Bug 1009794: Update NSS to NSS_3_16_2_BETA2, which also includes fixes
authorWan-Teh Chang <wtc@google.com>
Thu, 22 May 2014 12:31:09 -0700
changeset 184559 980e7d78b358bbea293880348a1fb95305143ab2
parent 184558 1d3795ad8c1c279158b5d99f29e09c6b67304859
child 184560 1264ddc72695170bf7aa88d974c9c5c590209bb2
push id26826
push usercbook@mozilla.com
push dateFri, 23 May 2014 13:41:49 +0000
treeherdermozilla-central@e3d39ffacb5e [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs1009794, 999893, 1011090, 1009785, 421391, 1011229
milestone32.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1009794: Update NSS to NSS_3_16_2_BETA2, which also includes fixes for bug 999893, bug 1011090, bug 1009785, bug 421391, and bug 1011229.
security/nss/TAG-INFO
security/nss/coreconf/Linux.mk
security/nss/coreconf/coreconf.dep
security/nss/lib/certdb/certdb.h
security/nss/lib/freebl/Makefile
security/nss/lib/jar/jarver.c
security/nss/lib/nss/nss.def
security/nss/lib/pk11wrap/pk11obj.c
security/nss/lib/pk11wrap/pk11pub.h
security/nss/lib/softoken/legacydb/lgattr.c
security/nss/lib/softoken/legacydb/lgutil.c
security/nss/lib/softoken/legacydb/pcertt.h
security/nss/lib/softoken/pkcs11.c
security/nss/lib/softoken/pkcs11c.c
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ecc.c
security/nss/lib/ssl/ssl3ext.c
security/nss/lib/ssl/ssl3prot.h
security/nss/lib/ssl/sslerr.h
security/nss/lib/ssl/sslsock.c
security/nss/lib/util/secerr.h
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_16_2_BETA1
+NSS_3_16_2_BETA2
--- a/security/nss/coreconf/Linux.mk
+++ b/security/nss/coreconf/Linux.mk
@@ -125,27 +125,27 @@ ifdef MOZ_DEBUG_SYMBOLS
 endif
 endif
 
 
 ifeq ($(USE_PTHREADS),1)
 OS_PTHREAD = -lpthread 
 endif
 
-OS_CFLAGS		= $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -DLINUX -Dlinux -DHAVE_STRERROR
+OS_CFLAGS		= $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR
 OS_LIBS			= $(OS_PTHREAD) -ldl -lc
 
 ifdef USE_PTHREADS
 	DEFINES		+= -D_REENTRANT
 endif
 
 ARCH			= linux
 
 DSO_CFLAGS		= -fPIC
-DSO_LDOPTS		= -shared $(ARCHFLAG)
+DSO_LDOPTS		= -shared $(ARCHFLAG) -Wl,--gc-sections
 # The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
 # incorrectly reports undefined references in the libraries we link with, so
 # we don't use -z defs there.
 ZDEFS_FLAG		= -Wl,-z,defs
 DSO_LDOPTS		+= $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG))
 LDFLAGS			+= $(ARCHFLAG)
 
 # On Maemo, we need to use the -rpath-link flag for even the standard system
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/lib/certdb/certdb.h
+++ b/security/nss/lib/certdb/certdb.h
@@ -2,26 +2,26 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef _CERTDB_H_
 #define _CERTDB_H_
 
 
 /* common flags for all types of certificates */
-#define CERTDB_TERMINAL_RECORD	(1<<0)
-#define CERTDB_TRUSTED		(1<<1)
-#define CERTDB_SEND_WARN	(1<<2)
-#define CERTDB_VALID_CA		(1<<3)
-#define CERTDB_TRUSTED_CA	(1<<4) /* trusted for issuing server certs */
-#define CERTDB_NS_TRUSTED_CA	(1<<5)
-#define CERTDB_USER		(1<<6)
-#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
-#define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
-#define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
+#define CERTDB_TERMINAL_RECORD	(1u<<0)
+#define CERTDB_TRUSTED		(1u<<1)
+#define CERTDB_SEND_WARN	(1u<<2)
+#define CERTDB_VALID_CA		(1u<<3)
+#define CERTDB_TRUSTED_CA	(1u<<4) /* trusted for issuing server certs */
+#define CERTDB_NS_TRUSTED_CA	(1u<<5)
+#define CERTDB_USER		(1u<<6)
+#define CERTDB_TRUSTED_CLIENT_CA (1u<<7) /* trusted for issuing client certs */
+#define CERTDB_INVISIBLE_CA	(1u<<8) /* don't show in UI */
+#define CERTDB_GOVT_APPROVED_CA	(1u<<9) /* can do strong crypto in export ver */
 
 /* old usage, to keep old programs compiling */
 /* On Windows, Mac, and Linux (and other gcc platforms), we can give compile
  * time deprecation warnings when applications use the old CERTDB_VALID_PEER
  * define */
 #if __GNUC__ > 3
 #if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5)
 typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated));
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -659,12 +659,12 @@ ifdef INTEL_GCM
 #
 $(OBJDIR)/$(PROG_PREFIX)intel-gcm-wrap$(OBJ_SUFFIX): CFLAGS += -mssse3
 
 # The integrated assembler in Clang 3.2 does not support % in the
 # expression of a .set directive. intel-gcm.s uses .set to give
 # symbolic names to registers, for example,
 #     .set  Htbl, %rdi
 # So we can't use Clang's integrated assembler with intel-gcm.s.
-ifneq (,$(findstring clang,$(AS)))
+ifneq (,$(findstring clang,$(shell $(AS) --version)))
 $(OBJDIR)/$(PROG_PREFIX)intel-gcm$(OBJ_SUFFIX): ASFLAGS += -no-integrated-as
 endif
 endif
--- a/security/nss/lib/jar/jarver.c
+++ b/security/nss/lib/jar/jarver.c
@@ -9,23 +9,18 @@
  */
 
 #include "nssrenam.h"
 #include "jar.h"
 #include "jarint.h"
 #include "certdb.h"
 #include "certt.h"
 #include "secpkcs7.h"
-
-/*#include "cdbhdl.h" */
 #include "secder.h"
 
-/* from certdb.h */
-#define CERTDB_USER (1<<6)
-
 #define SZ 512
 
 static int
 jar_validate_pkcs7(JAR *jar, JAR_Signer *signer, char *data, long length);
 
 static void
 jar_catch_bytes(void *arg, const char *buf, unsigned long len);
 
