)NULL != rest; rest = rest->next ) {
-      rest->magic = 0;
-    }
+        /* Remember the pointer, then zero it */
+        rest = (*pMark)->next;
+        *pMark = (nssArenaMark *)NULL;
+
+        arena->last_mark = last;
 
-    /* If we just got rid of the first mark, clear the thread ID */
-    if( (nssArenaMark *)NULL == arena->first_mark ) {
-      arena->marking_thread = (PRThread *)NULL;
+        /* Invalidate any later marks being implicitly released */
+        for (; (nssArenaMark *)NULL != rest; rest = rest->next) {
+            rest->magic = 0;
+        }
+
+        /* If we just got rid of the first mark, clear the thread ID */
+        if ((nssArenaMark *)NULL == arena->first_mark) {
+            arena->marking_thread = (PRThread *)NULL;
+        }
     }
-  }
 #endif /* ARENA_THREADMARK */
 
-  if( release ) {
+    if (release) {
 #ifdef ARENA_DESTRUCTOR_LIST
-    if( (struct arena_destructor_node *)NULL != arenaMark->prev_destructor ) {
-      arenaMark->prev_destructor->next = (struct arena_destructor_node *)NULL;
-    }
-    arena->last_destructor = arenaMark->prev_destructor;
+        if ((struct arena_destructor_node *)NULL !=
+            arenaMark->prev_destructor) {
+            arenaMark->prev_destructor->next =
+                (struct arena_destructor_node *)NULL;
+        }
+        arena->last_destructor = arenaMark->prev_destructor;
 
-    /* Note that the arena is locked at this time */
-    nss_arena_call_destructor_chain(arenaMark->next_destructor);
+        /* Note that the arena is locked at this time */
+        nss_arena_call_destructor_chain(arenaMark->next_destructor);
 #endif /* ARENA_DESTRUCTOR_LIST */
 
-    PL_ARENA_RELEASE(&arena->pool, inner_mark);
-    /* No error return */
-  }
+        PL_ARENA_RELEASE(&arena->pool, inner_mark);
+        /* No error return */
+    }
 
-  PR_Unlock(arena->lock);
-  return PR_SUCCESS;
+    PR_Unlock(arena->lock);
+    return PR_SUCCESS;
 }
 
 /*
  * nssArena_Release
  *
  * This routine invalidates and releases all memory allocated from
  * the specified arena after the point at which the specified mark
  * was obtained.  This routine returns a PRStatus value; if successful,
@@ -727,23 +692,19 @@ nss_arena_unmark_release
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_Release
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark
-)
+nssArena_Release(NSSArena *arena, nssArenaMark *arenaMark)
 {
-  return nss_arena_unmark_release(arena, arenaMark, PR_TRUE);
+    return nss_arena_unmark_release(arena, arenaMark, PR_TRUE);
 }
 
 /*
  * nssArena_Unmark
  *
  * This routine "commits" the indicated mark and any marks after
  * it, making them unreleasable.  Note that any earlier marks can
  * still be released, and such a release will invalidate these
@@ -759,456 +720,430 @@ nssArena_Release
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_Unmark
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark
-)
+nssArena_Unmark(NSSArena *arena, nssArenaMark *arenaMark)
 {
-  return nss_arena_unmark_release(arena, arenaMark, PR_FALSE);
+    return nss_arena_unmark_release(arena, arenaMark, PR_FALSE);
 }
 
 /*
  * We prefix this header to all allocated blocks.  It is a multiple
  * of the alignment size.  Note that this usage of a header may make
  * purify spew bogus warnings about "potentially leaked blocks" of
  * memory; if that gets too annoying we can add in a pointer to the
  * header in the header itself.  There's not a lot of safety here;
  * maybe we should add a magic value?
  */
 struct pointer_header {
-  NSSArena *arena;
-  PRUint32 size;
+    NSSArena *arena;
+    PRUint32 size;
 };
 
 static void *
-nss_zalloc_arena_locked
-(
-  NSSArena *arena,
-  PRUint32 size
-)
+nss_zalloc_arena_locked(NSSArena *arena, PRUint32 size)
 {
-  void *p;
-  void *rv;
-  struct pointer_header *h;
-  PRUint32 my_size = size + sizeof(struct pointer_header);
-  PL_ARENA_ALLOCATE(p, &arena->pool, my_size);
-  if( (void *)NULL == p ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (void *)NULL;
-  }
-  /* 
-   * Do this before we unlock.  This way if the user is using
-   * an arena in one thread while destroying it in another, he'll
-   * fault/FMR in his code, not ours.
-   */
-  h = (struct pointer_header *)p;
-  h->arena = arena;
-  h->size = size;
-  rv = (void *)((char *)h + sizeof(struct pointer_header));
-  (void)nsslibc_memset(rv, 0, size);
-  return rv;
+    void *p;
+    void *rv;
+    struct pointer_header *h;
+    PRUint32 my_size = size + sizeof(struct pointer_header);
+    PL_ARENA_ALLOCATE(p, &arena->pool, my_size);
+    if ((void *)NULL == p) {
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+        return (void *)NULL;
+    }
+    /*
+     * Do this before we unlock.  This way if the user is using
+     * an arena in one thread while destroying it in another, he'll
+     * fault/FMR in his code, not ours.
+     */
+    h = (struct pointer_header *)p;
+    h->arena = arena;
+    h->size = size;
+    rv = (void *)((char *)h + sizeof(struct pointer_header));
+    (void)nsslibc_memset(rv, 0, size);
+    return rv;
 }
 
 /*
  * NSS_ZAlloc
  *
- * This routine allocates and zeroes a section of memory of the 
+ * This routine allocates and zeroes a section of memory of the
  * size, and returns to the caller a pointer to that memory.  If
  * the optional arena argument is non-null, the memory will be
  * obtained from that arena; otherwise, the memory will be obtained
  * from the heap.  This routine may return NULL upon error, in
  * which case it will have set an error upon the error stack.  The
- * value specified for size may be zero; in which case a valid 
+ * value specified for size may be zero; in which case a valid
  * zero-length block of memory will be allocated.  This block may
  * be expanded by calling NSS_ZRealloc.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
 NSS_IMPLEMENT void *
-NSS_ZAlloc
-(
-  NSSArena *arenaOpt,
-  PRUint32 size
-)
+NSS_ZAlloc(NSSArena *arenaOpt, PRUint32 size)
 {
-  return nss_ZAlloc(arenaOpt, size);
+    return nss_ZAlloc(arenaOpt, size);
 }
 
 /*
  * nss_ZAlloc
  *
- * This routine allocates and zeroes a section of memory of the 
+ * This routine allocates and zeroes a section of memory of the
  * size, and returns to the caller a pointer to that memory.  If
  * the optional arena argument is non-null, the memory will be
  * obtained from that arena; otherwise, the memory will be obtained
  * from the heap.  This routine may return NULL upon error, in
  * which case it will have set an error upon the error stack.  The
- * value specified for size may be zero; in which case a valid 
+ * value specified for size may be zero; in which case a valid
  * zero-length block of memory will be allocated.  This block may
  * be expanded by calling nss_ZRealloc.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
 NSS_IMPLEMENT void *
-nss_ZAlloc
-(
-  NSSArena *arenaOpt,
-  PRUint32 size
-)
+nss_ZAlloc(NSSArena *arenaOpt, PRUint32 size)
 {
-  struct pointer_header *h;
-  PRUint32 my_size = size + sizeof(struct pointer_header);
+    struct pointer_header *h;
+    PRUint32 my_size = size + sizeof(struct pointer_header);
 
-  if( my_size < sizeof(struct pointer_header) ) {
-    /* Wrapped */
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (void *)NULL;
-  }
-
-  if( (NSSArena *)NULL == arenaOpt ) {
-    /* Heap allocation, no locking required. */
-    h = (struct pointer_header *)PR_Calloc(1, my_size);
-    if( (struct pointer_header *)NULL == h ) {
-      nss_SetError(NSS_ERROR_NO_MEMORY);
-      return (void *)NULL;
+    if (my_size < sizeof(struct pointer_header)) {
+        /* Wrapped */
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+        return (void *)NULL;
     }
 
-    h->arena = (NSSArena *)NULL;
-    h->size = size;
-    /* We used calloc: it's already zeroed */
+    if ((NSSArena *)NULL == arenaOpt) {
+        /* Heap allocation, no locking required. */
+        h = (struct pointer_header *)PR_Calloc(1, my_size);
+        if ((struct pointer_header *)NULL == h) {
+            nss_SetError(NSS_ERROR_NO_MEMORY);
+            return (void *)NULL;
+        }
 
-    return (void *)((char *)h + sizeof(struct pointer_header));
-  } else {
-    void *rv;
-    /* Arena allocation */
+        h->arena = (NSSArena *)NULL;
+        h->size = size;
+        /* We used calloc: it's already zeroed */
+
+        return (void *)((char *)h + sizeof(struct pointer_header));
+    }
+    else {
+        void *rv;
+/* Arena allocation */
 #ifdef NSSDEBUG
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (void *)NULL;
-    }
+        if (PR_SUCCESS != nssArena_verifyPointer(arenaOpt)) {
+            return (void *)NULL;
+        }
 #endif /* NSSDEBUG */
 
-    if( (PRLock *)NULL == arenaOpt->lock ) {
-      /* Just got destroyed */
-      nss_SetError(NSS_ERROR_INVALID_ARENA);
-      return (void *)NULL;
-    }
-    PR_Lock(arenaOpt->lock);
+        if ((PRLock *)NULL == arenaOpt->lock) {
+            /* Just got destroyed */
+            nss_SetError(NSS_ERROR_INVALID_ARENA);
+            return (void *)NULL;
+        }
+        PR_Lock(arenaOpt->lock);
 
 #ifdef ARENA_THREADMARK
-    if( (PRThread *)NULL != arenaOpt->marking_thread ) {
-      if( PR_GetCurrentThread() != arenaOpt->marking_thread ) {
-        nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-        PR_Unlock(arenaOpt->lock);
-        return (void *)NULL;
-      }
-    }
+        if ((PRThread *)NULL != arenaOpt->marking_thread) {
+            if (PR_GetCurrentThread() != arenaOpt->marking_thread) {
+                nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+                PR_Unlock(arenaOpt->lock);
+                return (void *)NULL;
+            }
+        }
 #endif /* ARENA_THREADMARK */
 
-    rv = nss_zalloc_arena_locked(arenaOpt, size);
+        rv = nss_zalloc_arena_locked(arenaOpt, size);
 
-    PR_Unlock(arenaOpt->lock);
-    return rv;
-  }
-  /*NOTREACHED*/
+        PR_Unlock(arenaOpt->lock);
+        return rv;
+    }
+    /*NOTREACHED*/
 }
 
 /*
  * NSS_ZFreeIf
  *
- * If the specified pointer is non-null, then the region of memory 
- * to which it points -- which must have been allocated with 
- * NSS_ZAlloc -- will be zeroed and released.  This routine 
+ * If the specified pointer is non-null, then the region of memory
+ * to which it points -- which must have been allocated with
+ * NSS_ZAlloc -- will be zeroed and released.  This routine
  * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return 
+ * If unsuccessful, it will set an error on the error stack and return
  * PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 NSS_IMPLEMENT PRStatus
-NSS_ZFreeIf
-(
-  void *pointer
-)
+NSS_ZFreeIf(void *pointer)
 {
-   return nss_ZFreeIf(pointer);
+    return nss_ZFreeIf(pointer);
 }
 
 /*
  * nss_ZFreeIf
  *
- * If the specified pointer is non-null, then the region of memory 
- * to which it points -- which must have been allocated with 
- * nss_ZAlloc -- will be zeroed and released.  This routine 
+ * If the specified pointer is non-null, then the region of memory
+ * to which it points -- which must have been allocated with
+ * nss_ZAlloc -- will be zeroed and released.  This routine
  * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return 
+ * If unsuccessful, it will set an error on the error stack and return
  * PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nss_ZFreeIf
-(
-  void *pointer
-)
+nss_ZFreeIf(void *pointer)
 {
-  struct pointer_header *h;
+    struct pointer_header *h;
 
-  if( (void *)NULL == pointer ) {
-    return PR_SUCCESS;
-  }
+    if ((void *)NULL == pointer) {
+        return PR_SUCCESS;
+    }
 
-  h = (struct pointer_header *)((char *)pointer
-    - sizeof(struct pointer_header));
+    h = (struct pointer_header *)((char *)pointer -
+                                  sizeof(struct pointer_header));
+
+    /* Check any magic here */
 
-  /* Check any magic here */
-
-  if( (NSSArena *)NULL == h->arena ) {
-    /* Heap */
-    (void)nsslibc_memset(pointer, 0, h->size);
-    PR_Free(h);
-    return PR_SUCCESS;
-  } else {
-    /* Arena */
+    if ((NSSArena *)NULL == h->arena) {
+        /* Heap */
+        (void)nsslibc_memset(pointer, 0, h->size);
+        PR_Free(h);
+        return PR_SUCCESS;
+    }
+    else {
+/* Arena */
 #ifdef NSSDEBUG
-    if( PR_SUCCESS != nssArena_verifyPointer(h->arena) ) {
-      return PR_FAILURE;
-    }
+        if (PR_SUCCESS != nssArena_verifyPointer(h->arena)) {
+            return PR_FAILURE;
+        }
 #endif /* NSSDEBUG */
 
-    if( (PRLock *)NULL == h->arena->lock ) {
-      /* Just got destroyed.. so this pointer is invalid */
-      nss_SetError(NSS_ERROR_INVALID_POINTER);
-      return PR_FAILURE;
-    }
-    PR_Lock(h->arena->lock);
+        if ((PRLock *)NULL == h->arena->lock) {
+            /* Just got destroyed.. so this pointer is invalid */
+            nss_SetError(NSS_ERROR_INVALID_POINTER);
+            return PR_FAILURE;
+        }
+        PR_Lock(h->arena->lock);
 
-    (void)nsslibc_memset(pointer, 0, h->size);
+        (void)nsslibc_memset(pointer, 0, h->size);
 
-    /* No way to "free" it within an NSPR arena. */
+        /* No way to "free" it within an NSPR arena. */
 
-    PR_Unlock(h->arena->lock);
-    return PR_SUCCESS;
-  }
-  /*NOTREACHED*/
+        PR_Unlock(h->arena->lock);
+        return PR_SUCCESS;
+    }
+    /*NOTREACHED*/
 }
 
 /*
  * NSS_ZRealloc
  *
  * This routine reallocates a block of memory obtained by calling
- * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
+ * nss_ZAlloc or nss_ZRealloc.  The portion of memory
  * between the new and old sizes -- which is either being newly
- * obtained or released -- is in either case zeroed.  This routine 
- * may return NULL upon failure, in which case it will have placed 
+ * obtained or released -- is in either case zeroed.  This routine
+ * may return NULL upon failure, in which case it will have placed
  * an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the replacement segment of memory
  */
 
 NSS_EXTERN void *
-NSS_ZRealloc
-(
-  void *pointer,
-  PRUint32 newSize
-)
+NSS_ZRealloc(void *pointer, PRUint32 newSize)
 {
     return nss_ZRealloc(pointer, newSize);
 }
 
 /*
  * nss_ZRealloc
  *
  * This routine reallocates a block of memory obtained by calling
- * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
+ * nss_ZAlloc or nss_ZRealloc.  The portion of memory
  * between the new and old sizes -- which is either being newly
- * obtained or released -- is in either case zeroed.  This routine 
- * may return NULL upon failure, in which case it will have placed 
+ * obtained or released -- is in either case zeroed.  This routine
+ * may return NULL upon failure, in which case it will have placed
  * an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the replacement segment of memory
  */
 