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -1048,8 +1048,15 @@ CERT_GetSubjectPublicKeyDigest;
 ;+NSS_3.16.1 { 	# NSS 3.16.1 release
 ;+    global:
 PK11_ExportDERPrivateKeyInfo;
 PK11_ExportPrivKeyInfo;
 SECMOD_InternaltoPubMechFlags;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.16.2 { 	# NSS 3.16.2 release
+;+    global:
+PK11_PubEncrypt;
+PK11_PrivDecrypt;
+;+    local:
+;+       *;
+;+};
--- a/security/nss/lib/pk11wrap/pk11obj.c
+++ b/security/nss/lib/pk11wrap/pk11obj.c
@@ -909,27 +909,21 @@ PK11_Encrypt(PK11SymKey *symKey,
     *outLen = len;
     if (crv != CKR_OK) {
 	PORT_SetError( PK11_MapError(crv) );
 	return SECFailure;
     }
     return SECSuccess;
 }
 
-/*
- * Now SSL 2.0 uses raw RSA stuff. These next to functions *must* use
- * RSA keys, or they'll fail. We do the checks up front. If anyone comes
- * up with a meaning for rawdecrypt for any other public key operation,
- * then we need to move this check into some of PK11_PubDecrypt callers,
- * (namely SSL 2.0).
- */
 static SECStatus
-pk11_PrivDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, 
-	unsigned *outLen, unsigned int maxLen, unsigned char *enc,
-				    unsigned encLen, CK_MECHANISM_PTR mech)
+pk11_PrivDecryptRaw(SECKEYPrivateKey *key,
+                    unsigned char *data,  unsigned *outLen, unsigned int maxLen,
+                    const unsigned char *enc, unsigned encLen,
+                    CK_MECHANISM_PTR mech)
 {
     PK11SlotInfo *slot = key->pkcs11Slot;
     CK_ULONG out = maxLen;
     PRBool owner = PR_TRUE;
     CK_SESSION_HANDLE session;
     PRBool haslock = PR_FALSE;
     CK_RV crv;
 
@@ -955,67 +949,64 @@ pk11_PrivDecryptRaw(SECKEYPrivateKey *ke
 	PORT_SetError( PK11_MapError(crv) );
 	return SECFailure;
     }
 
     /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then 
      * do C_Login with CKU_CONTEXT_SPECIFIC 
      * between C_DecryptInit and C_Decrypt
      * ... But see note above about servers */
-     if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) {
+    if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) {
 	PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE);
     }
 
-    crv = PK11_GETTAB(slot)->C_Decrypt(session,enc, encLen, data, &out);
+    crv = PK11_GETTAB(slot)->C_Decrypt(session, (unsigned char *)enc, encLen,
+				       data, &out);
     if (haslock) PK11_ExitSlotMonitor(slot);
     pk11_CloseSession(slot,session,owner);
     *outLen = out;
     if (crv != CKR_OK) {
 	PORT_SetError( PK11_MapError(crv) );
 	return SECFailure;
     }
     return SECSuccess;
 }
 
 SECStatus
-PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, 
-	unsigned *outLen, unsigned int maxLen, unsigned char *enc,
-				    unsigned encLen)
+PK11_PubDecryptRaw(SECKEYPrivateKey *key,
+                   unsigned char *data, unsigned *outLen, unsigned int maxLen,
+                   const unsigned char *enc, unsigned encLen)
 {
     CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
     return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech);
 }
 
 SECStatus
-PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key, unsigned char *data, 
-	unsigned *outLen, unsigned int maxLen, unsigned char *enc,
-				    unsigned encLen)
+PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key,
+                      unsigned char *data, unsigned *outLen, unsigned int maxLen,
+                      const unsigned char *enc, unsigned encLen)
 {
     CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 };
     return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech);
 }
 
 static SECStatus
-pk11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
-		    unsigned char *data, unsigned dataLen, 
-		    CK_MECHANISM_PTR mech, void *wincx)
+pk11_PubEncryptRaw(SECKEYPublicKey *key,
+                   unsigned char *out, unsigned int *outLen,
+                   unsigned int maxLen,
+                   const unsigned char *data, unsigned dataLen,
+                   CK_MECHANISM_PTR mech, void *wincx)
 {
     PK11SlotInfo *slot;
     CK_OBJECT_HANDLE id;
-    CK_ULONG out;
+    CK_ULONG len = maxLen;
     PRBool owner = PR_TRUE;
     CK_SESSION_HANDLE session;
     CK_RV crv;
 
-    if (!key || key->keyType != rsaKey) {
-	PORT_SetError( SEC_ERROR_BAD_KEY );
-	return SECFailure;
-    }
-    out = SECKEY_PublicKeyStrength(key);
-
     slot = PK11_GetBestSlotWithAttributes(mech->mechanism,CKF_ENCRYPT,0,wincx);
     if (slot == NULL) {
 	PORT_SetError( SEC_ERROR_NO_MODULE );
 	return SECFailure;
     }
 
     id = PK11_ImportPublicKey(slot,key,PR_FALSE);
 
@@ -1030,41 +1021,93 @@ pk11_PubEncryptRaw(SECKEYPublicKey *key,
     crv = PK11_GETTAB(slot)->C_EncryptInit(session, mech, id);
     if (crv != CKR_OK) {
 	if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
 	pk11_CloseSession(slot,session,owner);
 	PK11_FreeSlot(slot);
 	PORT_SetError( PK11_MapError(crv) );
 	return SECFailure;
     }
-    crv = PK11_GETTAB(slot)->C_Encrypt(session,data,dataLen,enc,&out);
+    crv = PK11_GETTAB(slot)->C_Encrypt(session,(unsigned char *)data,dataLen,
+				       out,&len);
     if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
     pk11_CloseSession(slot,session,owner);
     PK11_FreeSlot(slot);
+    *outLen = len;
     if (crv != CKR_OK) {
 	PORT_SetError( PK11_MapError(crv) );
 	return SECFailure;
     }
     return SECSuccess;
 }
 
 SECStatus
-PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
-		unsigned char *data, unsigned dataLen, void *wincx)
+PK11_PubEncryptRaw(SECKEYPublicKey *key,
+                   unsigned char *enc,
+                   const unsigned char *data, unsigned dataLen,
+                   void *wincx)
 {
     CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
-    return pk11_PubEncryptRaw(key, enc, data, dataLen, &mech, wincx);
+    unsigned int outLen;
+    if (!key || key->keyType != rsaKey) {
+	PORT_SetError(SEC_ERROR_BAD_KEY);
+	return SECFailure;
+    }
+    outLen = SECKEY_PublicKeyStrength(key);
+    return pk11_PubEncryptRaw(key, enc, &outLen, outLen, data, dataLen, &mech,
+                              wincx);
 }
 
 SECStatus
-PK11_PubEncryptPKCS1(SECKEYPublicKey *key, unsigned char *enc,
-		unsigned char *data, unsigned dataLen, void *wincx)
+PK11_PubEncryptPKCS1(SECKEYPublicKey *key,
+                     unsigned char *enc,
+                     const unsigned char *data, unsigned dataLen,
+                     void *wincx)
 {
     CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 };
-    return pk11_PubEncryptRaw(key, enc, data, dataLen, &mech, wincx);
+    unsigned int outLen;
+    if (!key || key->keyType != rsaKey) {
+	PORT_SetError(SEC_ERROR_BAD_KEY);
+	return SECFailure;
+    }
+    outLen = SECKEY_PublicKeyStrength(key);
+    return pk11_PubEncryptRaw(key, enc, &outLen, outLen, data, dataLen, &mech,
+                              wincx);
+}
+
+SECStatus
+PK11_PrivDecrypt(SECKEYPrivateKey *key,
+                 CK_MECHANISM_TYPE mechanism, SECItem *param,
+                 unsigned char *out, unsigned int *outLen,
+                 unsigned int maxLen,
+                 const unsigned char *enc, unsigned encLen)
+{
+    CK_MECHANISM mech = { mechanism, NULL, 0 };
+    if (param) {
+        mech.pParameter = param->data;
+        mech.ulParameterLen = param->len;
+    }
+    return pk11_PrivDecryptRaw(key, out, outLen, maxLen, enc, encLen, &mech);
+}
+
+SECStatus
+PK11_PubEncrypt(SECKEYPublicKey *key,
+                CK_MECHANISM_TYPE mechanism, SECItem *param,
+                unsigned char *out, unsigned int *outLen,
+                unsigned int maxLen,
+                const unsigned char *data, unsigned dataLen,
+                void *wincx)
+{
+    CK_MECHANISM mech = { mechanism, NULL, 0 };
+    if (param) {
+        mech.pParameter = param->data;
+        mech.ulParameterLen = param->len;
+    }
+    return pk11_PubEncryptRaw(key, out, outLen, maxLen, data, dataLen, &mech,
+                              wincx);
 }
 
 SECKEYPrivateKey *
 PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
 		   CK_MECHANISM_TYPE wrapType, SECItem *param, 
 		   SECItem *wrappedKey, SECItem *label, 
 		   SECItem *idValue, PRBool perm, PRBool sensitive,
 		   CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage,
--- a/security/nss/lib/pk11wrap/pk11pub.h
+++ b/security/nss/lib/pk11wrap/pk11pub.h
@@ -515,28 +515,48 @@ SECStatus PK11_Decrypt(PK11SymKey *symke
 		       const unsigned char *enc, unsigned int encLen);
 SECStatus PK11_Encrypt(PK11SymKey *symKey,
 		       CK_MECHANISM_TYPE mechanism, SECItem *param,
 		       unsigned char *out, unsigned int *outLen,
 		       unsigned int maxLen,
 		       const unsigned char *data, unsigned int dataLen);
 
 /* note: despite the name, this function takes a private key. */
-SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data,
-   unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen);
+SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key,
+                             unsigned char *data, unsigned *outLen,
+                             unsigned int maxLen,
+                             const unsigned char *enc, unsigned encLen);
 #define PK11_PrivDecryptRaw PK11_PubDecryptRaw
 /* The encrypt function that complements the above decrypt function. */
-SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
-                unsigned char *data, unsigned dataLen, void *wincx);
+SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key,
+                             unsigned char *enc,
+                             const unsigned char *data, unsigned dataLen,
+                             void *wincx);
 
-SECStatus PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key, unsigned char *data,
-   unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen);
+SECStatus PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key,
+                                unsigned char *data, unsigned *outLen,
+                                unsigned int maxLen,
+                                const unsigned char *enc, unsigned encLen);
 /* The encrypt function that complements the above decrypt function. */
-SECStatus PK11_PubEncryptPKCS1(SECKEYPublicKey *key, unsigned char *enc,
-                unsigned char *data, unsigned dataLen, void *wincx);
+SECStatus PK11_PubEncryptPKCS1(SECKEYPublicKey *key,
+                               unsigned char *enc,
+                               const unsigned char *data, unsigned dataLen,
+                               void *wincx);
+
+SECStatus PK11_PrivDecrypt(SECKEYPrivateKey *key,
+                           CK_MECHANISM_TYPE mechanism, SECItem *param,
+                           unsigned char *out, unsigned int *outLen,
+                           unsigned int maxLen,
+                           const unsigned char *enc, unsigned int encLen);
+SECStatus PK11_PubEncrypt(SECKEYPublicKey *key,
+                          CK_MECHANISM_TYPE mechanism, SECItem *param,
+                          unsigned char *out, unsigned int *outLen,
+                          unsigned int maxLen,
+                          const unsigned char *data, unsigned int dataLen,
+                          void *wincx);
 
 SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, 
 		SECKEYPrivateKeyInfo *pki, SECItem *nickname,
 		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
 		unsigned int usage, void *wincx);
 SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, 
 		SECKEYPrivateKeyInfo *pki, SECItem *nickname,
 		SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
--- a/security/nss/lib/softoken/legacydb/lgattr.c
+++ b/security/nss/lib/softoken/legacydb/lgattr.c
@@ -1367,17 +1367,17 @@ lg_GetSingleAttribute(LGObjectCache *obj
  * Fill in the attribute template based on the data in the database.
  */    
 CK_RV
 lg_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE handle, CK_ATTRIBUTE *templ, 
 		CK_ULONG count)
 {
     LGObjectCache *obj = lg_NewObjectCache(sdb, NULL, handle & ~LG_TOKEN_MASK);
     CK_RV crv, crvCollect = CKR_OK;
-    int i;
+    unsigned int i;
 
     if (obj == NULL) {
 	return CKR_OBJECT_HANDLE_INVALID;
     }
 
     for (i=0; i < count; i++) {
 	crv = lg_GetSingleAttribute(obj, &templ[i]);
 	if (crvCollect == CKR_OK) crvCollect = crv;
@@ -1429,17 +1429,17 @@ lg_cmpAttribute(LGObjectCache *obj, cons
 }
 