 NSS_EXTERN void *
-nss_ZRealloc
-(
-  void *pointer,
-  PRUint32 newSize
-)
+nss_ZRealloc(void *pointer, PRUint32 newSize)
 {
-  NSSArena *arena;
-  struct pointer_header *h, *new_h;
-  PRUint32 my_newSize = newSize + sizeof(struct pointer_header);
-  void *rv;
+    NSSArena *arena;
+    struct pointer_header *h, *new_h;
+    PRUint32 my_newSize = newSize + sizeof(struct pointer_header);
+    void *rv;
 
-  if( my_newSize < sizeof(struct pointer_header) ) {
-    /* Wrapped */
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (void *)NULL;
-  }
+    if (my_newSize < sizeof(struct pointer_header)) {
+        /* Wrapped */
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+        return (void *)NULL;
+    }
 
-  if( (void *)NULL == pointer ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (void *)NULL;
-  }
-
-  h = (struct pointer_header *)((char *)pointer
-    - sizeof(struct pointer_header));
-
-  /* Check any magic here */
+    if ((void *)NULL == pointer) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return (void *)NULL;
+    }
 
-  if( newSize == h->size ) {
-    /* saves thrashing */
-    return pointer;
-  }
+    h = (struct pointer_header *)((char *)pointer -
+                                  sizeof(struct pointer_header));
 
-  arena = h->arena;
-  if (!arena) {
-    /* Heap */
-    new_h = (struct pointer_header *)PR_Calloc(1, my_newSize);
-    if( (struct pointer_header *)NULL == new_h ) {
-      nss_SetError(NSS_ERROR_NO_MEMORY);
-      return (void *)NULL;
+    /* Check any magic here */
+
+    if (newSize == h->size) {
+        /* saves thrashing */
+        return pointer;
     }
 
-    new_h->arena = (NSSArena *)NULL;
-    new_h->size = newSize;
-    rv = (void *)((char *)new_h + sizeof(struct pointer_header));
+    arena = h->arena;
+    if (!arena) {
+        /* Heap */
+        new_h = (struct pointer_header *)PR_Calloc(1, my_newSize);
+        if ((struct pointer_header *)NULL == new_h) {
+            nss_SetError(NSS_ERROR_NO_MEMORY);
+            return (void *)NULL;
+        }
 
-    if( newSize > h->size ) {
-      (void)nsslibc_memcpy(rv, pointer, h->size);
-      (void)nsslibc_memset(&((char *)rv)[ h->size ], 
-                           0, (newSize - h->size));
-    } else {
-      (void)nsslibc_memcpy(rv, pointer, newSize);
-    }
+        new_h->arena = (NSSArena *)NULL;
+        new_h->size = newSize;
+        rv = (void *)((char *)new_h + sizeof(struct pointer_header));
 
-    (void)nsslibc_memset(pointer, 0, h->size);
-    h->size = 0;
-    PR_Free(h);
+        if (newSize > h->size) {
+            (void)nsslibc_memcpy(rv, pointer, h->size);
+            (void)nsslibc_memset(&((char *)rv)[h->size], 0,
+                                 (newSize - h->size));
+        }
+        else {
+            (void)nsslibc_memcpy(rv, pointer, newSize);
+        }
 
-    return rv;
-  } else {
-    void *p;
-    /* Arena */
+        (void)nsslibc_memset(pointer, 0, h->size);
+        h->size = 0;
+        PR_Free(h);
+
+        return rv;
+    }
+    else {
+        void *p;
+/* Arena */
 #ifdef NSSDEBUG
-    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
-      return (void *)NULL;
-    }
+        if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+            return (void *)NULL;
+        }
 #endif /* NSSDEBUG */
 
-    if (!arena->lock) {
-      /* Just got destroyed.. so this pointer is invalid */
-      nss_SetError(NSS_ERROR_INVALID_POINTER);
-      return (void *)NULL;
-    }
-    PR_Lock(arena->lock);
+        if (!arena->lock) {
+            /* Just got destroyed.. so this pointer is invalid */
+            nss_SetError(NSS_ERROR_INVALID_POINTER);
+            return (void *)NULL;
+        }
+        PR_Lock(arena->lock);
 
 #ifdef ARENA_THREADMARK
-    if (arena->marking_thread) {
-      if (PR_GetCurrentThread() != arena->marking_thread) {
-        PR_Unlock(arena->lock);
-        nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-        return (void *)NULL;
-      }
-    }
+        if (arena->marking_thread) {
+            if (PR_GetCurrentThread() != arena->marking_thread) {
+                PR_Unlock(arena->lock);
+                nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+                return (void *)NULL;
+            }
+        }
 #endif /* ARENA_THREADMARK */
 
-    if( newSize < h->size ) {
-      /*
-       * We have no general way of returning memory to the arena
-       * (mark/release doesn't work because things may have been
-       * allocated after this object), so the memory is gone
-       * anyway.  We might as well just return the same pointer to
-       * the user, saying "yeah, uh-hunh, you can only use less of
-       * it now."  We'll zero the leftover part, of course.  And
-       * in fact we might as well *not* adjust h->size-- this way,
-       * if the user reallocs back up to something not greater than
-       * the original size, then voila, there's the memory!  This
-       * way a thrash big/small/big/small doesn't burn up the arena.
-       */
-      char *extra = &((char *)pointer)[ newSize ];
-      (void)nsslibc_memset(extra, 0, (h->size - newSize));
-      PR_Unlock(arena->lock);
-      return pointer;
-    }
+        if (newSize < h->size) {
+            /*
+             * We have no general way of returning memory to the arena
+             * (mark/release doesn't work because things may have been
+             * allocated after this object), so the memory is gone
+             * anyway.  We might as well just return the same pointer to
+             * the user, saying "yeah, uh-hunh, you can only use less of
+             * it now."  We'll zero the leftover part, of course.  And
+             * in fact we might as well *not* adjust h->size-- this way,
+             * if the user reallocs back up to something not greater than
+             * the original size, then voila, there's the memory!  This
+             * way a thrash big/small/big/small doesn't burn up the arena.
+             */
+            char *extra = &((char *)pointer)[newSize];
+            (void)nsslibc_memset(extra, 0, (h->size - newSize));
+            PR_Unlock(arena->lock);
+            return pointer;
+        }
 
-    PL_ARENA_ALLOCATE(p, &arena->pool, my_newSize);
-    if( (void *)NULL == p ) {
-      PR_Unlock(arena->lock);
-      nss_SetError(NSS_ERROR_NO_MEMORY);
-      return (void *)NULL;
-    }
+        PL_ARENA_ALLOCATE(p, &arena->pool, my_newSize);
+        if ((void *)NULL == p) {
+            PR_Unlock(arena->lock);
+            nss_SetError(NSS_ERROR_NO_MEMORY);
+            return (void *)NULL;
+        }
 
-    new_h = (struct pointer_header *)p;
-    new_h->arena = arena;
-    new_h->size = newSize;
-    rv = (void *)((char *)new_h + sizeof(struct pointer_header));
-    if (rv != pointer) {
-	(void)nsslibc_memcpy(rv, pointer, h->size);
-	(void)nsslibc_memset(pointer, 0, h->size);
+        new_h = (struct pointer_header *)p;
+        new_h->arena = arena;
+        new_h->size = newSize;
+        rv = (void *)((char *)new_h + sizeof(struct pointer_header));
+        if (rv != pointer) {
+            (void)nsslibc_memcpy(rv, pointer, h->size);
+            (void)nsslibc_memset(pointer, 0, h->size);
+        }
+        (void)nsslibc_memset(&((char *)rv)[h->size], 0, (newSize - h->size));
+        h->arena = (NSSArena *)NULL;
+        h->size = 0;
+        PR_Unlock(arena->lock);
+        return rv;
     }
-    (void)nsslibc_memset(&((char *)rv)[ h->size ], 0, (newSize - h->size));
-    h->arena = (NSSArena *)NULL;
-    h->size = 0;
-    PR_Unlock(arena->lock);
-    return rv;
-  }
-  /*NOTREACHED*/
+    /*NOTREACHED*/
 }
 
-PRStatus 
+PRStatus
 nssArena_Shutdown(void)
 {
-  PRStatus rv = PR_SUCCESS;
+    PRStatus rv = PR_SUCCESS;
 #ifdef DEBUG
-  rv = nssPointerTracker_finalize(&arena_pointer_tracker);
+    rv = nssPointerTracker_finalize(&arena_pointer_tracker);
 #endif
-  return rv;
+    return rv;
 }
--- a/security/nss/lib/base/base.h
+++ b/security/nss/lib/base/base.h
@@ -3,17 +3,17 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef BASE_H
 #define BASE_H
 
 /*
  * base.h
  *
- * This header file contains basic prototypes and preprocessor 
+ * This header file contains basic prototypes and preprocessor
  * definitions used throughout nss but not available publicly.
  */
 
 #ifndef BASET_H
 #include "baset.h"
 #endif /* BASET_H */
 
 #ifndef NSSBASE_H
@@ -59,17 +59,17 @@ PR_BEGIN_EXTERN_C
  *
  *  nssArenaHashAllocOps
  */
 
 /*
  * nssArena_Create
  *
  * This routine creates a new memory arena.  This routine may return
- * NULL upon error, in which case it will have set an error on the 
+ * NULL upon error, in which case it will have set an error on the
  * error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to an NSSArena upon success
@@ -78,74 +78,62 @@ PR_BEGIN_EXTERN_C
 /*
  * XXX fgmr
  * Arenas can be named upon creation; this is mostly of use when
  * debugging.  Should we expose that here, allowing an optional
  * "const char *name" argument?  Should the public version of this
  * call (NSSArena_Create) have it too?
  */
 
-NSS_EXTERN NSSArena *
-nssArena_Create
-(
-  void
-);
+NSS_EXTERN NSSArena *nssArena_Create(void);
 
 extern const NSSError NSS_ERROR_NO_MEMORY;
 
 /*
  * nssArena_Destroy
  *
  * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if 
+ * allocated from it.  This routine returns a PRStatus value; if
  * successful, it will return PR_SUCCESS.  If unsuccessful, it will
  * set an error on the error stack and return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus
-nssArena_Destroy
-(
-  NSSArena *arena
-);
+NSS_EXTERN PRStatus nssArena_Destroy(NSSArena *arena);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 
 /*
  * nssArena_Mark
  *
  * This routine "marks" the current state of an arena.  Space
  * allocated after the arena has been marked can be freed by
  * releasing the arena back to the mark with nssArena_Release,
- * or committed by calling nssArena_Unmark.  When successful, 
- * this routine returns a valid nssArenaMark pointer.  This 
- * routine may return NULL upon error, in which case it will 
+ * or committed by calling nssArena_Unmark.  When successful,
+ * this routine returns a valid nssArenaMark pointer.  This
+ * routine may return NULL upon error, in which case it will
  * have set an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon failure
  *  An nssArenaMark pointer upon success
  */
 
-NSS_EXTERN nssArenaMark *
-nssArena_Mark
-(
-  NSSArena *arena
-);
+NSS_EXTERN nssArenaMark *nssArena_Mark(NSSArena *arena);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
 
 /*
  * nssArena_Release
  *
@@ -160,22 +148,17 @@ extern const NSSError NSS_ERROR_ARENA_MA
  *  NSS_ERROR_INVALID_ARENA_MARK
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus
-nssArena_Release
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark
-);
+NSS_EXTERN PRStatus nssArena_Release(NSSArena *arena, nssArenaMark *arenaMark);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
 
 /*
  * nssArena_Unmark
  *
  * This routine "commits" the indicated mark and any marks after
@@ -192,22 +175,17 @@ extern const NSSError NSS_ERROR_INVALID_
  *  NSS_ERROR_INVALID_ARENA_MARK
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus
-nssArena_Unmark
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark
-);
+NSS_EXTERN PRStatus nssArena_Unmark(NSSArena *arena, nssArenaMark *arenaMark);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
 extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
 
 #ifdef ARENA_DESTRUCTOR_LIST
 
 /*
@@ -217,229 +195,205 @@ extern const NSSError NSS_ERROR_ARENA_MA
  * pointer-sized argument in the arena, at the current point in
  * the mark stack.  If the arena is destroyed, or an "earlier"
  * mark is released, then this destructor will be called at that
  * time.  Note that the destructor will be called with the arena
  * locked, which means the destructor may free memory in that
  * arena, but it may not allocate or cause to be allocated any
  * memory.  This callback facility was included to support our
  * debug-version pointer-tracker feature; overuse runs counter to
- * the the original intent of arenas.  This routine returns a 
- * PRStatus value; if successful, it will return PR_SUCCESS.  If 
- * unsuccessful, it will set an error on the error stack and 
+ * the the original intent of arenas.  This routine returns a
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If
+ * unsuccessful, it will set an error on the error stack and
  * return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus
-nssArena_registerDestructor
-(
-  NSSArena *arena,
-  void (*destructor)(void *argument),
-  void *arg
-);
+NSS_EXTERN PRStatus nssArena_registerDestructor(
+    NSSArena *arena, void (*destructor)(void *argument), void *arg);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 
 /*
  * nssArena_deregisterDestructor
  *
  * This routine will remove the first destructor in the specified
  * arena which has the specified destructor and argument values.
  * The destructor will not be called.  This routine returns a
- * PRStatus value; if successful, it will return PR_SUCCESS.  If 
- * unsuccessful, it will set an error on the error stack and 
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If
+ * unsuccessful, it will set an error on the error stack and
  * return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NOT_FOUND
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus
-nssArena_deregisterDestructor
-(
-  NSSArena *arena,
-  void (*destructor)(void *argument),
-  void *arg
-);
+NSS_EXTERN PRStatus nssArena_deregisterDestructor(
+    NSSArena *arena, void (*destructor)(void *argument), void *arg);
 
 extern const NSSError NSS_ERROR_INVALID_ITEM;
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_NOT_FOUND;
 
 #endif /* ARENA_DESTRUCTOR_LIST */
 
 /*
  * nss_ZAlloc
  *
- * This routine allocates and zeroes a section of memory of the 
+ * This routine allocates and zeroes a section of memory of the
  * size, and returns to the caller a pointer to that memory.  If
  * the optional arena argument is non-null, the memory will be
  * obtained from that arena; otherwise, the memory will be obtained
  * from the heap.  This routine may return NULL upon error, in
  * which case it will have set an error upon the error stack.  The
- * value specified for size may be zero; in which case a valid 
+ * value specified for size may be zero; in which case a valid
  * zero-length block of memory will be allocated.  This block may
  * be expanded by calling nss_ZRealloc.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
-NSS_EXTERN void *
-nss_ZAlloc
-(
-  NSSArena *arenaOpt,
-  PRUint32 size
-);
+NSS_EXTERN void *nss_ZAlloc(NSSArena *arenaOpt, PRUint32 size);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
 
 /*
  * nss_ZFreeIf
  *
- * If the specified pointer is non-null, then the region of memory 
- * to which it points -- which must have been allocated with 
- * nss_ZAlloc -- will be zeroed and released.  This routine 
+ * If the specified pointer is non-null, then the region of memory
+ * to which it points -- which must have been allocated with
+ * nss_ZAlloc -- will be zeroed and released.  This routine
  * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return 
+ * If unsuccessful, it will set an error on the error stack and return
  * PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus
-nss_ZFreeIf
-(
-  void *pointer
-);
+NSS_EXTERN PRStatus nss_ZFreeIf(void *pointer);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 
 /*
  * nss_ZRealloc
  *
  * This routine reallocates a block of memory obtained by calling
- * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
+ * nss_ZAlloc or nss_ZRealloc.  The portion of memory
  * between the new and old sizes -- which is either being newly
- * obtained or released -- is in either case zeroed.  This routine 
- * may return NULL upon failure, in which case it will have placed 
+ * obtained or released -- is in either case zeroed.  This routine
+ * may return NULL upon failure, in which case it will have placed
  * an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the replacement segment of memory
  */
 