 PRBool
 lg_tokenMatch(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE class,
 		const CK_ATTRIBUTE *templ, CK_ULONG count)
 {
     PRBool match = PR_TRUE;
     LGObjectCache *obj = lg_NewObjectCache(sdb, dbKey, class);
-    int i;
+    unsigned int i;
 
     if (obj == NULL) {
 	return PR_FALSE;
     }
 
     for (i=0; i < count; i++) {
 	match = lg_cmpAttribute(obj, &templ[i]);
 	if (!match) {
@@ -1753,17 +1753,17 @@ lg_SetSingleAttribute(LGObjectCache *obj
  */    
 CK_RV
 lg_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE handle, 
 			const CK_ATTRIBUTE *templ, CK_ULONG count)
 {
     LGObjectCache *obj = lg_NewObjectCache(sdb, NULL, handle & ~LG_TOKEN_MASK);
     CK_RV crv, crvCollect = CKR_OK;
     PRBool writePrivate = PR_FALSE;
-    int i;
+    unsigned int i;
 
     if (obj == NULL) {
 	return CKR_OBJECT_HANDLE_INVALID;
     }
 
     for (i=0; i < count; i++) {
 	crv = lg_SetSingleAttribute(obj, &templ[i], &writePrivate);
 	if (crvCollect == CKR_OK) crvCollect = crv;
--- a/security/nss/lib/softoken/legacydb/lgutil.c
+++ b/security/nss/lib/softoken/legacydb/lgutil.c
@@ -13,17 +13,17 @@
  * look up and attribute structure from a type and Object structure.
  * The returned attribute is referenced and needs to be freed when 
  * it is no longer needed.
  */
 const CK_ATTRIBUTE *
 lg_FindAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ,
 		 CK_ULONG count )
 {
-    int i;
+    unsigned int i;
 
     for (i=0; i < count; i++) {
 	if (templ[i].type == type) {
 	    return &templ[i];
 	}
     }
     return NULL;
 }
--- a/security/nss/lib/softoken/legacydb/pcertt.h
+++ b/security/nss/lib/softoken/legacydb/pcertt.h
@@ -392,27 +392,27 @@ typedef union {
 
 /* length of the fixed part of a database entry */
 #define DBCERT_V4_HEADER_LEN	7
 #define DB_CERT_V5_ENTRY_HEADER_LEN	7
 #define DB_CERT_V6_ENTRY_HEADER_LEN	7
 #define DB_CERT_ENTRY_HEADER_LEN	10
 
 /* common flags for all types of certificates */
-#define CERTDB_TERMINAL_RECORD	(1<<0)
-#define CERTDB_TRUSTED		(1<<1)
-#define CERTDB_SEND_WARN	(1<<2)
-#define CERTDB_VALID_CA		(1<<3)
-#define CERTDB_TRUSTED_CA	(1<<4) /* trusted for issuing server certs */
-#define CERTDB_NS_TRUSTED_CA	(1<<5)
-#define CERTDB_USER		(1<<6)
-#define CERTDB_TRUSTED_CLIENT_CA (1<<7) /* trusted for issuing client certs */
-#define CERTDB_INVISIBLE_CA	(1<<8) /* don't show in UI */
-#define CERTDB_GOVT_APPROVED_CA	(1<<9) /* can do strong crypto in export ver */
-#define CERTDB_MUST_VERIFY	(1<<10) /* explicitly don't trust this cert */
-#define CERTDB_TRUSTED_UNKNOWN	(1<<11) /* accept trust from another source */
+#define CERTDB_TERMINAL_RECORD	(1u<<0)
+#define CERTDB_TRUSTED		(1u<<1)
+#define CERTDB_SEND_WARN	(1u<<2)
+#define CERTDB_VALID_CA		(1u<<3)
+#define CERTDB_TRUSTED_CA	(1u<<4) /* trusted for issuing server certs */
+#define CERTDB_NS_TRUSTED_CA	(1u<<5)
+#define CERTDB_USER		(1u<<6)
+#define CERTDB_TRUSTED_CLIENT_CA (1u<<7) /* trusted for issuing client certs */
+#define CERTDB_INVISIBLE_CA	(1u<<8) /* don't show in UI */
+#define CERTDB_GOVT_APPROVED_CA	(1u<<9) /* can do strong crypto in export ver */
+#define CERTDB_MUST_VERIFY	(1u<<10) /* explicitly don't trust this cert */
+#define CERTDB_TRUSTED_UNKNOWN	(1u<<11) /* accept trust from another source */
 
 /* bits not affected by the CKO_NETSCAPE_TRUST object */
 #define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | \
         CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \
                                         CERTDB_GOVT_APPROVED_CA)
 
 #endif /* _PCERTT_H_ */
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -261,16 +261,18 @@ static const struct mechanismList mechan
 
      /* ------------------------- RSA Operations ---------------------------*/
      {CKM_RSA_PKCS_KEY_PAIR_GEN,{RSA_MIN_MODULUS_BITS,CK_MAX,
 				 CKF_GENERATE_KEY_PAIR},PR_TRUE},
      {CKM_RSA_PKCS,             {RSA_MIN_MODULUS_BITS,CK_MAX,
 				 CKF_DUZ_IT_ALL},       PR_TRUE},
      {CKM_RSA_PKCS_PSS,         {RSA_MIN_MODULUS_BITS,CK_MAX,
 				 CKF_SN_VR},            PR_TRUE},
+     {CKM_RSA_PKCS_OAEP,        {RSA_MIN_MODULUS_BITS,CK_MAX,
+                                 CKF_EN_DE_WR_UN},       PR_TRUE},
 #ifdef SFTK_RSA9796_SUPPORTED
      {CKM_RSA_9796,		{RSA_MIN_MODULUS_BITS,CK_MAX,
 				 CKF_DUZ_IT_ALL},       PR_TRUE},
 #endif
      {CKM_RSA_X_509,		{RSA_MIN_MODULUS_BITS,CK_MAX,
 				 CKF_DUZ_IT_ALL},       PR_TRUE},
      /* -------------- RSA Multipart Signing Operations -------------------- */
      {CKM_MD2_RSA_PKCS,		{RSA_MIN_MODULUS_BITS,CK_MAX,
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -297,16 +297,56 @@ GetHashTypeFromMechanism(CK_MECHANISM_TY
         case CKM_SHA512:
         case CKG_MGF1_SHA512:
             return HASH_AlgSHA512;
         default:
             return HASH_AlgNULL;
     }
 }
 
+/*
+ * Returns true if "params" contains a valid set of PSS parameters
+ */
+static PRBool
+sftk_ValidatePssParams(const CK_RSA_PKCS_PSS_PARAMS *params)
+{
+    if (!params) {
+        return PR_FALSE;
+    }
+    if (GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL ||
+        GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) {
+        return PR_FALSE;
+    }
+    return PR_TRUE;
+}
+
+/*
+ * Returns true if "params" contains a valid set of OAEP parameters
+ */
+static PRBool
+sftk_ValidateOaepParams(const CK_RSA_PKCS_OAEP_PARAMS *params)
+{
+    if (!params) {
+        return PR_FALSE;
+    }
+    /* The requirements of ulSourceLen/pSourceData come from PKCS #11, which
+     * state:
+     *   If the parameter is empty, pSourceData must be NULL and
+     *   ulSourceDataLen must be zero.
+     */
+    if (params->source != CKZ_DATA_SPECIFIED ||
+        (GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL) ||
+        (GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) ||
+        (params->ulSourceDataLen == 0 && params->pSourceData != NULL) ||
+        (params->ulSourceDataLen != 0 && params->pSourceData == NULL)) {
+        return PR_FALSE;
+    }
+    return PR_TRUE;
+}
+
 /* 
  * return a context based on the SFTKContext type.
  */
 SFTKSessionContext *
 sftk_ReturnContextByType(SFTKSession *session, SFTKContextType type)
 {
     switch (type) {
 	case SFTK_ENCRYPT:
@@ -583,21 +623,16 @@ sftk_RSAEncryptOAEP(SFTKOAEPEncryptInfo 
     if (info->key->keyType != NSSLOWKEYRSAKey) {
         PORT_SetError(SEC_ERROR_INVALID_KEY);
         return SECFailure;
     }
 
     hashAlg = GetHashTypeFromMechanism(info->params->hashAlg);
     maskHashAlg = GetHashTypeFromMechanism(info->params->mgf);
 
-    if (info->params->source != CKZ_DATA_SPECIFIED) {
-        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-        return SECFailure;
-    }
-
     return RSA_EncryptOAEP(&info->key->u.rsa, hashAlg, maskHashAlg,
                            (const unsigned char*)info->params->pSourceData,
                            info->params->ulSourceDataLen, NULL, 0,
                            output, outputLen, maxLen, input, inputLen);
 }
 
 static SECStatus
 sftk_RSADecryptOAEP(SFTKOAEPDecryptInfo *info, unsigned char *output,
@@ -612,21 +647,16 @@ sftk_RSADecryptOAEP(SFTKOAEPDecryptInfo 
     if (info->key->keyType != NSSLOWKEYRSAKey) {
         PORT_SetError(SEC_ERROR_INVALID_KEY);
         return SECFailure;
     }
 
     hashAlg = GetHashTypeFromMechanism(info->params->hashAlg);
     maskHashAlg = GetHashTypeFromMechanism(info->params->mgf);
 
-    if (info->params->source != CKZ_DATA_SPECIFIED) {
-        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-        return SECFailure;
-    }
-
     rv = RSA_DecryptOAEP(&info->key->u.rsa, hashAlg, maskHashAlg,
                          (const unsigned char*)info->params->pSourceData,
                          info->params->ulSourceDataLen,
                          output, outputLen, maxLen, input, inputLen);
      if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
         sftk_fatalError = PR_TRUE;
     }
     return rv;
@@ -705,29 +735,28 @@ sftk_CryptInit(CK_SESSION_HANDLE hSessio
 	    context->maxLen = nsslowkey_PrivateModulusLen(privKey);
 	    context->cipherInfo =  (void *)privKey;
 	    context->update = (SFTKCipher) 
 		(pMechanism->mechanism == CKM_RSA_X_509
 					? sftk_RSADecryptRaw : sftk_RSADecrypt);
 	}
 	context->destroy = sftk_Null;
 	break;
-/* XXX: Disabled until unit tests land.
     case CKM_RSA_PKCS_OAEP:
 	if (key_type != CKK_RSA) {
 	    crv = CKR_KEY_TYPE_INCONSISTENT;
 	    break;
 	}
+	if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_OAEP_PARAMS) ||
+	    !sftk_ValidateOaepParams((CK_RSA_PKCS_OAEP_PARAMS*)pMechanism->pParameter)) {
+	    crv = CKR_MECHANISM_PARAM_INVALID;
+	    break;
+	}
 	context->multi = PR_FALSE;
 	context->rsa = PR_TRUE;
-	if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_OAEP_PARAMS)) {
-	    crv = CKR_MECHANISM_PARAM_INVALID;
-	    break;
-	}
-	/\* XXX: Need Parameter validation here *\/
 	if (isEncrypt) {
 	    SFTKOAEPEncryptInfo *info = PORT_New(SFTKOAEPEncryptInfo);
 	    if (info == NULL) {
 	        crv = CKR_HOST_MEMORY;
 	        break;
 	    }
 	    info->params = pMechanism->pParameter;
 	    info->key = sftk_GetPubKey(key, CKK_RSA, &crv);
@@ -753,17 +782,16 @@ sftk_CryptInit(CK_SESSION_HANDLE hSessio
 	        break;
 	    }
 	    context->update = (SFTKCipher) sftk_RSADecryptOAEP;
 	    context->maxLen = nsslowkey_PrivateModulusLen(info->key);
 	    context->cipherInfo = info;
 	}
 	context->destroy = (SFTKDestroy) sftk_Space;
 	break;
-*/
     case CKM_RC2_CBC_PAD:
 	context->doPad = PR_TRUE;
 	/* fall thru */
     case CKM_RC2_ECB:
     case CKM_RC2_CBC:
 	context->blockSize = 8;
 	if (key_type != CKK_RC2) {
 	    crv = CKR_KEY_TYPE_INCONSISTENT;
@@ -2381,17 +2409,18 @@ finish_rsa:
 	context->maxLen = nsslowkey_PrivateModulusLen(privKey);
 	break;
     case CKM_RSA_PKCS_PSS:
 	if (key_type != CKK_RSA) {
 	    crv = CKR_KEY_TYPE_INCONSISTENT;
 	    break;
 	} 
 	context->rsa = PR_TRUE;
-	if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS)) {
+	if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS) ||
+	    !sftk_ValidatePssParams((const CK_RSA_PKCS_PSS_PARAMS*)pMechanism->pParameter)) {
 	    crv = CKR_MECHANISM_PARAM_INVALID;
 	    break;
 	}
 	info = PORT_New(SFTKHashSignInfo);
 	if (info == NULL) {
 	    crv = CKR_HOST_MEMORY;
 	    break;
 	}
@@ -3018,17 +3047,18 @@ finish_rsa:
 	}
 	break;
     case CKM_RSA_PKCS_PSS:
 	if (key_type != CKK_RSA) {
 	    crv = CKR_KEY_TYPE_INCONSISTENT;
 	    break;
 	} 
 	context->rsa = PR_TRUE;
-	if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS)) {
+	if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS) ||
+	    !sftk_ValidatePssParams((const CK_RSA_PKCS_PSS_PARAMS*)pMechanism->pParameter)) {
 	    crv = CKR_MECHANISM_PARAM_INVALID;
 	    break;
 	}
 	info = PORT_New(SFTKHashVerifyInfo);
 	if (info == NULL) {
 	    crv = CKR_HOST_MEMORY;
 	    break;
 	}
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -5166,17 +5166,17 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
 	if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
 	return rv;	/* err set by ssl3_AppendHandshake* */
     }
 