-NSS_EXTERN void *
-nss_ZRealloc
-(
-  void *pointer,
-  PRUint32 newSize
-);
+NSS_EXTERN void *nss_ZRealloc(void *pointer, PRUint32 newSize);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
 
 /*
  * nss_ZNEW
  *
  * This preprocessor macro will allocate memory for a new object
  * of the specified type with nss_ZAlloc, and will cast the
- * return value appropriately.  If the optional arena argument is 
- * non-null, the memory will be obtained from that arena; otherwise, 
- * the memory will be obtained from the heap.  This routine may 
- * return NULL upon error, in which case it will have set an error 
+ * return value appropriately.  If the optional arena argument is
+ * non-null, the memory will be obtained from that arena; otherwise,
+ * the memory will be obtained from the heap.  This routine may
+ * return NULL upon error, in which case it will have set an error
  * upon the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
-/* The following line exceeds 72 characters, but emacs screws up if I split it. */
 #define nss_ZNEW(arenaOpt, type) ((type *)nss_ZAlloc((arenaOpt), sizeof(type)))
 
 /*
  * nss_ZNEWARRAY
  *
  * This preprocessor macro will allocate memory for an array of
  * new objects, and will cast the return value appropriately.
- * If the optional arena argument is non-null, the memory will 
- * be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon 
- * error, in which case it will have set an error upon the error 
+ * If the optional arena argument is non-null, the memory will
+ * be obtained from that arena; otherwise, the memory will be
+ * obtained from the heap.  This routine may return NULL upon
+ * error, in which case it will have set an error upon the error
  * stack.  The array size may be specified as zero.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
-/* The following line exceeds 72 characters, but emacs screws up if I split it. */
-#define nss_ZNEWARRAY(arenaOpt, type, quantity) ((type *)nss_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
+#define nss_ZNEWARRAY(arenaOpt, type, quantity)                                \
+    ((type *)nss_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
 
 /*
  * nss_ZREALLOCARRAY
  *
  * This preprocessor macro will reallocate memory for an array of
  * new objects, and will cast the return value appropriately.
- * This routine may return NULL upon error, in which case it will 
+ * This routine may return NULL upon error, in which case it will
  *  have set an error upon the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the replacement segment of memory
  */
-#define nss_ZREALLOCARRAY(p, type, quantity) ((type *)nss_ZRealloc((p), sizeof(type) * (quantity)))
+#define nss_ZREALLOCARRAY(p, type, quantity)                                   \
+    ((type *)nss_ZRealloc((p), sizeof(type) * (quantity)))
 
 /*
  * nssArena_verifyPointer
  *
  * This method is only present in debug builds.
  *
  * If the specified pointer is a valid pointer to an NSSArena object,
  * this routine will return PR_SUCCESS.  Otherwise, it will put an
@@ -449,21 +403,17 @@ extern const NSSError NSS_ERROR_ARENA_MA
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS if the pointer is valid
  *  PR_FAILURE if it isn't
  */
 
 #ifdef DEBUG
-NSS_EXTERN PRStatus
-nssArena_verifyPointer
-(
-  const NSSArena *arena
-);
+NSS_EXTERN PRStatus nssArena_verifyPointer(const NSSArena *arena);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 #endif /* DEBUG */
 
 /*
  * nssArena_VERIFYPOINTER
  *
  * This macro is always available.  In debug builds it will call
@@ -474,35 +424,35 @@ extern const NSSError NSS_ERROR_INVALID_
  * Return value:
  *  PR_SUCCESS if the pointer is valid
  *  PR_FAILURE if it isn't
  */
 
 #ifdef DEBUG
 #define nssArena_VERIFYPOINTER(p) nssArena_verifyPointer(p)
 #else /* DEBUG */
-/* The following line exceeds 72 characters, but emacs screws up if I split it. */
-#define nssArena_VERIFYPOINTER(p) (((NSSArena *)NULL == (p))?PR_FAILURE:PR_SUCCESS)
+
+#define nssArena_VERIFYPOINTER(p)                                              \
+    (((NSSArena *)NULL == (p)) ? PR_FAILURE : PR_SUCCESS)
 #endif /* DEBUG */
 
 /*
- * Private function to be called by NSS_Shutdown to cleanup nssArena 
+ * Private function to be called by NSS_Shutdown to cleanup nssArena
  * bookkeeping.
  */
-extern PRStatus
-nssArena_Shutdown(void);
+extern PRStatus nssArena_Shutdown(void);
 
 /*
  * nssArenaHashAllocOps
  *
  * This constant structure contains allocation callbacks designed for
  * use with the NSPL routine PL_NewHashTable.  For example:
  *
  *  NSSArena *hashTableArena = nssArena_Create();
- *  PLHashTable *t = PL_NewHashTable(n, hasher, key_compare, 
+ *  PLHashTable *t = PL_NewHashTable(n, hasher, key_compare,
  *    value_compare, nssArenaHashAllocOps, hashTableArena);
  */
 
 NSS_EXTERN_DATA PLHashAllocOps nssArenaHashAllocOps;
 
 /*
  * The error stack
  *
@@ -510,176 +460,129 @@ NSS_EXTERN_DATA PLHashAllocOps nssArenaH
  *
  *  nss_SetError
  *  nss_ClearErrorStack
  */
 
 /*
  * nss_SetError
  *
- * This routine places a new error code on the top of the calling 
+ * This routine places a new error code on the top of the calling
  * thread's error stack.  Calling this routine wiht an error code
  * of zero will clear the error stack.
  */
 
-NSS_EXTERN void
-nss_SetError
-(
-  PRUint32 error
-);
+NSS_EXTERN void nss_SetError(PRUint32 error);
 
 /*
  * nss_ClearErrorStack
  *
  * This routine clears the calling thread's error stack.
  */
 
-NSS_EXTERN void
-nss_ClearErrorStack
-(
-  void
-);
+NSS_EXTERN void nss_ClearErrorStack(void);
 
 /*
  * nss_DestroyErrorStack
  *
  * This routine frees the calling thread's error stack.
  */
 
-NSS_EXTERN void
-nss_DestroyErrorStack
-(
-  void
-);
+NSS_EXTERN void nss_DestroyErrorStack(void);
 
 /*
  * NSSItem
  *
  * nssItem_Create
  * nssItem_Duplicate
  * nssItem_Equal
  */
 
-NSS_EXTERN NSSItem *
-nssItem_Create
-(
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt,
-  PRUint32 length,
-  const void *data
-);
+NSS_EXTERN NSSItem *nssItem_Create(NSSArena *arenaOpt, NSSItem *rvOpt,
+                                   PRUint32 length, const void *data);
 
-NSS_EXTERN void
-nssItem_Destroy
-(
-  NSSItem *item
-);
+NSS_EXTERN void nssItem_Destroy(NSSItem *item);
 
-NSS_EXTERN NSSItem *
-nssItem_Duplicate
-(
-  NSSItem *obj,
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt
-);
+NSS_EXTERN NSSItem *nssItem_Duplicate(NSSItem *obj, NSSArena *arenaOpt,
+                                      NSSItem *rvOpt);
 
-NSS_EXTERN PRBool
-nssItem_Equal
-(
-  const NSSItem *one,
-  const NSSItem *two,
-  PRStatus *statusOpt
-);
+NSS_EXTERN PRBool nssItem_Equal(const NSSItem *one, const NSSItem *two,
+                                PRStatus *statusOpt);
 
 /*
  * NSSUTF8
  *
  *  nssUTF8_CaseIgnoreMatch
  *  nssUTF8_Duplicate
  *  nssUTF8_Size
  *  nssUTF8_Length
  *  nssUTF8_CopyIntoFixedBuffer
  */
 
 /*
  * nssUTF8_CaseIgnoreMatch
- * 
- * Returns true if the two UTF8-encoded strings pointed to by the 
+ *
+ * Returns true if the two UTF8-encoded strings pointed to by the
  * two specified NSSUTF8 pointers differ only in typcase.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_TRUE if the strings match, ignoring case
  *  PR_FALSE if they don't
  *  PR_FALSE upon error
  */
 
-NSS_EXTERN PRBool
-nssUTF8_CaseIgnoreMatch
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-);
+NSS_EXTERN PRBool nssUTF8_CaseIgnoreMatch(const NSSUTF8 *a, const NSSUTF8 *b,
+                                          PRStatus *statusOpt);
 
 /*
  * nssUTF8_Duplicate
  *
  * This routine duplicates the UTF8-encoded string pointed to by the
  * specified NSSUTF8 pointer.  If the optional arenaOpt argument is
  * not null, the memory required will be obtained from that arena;
  * otherwise, the memory required will be obtained from the heap.
  * A pointer to the new string will be returned.  In case of error,
- * an error will be placed on the error stack and NULL will be 
+ * an error will be placed on the error stack and NULL will be
  * returned.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  */
 
-NSS_EXTERN NSSUTF8 *
-nssUTF8_Duplicate
-(
-  const NSSUTF8 *s,
-  NSSArena *arenaOpt
-);
+NSS_EXTERN NSSUTF8 *nssUTF8_Duplicate(const NSSUTF8 *s, NSSArena *arenaOpt);
 
 /*
  * nssUTF8_PrintableMatch
  *
- * Returns true if the two Printable strings pointed to by the 
- * two specified NSSUTF8 pointers match when compared with the 
- * rules for Printable String (leading and trailing spaces are 
- * disregarded, extents of whitespace match irregardless of length, 
+ * Returns true if the two Printable strings pointed to by the
+ * two specified NSSUTF8 pointers match when compared with the
+ * rules for Printable String (leading and trailing spaces are
+ * disregarded, extents of whitespace match irregardless of length,
  * and case is not significant), then PR_TRUE will be returned.
  * Otherwise, PR_FALSE will be returned.  Upon failure, PR_FALSE
  * will be returned.  If the optional statusOpt argument is not
  * NULL, then PR_SUCCESS or PR_FAILURE will be stored in that
  * location.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_TRUE if the strings match, ignoring case
  *  PR_FALSE if they don't
  *  PR_FALSE upon error
  */
 
-NSS_EXTERN PRBool
-nssUTF8_PrintableMatch
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-);
+NSS_EXTERN PRBool nssUTF8_PrintableMatch(const NSSUTF8 *a, const NSSUTF8 *b,
+                                         PRStatus *statusOpt);
 
 /*
  * nssUTF8_Size
  *
  * This routine returns the length in bytes (including the terminating
  * null) of the UTF8-encoded string pointed to by the specified
  * NSSUTF8 pointer.  Zero is returned on error.
  *
@@ -687,22 +590,17 @@ nssUTF8_PrintableMatch
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_VALUE_TOO_LARGE
  *
  * Return value:
  *  nonzero size of the string
  *  0 on error
  */
 
-NSS_EXTERN PRUint32
-nssUTF8_Size
-(
-  const NSSUTF8 *s,
-  PRStatus *statusOpt
-);
+NSS_EXTERN PRUint32 nssUTF8_Size(const NSSUTF8 *s, PRStatus *statusOpt);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
 
 /*
  * nssUTF8_Length
  *
  * This routine returns the length in characters (not including the
@@ -714,22 +612,17 @@ extern const NSSError NSS_ERROR_VALUE_TO
  *  NSS_ERROR_VALUE_TOO_LARGE
  *  NSS_ERROR_INVALID_STRING
  *
  * Return value:
  *  length of the string (which may be zero)
  *  0 on error
  */
 
-NSS_EXTERN PRUint32
-nssUTF8_Length
-(
-  const NSSUTF8 *s,
-  PRStatus *statusOpt
-);
+NSS_EXTERN PRUint32 nssUTF8_Length(const NSSUTF8 *s, PRStatus *statusOpt);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
 extern const NSSError NSS_ERROR_INVALID_STRING;
 
 /*
  * nssUTF8_Create
  *
@@ -748,265 +641,174 @@ extern const NSSError NSS_ERROR_INVALID_
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_UNSUPPORTED_TYPE
  *
  * Return value:
  *  NULL upon error
  *  A non-null pointer to a new UTF8 string otherwise
  */
 
-NSS_EXTERN NSSUTF8 *
-nssUTF8_Create
-(
-  NSSArena *arenaOpt,
-  nssStringType type,
-  const void *inputString,
-  PRUint32 size /* in bytes, not characters */
-);
+NSS_EXTERN NSSUTF8 *nssUTF8_Create(NSSArena *arenaOpt, nssStringType type,
+                                   const void *inputString,
+                                   PRUint32 size /* in bytes, not characters */
+                                   );
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 extern const NSSError NSS_ERROR_UNSUPPORTED_TYPE;
 
-NSS_EXTERN NSSItem *
-nssUTF8_GetEncoding
-(
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt,
-  nssStringType type,
-  NSSUTF8 *string
-);
+NSS_EXTERN NSSItem *nssUTF8_GetEncoding(NSSArena *arenaOpt, NSSItem *rvOpt,
+                                        nssStringType type, NSSUTF8 *string);
 
 /*
  * nssUTF8_CopyIntoFixedBuffer
  *
- * This will copy a UTF8 string into a fixed-length buffer, making 
+ * This will copy a UTF8 string into a fixed-length buffer, making
  * sure that the all characters are valid.  Any remaining space will
- * be padded with the specified ASCII character, typically either 
+ * be padded with the specified ASCII character, typically either
  * null or space.
  *
  * Blah, blah, blah.
  */
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
 
-NSS_EXTERN PRStatus
-nssUTF8_CopyIntoFixedBuffer
-(
-  NSSUTF8 *string,
-  char *buffer,
-  PRUint32 bufferSize,
-  char pad
-);
+NSS_EXTERN PRStatus nssUTF8_CopyIntoFixedBuffer(NSSUTF8 *string, char *buffer,
+                                                PRUint32 bufferSize, char pad);
 
 /*
  * nssUTF8_Equal
  *
  */
 
-NSS_EXTERN PRBool
-nssUTF8_Equal
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-);
+NSS_EXTERN PRBool nssUTF8_Equal(const NSSUTF8 *a, const NSSUTF8 *b,
+                                PRStatus *statusOpt);
 
 /*
  * nssList
  *
  * The goal is to provide a simple, optionally threadsafe, linked list
  * class.  Since NSS did not seem to use the circularity of PRCList
  * much before, this provides a list that appears to be a linear,
  * NULL-terminated list.
  */
 
 /*
  * nssList_Create
  *
  * If threadsafe is true, the list will be locked during modifications
  * and traversals.
  */
-NSS_EXTERN nssList *
-nssList_Create
-(
-  NSSArena *arenaOpt,
-  PRBool threadSafe
-);
+NSS_EXTERN nssList *nssList_Create(NSSArena *arenaOpt, PRBool threadSafe);
 
 /*
  * nssList_Destroy
  */
-NSS_EXTERN PRStatus
-nssList_Destroy
-(
-  nssList *list
-);
+NSS_EXTERN PRStatus nssList_Destroy(nssList *list);
 
-NSS_EXTERN void
-nssList_Clear
-(
-  nssList *list, 
-  nssListElementDestructorFunc destructor
-);
+NSS_EXTERN void nssList_Clear(nssList *list,
+                              nssListElementDestructorFunc destructor);
 
 /*
  * nssList_SetCompareFunction
  *
  * By default, two list elements will be compared by comparing their
  * data pointers.  By setting this function, the user can control
  * how elements are compared.
  */
-NSS_EXTERN void
-nssList_SetCompareFunction
-(
-  nssList *list, 
-  nssListCompareFunc compareFunc
-);
+NSS_EXTERN void nssList_SetCompareFunction(nssList *list,
+                                           nssListCompareFunc compareFunc);
 