     if (sid)
 	rv = ssl3_AppendHandshakeVariable(
 	    ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
     else
-	rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
+	rv = ssl3_AppendHandshakeNumber(ss, 0, 1);
     if (rv != SECSuccess) {
 	if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
 	return rv;	/* err set by ssl3_AppendHandshake* */
     }
 
     if (IS_DTLS(ss)) {
 	rv = ssl3_AppendHandshakeVariable(
 	    ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1);
@@ -8609,17 +8609,17 @@ ssl3_SendServerHello(sslSocket *ss)
     if (rv != SECSuccess) {
 	return rv;	/* err set by AppendHandshake. */
     }
 
     if (sid)
 	rv = ssl3_AppendHandshakeVariable(
 	    ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
     else
-	rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
+	rv = ssl3_AppendHandshakeNumber(ss, 0, 1);
     if (rv != SECSuccess) {
 	return rv;	/* err set by AppendHandshake. */
     }
 
     rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.cipher_suite, 2);
     if (rv != SECSuccess) {
 	return rv;	/* err set by AppendHandshake. */
     }
--- a/security/nss/lib/ssl/ssl3ecc.c
+++ b/security/nss/lib/ssl/ssl3ecc.c
@@ -5,17 +5,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* ECC code moved here from ssl3con.c */
 
 #include "nss.h"
 #include "cert.h"
 #include "ssl.h"
-#include "cryptohi.h"	/* for DSAU_ stuff */
+#include "cryptohi.h"   /* for DSAU_ stuff */
 #include "keyhi.h"
 #include "secder.h"
 #include "secitem.h"
 
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "sslerr.h"
 #include "prtime.h"
@@ -29,17 +29,17 @@
 #include "secmod.h"
 
 #include <stdio.h>
 
 #ifndef NSS_DISABLE_ECC
 
 #ifndef PK11_SETATTRS
 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
-		(x)->pValue=(v); (x)->ulValueLen = (l);
+                (x)->pValue=(v); (x)->ulValueLen = (l);
 #endif
 
 #define SSL_GET_SERVER_PUBLIC_KEY(sock, type) \
     (ss->serverCerts[type].serverKeyPair ? \
     ss->serverCerts[type].serverKeyPair->pubKey : NULL)
 
 #define SSL_IS_CURVE_NEGOTIATED(curvemsk, curveName) \
     ((curveName > ec_noName) && \
@@ -51,300 +51,300 @@
 static SECStatus ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve);
 
 #define supportedCurve(x) (((x) > ec_noName) && ((x) < ec_pastLastName))
 
 /* Table containing OID tags for elliptic curves named in the
  * ECC-TLS IETF draft.
  */
 static const SECOidTag ecName2OIDTag[] = {
-	0,  
-	SEC_OID_SECG_EC_SECT163K1,  /*  1 */
-	SEC_OID_SECG_EC_SECT163R1,  /*  2 */
-	SEC_OID_SECG_EC_SECT163R2,  /*  3 */
-	SEC_OID_SECG_EC_SECT193R1,  /*  4 */
-	SEC_OID_SECG_EC_SECT193R2,  /*  5 */
-	SEC_OID_SECG_EC_SECT233K1,  /*  6 */
-	SEC_OID_SECG_EC_SECT233R1,  /*  7 */
-	SEC_OID_SECG_EC_SECT239K1,  /*  8 */
-	SEC_OID_SECG_EC_SECT283K1,  /*  9 */
-	SEC_OID_SECG_EC_SECT283R1,  /* 10 */
-	SEC_OID_SECG_EC_SECT409K1,  /* 11 */
-	SEC_OID_SECG_EC_SECT409R1,  /* 12 */
-	SEC_OID_SECG_EC_SECT571K1,  /* 13 */
-	SEC_OID_SECG_EC_SECT571R1,  /* 14 */
-	SEC_OID_SECG_EC_SECP160K1,  /* 15 */
-	SEC_OID_SECG_EC_SECP160R1,  /* 16 */
-	SEC_OID_SECG_EC_SECP160R2,  /* 17 */
-	SEC_OID_SECG_EC_SECP192K1,  /* 18 */
-	SEC_OID_SECG_EC_SECP192R1,  /* 19 */
-	SEC_OID_SECG_EC_SECP224K1,  /* 20 */
-	SEC_OID_SECG_EC_SECP224R1,  /* 21 */
-	SEC_OID_SECG_EC_SECP256K1,  /* 22 */
-	SEC_OID_SECG_EC_SECP256R1,  /* 23 */
-	SEC_OID_SECG_EC_SECP384R1,  /* 24 */
-	SEC_OID_SECG_EC_SECP521R1,  /* 25 */
+        0,
+        SEC_OID_SECG_EC_SECT163K1,  /*  1 */
+        SEC_OID_SECG_EC_SECT163R1,  /*  2 */
+        SEC_OID_SECG_EC_SECT163R2,  /*  3 */
+        SEC_OID_SECG_EC_SECT193R1,  /*  4 */
+        SEC_OID_SECG_EC_SECT193R2,  /*  5 */
+        SEC_OID_SECG_EC_SECT233K1,  /*  6 */
+        SEC_OID_SECG_EC_SECT233R1,  /*  7 */
+        SEC_OID_SECG_EC_SECT239K1,  /*  8 */
+        SEC_OID_SECG_EC_SECT283K1,  /*  9 */
+        SEC_OID_SECG_EC_SECT283R1,  /* 10 */
+        SEC_OID_SECG_EC_SECT409K1,  /* 11 */
+        SEC_OID_SECG_EC_SECT409R1,  /* 12 */
+        SEC_OID_SECG_EC_SECT571K1,  /* 13 */
+        SEC_OID_SECG_EC_SECT571R1,  /* 14 */
+        SEC_OID_SECG_EC_SECP160K1,  /* 15 */
+        SEC_OID_SECG_EC_SECP160R1,  /* 16 */
+        SEC_OID_SECG_EC_SECP160R2,  /* 17 */
+        SEC_OID_SECG_EC_SECP192K1,  /* 18 */
+        SEC_OID_SECG_EC_SECP192R1,  /* 19 */
+        SEC_OID_SECG_EC_SECP224K1,  /* 20 */
+        SEC_OID_SECG_EC_SECP224R1,  /* 21 */
+        SEC_OID_SECG_EC_SECP256K1,  /* 22 */
+        SEC_OID_SECG_EC_SECP256R1,  /* 23 */
+        SEC_OID_SECG_EC_SECP384R1,  /* 24 */
+        SEC_OID_SECG_EC_SECP521R1,  /* 25 */
 };
 
 static const PRUint16 curve2bits[] = {
-	  0, /*  ec_noName     = 0,   */
-	163, /*  ec_sect163k1  = 1,   */
-	163, /*  ec_sect163r1  = 2,   */
-	163, /*  ec_sect163r2  = 3,   */
-	193, /*  ec_sect193r1  = 4,   */
-	193, /*  ec_sect193r2  = 5,   */
-	233, /*  ec_sect233k1  = 6,   */
-	233, /*  ec_sect233r1  = 7,   */
-	239, /*  ec_sect239k1  = 8,   */
-	283, /*  ec_sect283k1  = 9,   */
-	283, /*  ec_sect283r1  = 10,  */
-	409, /*  ec_sect409k1  = 11,  */
-	409, /*  ec_sect409r1  = 12,  */
-	571, /*  ec_sect571k1  = 13,  */
-	571, /*  ec_sect571r1  = 14,  */
-	160, /*  ec_secp160k1  = 15,  */
-	160, /*  ec_secp160r1  = 16,  */
-	160, /*  ec_secp160r2  = 17,  */
-	192, /*  ec_secp192k1  = 18,  */
-	192, /*  ec_secp192r1  = 19,  */
-	224, /*  ec_secp224k1  = 20,  */
-	224, /*  ec_secp224r1  = 21,  */
-	256, /*  ec_secp256k1  = 22,  */
-	256, /*  ec_secp256r1  = 23,  */
-	384, /*  ec_secp384r1  = 24,  */
-	521, /*  ec_secp521r1  = 25,  */
+          0, /*  ec_noName     = 0,   */
+        163, /*  ec_sect163k1  = 1,   */
+        163, /*  ec_sect163r1  = 2,   */
+        163, /*  ec_sect163r2  = 3,   */
+        193, /*  ec_sect193r1  = 4,   */
+        193, /*  ec_sect193r2  = 5,   */
+        233, /*  ec_sect233k1  = 6,   */
+        233, /*  ec_sect233r1  = 7,   */
+        239, /*  ec_sect239k1  = 8,   */
+        283, /*  ec_sect283k1  = 9,   */
+        283, /*  ec_sect283r1  = 10,  */
+        409, /*  ec_sect409k1  = 11,  */
+        409, /*  ec_sect409r1  = 12,  */
+        571, /*  ec_sect571k1  = 13,  */
+        571, /*  ec_sect571r1  = 14,  */
+        160, /*  ec_secp160k1  = 15,  */
+        160, /*  ec_secp160r1  = 16,  */
+        160, /*  ec_secp160r2  = 17,  */
+        192, /*  ec_secp192k1  = 18,  */
+        192, /*  ec_secp192r1  = 19,  */
+        224, /*  ec_secp224k1  = 20,  */
+        224, /*  ec_secp224r1  = 21,  */
+        256, /*  ec_secp256k1  = 22,  */
+        256, /*  ec_secp256r1  = 23,  */
+        384, /*  ec_secp384r1  = 24,  */
+        521, /*  ec_secp521r1  = 25,  */
       65535  /*  ec_pastLastName      */
 };
 
 typedef struct Bits2CurveStr {
     PRUint16    bits;
     ECName      curve;
 } Bits2Curve;
 