 /*
  * nssList_SetSortFunction
  *
  * Sort function to use for an ordered list.
  */
-NSS_EXTERN void
-nssList_SetSortFunction
-(
-  nssList *list, 
-  nssListSortFunc sortFunc
-);
+NSS_EXTERN void nssList_SetSortFunction(nssList *list,
+                                        nssListSortFunc sortFunc);
 
 /*
  * nssList_Add
  */
-NSS_EXTERN PRStatus
-nssList_Add
-(
-  nssList *list, 
-  void *data
-);
+NSS_EXTERN PRStatus nssList_Add(nssList *list, void *data);
 
 /*
  * nssList_AddUnique
  *
  * This will use the compare function to see if the element is already
  * in the list.
  */
-NSS_EXTERN PRStatus
-nssList_AddUnique
-(
-  nssList *list, 
-  void *data
-);
+NSS_EXTERN PRStatus nssList_AddUnique(nssList *list, void *data);
 
 /*
  * nssList_Remove
  *
  * Uses the compare function to locate the element and remove it.
  */
-NSS_EXTERN PRStatus
-nssList_Remove(nssList *list, void *data);
+NSS_EXTERN PRStatus nssList_Remove(nssList *list, void *data);
 
 /*
  * nssList_Get
  *
  * Uses the compare function to locate an element.  Also serves as
  * nssList_Exists.
  */
-NSS_EXTERN void *
-nssList_Get
-(
-  nssList *list, 
-  void *data
-);
+NSS_EXTERN void *nssList_Get(nssList *list, void *data);
 
 /*
  * nssList_Count
  */
-NSS_EXTERN PRUint32
-nssList_Count
-(
-  nssList *list
-);
+NSS_EXTERN PRUint32 nssList_Count(nssList *list);
 
 /*
  * nssList_GetArray
  *
  * Fill rvArray, up to maxElements, with elements in the list.  The
  * array is NULL-terminated, so its allocated size must be maxElements + 1.
  */
-NSS_EXTERN PRStatus
-nssList_GetArray
-(
-  nssList *list, 
-  void **rvArray, 
-  PRUint32 maxElements
-);
+NSS_EXTERN PRStatus nssList_GetArray(nssList *list, void **rvArray,
+                                     PRUint32 maxElements);
 
 /*
  * nssList_CreateIterator
  *
  * Create an iterator for list traversal.
  */
-NSS_EXTERN nssListIterator *
-nssList_CreateIterator
-(
-  nssList *list
-);
+NSS_EXTERN nssListIterator *nssList_CreateIterator(nssList *list);
 
-NSS_EXTERN nssList *
-nssList_Clone
-(
-  nssList *list
-);
+NSS_EXTERN nssList *nssList_Clone(nssList *list);
 
 /*
  * nssListIterator_Destroy
  */
-NSS_EXTERN void
-nssListIterator_Destroy
-(
-  nssListIterator *iter
-);
+NSS_EXTERN void nssListIterator_Destroy(nssListIterator *iter);
 
 /*
  * nssListIterator_Start
  *
  * Begin a list iteration.  After this call, if the list is threadSafe,
  * the list is *locked*.
  */
-NSS_EXTERN void *
-nssListIterator_Start
-(
-  nssListIterator *iter
-);
+NSS_EXTERN void *nssListIterator_Start(nssListIterator *iter);
 
 /*
  * nssListIterator_Next
  *
  * Continue a list iteration.
  */
-NSS_EXTERN void *
-nssListIterator_Next
-(
-  nssListIterator *iter
-);
+NSS_EXTERN void *nssListIterator_Next(nssListIterator *iter);
 
 /*
  * nssListIterator_Finish
  *
  * Complete a list iteration.  This *must* be called in order for the
  * lock to be released.
  */
-NSS_EXTERN PRStatus
-nssListIterator_Finish
-(
-  nssListIterator *iter
-);
+NSS_EXTERN PRStatus nssListIterator_Finish(nssListIterator *iter);
 
 /*
  * nssHash
  *
  *  nssHash_Create
  *  nssHash_Destroy
  *  nssHash_Add
  *  nssHash_Remove
@@ -1016,178 +818,122 @@ nssListIterator_Finish
  *  nssHash_Iterate
  */
 
 /*
  * nssHash_Create
  *
  */
 
-NSS_EXTERN nssHash *
-nssHash_Create
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets,
-  PLHashFunction keyHash,
-  PLHashComparator keyCompare,
-  PLHashComparator valueCompare
-);
+NSS_EXTERN nssHash *nssHash_Create(NSSArena *arenaOpt, PRUint32 numBuckets,
+                                   PLHashFunction keyHash,
+                                   PLHashComparator keyCompare,
+                                   PLHashComparator valueCompare);
 
-NSS_EXTERN nssHash *
-nssHash_CreatePointer
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-);
+NSS_EXTERN nssHash *nssHash_CreatePointer(NSSArena *arenaOpt,
+                                          PRUint32 numBuckets);
 
-NSS_EXTERN nssHash *
-nssHash_CreateString
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-);
+NSS_EXTERN nssHash *nssHash_CreateString(NSSArena *arenaOpt,
+                                         PRUint32 numBuckets);
 
-NSS_EXTERN nssHash *
-nssHash_CreateItem
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-);
+NSS_EXTERN nssHash *nssHash_CreateItem(NSSArena *arenaOpt, PRUint32 numBuckets);
 
 /*
  * nssHash_Destroy
  *
  */
-NSS_EXTERN void
-nssHash_Destroy
-(
-  nssHash *hash
-);
+NSS_EXTERN void nssHash_Destroy(nssHash *hash);
 
 /*
  * nssHash_Add
  *
  */
 
 extern const NSSError NSS_ERROR_HASH_COLLISION;
 
-NSS_EXTERN PRStatus
-nssHash_Add
-(
-  nssHash *hash,
-  const void *key,
-  const void *value
-);
+NSS_EXTERN PRStatus nssHash_Add(nssHash *hash, const void *key,
+                                const void *value);
 
 /*
  * nssHash_Remove
  *
  */
-NSS_EXTERN void
-nssHash_Remove
-(
-  nssHash *hash,
-  const void *it
-);
+NSS_EXTERN void nssHash_Remove(nssHash *hash, const void *it);
 
 /*
  * nssHash_Count
  *
  */
-NSS_EXTERN PRUint32
-nssHash_Count
-(
-  nssHash *hash
-);
+NSS_EXTERN PRUint32 nssHash_Count(nssHash *hash);
 
 /*
  * nssHash_Exists
  *
  */
-NSS_EXTERN PRBool
-nssHash_Exists
-(
-  nssHash *hash,
-  const void *it
-);
+NSS_EXTERN PRBool nssHash_Exists(nssHash *hash, const void *it);
 
 /*
  * nssHash_Lookup
  *
  */
-NSS_EXTERN void *
-nssHash_Lookup
-(
-  nssHash *hash,
-  const void *it
-);
+NSS_EXTERN void *nssHash_Lookup(nssHash *hash, const void *it);
 
 /*
  * nssHash_Iterate
  *
  */
-NSS_EXTERN void
-nssHash_Iterate
-(
-  nssHash *hash,
-  nssHashIterator fcn,
-  void *closure
-);
-
+NSS_EXTERN void nssHash_Iterate(nssHash *hash, nssHashIterator fcn,
+                                void *closure);
 
 /*
  * nssPointerTracker
  *
  * This type and these methods are only present in debug builds.
- * 
+ *
  * The nonpublic methods relating to this type are:
  *
  *  nssPointerTracker_initialize
  *  nssPointerTracker_finalize
  *  nssPointerTracker_add
  *  nssPointerTracker_remove
  *  nssPointerTracker_verify
  */
 
 /*
  * nssPointerTracker_initialize
  *
  * This method is only present in debug builds.
- * 
+ *
  * This routine initializes an nssPointerTracker object.  Note that
  * the object must have been declared *static* to guarantee that it
  * is in a zeroed state initially.  This routine is idempotent, and
- * may even be safely called by multiple threads simultaneously with 
- * the same argument.  This routine returns a PRStatus value; if 
- * successful, it will return PR_SUCCESS.  On failure it will set an 
+ * may even be safely called by multiple threads simultaneously with
+ * the same argument.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  On failure it will set an
  * error on the error stack and return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 #ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_initialize
-(
-  nssPointerTracker *tracker
-);
+NSS_EXTERN PRStatus nssPointerTracker_initialize(nssPointerTracker *tracker);
 
 extern const NSSError NSS_ERROR_NO_MEMORY;
 #endif /* DEBUG */
 
 /*
  * nssPointerTracker_finalize
  *
  * This method is only present in debug builds.
- * 
+ *
  * This routine returns the nssPointerTracker object to the pre-
  * initialized state, releasing all resources used by the object.
  * It will *NOT* destroy the objects being tracked by the pointer
  * (should any remain), and therefore cannot be used to "sweep up"
  * remaining objects.  This routine returns a PRStatus value; if
  * successful, it will return PR_SUCCES.  On failure it will set an
  * error on the error stack and return PR_FAILURE.  If any objects
  * remain in the tracker when it is finalized, that will be treated
@@ -1197,21 +943,17 @@ extern const NSSError NSS_ERROR_NO_MEMOR
  *  NSS_ERROR_TRACKER_NOT_EMPTY
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 #ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_finalize
-(
-  nssPointerTracker *tracker
-);
+NSS_EXTERN PRStatus nssPointerTracker_finalize(nssPointerTracker *tracker);
 
 extern const NSSError NSS_ERROR_TRACKER_NOT_EMPTY;
 #endif /* DEBUG */
 
 /*
  * nssPointerTracker_add
  *
  * This method is only present in debug builds.
@@ -1229,92 +971,80 @@ extern const NSSError NSS_ERROR_TRACKER_
  *  NSS_ERROR_DUPLICATE_POINTER
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 #ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_add
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-);
+NSS_EXTERN PRStatus nssPointerTracker_add(nssPointerTracker *tracker,
+                                          const void *pointer);
 
 extern const NSSError NSS_ERROR_NO_MEMORY;
 extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
 extern const NSSError NSS_ERROR_DUPLICATE_POINTER;
 #endif /* DEBUG */
 
 /*
  * nssPointerTracker_remove
  *
  * This method is only present in debug builds.
  *
- * This routine removes the specified pointer from the 
+ * This routine removes the specified pointer from the
  * nssPointerTracker object.  It does not call any destructor for the
  * object; rather, this should be called from the object's destructor.
- * The nssPointerTracker is threadsafe, but this call is not 
- * idempotent.  This routine returns a PRStatus value; if successful 
- * it will return PR_SUCCESS.  On failure it will set an error on the 
+ * The nssPointerTracker is threadsafe, but this call is not
+ * idempotent.  This routine returns a PRStatus value; if successful
+ * it will return PR_SUCCESS.  On failure it will set an error on the
  * error stack and return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_TRACKER_NOT_INITIALIZED
  *  NSS_ERROR_POINTER_NOT_REGISTERED
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 #ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_remove
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-);
+NSS_EXTERN PRStatus nssPointerTracker_remove(nssPointerTracker *tracker,
+                                             const void *pointer);
 
 extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
 extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
 #endif /* DEBUG */
 
 /*
  * nssPointerTracker_verify
  *
  * This method is only present in debug builds.
  *
  * This routine verifies that the specified pointer has been registered
  * with the nssPointerTracker object.  The nssPointerTracker object is
  * threadsafe, and this call may be safely called from multiple threads
  * simultaneously with the same arguments.  This routine returns a
- * PRStatus value; if the pointer is registered this will return 
- * PR_SUCCESS.  Otherwise it will set an error on the error stack and 
- * return PR_FAILURE.  Although the error is suitable for leaving on 
- * the stack, callers may wish to augment the information available by 
+ * PRStatus value; if the pointer is registered this will return
+ * PR_SUCCESS.  Otherwise it will set an error on the error stack and
+ * return PR_FAILURE.  Although the error is suitable for leaving on
+ * the stack, callers may wish to augment the information available by
  * placing a more type-specific error on the stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_POINTER_NOT_REGISTERED
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILRUE
  */
 
 #ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_verify
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-);
+NSS_EXTERN PRStatus nssPointerTracker_verify(nssPointerTracker *tracker,
+                                             const void *pointer);
 
 extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
 #endif /* DEBUG */
 
 /*
  * libc
  *
  * nsslibc_memcpy
@@ -1328,67 +1058,49 @@ extern const NSSError NSS_ERROR_POINTER_
  * Errors:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  NULL on error
  *  The destination pointer on success
  */
 
-NSS_EXTERN void *
-nsslibc_memcpy
-(
-  void *dest,
-  const void *source,
-  PRUint32 n
-);
+NSS_EXTERN void *nsslibc_memcpy(void *dest, const void *source, PRUint32 n);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 
 /*
  * nsslibc_memset
  *
  * Errors:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  NULL on error
  *  The destination pointer on success
  */
 
-NSS_EXTERN void *
-nsslibc_memset
-(
-  void *dest,
-  PRUint8 byte,
-  PRUint32 n
-);
+NSS_EXTERN void *nsslibc_memset(void *dest, PRUint8 byte, PRUint32 n);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 
 /*
  * nsslibc_memequal
  *
  * Errors:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_TRUE if they match
  *  PR_FALSE if they don't
  *  PR_FALSE upon error
  */
 
-NSS_EXTERN PRBool
-nsslibc_memequal
-(
-  const void *a,
-  const void *b,
-  PRUint32 len,
-  PRStatus *statusOpt
-);
+NSS_EXTERN PRBool nsslibc_memequal(const void *a, const void *b, PRUint32 len,
+                                   PRStatus *statusOpt);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 
 #define nsslibc_offsetof(str, memb) ((PRPtrdiff)(&(((str *)0)->memb)))
 
 PR_END_EXTERN_C
 
 #endif /* BASE_H */
--- a/security/nss/lib/base/baset.h
+++ b/security/nss/lib/base/baset.h
@@ -27,17 +27,17 @@ PR_BEGIN_EXTERN_C
  */
 
 struct nssArenaMarkStr;
 typedef struct nssArenaMarkStr nssArenaMark;
 
 #ifdef DEBUG
 /*
  * ARENA_THREADMARK
- * 
+ *
  * Optionally, this arena implementation can be compiled with some
  * runtime checking enabled, which will catch the situation where
  * one thread "marks" the arena, another thread allocates memory,
  * and then the mark is released.  Usually this is a surprise to
  * the second thread, and this leads to weird runtime errors.
  * Define ARENA_THREADMARK to catch these cases; we define it for all
  * (internal and external) debug builds.
  */
@@ -63,63 +63,62 @@ typedef struct nssArenaMarkStr nssArenaM
 #ifdef ARENA_THREADMARK
 #define ARENA_DESTRUCTOR_LIST
 #endif /* ARENA_THREADMARK */
 
 #endif /* DEBUG */
 
 typedef struct nssListStr nssList;
 typedef struct nssListIteratorStr nssListIterator;
-typedef PRBool (* nssListCompareFunc)(void *a, void *b);
-typedef PRIntn (* nssListSortFunc)(void *a, void *b);
-typedef void (* nssListElementDestructorFunc)(void *el);
+typedef PRBool (*nssListCompareFunc)(void *a, void *b);
+typedef PRIntn (*nssListSortFunc)(void *a, void *b);
+typedef void (*nssListElementDestructorFunc)(void *el);
 
 typedef struct nssHashStr nssHash;
-typedef void (PR_CALLBACK *nssHashIterator)(const void *key, 
-                                            void *value, 
-                                            void *arg);
+typedef void(PR_CALLBACK *nssHashIterator)(const void *key, void *value,
+                                           void *arg);
 
 /*
  * nssPointerTracker
  *
  * This type is used in debug builds (both external and internal) to
  * track our object pointers.  Objects of this type must be statically
  * allocated, which means the structure size must be available to the
  * compiler.  Therefore we must expose the contents of this structure.
  * But please don't access elements directly; use the accessors.
  */
 
 #ifdef DEBUG
 struct nssPointerTrackerStr {
-  PRCallOnceType once;
-  PZLock *lock;
-  PLHashTable *table;
+    PRCallOnceType once;
+    PZLock *lock;
+    PLHashTable *table;
 };
 typedef struct nssPointerTrackerStr nssPointerTracker;
 #endif /* DEBUG */
 
 /*
  * nssStringType
  *
  * There are several types of strings in the real world.  We try to
  * use only UTF8 and avoid the rest, but that's not always possible.
  * So we have a couple converter routines to go to and from the other
  * string types.  We have to be able to specify those string types,
  * so we have this enumeration.
  */
 
 enum nssStringTypeEnum {
-  nssStringType_DirectoryString,
-  nssStringType_TeletexString, /* Not "teletext" with trailing 't' */
-  nssStringType_PrintableString,
-  nssStringType_UniversalString,
-  nssStringType_BMPString,
-  nssStringType_UTF8String,
-  nssStringType_PHGString,
-  nssStringType_GeneralString,
+    nssStringType_DirectoryString,
+    nssStringType_TeletexString, /* Not "teletext" with trailing 't' */
+    nssStringType_PrintableString,
+    nssStringType_UniversalString,
+    nssStringType_BMPString,
+    nssStringType_UTF8String,
+    nssStringType_PHGString,
+    nssStringType_GeneralString,
 
-  nssStringType_Unknown = -1
+    nssStringType_Unknown = -1
 };
 typedef enum nssStringTypeEnum nssStringType;
 
 PR_END_EXTERN_C
 
 #endif /* BASET_H */
--- a/security/nss/lib/base/error.c
+++ b/security/nss/lib/base/error.c
@@ -1,42 +1,42 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * error.c
  *
- * This file contains the code implementing the per-thread error 
+ * This file contains the code implementing the per-thread error
  * stacks upon which most NSS routines report their errors.
  */
 
 #ifndef BASE_H
 #include "base.h"
-#endif /* BASE_H */
+#endif              /* BASE_H */
 #include <limits.h> /* for UINT_MAX */
 #include <string.h> /* for memmove */
 
 #define NSS_MAX_ERROR_STACK_COUNT 16 /* error codes */
 
 /*
  * The stack itself has a header, and a sequence of integers.
  * The header records the amount of space (as measured in stack
  * slots) already allocated for the stack, and the count of the
  * number of records currently being used.
  */
 
 struct stack_header_str {
-  PRUint16 space;
-  PRUint16 count;
+    PRUint16 space;
+    PRUint16 count;
 };
 
 struct error_stack_str {
-  struct stack_header_str header;
-  PRInt32 stack[1];
+    struct stack_header_str header;
+    PRInt32 stack[1];
 };
 typedef struct error_stack_str error_stack;
 
 /*
  * error_stack_index
  *
  * Thread-private data must be indexed.  This is that index.
  * See PR_NewThreadPrivateIndex for more information.
@@ -57,72 +57,74 @@ static PRUintn error_stack_index = INVAL
 static PRCallOnceType error_call_once;
 
 /*
  * error_once_function
  *
  * This is the once-called callback.
  */
 static PRStatus
-error_once_function ( void)
+error_once_function(void)
 {
-  return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free);
+    return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free);
 }
 
 /*
  * error_get_my_stack
  *
  * This routine returns the calling thread's error stack, creating
  * it if necessary.  It may return NULL upon error, which implicitly
  * means that it ran out of memory.
  */
 
 static error_stack *
-error_get_my_stack ( void)
+error_get_my_stack(void)
 {
-  PRStatus st;
-  error_stack *rv;
-  PRUintn new_size;
-  PRUint32 new_bytes;
-  error_stack *new_stack;
+    PRStatus st;
+    error_stack *rv;
+    PRUintn new_size;
+    PRUint32 new_bytes;
+    error_stack *new_stack;
 
-  if( INVALID_TPD_INDEX == error_stack_index ) {
-    st = PR_CallOnce(&error_call_once, error_once_function);
-    if( PR_SUCCESS != st ) {
-      return (error_stack *)NULL;
+    if (INVALID_TPD_INDEX == error_stack_index) {
+        st = PR_CallOnce(&error_call_once, error_once_function);
+        if (PR_SUCCESS != st) {
+            return (error_stack *)NULL;
+        }
     }
-  }
 
-  rv = (error_stack *)PR_GetThreadPrivate(error_stack_index);
-  if( (error_stack *)NULL == rv ) {
-    /* Doesn't exist; create one */
-    new_size = 16;
-  } else if( rv->header.count == rv->header.space  &&
-             rv->header.count  < NSS_MAX_ERROR_STACK_COUNT ) {
-    /* Too small, expand it */
-    new_size = PR_MIN( rv->header.space * 2, NSS_MAX_ERROR_STACK_COUNT);
-  } else {
-    /* Okay, return it */
-    return rv;
-  }
+    rv = (error_stack *)PR_GetThreadPrivate(error_stack_index);
+    if ((error_stack *)NULL == rv) {
+        /* Doesn't exist; create one */
+        new_size = 16;
+    }
+    else if (rv->header.count == rv->header.space &&
+             rv->header.count < NSS_MAX_ERROR_STACK_COUNT) {
+        /* Too small, expand it */
+        new_size = PR_MIN(rv->header.space * 2, NSS_MAX_ERROR_STACK_COUNT);
+    }
+    else {
+        /* Okay, return it */
+        return rv;
+    }
 
-  new_bytes = (new_size * sizeof(PRInt32)) + sizeof(error_stack);
-  /* Use NSPR's calloc/realloc, not NSS's, to avoid loops! */
-  new_stack = PR_Calloc(1, new_bytes);
-  
-  if( (error_stack *)NULL != new_stack ) {
-    if( (error_stack *)NULL != rv ) {
-	(void)nsslibc_memcpy(new_stack,rv,rv->header.space);
+    new_bytes = (new_size * sizeof(PRInt32)) + sizeof(error_stack);
+    /* Use NSPR's calloc/realloc, not NSS's, to avoid loops! */
+    new_stack = PR_Calloc(1, new_bytes);
+
+    if ((error_stack *)NULL != new_stack) {
+        if ((error_stack *)NULL != rv) {
+            (void)nsslibc_memcpy(new_stack, rv, rv->header.space);
+        }
+        new_stack->header.space = new_size;
     }
-    new_stack->header.space = new_size;
-  }
 
-  /* Set the value, whether or not the allocation worked */
-  PR_SetThreadPrivate(error_stack_index, new_stack);
-  return new_stack;
+    /* Set the value, whether or not the allocation worked */
+    PR_SetThreadPrivate(error_stack_index, new_stack);
+    return new_stack;
 }
 
 /*
  * The error stack
  *
  * The public methods relating to the error stack are:
  *
  *  NSS_GetError
@@ -146,124 +148,125 @@ error_get_my_stack ( void)
  * indicates that the previous NSS library call did not set an error.
  *
  * Return value:
  *  0 if no error has been set
  *  A nonzero error number
  */
 
 NSS_IMPLEMENT PRInt32
-NSS_GetError ( void)
+NSS_GetError(void)
 {
-  error_stack *es = error_get_my_stack();
+    error_stack *es = error_get_my_stack();
 
-  if( (error_stack *)NULL == es ) {
-    return NSS_ERROR_NO_MEMORY; /* Good guess! */
-  }
+    if ((error_stack *)NULL == es) {
+        return NSS_ERROR_NO_MEMORY; /* Good guess! */
+    }
 
-  if( 0 == es->header.count ) {
-    return 0;
-  }
+    if (0 == es->header.count) {
+        return 0;
+    }
 
-  return es->stack[ es->header.count-1 ];
+    return es->stack[es->header.count - 1];
 }
 
 /*
  * NSS_GetErrorStack
  *
  * This routine returns a pointer to an array of integers, containing
  * the entire sequence or "stack" of errors set by the most recent NSS
  * library routine called by the same thread calling this routine.
  * NOTE: the caller DOES NOT OWN the memory pointed to by the return
  * value.  The pointer will remain valid until the calling thread
- * calls another NSS routine.  The lowest-level (most specific) error 
+ * calls another NSS routine.  The lowest-level (most specific) error
  * is first in the array, and the highest-level is last.  The array is
  * zero-terminated.  This routine may return NULL upon error; this
  * indicates a low-memory situation.
  *
  * Return value:
  *  NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
  *  A NON-caller-owned pointer to an array of integers
  */
 
 NSS_IMPLEMENT PRInt32 *
-NSS_GetErrorStack ( void)
+NSS_GetErrorStack(void)
 {
-  error_stack *es = error_get_my_stack();
+    error_stack *es = error_get_my_stack();
 
-  if( (error_stack *)NULL == es ) {
-    return (PRInt32 *)NULL;
-  }
+    if ((error_stack *)NULL == es) {
+        return (PRInt32 *)NULL;
+    }
 
-  /* Make sure it's terminated */
-  es->stack[ es->header.count ] = 0;
+    /* Make sure it's terminated */
+    es->stack[es->header.count] = 0;
 
-  return es->stack;
+    return es->stack;
 }
 
 /*
  * nss_SetError
  *
- * This routine places a new error code on the top of the calling 
+ * This routine places a new error code on the top of the calling
  * thread's error stack.  Calling this routine wiht an error code
  * of zero will clear the error stack.
  */
 
 NSS_IMPLEMENT void
-nss_SetError ( PRUint32 error)
+nss_SetError(PRUint32 error)
 {
-  error_stack *es;
+    error_stack *es;
 
-  if( 0 == error ) {
-    nss_ClearErrorStack();
-    return;
-  }
+    if (0 == error) {
+        nss_ClearErrorStack();
+        return;
+    }
 
-  es = error_get_my_stack();
-  if( (error_stack *)NULL == es ) {
-    /* Oh, well. */
-    return;
-  }
+    es = error_get_my_stack();
+    if ((error_stack *)NULL == es) {
+        /* Oh, well. */
+        return;
+    }
 
-  if (es->header.count < es->header.space) {
-    es->stack[ es->header.count++ ] = error;
-  } else {
-    memmove(es->stack, es->stack + 1, 
-		(es->header.space - 1) * (sizeof es->stack[0]));
-    es->stack[ es->header.space - 1 ] = error;
-  }
-  return;
+    if (es->header.count < es->header.space) {
+        es->stack[es->header.count++] = error;
+    }
+    else {
+        memmove(es->stack, es->stack + 1,
+                (es->header.space - 1) * (sizeof es->stack[0]));
+        es->stack[es->header.space - 1] = error;
+    }
+    return;
 }
 
 /*
  * nss_ClearErrorStack
  *
  * This routine clears the calling thread's error stack.
  */
 
 NSS_IMPLEMENT void
-nss_ClearErrorStack ( void)
+nss_ClearErrorStack(void)
 {
-  error_stack *es = error_get_my_stack();
-  if( (error_stack *)NULL == es ) {
-    /* Oh, well. */
+    error_stack *es = error_get_my_stack();
+    if ((error_stack *)NULL == es) {
+        /* Oh, well. */
+        return;
+    }
+
+    es->header.count = 0;
+    es->stack[0] = 0;
     return;
-  }
-
-  es->header.count = 0;
-  es->stack[0] = 0;
-  return;
 }
 
 /*
  * nss_DestroyErrorStack
  *
  * This routine frees the calling thread's error stack.
  */
 
 NSS_IMPLEMENT void
-nss_DestroyErrorStack ( void)
+nss_DestroyErrorStack(void)
 {
-  if( INVALID_TPD_INDEX != error_stack_index ) {
-    PR_SetThreadPrivate(error_stack_index, NULL);
-  }
-  return;
+    if (INVALID_TPD_INDEX != error_stack_index) {
+        PR_SetThreadPrivate(error_stack_index, NULL);
+    }
+    return;
 }
--- a/security/nss/lib/base/errorval.c
+++ b/security/nss/lib/base/errorval.c
@@ -7,16 +7,18 @@
  *
  * This file contains the actual error constants used in NSS.
  */
 
 #ifndef NSSBASET_H
 #include "nssbaset.h"
 #endif /* NSSBASET_H */
 
+/* clang-format off */
+
 const NSSError NSS_ERROR_NO_ERROR                       =  0;
 const NSSError NSS_ERROR_INTERNAL_ERROR                 =  1;
 const NSSError NSS_ERROR_NO_MEMORY                      =  2;
 const NSSError NSS_ERROR_INVALID_POINTER                =  3;
 const NSSError NSS_ERROR_INVALID_ARENA                  =  4;
 const NSSError NSS_ERROR_INVALID_ARENA_MARK             =  5;
 const NSSError NSS_ERROR_DUPLICATE_POINTER              =  6;
 const NSSError NSS_ERROR_POINTER_NOT_REGISTERED         =  7;
@@ -55,8 +57,9 @@ const NSSError NSS_ERROR_CERTIFICATE_IN_
 const NSSError NSS_ERROR_HASH_COLLISION                 = 33;
 const NSSError NSS_ERROR_DEVICE_ERROR                   = 34;
 const NSSError NSS_ERROR_INVALID_CERTIFICATE            = 35;
 const NSSError NSS_ERROR_BUSY                           = 36;
 const NSSError NSS_ERROR_ALREADY_INITIALIZED            = 37;
 
 const NSSError NSS_ERROR_PKCS11                         = 38;
 
+/* clang-format on */
\ No newline at end of file
--- a/security/nss/lib/base/hash.c
+++ b/security/nss/lib/base/hash.c
@@ -27,345 +27,293 @@
  *  nssHash_Remove
  *  nssHash_Count
  *  nssHash_Exists
  *  nssHash_Lookup
  *  nssHash_Iterate
  */
 
 struct nssHashStr {
-  NSSArena *arena;
-  PRBool i_alloced_arena;
-  PRLock *mutex;
+    NSSArena *arena;
+    PRBool i_alloced_arena;
+    PRLock *mutex;
 
-  /*
-   * The invariant that mutex protects is:
-   *   The count accurately reflects the hashtable state.
-   */
+    /*
+     * The invariant that mutex protects is:
+     *   The count accurately reflects the hashtable state.
+     */
 
-  PLHashTable *plHashTable;
-  PRUint32 count;
+    PLHashTable *plHashTable;
+    PRUint32 count;
 };
 
 static PLHashNumber
-nss_identity_hash
-(
-  const void *key
-)
+nss_identity_hash(const void *key)
 {
-  return (PLHashNumber)((char *)key - (char *)NULL);
+    return (PLHashNumber)((char *)key - (char *)NULL);
 }
 
 static PLHashNumber
-nss_item_hash
-(
-  const void *key
-)
+nss_item_hash(const void *key)
 {
-  unsigned int i;
-  PLHashNumber h;
-  NSSItem *it = (NSSItem *)key;
-  h = 0;
-  for (i=0; i<it->size; i++)
-    h = PR_ROTATE_LEFT32(h, 4) ^ ((unsigned char *)it->data)[i];
-  return h;
+    unsigned int i;
+    PLHashNumber h;
+    NSSItem *it = (NSSItem *)key;
+    h = 0;
+    for (i = 0; i < it->size; i++)
+        h = PR_ROTATE_LEFT32(h, 4) ^ ((unsigned char *)it->data)[i];
+    return h;
 }
 
 static int
 nss_compare_items(const void *v1, const void *v2)
 {
-  PRStatus ignore;
-  return (int)nssItem_Equal((NSSItem *)v1, (NSSItem *)v2, &ignore);
+    PRStatus ignore;
+    return (int)nssItem_Equal((NSSItem *)v1, (NSSItem *)v2, &ignore);
 }
 
 /*
  * nssHash_create
  *
  */
 NSS_IMPLEMENT nssHash *
-nssHash_Create
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets,
-  PLHashFunction keyHash,
-  PLHashComparator keyCompare,
-  PLHashComparator valueCompare
-)
+nssHash_Create(NSSArena *arenaOpt, PRUint32 numBuckets, PLHashFunction keyHash,
+               PLHashComparator keyCompare, PLHashComparator valueCompare)
 {
-  nssHash *rv;
-  NSSArena *arena;
-  PRBool i_alloced;
+    nssHash *rv;
+    NSSArena *arena;
+    PRBool i_alloced;
 
 #ifdef NSSDEBUG
-  if( arenaOpt && PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (nssHash *)NULL;
-  }
+    if (arenaOpt && PR_SUCCESS != nssArena_verifyPointer(arenaOpt)) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return (nssHash *)NULL;
+    }
 #endif /* NSSDEBUG */
 
-  if (arenaOpt) {
-    arena = arenaOpt;
-    i_alloced = PR_FALSE;
-  } else {
-    arena = nssArena_Create();
-    i_alloced = PR_TRUE;
-  }
+    if (arenaOpt) {
+        arena = arenaOpt;
+        i_alloced = PR_FALSE;
+    }
+    else {
+        arena = nssArena_Create();
+        i_alloced = PR_TRUE;
+    }
 
-  rv = nss_ZNEW(arena, nssHash);
-  if( (nssHash *)NULL == rv ) {
-    goto loser;
-  }
+    rv = nss_ZNEW(arena, nssHash);
+    if ((nssHash *)NULL == rv) {
+        goto loser;
+    }
 
-  rv->mutex = PZ_NewLock(nssILockOther);
-  if( (PZLock *)NULL == rv->mutex ) {
-    goto loser;
-  }
+    rv->mutex = PZ_NewLock(nssILockOther);
+    if ((PZLock *)NULL == rv->mutex) {
+        goto loser;
+    }
 
-  rv->plHashTable = PL_NewHashTable(numBuckets, 
-                                    keyHash, keyCompare, valueCompare,
-                                    &nssArenaHashAllocOps, arena);
-  if( (PLHashTable *)NULL == rv->plHashTable ) {
-    (void)PZ_DestroyLock(rv->mutex);
-    goto loser;
-  }
+    rv->plHashTable =
+        PL_NewHashTable(numBuckets, keyHash, keyCompare, valueCompare,
+                        &nssArenaHashAllocOps, arena);
+    if ((PLHashTable *)NULL == rv->plHashTable) {
+        (void)PZ_DestroyLock(rv->mutex);
+        goto loser;
+    }
 
-  rv->count = 0;
-  rv->arena = arena;
-  rv->i_alloced_arena = i_alloced;
+    rv->count = 0;
+    rv->arena = arena;
+    rv->i_alloced_arena = i_alloced;
 
-  return rv;
+    return rv;
 loser:
-  (void)nss_ZFreeIf(rv);
-  return (nssHash *)NULL;
+    (void)nss_ZFreeIf(rv);
+    return (nssHash *)NULL;
 }
 
 /*
  * nssHash_CreatePointer
  *
  */
 NSS_IMPLEMENT nssHash *
-nssHash_CreatePointer
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-)
+nssHash_CreatePointer(NSSArena *arenaOpt, PRUint32 numBuckets)
 {
-  return nssHash_Create(arenaOpt, numBuckets, 
-                        nss_identity_hash, PL_CompareValues, PL_CompareValues);
+    return nssHash_Create(arenaOpt, numBuckets, nss_identity_hash,
+                          PL_CompareValues, PL_CompareValues);
 }
 
 /*
  * nssHash_CreateString
  *
  */
 NSS_IMPLEMENT nssHash *
-nssHash_CreateString
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-)
+nssHash_CreateString(NSSArena *arenaOpt, PRUint32 numBuckets)
 {
-  return nssHash_Create(arenaOpt, numBuckets, 
-                        PL_HashString, PL_CompareStrings, PL_CompareStrings);
+    return nssHash_Create(arenaOpt, numBuckets, PL_HashString,
+                          PL_CompareStrings, PL_CompareStrings);
 }
 
 /*
  * nssHash_CreateItem
  *
  */
 NSS_IMPLEMENT nssHash *
-nssHash_CreateItem
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-)
+nssHash_CreateItem(NSSArena *arenaOpt, PRUint32 numBuckets)
 {
-  return nssHash_Create(arenaOpt, numBuckets, 
-                        nss_item_hash, nss_compare_items, PL_CompareValues);
+    return nssHash_Create(arenaOpt, numBuckets, nss_item_hash,
+                          nss_compare_items, PL_CompareValues);
 }
 
 /*
  * nssHash_Destroy
  *
  */
 NSS_IMPLEMENT void
-nssHash_Destroy
-(
-  nssHash *hash
-)
+nssHash_Destroy(nssHash *hash)
 {
-  (void)PZ_DestroyLock(hash->mutex);
-  PL_HashTableDestroy(hash->plHashTable);
-  if (hash->i_alloced_arena) {
-    nssArena_Destroy(hash->arena);
-  } else {
-    nss_ZFreeIf(hash);
-  }
+    (void)PZ_DestroyLock(hash->mutex);
+    PL_HashTableDestroy(hash->plHashTable);
+    if (hash->i_alloced_arena) {
+        nssArena_Destroy(hash->arena);
+    }
+    else {
+        nss_ZFreeIf(hash);
+    }
 }
 
 /*
  * nssHash_Add
  *
  */
 NSS_IMPLEMENT PRStatus
-nssHash_Add
-(
-  nssHash *hash,
-  const void *key,
-  const void *value
-)
+nssHash_Add(nssHash *hash, const void *key, const void *value)
 {
-  PRStatus error = PR_FAILURE;
-  PLHashEntry *he;
+    PRStatus error = PR_FAILURE;
+    PLHashEntry *he;
+
+    PZ_Lock(hash->mutex);
 
-  PZ_Lock(hash->mutex);
-  
-  he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
-  if( (PLHashEntry *)NULL == he ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-  } else if (he->value != value) {
-    nss_SetError(NSS_ERROR_HASH_COLLISION);
-  } else {
-    hash->count++;
-    error = PR_SUCCESS;
-  }
+    he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
+    if ((PLHashEntry *)NULL == he) {
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+    }
+    else if (he->value != value) {
+        nss_SetError(NSS_ERROR_HASH_COLLISION);
+    }
+    else {
+        hash->count++;
+        error = PR_SUCCESS;
+    }
 
-  (void)PZ_Unlock(hash->mutex);
+    (void)PZ_Unlock(hash->mutex);
 
-  return error;
+    return error;
 }
 
 /*
  * nssHash_Remove
  *
  */
 NSS_IMPLEMENT void
-nssHash_Remove
-(
-  nssHash *hash,
-  const void *it
-)
+nssHash_Remove(nssHash *hash, const void *it)
 {
-  PRBool found;
+    PRBool found;
+
+    PZ_Lock(hash->mutex);
 
-  PZ_Lock(hash->mutex);
+    found = PL_HashTableRemove(hash->plHashTable, it);
+    if (found) {
+        hash->count--;
+    }
 
-  found = PL_HashTableRemove(hash->plHashTable, it);
-  if( found ) {
-    hash->count--;
-  }
-
-  (void)PZ_Unlock(hash->mutex);
-  return;
+    (void)PZ_Unlock(hash->mutex);
+    return;
 }
 
 /*
  * nssHash_Count
  *
  */
 NSS_IMPLEMENT PRUint32
-nssHash_Count
-(
-  nssHash *hash
-)
+nssHash_Count(nssHash *hash)
 {
-  PRUint32 count;
+    PRUint32 count;
+
+    PZ_Lock(hash->mutex);
 
-  PZ_Lock(hash->mutex);
-
-  count = hash->count;
+    count = hash->count;
 
-  (void)PZ_Unlock(hash->mutex);
+    (void)PZ_Unlock(hash->mutex);
 
-  return count;
+    return count;
 }
 
 /*
  * nssHash_Exists
  *
  */
 NSS_IMPLEMENT PRBool
-nssHash_Exists
-(
-  nssHash *hash,
-  const void *it
-)
+nssHash_Exists(nssHash *hash, const void *it)
 {
-  void *value;
+    void *value;
 
-  PZ_Lock(hash->mutex);
+    PZ_Lock(hash->mutex);
+
+    value = PL_HashTableLookup(hash->plHashTable, it);
 
-  value = PL_HashTableLookup(hash->plHashTable, it);
-
-  (void)PZ_Unlock(hash->mutex);
+    (void)PZ_Unlock(hash->mutex);
 
-  if( (void *)NULL == value ) {
-    return PR_FALSE;
-  } else {
-    return PR_TRUE;
-  }
+    if ((void *)NULL == value) {
+        return PR_FALSE;
+    }
+    else {
+        return PR_TRUE;
+    }
 }
 
 /*
  * nssHash_Lookup
  *
  */
 NSS_IMPLEMENT void *
-nssHash_Lookup
-(
-  nssHash *hash,
-  const void *it
-)
+nssHash_Lookup(nssHash *hash, const void *it)
 {
-  void *rv;
+    void *rv;
+
+    PZ_Lock(hash->mutex);
 
-  PZ_Lock(hash->mutex);
-
-  rv = PL_HashTableLookup(hash->plHashTable, it);
+    rv = PL_HashTableLookup(hash->plHashTable, it);
 
-  (void)PZ_Unlock(hash->mutex);
+    (void)PZ_Unlock(hash->mutex);
 
-  return rv;
+    return rv;
 }
 
 struct arg_str {
-  nssHashIterator fcn;
-  void *closure;
+    nssHashIterator fcn;
+    void *closure;
 };
 
 static PRIntn
-nss_hash_enumerator
-(
-  PLHashEntry *he,
-  PRIntn index,
-  void *arg
-)
+nss_hash_enumerator(PLHashEntry *he, PRIntn index, void *arg)
 {
-  struct arg_str *as = (struct arg_str *)arg;
-  as->fcn(he->key, he->value, as->closure);
-  return HT_ENUMERATE_NEXT;
+    struct arg_str *as = (struct arg_str *)arg;
+    as->fcn(he->key, he->value, as->closure);
+    return HT_ENUMERATE_NEXT;
 }
 
 /*
  * nssHash_Iterate
  *
  * NOTE that the iteration function will be called with the hashtable locked.
  */
 NSS_IMPLEMENT void
-nssHash_Iterate
-(
-  nssHash *hash,
-  nssHashIterator fcn,
-  void *closure
-)
+nssHash_Iterate(nssHash *hash, nssHashIterator fcn, void *closure)
 {
-  struct arg_str as;
-  as.fcn = fcn;
-  as.closure = closure;
+    struct arg_str as;
+    as.fcn = fcn;
+    as.closure = closure;
 
-  PZ_Lock(hash->mutex);
+    PZ_Lock(hash->mutex);
 
-  PL_HashTableEnumerateEntries(hash->plHashTable, nss_hash_enumerator, &as);
+    PL_HashTableEnumerateEntries(hash->plHashTable, nss_hash_enumerator, &as);
 
-  (void)PZ_Unlock(hash->mutex);
+    (void)PZ_Unlock(hash->mutex);
 
-  return;
+    return;
 }
--- a/security/nss/lib/base/hashops.c
+++ b/security/nss/lib/base/hashops.c
@@ -7,78 +7,58 @@
  *
  * This file includes a set of PLHashAllocOps that use NSSArenas.
  */
 
 #ifndef BASE_H
 #include "base.h"
 #endif /* BASE_H */
 
-static void * PR_CALLBACK
-nss_arena_hash_alloc_table
-(
-  void *pool,
-  PRSize size
-)
+static void *PR_CALLBACK
+nss_arena_hash_alloc_table(void *pool, PRSize size)
 {
-  NSSArena *arena = (NSSArena *)NULL;
+    NSSArena *arena = (NSSArena *)NULL;
 
 #ifdef NSSDEBUG
-  if( (void *)NULL != arena ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-      return (void *)NULL;
+    if ((void *)NULL != arena) {
+        if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+            return (void *)NULL;
+        }
     }
-  }
 #endif /* NSSDEBUG */
 
-  return nss_ZAlloc(arena, size);
+    return nss_ZAlloc(arena, size);
 }
 
 static void PR_CALLBACK
-nss_arena_hash_free_table
-(
-  void *pool, 
-  void *item
-)
+nss_arena_hash_free_table(void *pool, void *item)
 {
-  (void)nss_ZFreeIf(item);
+    (void)nss_ZFreeIf(item);
 }
 
-static PLHashEntry * PR_CALLBACK
-nss_arena_hash_alloc_entry
-(
-  void *pool,
-  const void *key
-)
+static PLHashEntry *PR_CALLBACK
+nss_arena_hash_alloc_entry(void *pool, const void *key)
 {
-  NSSArena *arena = NULL;
+    NSSArena *arena = NULL;
 
 #ifdef NSSDEBUG
-  if( (void *)NULL != arena ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-      return (void *)NULL;
+    if ((void *)NULL != arena) {
+        if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+            return (void *)NULL;
+        }
     }
-  }
 #endif /* NSSDEBUG */
 
-  return nss_ZNEW(arena, PLHashEntry);
+    return nss_ZNEW(arena, PLHashEntry);
 }
 
 static void PR_CALLBACK
-nss_arena_hash_free_entry
-(
-  void *pool,
-  PLHashEntry *he,
-  PRUintn flag
-)
+nss_arena_hash_free_entry(void *pool, PLHashEntry *he, PRUintn flag)
 {
-  if( HT_FREE_ENTRY == flag ) {
-    (void)nss_ZFreeIf(he);
-  }
+    if (HT_FREE_ENTRY == flag) {
+        (void)nss_ZFreeIf(he);
+    }
 }
 
-NSS_IMPLEMENT_DATA PLHashAllocOps 
-nssArenaHashAllocOps = {
-  nss_arena_hash_alloc_table,
-  nss_arena_hash_free_table,
-  nss_arena_hash_alloc_entry,
-  nss_arena_hash_free_entry
+NSS_IMPLEMENT_DATA PLHashAllocOps nssArenaHashAllocOps = {
+    nss_arena_hash_alloc_table, nss_arena_hash_free_table,
+    nss_arena_hash_alloc_entry, nss_arena_hash_free_entry
 };
--- a/security/nss/lib/base/item.c
+++ b/security/nss/lib/base/item.c
@@ -17,128 +17,115 @@
  *
  * -- fgmr comments --
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *  NSS_ERROR_INVALID_POINTER
- *  
+ *
  * Return value:
  *  A pointer to an NSSItem upon success
  *  NULL upon failure
  */
 
 NSS_IMPLEMENT NSSItem *
-nssItem_Create
-(
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt,
-  PRUint32 length,
-  const void *data
-)
+nssItem_Create(NSSArena *arenaOpt, NSSItem *rvOpt, PRUint32 length,
+               const void *data)
 {
-  NSSItem *rv = (NSSItem *)NULL;
+    NSSItem *rv = (NSSItem *)NULL;
 
 #ifdef DEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSItem *)NULL;
+    if ((NSSArena *)NULL != arenaOpt) {
+        if (PR_SUCCESS != nssArena_verifyPointer(arenaOpt)) {
+            return (NSSItem *)NULL;
+        }
     }
-  }
 
-  if( (const void *)NULL == data ) {
-    if( length > 0 ) {
-      nss_SetError(NSS_ERROR_INVALID_POINTER);
-      return (NSSItem *)NULL;
+    if ((const void *)NULL == data) {
+        if (length > 0) {
+            nss_SetError(NSS_ERROR_INVALID_POINTER);
+            return (NSSItem *)NULL;
+        }
     }
-  }
 #endif /* DEBUG */
 
-  if( (NSSItem *)NULL == rvOpt ) {
-    rv = (NSSItem *)nss_ZNEW(arenaOpt, NSSItem);
-    if( (NSSItem *)NULL == rv ) {
-      goto loser;
+    if ((NSSItem *)NULL == rvOpt) {
+        rv = (NSSItem *)nss_ZNEW(arenaOpt, NSSItem);
+        if ((NSSItem *)NULL == rv) {
+            goto loser;
+        }
     }
-  } else {
-    rv = rvOpt;
-  }
+    else {
+        rv = rvOpt;
+    }
 
-  rv->size = length;
-  rv->data = nss_ZAlloc(arenaOpt, length);
-  if( (void *)NULL == rv->data ) {
-    goto loser;
-  }
+    rv->size = length;
+    rv->data = nss_ZAlloc(arenaOpt, length);
+    if ((void *)NULL == rv->data) {
+        goto loser;
+    }
 
-  if( length > 0 ) {
-    (void)nsslibc_memcpy(rv->data, data, length);
-  }
+    if (length > 0) {
+        (void)nsslibc_memcpy(rv->data, data, length);
+    }
 
-  return rv;
+    return rv;
 
- loser:
-  if( rv != rvOpt ) {
-    nss_ZFreeIf(rv);
-  }
+loser:
+    if (rv != rvOpt) {
+        nss_ZFreeIf(rv);
+    }
 
-  return (NSSItem *)NULL;
+    return (NSSItem *)NULL;
 }
 
 NSS_IMPLEMENT void
-nssItem_Destroy
-(
-  NSSItem *item
-)
+nssItem_Destroy(NSSItem *item)
 {
-  nss_ClearErrorStack();
+    nss_ClearErrorStack();
 
-  nss_ZFreeIf(item->data);
-  nss_ZFreeIf(item);
-
+    nss_ZFreeIf(item->data);
+    nss_ZFreeIf(item);
 }
 
 /*
  * nssItem_Duplicate
  *
  * -- fgmr comments --
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *  NSS_ERROR_INVALID_ITEM
- *  
+ *
  * Return value:
  *  A pointer to an NSSItem upon success
  *  NULL upon failure
  */
 
 NSS_IMPLEMENT NSSItem *
-nssItem_Duplicate
-(
-  NSSItem *obj,
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt
-)
+nssItem_Duplicate(NSSItem *obj, NSSArena *arenaOpt, NSSItem *rvOpt)
 {
 #ifdef DEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSItem *)NULL;
+    if ((NSSArena *)NULL != arenaOpt) {
+        if (PR_SUCCESS != nssArena_verifyPointer(arenaOpt)) {
+            return (NSSItem *)NULL;
+        }
     }
-  }
 
-  if( (NSSItem *)NULL == obj ) {
-    nss_SetError(NSS_ERROR_INVALID_ITEM);
-    return (NSSItem *)NULL;
-  }
+    if ((NSSItem *)NULL == obj) {
+        nss_SetError(NSS_ERROR_INVALID_ITEM);
+        return (NSSItem *)NULL;
+    }
 #endif /* DEBUG */
 
-  return nssItem_Create(arenaOpt, rvOpt, obj->size, obj->data);
+    return nssItem_Create(arenaOpt, rvOpt, obj->size, obj->data);
 }
 
 #ifdef DEBUG
 /*
  * nssItem_verifyPointer
  *
  * -- fgmr comments --
  *
@@ -146,28 +133,25 @@ nssItem_Duplicate
  *  NSS_ERROR_INVALID_ITEM
  *
  * Return value:
  *  PR_SUCCESS upon success
  *  PR_FAILURE upon failure
  */
 
 NSS_IMPLEMENT PRStatus
-nssItem_verifyPointer
-(
-  const NSSItem *item
-)
+nssItem_verifyPointer(const NSSItem *item)
 {
-  if( ((const NSSItem *)NULL == item) ||
-      (((void *)NULL == item->data) && (item->size > 0)) ) {
-    nss_SetError(NSS_ERROR_INVALID_ITEM);
-    return PR_FAILURE;
-  }
+    if (((const NSSItem *)NULL == item) ||
+        (((void *)NULL == item->data) && (item->size > 0))) {
+        nss_SetError(NSS_ERROR_INVALID_ITEM);
+        return PR_FAILURE;
+    }
 
-  return PR_SUCCESS;
+    return PR_SUCCESS;
 }
 #endif /* DEBUG */
 
 /*
  * nssItem_Equal
  *
  * -- fgmr comments --
  *
@@ -176,33 +160,28 @@ nssItem_verifyPointer
  *
  * Return value:
  *  PR_TRUE if the items are identical
  *  PR_FALSE if they aren't
  *  PR_FALSE upon error
  */
 
 NSS_IMPLEMENT PRBool
-nssItem_Equal
-(
-  const NSSItem *one,
-  const NSSItem *two,
-  PRStatus *statusOpt
-)
+nssItem_Equal(const NSSItem *one, const NSSItem *two, PRStatus *statusOpt)
 {
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
+    if ((PRStatus *)NULL != statusOpt) {
+        *statusOpt = PR_SUCCESS;
+    }
+
+    if (((const NSSItem *)NULL == one) && ((const NSSItem *)NULL == two)) {
+        return PR_TRUE;
+    }
 
-  if( ((const NSSItem *)NULL == one) && ((const NSSItem *)NULL == two) ) {
-    return PR_TRUE;
-  }
+    if (((const NSSItem *)NULL == one) || ((const NSSItem *)NULL == two)) {
+        return PR_FALSE;
+    }
 
-  if( ((const NSSItem *)NULL == one) || ((const NSSItem *)NULL == two) ) {
-    return PR_FALSE;
-  }
+    if (one->size != two->size) {
+        return PR_FALSE;
+    }
 
-  if( one->size != two->size ) {
-    return PR_FALSE;
-  }
-
-  return nsslibc_memequal(one->data, two->data, one->size, statusOpt);
+    return nsslibc_memequal(one->data, two->data, one->size, statusOpt);
 }
--- a/security/nss/lib/base/libc.c
+++ b/security/nss/lib/base/libc.c
@@ -1,19 +1,19 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * libc.c
  *
- * This file contains our wrappers/reimplementations for "standard" 
- * libc functions.  Things like "memcpy."  We add to this as we need 
- * it.  Oh, and let's keep it in alphabetical order, should it ever 
- * get large.  Most string/character stuff should be in utf8.c, not 
+ * This file contains our wrappers/reimplementations for "standard"
+ * libc functions.  Things like "memcpy."  We add to this as we need
+ * it.  Oh, and let's keep it in alphabetical order, should it ever
+ * get large.  Most string/character stuff should be in utf8.c, not
  * here.  This file (and maybe utf8.c) should be the only ones in
  * NSS to include files with angle brackets.
  */
 
 #ifndef BASE_H
 #include "base.h"
 #endif /* BASE_H */
 
@@ -33,132 +33,112 @@
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  NULL on error
  *  The destination pointer on success
  */
 
 NSS_IMPLEMENT void *
-nsslibc_memcpy
-(
-  void *dest,
-  const void *source,
-  PRUint32 n
-)
+nsslibc_memcpy(void *dest, const void *source, PRUint32 n)
 {
 #ifdef NSSDEBUG
-  if( ((void *)NULL == dest) || ((const void *)NULL == source) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (void *)NULL;
-  }
+    if (((void *)NULL == dest) || ((const void *)NULL == source)) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return (void *)NULL;
+    }
 #endif /* NSSDEBUG */
 
-  return memcpy(dest, source, (size_t)n);
+    return memcpy(dest, source, (size_t)n);
 }
 
 /*
  * nsslibc_memset
  *
  * Errors:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  NULL on error
  *  The destination pointer on success
  */
 
 NSS_IMPLEMENT void *
-nsslibc_memset
-(
-  void *dest,
-  PRUint8 byte,
-  PRUint32 n
-)
+nsslibc_memset(void *dest, PRUint8 byte, PRUint32 n)
 {
 #ifdef NSSDEBUG
-  if( ((void *)NULL == dest) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (void *)NULL;
-  }
+    if (((void *)NULL == dest)) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return (void *)NULL;
+    }
 #endif /* NSSDEBUG */
 
-  return memset(dest, (int)byte, (size_t)n);
+    return memset(dest, (int)byte, (size_t)n);
 }
 
 /*
  * nsslibc_memequal
  *
  * Errors:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_TRUE if they match
  *  PR_FALSE if they don't
  *  PR_FALSE upon error
  */
 
 NSS_IMPLEMENT PRBool
-nsslibc_memequal
-(
-  const void *a,
-  const void *b,
-  PRUint32 len,
-  PRStatus *statusOpt
-)
+nsslibc_memequal(const void *a, const void *b, PRUint32 len,
+                 PRStatus *statusOpt)
 {
 #ifdef NSSDEBUG
-  if( (((void *)NULL == a) || ((void *)NULL == b)) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
+    if ((((void *)NULL == a) || ((void *)NULL == b))) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        if ((PRStatus *)NULL != statusOpt) {
+            *statusOpt = PR_FAILURE;
+        }
+        return PR_FALSE;
     }
-    return PR_FALSE;
-  }
 #endif /* NSSDEBUG */
 
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
+    if ((PRStatus *)NULL != statusOpt) {
+        *statusOpt = PR_SUCCESS;
+    }
 
-  if( 0 == memcmp(a, b, len) ) {
-    return PR_TRUE;
-  } else {
-    return PR_FALSE;
-  }
+    if (0 == memcmp(a, b, len)) {
+        return PR_TRUE;
+    }
+    else {
+        return PR_FALSE;
+    }
 }
 
 /*
  * nsslibc_memcmp
  */
 
 NSS_IMPLEMENT PRInt32
-nsslibc_memcmp
-(
-  const void *a,
-  const void *b,
-  PRUint32 len,
-  PRStatus *statusOpt
-)
+nsslibc_memcmp(const void *a, const void *b, PRUint32 len, PRStatus *statusOpt)
 {
-  int v;
+    int v;
 
 #ifdef NSSDEBUG
-  if( (((void *)NULL == a) || ((void *)NULL == b)) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
+    if ((((void *)NULL == a) || ((void *)NULL == b))) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        if ((PRStatus *)NULL != statusOpt) {
+            *statusOpt = PR_FAILURE;
+        }
+        return -2;
     }
-    return -2;
-  }
 #endif /* NSSDEBUG */
 
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
+    if ((PRStatus *)NULL != statusOpt) {
+        *statusOpt = PR_SUCCESS;
+    }
 
-  v = memcmp(a, b, len);
-  return (PRInt32)v;
+    v = memcmp(a, b, len);
+    return (PRInt32)v;
 }
 
 /*
  * offsetof is a preprocessor definition
  */
--- a/security/nss/lib/base/list.c
+++ b/security/nss/lib/base/list.c
@@ -8,131 +8,131 @@
  * This contains the implementation of NSS's thread-safe linked list.
  */
 
 #ifndef BASE_H
 #include "base.h"
 #endif /* BASE_H */
 
 struct nssListElementStr {
-    PRCList  link;
-    void    *data;
+    PRCList link;
+    void *data;
 };
 
 typedef struct nssListElementStr nssListElement;
 
 struct nssListStr {
-    NSSArena       *arena;
-    PZLock         *lock;
+    NSSArena *arena;
+    PZLock *lock;
     nssListElement *head;
-    PRUint32        count;
+    PRUint32 count;
     nssListCompareFunc compareFunc;
-    nssListSortFunc    sortFunc;
+    nssListSortFunc sortFunc;
     PRBool i_alloced_arena;
 };
 
 struct nssListIteratorStr {
     PZLock *lock;
     nssList *list;
     nssListElement *current;
 };
 
-#define NSSLIST_LOCK_IF(list) \
-    if ((list)->lock) PZ_Lock((list)->lock)
+#define NSSLIST_LOCK_IF(list)                                                  \
+    if ((list)->lock)                                                          \
+    PZ_Lock((list)->lock)
 
-#define NSSLIST_UNLOCK_IF(list) \
-    if ((list)->lock) PZ_Unlock((list)->lock)
+#define NSSLIST_UNLOCK_IF(list)                                                \
+    if ((list)->lock)                                                          \
+    PZ_Unlock((list)->lock)
 
 static PRBool
 pointer_compare(void *a, void *b)
 {
     return (PRBool)(a == b);
 }
 
 static nssListElement *
 nsslist_get_matching_element(nssList *list, void *data)
 {
     PRCList *link;
     nssListElement *node;
     node = list->head;
     if (!node) {
-	return NULL;
+        return NULL;
     }
     link = &node->link;
     while (node) {
-	/* using a callback slows things down when it's just compare ... */
-	if (list->compareFunc(node->data, data)) {
-	    break;
-	}
-	link = &node->link;
-	if (link == PR_LIST_TAIL(&list->head->link)) {
-	    node = NULL;
-	    break;
-	}
-	node = (nssListElement *)PR_NEXT_LINK(&node->link);
+        /* using a callback slows things down when it's just compare ... */
+        if (list->compareFunc(node->data, data)) {
+            break;
+        }
+        link = &node->link;
+        if (link == PR_LIST_TAIL(&list->head->link)) {
+            node = NULL;
+            break;
+        }
+        node = (nssListElement *)PR_NEXT_LINK(&node->link);
     }
     return node;
 }
 
 NSS_IMPLEMENT nssList *
-nssList_Create
-(
-  NSSArena *arenaOpt,
-  PRBool threadSafe
-)
+nssList_Create(NSSArena *arenaOpt, PRBool threadSafe)
 {
     NSSArena *arena;
     nssList *list;
     PRBool i_alloced;
     if (arenaOpt) {
-	arena = arenaOpt;
-	i_alloced = PR_FALSE;
-    } else {
-	arena = nssArena_Create();
-	i_alloced = PR_TRUE;
+        arena = arenaOpt;
+        i_alloced = PR_FALSE;
+    }
+    else {
+        arena = nssArena_Create();
+        i_alloced = PR_TRUE;
     }
     if (!arena) {
-	return (nssList *)NULL;
+        return (nssList *)NULL;
     }
     list = nss_ZNEW(arena, nssList);
     if (!list) {
-	if (!arenaOpt) {
-	    NSSArena_Destroy(arena);
-	}
-	return (nssList *)NULL;
+        if (!arenaOpt) {
+            NSSArena_Destroy(arena);
+        }
+        return (nssList *)NULL;
     }
     if (threadSafe) {
-	list->lock = PZ_NewLock(nssILockOther);
-	if (!list->lock) {
-	    if (arenaOpt) {
-		nss_ZFreeIf(list);
-	    } else {
-		NSSArena_Destroy(arena);
-	    }
-	    return (nssList *)NULL;
-	}
+        list->lock = PZ_NewLock(nssILockOther);
+        if (!list->lock) {
+            if (arenaOpt) {
+                nss_ZFreeIf(list);
+            }
+            else {
+                NSSArena_Destroy(arena);
+            }
+            return (nssList *)NULL;
+        }
     }
     list->arena = arena;
     list->i_alloced_arena = i_alloced;
     list->compareFunc = pointer_compare;
     return list;
 }
 
 NSS_IMPLEMENT PRStatus
 nssList_Destroy(nssList *list)
 {
     if (!list->i_alloced_arena) {
-	nssList_Clear(list, NULL);
+        nssList_Clear(list, NULL);
     }
     if (list->lock) {
-	(void)PZ_DestroyLock(list->lock);
+        (void)PZ_DestroyLock(list->lock);
     }
     if (list->i_alloced_arena) {
-	NSSArena_Destroy(list->arena);
-	list = NULL;
+        NSSArena_Destroy(list->arena);
+        list = NULL;
     }
     nss_ZFreeIf(list);
     return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT void
 nssList_SetCompareFunction(nssList *list, nssListCompareFunc compareFunc)
 {
@@ -156,64 +156,68 @@ NSS_IMPLEMENT void
 nssList_Clear(nssList *list, nssListElementDestructorFunc destructor)
 {
     PRCList *link;
     nssListElement *node, *tmp;
     NSSLIST_LOCK_IF(list);
     node = list->head;
     list->head = NULL;
     while (node && list->count > 0) {
-	if (destructor) (*destructor)(node->data);
-	link = &node->link;
-	tmp = (nssListElement *)PR_NEXT_LINK(link);
-	PR_REMOVE_LINK(link);
-	nss_ZFreeIf(node);
-	node = tmp;
-	--list->count;
+        if (destructor)
+            (*destructor)(node->data);
+        link = &node->link;
+        tmp = (nssListElement *)PR_NEXT_LINK(link);
+        PR_REMOVE_LINK(link);
+        nss_ZFreeIf(node);
+        node = tmp;
+        --list->count;
     }
     NSSLIST_UNLOCK_IF(list);
 }
 
 static PRStatus
 nsslist_add_element(nssList *list, void *data)
 {
     nssListElement *node = nss_ZNEW(list->arena, nssListElement);
     if (!node) {
-	return PR_FAILURE;
+        return PR_FAILURE;
     }
     PR_INIT_CLIST(&node->link);
     node->data = data;
     if (list->head) {
-	if (list->sortFunc) {
-	    PRCList *link;
-	    nssListElement *currNode;
-	    currNode = list->head;
-	    /* insert in ordered list */
-	    while (currNode) {
-		link = &currNode->link;
-		if (list->sortFunc(data, currNode->data) <= 0) {
-		    /* new element goes before current node */
-		    PR_INSERT_BEFORE(&node->link, link);
-		    /* reset head if this is first */
-		    if (currNode == list->head) list->head = node;
-		    break;
-		}
-		if (link == PR_LIST_TAIL(&list->head->link)) {
-		    /* reached end of list, append */
-		    PR_INSERT_AFTER(&node->link, link);
-		    break;
-		}
-		currNode = (nssListElement *)PR_NEXT_LINK(&currNode->link);
-	    }
-	} else {
-	    /* not sorting */
-	    PR_APPEND_LINK(&node->link, &list->head->link);
-	}
-    } else {
-	list->head = node;
+        if (list->sortFunc) {
+            PRCList *link;
+            nssListElement *currNode;
+            currNode = list->head;
+            /* insert in ordered list */
+            while (currNode) {
+                link = &currNode->link;
+                if (list->sortFunc(data, currNode->data) <= 0) {
+                    /* new element goes before current node */
+                    PR_INSERT_BEFORE(&node->link, link);
+                    /* reset head if this is first */
+                    if (currNode == list->head)
+                        list->head = node;
+                    break;
+                }
+                if (link == PR_LIST_TAIL(&list->head->link)) {
+                    /* reached end of list, append */
+                    PR_INSERT_AFTER(&node->link, link);
+                    break;
+                }
+                currNode = (nssListElement *)PR_NEXT_LINK(&currNode->link);
+            }
+        }
+        else {
+            /* not sorting */
+            PR_APPEND_LINK(&node->link, &list->head->link);
+        }
+    }
+    else {
+        list->head = node;
     }
     ++list->count;
     return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT PRStatus
 nssList_Add(nssList *list, void *data)
 {
@@ -226,40 +230,40 @@ nssList_Add(nssList *list, void *data)
 NSS_IMPLEMENT PRStatus
 nssList_AddUnique(nssList *list, void *data)
 {
     PRStatus nssrv;
     nssListElement *node;
     NSSLIST_LOCK_IF(list);
     node = nsslist_get_matching_element(list, data);
     if (node) {
-	/* already in, finish */
-	NSSLIST_UNLOCK_IF(list);
-	return PR_SUCCESS;
+        /* already in, finish */
+        NSSLIST_UNLOCK_IF(list);
+        return PR_SUCCESS;
     }
     nssrv = nsslist_add_element(list, data);
     NSSLIST_UNLOCK_IF(list);
     return nssrv;
 }
 
 NSS_IMPLEMENT PRStatus
 nssList_Remove(nssList *list, void *data)
 {
     nssListElement *node;
     NSSLIST_LOCK_IF(list);
     node = nsslist_get_matching_element(list, data);
     if (node) {
-	if (node == list->head) {
-	    list->head = (nssListElement *)PR_NEXT_LINK(&node->link);
-	}
-	PR_REMOVE_LINK(&node->link);
-	nss_ZFreeIf(node);
-	if (--list->count == 0) {
-	    list->head = NULL;
-	}
+        if (node == list->head) {
+            list->head = (nssListElement *)PR_NEXT_LINK(&node->link);
+        }
+        PR_REMOVE_LINK(&node->link);
+        nss_ZFreeIf(node);
+        if (--list->count == 0) {
+            list->head = NULL;
+        }
     }
     NSSLIST_UNLOCK_IF(list);
     return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT void *
 nssList_Get(nssList *list, void *data)
 {
@@ -279,122 +283,122 @@ nssList_Count(nssList *list)
 NSS_IMPLEMENT PRStatus
 nssList_GetArray(nssList *list, void **rvArray, PRUint32 maxElements)
 {
     nssListElement *node;
     PRUint32 i = 0;
     PR_ASSERT(maxElements > 0);
     node = list->head;
     if (!node) {
-	return PR_SUCCESS;
+        return PR_SUCCESS;
     }
     NSSLIST_LOCK_IF(list);
     while (node) {
-	rvArray[i++] = node->data;
-	if (i == maxElements) break;
-	node = (nssListElement *)PR_NEXT_LINK(&node->link);
-	if (node == list->head) {
-	    break;
-	}
+        rvArray[i++] = node->data;
+        if (i == maxElements)
+            break;
+        node = (nssListElement *)PR_NEXT_LINK(&node->link);
+        if (node == list->head) {
+            break;
+        }
     }
     NSSLIST_UNLOCK_IF(list);
     return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT nssList *
 nssList_Clone(nssList *list)
 {
     nssList *rvList;
     nssListElement *node;
     rvList = nssList_Create(NULL, (list->lock != NULL));
     if (!rvList) {
-	return NULL;
+        return NULL;
     }
     NSSLIST_LOCK_IF(list);
     if (list->count > 0) {
-	node = list->head;
-	while (PR_TRUE) {
-	    nssList_Add(rvList, node->data);
-	    node = (nssListElement *)PR_NEXT_LINK(&node->link);
-	    if (node == list->head) {
-		break;
-	    }
-	}
+        node = list->head;
+        while (PR_TRUE) {
+            nssList_Add(rvList, node->data);
+            node = (nssListElement *)PR_NEXT_LINK(&node->link);
+            if (node == list->head) {
+                break;
+            }
+        }
     }
     NSSLIST_UNLOCK_IF(list);
     return rvList;
 }
 
 NSS_IMPLEMENT nssListIterator *
 nssList_CreateIterator(nssList *list)
 {
     nssListIterator *rvIterator;
     rvIterator = nss_ZNEW(NULL, nssListIterator);
     if (!rvIterator) {
-	return NULL;
+        return NULL;
     }
     rvIterator->list = nssList_Clone(list);
     if (!rvIterator->list) {
-	nss_ZFreeIf(rvIterator);
-	return NULL;
+        nss_ZFreeIf(rvIterator);
+        return NULL;
     }
     rvIterator->current = rvIterator->list->head;
     if (list->lock) {
-	rvIterator->lock = PZ_NewLock(nssILockOther);
-	if (!rvIterator->lock) {
-	    nssList_Destroy(rvIterator->list);
-	    nss_ZFreeIf(rvIterator);
-	    rvIterator = NULL;
-	}
+        rvIterator->lock = PZ_NewLock(nssILockOther);
+        if (!rvIterator->lock) {
+            nssList_Destroy(rvIterator->list);
+            nss_ZFreeIf(rvIterator);
+            rvIterator = NULL;
+        }
     }
     return rvIterator;
 }
 
 NSS_IMPLEMENT void
 nssListIterator_Destroy(nssListIterator *iter)
 {
     if (iter->lock) {
-	(void)PZ_DestroyLock(iter->lock);
+        (void)PZ_DestroyLock(iter->lock);
     }
     nssList_Destroy(iter->list);
     nss_ZFreeIf(iter);
 }
 
 NSS_IMPLEMENT void *
 nssListIterator_Start(nssListIterator *iter)
 {
     NSSLIST_LOCK_IF(iter);
     if (iter->list->count == 0) {
-	return NULL;
+        return NULL;
     }
     iter->current = iter->list->head;
     return iter->current->data;
 }
 
 NSS_IMPLEMENT void *
 nssListIterator_Next(nssListIterator *iter)
 {
     nssListElement *node;
     PRCList *link;
     if (iter->list->count == 1 || iter->current == NULL) {
-	/* Reached the end of the list.  Don't change the state, force to
-	 * user to call nssList_Finish to clean up.
-	 */
-	return NULL;
+        /* Reached the end of the list.  Don't change the state, force to
+         * user to call nssList_Finish to clean up.
+         */
+        return NULL;
     }
     node = (nssListElement *)PR_NEXT_LINK(&iter->current->link);
     link = &node->link;
     if (link == PR_LIST_TAIL(&iter->list->head->link)) {
-	/* Signal the end of the list. */
-	iter->current = NULL;
-	return node->data;
+        /* Signal the end of the list. */
+        iter->current = NULL;
+        return node->data;
     }
     iter->current = node;
     return node->data;
 }
 
 NSS_IMPLEMENT PRStatus
 nssListIterator_Finish(nssListIterator *iter)
 {
     iter->current = iter->list->head;
     return (iter->lock) ? PZ_Unlock(iter->lock) : PR_SUCCESS;
 }
-
--- a/security/nss/lib/base/nssbase.h
+++ b/security/nss/lib/base/nssbase.h
@@ -39,45 +39,37 @@ PR_BEGIN_EXTERN_C
  * The top-level error may be one of the following values:
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to an NSSArena upon success
  */
 
-NSS_EXTERN NSSArena *
-NSSArena_Create
-(
-  void
-);
+NSS_EXTERN NSSArena *NSSArena_Create(void);
 
 extern const NSSError NSS_ERROR_NO_MEMORY;
 
 /*
  * NSSArena_Destroy
  *
  * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if 
+ * allocated from it.  This routine returns a PRStatus value; if
  * successful, it will return PR_SUCCESS.  If unsuccessful, it will
  * create an error stack and return PR_FAILURE.
  *
  * The top-level error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS upon success
  *  PR_FAILURE upon failure
  */
 
-NSS_EXTERN PRStatus
-NSSArena_Destroy
-(
-  NSSArena *arena
-);
+NSS_EXTERN PRStatus NSSArena_Destroy(NSSArena *arena);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 
 /*
  * The error stack
  *
  * The public methods relating to the error stack are:
  *
@@ -95,152 +87,131 @@ extern const NSSError NSS_ERROR_INVALID_
  * This routine cannot fail.  It may return NSS_ERROR_NO_ERROR, which
  * indicates that the previous NSS library call did not set an error.
  *
  * Return value:
  *  0 if no error has been set
  *  A nonzero error number
  */
 
-NSS_EXTERN NSSError
-NSS_GetError
-(
-  void
-);
+NSS_EXTERN NSSError NSS_GetError(void);
 
 extern const NSSError NSS_ERROR_NO_ERROR;
 
 /*
  * NSS_GetErrorStack
  *
- * This routine returns a pointer to an array of NSSError values, 
- * containingthe entire sequence or "stack" of errors set by the most 
- * recent NSS library routine called by the same thread calling this 
- * routine.  NOTE: the caller DOES NOT OWN the memory pointed to by 
- * the return value.  The pointer will remain valid until the calling 
- * thread calls another NSS routine.  The lowest-level (most specific) 
- * error is first in the array, and the highest-level is last.  The 
- * array is zero-terminated.  This routine may return NULL upon error; 
+ * This routine returns a pointer to an array of NSSError values,
+ * containingthe entire sequence or "stack" of errors set by the most
+ * recent NSS library routine called by the same thread calling this
+ * routine.  NOTE: the caller DOES NOT OWN the memory pointed to by
+ * the return value.  The pointer will remain valid until the calling
+ * thread calls another NSS routine.  The lowest-level (most specific)
+ * error is first in the array, and the highest-level is last.  The
+ * array is zero-terminated.  This routine may return NULL upon error;
  * this indicates a low-memory situation.
  *
  * Return value:
  *  NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
  *  A NON-caller-owned pointer to an array of NSSError values
  */
 
-NSS_EXTERN NSSError *
-NSS_GetErrorStack
-(
-  void
-);
+NSS_EXTERN NSSError *NSS_GetErrorStack(void);
 
 /*
  * NSS_ZNEW
  *
  * This preprocessor macro will allocate memory for a new object
  * of the specified type with nss_ZAlloc, and will cast the
- * return value appropriately.  If the optional arena argument is 
- * non-null, the memory will be obtained from that arena; otherwise, 
- * the memory will be obtained from the heap.  This routine may 
- * return NULL upon error, in which case it will have set an error 
+ * return value appropriately.  If the optional arena argument is
+ * non-null, the memory will be obtained from that arena; otherwise,
+ * the memory will be obtained from the heap.  This routine may
+ * return NULL upon error, in which case it will have set an error
  * upon the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
-/* The following line exceeds 72 characters, but emacs barfs if we split it. */
 #define NSS_ZNEW(arenaOpt, type) ((type *)NSS_ZAlloc((arenaOpt), sizeof(type)))
 
 /*
  * NSS_ZNEWARRAY
  *
  * This preprocessor macro will allocate memory for an array of
  * new objects, and will cast the return value appropriately.
- * If the optional arena argument is non-null, the memory will 
- * be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon 
- * error, in which case it will have set an error upon the error 
+ * If the optional arena argument is non-null, the memory will
+ * be obtained from that arena; otherwise, the memory will be
+ * obtained from the heap.  This routine may return NULL upon
+ * error, in which case it will have set an error upon the error
  * stack.  The array size may be specified as zero.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
-/* The following line exceeds 72 characters, but emacs barfs if we split it. */
-#define NSS_ZNEWARRAY(arenaOpt, type, quantity) ((type *)NSS_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
-
+#define NSS_ZNEWARRAY(arenaOpt, type, quantity)                                \
+    ((type *)NSS_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
 
 /*
  * NSS_ZAlloc
  *
- * This routine allocates and zeroes a section of memory of the 
+ * This routine allocates and zeroes a section of memory of the
  * size, and returns to the caller a pointer to that memory.  If
  * the optional arena argument is non-null, the memory will be
  * obtained from that arena; otherwise, the memory will be obtained
  * from the heap.  This routine may return NULL upon error, in
  * which case it will have set an error upon the error stack.  The
- * value specified for size may be zero; in which case a valid 
+ * value specified for size may be zero; in which case a valid
  * zero-length block of memory will be allocated.  This block may
  * be expanded by calling NSS_ZRealloc.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
-NSS_EXTERN void *
-NSS_ZAlloc
-(
-  NSSArena *arenaOpt,
-  PRUint32 size
-);