 static const Bits2Curve bits2curve [] = {
-   {	192,     ec_secp192r1    /*  = 19,  fast */  },
-   {	160,     ec_secp160r2    /*  = 17,  fast */  },
-   {	160,     ec_secp160k1    /*  = 15,  */       },
-   {	160,     ec_secp160r1    /*  = 16,  */       },
-   {	163,     ec_sect163k1    /*  = 1,   */       },
-   {	163,     ec_sect163r1    /*  = 2,   */       },
-   {	163,     ec_sect163r2    /*  = 3,   */       },
-   {	192,     ec_secp192k1    /*  = 18,  */       },
-   {	193,     ec_sect193r1    /*  = 4,   */       },
-   {	193,     ec_sect193r2    /*  = 5,   */       },
-   {	224,     ec_secp224r1    /*  = 21,  fast */  },
-   {	224,     ec_secp224k1    /*  = 20,  */       },
-   {	233,     ec_sect233k1    /*  = 6,   */       },
-   {	233,     ec_sect233r1    /*  = 7,   */       },
-   {	239,     ec_sect239k1    /*  = 8,   */       },
-   {	256,     ec_secp256r1    /*  = 23,  fast */  },
-   {	256,     ec_secp256k1    /*  = 22,  */       },
-   {	283,     ec_sect283k1    /*  = 9,   */       },
-   {	283,     ec_sect283r1    /*  = 10,  */       },
-   {	384,     ec_secp384r1    /*  = 24,  fast */  },
-   {	409,     ec_sect409k1    /*  = 11,  */       },
-   {	409,     ec_sect409r1    /*  = 12,  */       },
-   {	521,     ec_secp521r1    /*  = 25,  fast */  },
-   {	571,     ec_sect571k1    /*  = 13,  */       },
-   {	571,     ec_sect571r1    /*  = 14,  */       },
+   {    192,     ec_secp192r1    /*  = 19,  fast */  },
+   {    160,     ec_secp160r2    /*  = 17,  fast */  },
+   {    160,     ec_secp160k1    /*  = 15,  */       },
+   {    160,     ec_secp160r1    /*  = 16,  */       },
+   {    163,     ec_sect163k1    /*  = 1,   */       },
+   {    163,     ec_sect163r1    /*  = 2,   */       },
+   {    163,     ec_sect163r2    /*  = 3,   */       },
+   {    192,     ec_secp192k1    /*  = 18,  */       },
+   {    193,     ec_sect193r1    /*  = 4,   */       },
+   {    193,     ec_sect193r2    /*  = 5,   */       },
+   {    224,     ec_secp224r1    /*  = 21,  fast */  },
+   {    224,     ec_secp224k1    /*  = 20,  */       },
+   {    233,     ec_sect233k1    /*  = 6,   */       },
+   {    233,     ec_sect233r1    /*  = 7,   */       },
+   {    239,     ec_sect239k1    /*  = 8,   */       },
+   {    256,     ec_secp256r1    /*  = 23,  fast */  },
+   {    256,     ec_secp256k1    /*  = 22,  */       },
+   {    283,     ec_sect283k1    /*  = 9,   */       },
+   {    283,     ec_sect283r1    /*  = 10,  */       },
+   {    384,     ec_secp384r1    /*  = 24,  fast */  },
+   {    409,     ec_sect409k1    /*  = 11,  */       },
+   {    409,     ec_sect409r1    /*  = 12,  */       },
+   {    521,     ec_secp521r1    /*  = 25,  fast */  },
+   {    571,     ec_sect571k1    /*  = 13,  */       },
+   {    571,     ec_sect571r1    /*  = 14,  */       },
    {  65535,     ec_noName    }
 };
 
 typedef struct ECDHEKeyPairStr {
     ssl3KeyPair *  pair;
     int            error;  /* error code of the call-once function */
     PRCallOnceType once;
 } ECDHEKeyPair;
 
 /* arrays of ECDHE KeyPairs */
 static ECDHEKeyPair gECDHEKeyPairs[ec_pastLastName];
 
-SECStatus 
+SECStatus
 ssl3_ECName2Params(PLArenaPool * arena, ECName curve, SECKEYECParams * params)
 {
     SECOidData *oidData = NULL;
 
     if ((curve <= ec_noName) || (curve >= ec_pastLastName) ||
-	((oidData = SECOID_FindOIDByTag(ecName2OIDTag[curve])) == NULL)) {
+        ((oidData = SECOID_FindOIDByTag(ecName2OIDTag[curve])) == NULL)) {
         PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
-	return SECFailure;
+        return SECFailure;
     }
 
     SECITEM_AllocItem(arena, params, (2 + oidData->oid.len));
-    /* 
+    /*
      * params->data needs to contain the ASN encoding of an object ID (OID)
-     * representing the named curve. The actual OID is in 
+     * representing the named curve. The actual OID is in
      * oidData->oid.data so we simply prepend 0x06 and OID length
      */
     params->data[0] = SEC_ASN1_OBJECT_ID;
     params->data[1] = oidData->oid.len;
     memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
 
     return SECSuccess;
 }
 
-static ECName 
+static ECName
 params2ecName(SECKEYECParams * params)
 {
     SECItem oid = { siBuffer, NULL, 0};
     SECOidData *oidData = NULL;
     ECName i;
 
-    /* 
+    /*
      * params->data needs to contain the ASN encoding of an object ID (OID)
      * representing a named curve. Here, we strip away everything
      * before the actual OID and use the OID to look up a named curve.
      */
     if (params->data[0] != SEC_ASN1_OBJECT_ID) return ec_noName;
     oid.len = params->len - 2;
     oid.data = params->data + 2;
     if ((oidData = SECOID_FindOID(&oid)) == NULL) return ec_noName;
     for (i = ec_noName + 1; i < ec_pastLastName; i++) {
-	if (ecName2OIDTag[i] == oidData->offset)
-	    return i;
+        if (ecName2OIDTag[i] == oidData->offset)
+            return i;
     }
 
     return ec_noName;
 }
 
 /* Caller must set hiLevel error code. */
 static SECStatus
 ssl3_ComputeECDHKeyHash(SECOidTag hashAlg,
-			SECItem ec_params, SECItem server_ecpoint,
-			SSL3Random *client_rand, SSL3Random *server_rand,
-			SSL3Hashes *hashes, PRBool bypassPKCS11)
+                        SECItem ec_params, SECItem server_ecpoint,
+                        SSL3Random *client_rand, SSL3Random *server_rand,
+                        SSL3Hashes *hashes, PRBool bypassPKCS11)
 {
     PRUint8     * hashBuf;
     PRUint8     * pBuf;
-    SECStatus     rv 		= SECSuccess;
+    SECStatus     rv            = SECSuccess;
     unsigned int  bufLen;
     /*
      * XXX For now, we only support named curves (the appropriate
      * checks are made before this method is called) so ec_params
      * takes up only two bytes. ECPoint needs to fit in 256 bytes
      * (because the spec says the length must fit in one byte)
      */
     PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 1 + 256];
 
     bufLen = 2*SSL3_RANDOM_LENGTH + ec_params.len + 1 + server_ecpoint.len;
     if (bufLen <= sizeof buf) {
-    	hashBuf = buf;
+        hashBuf = buf;
     } else {
-    	hashBuf = PORT_Alloc(bufLen);
-	if (!hashBuf) {
-	    return SECFailure;
-	}
+        hashBuf = PORT_Alloc(bufLen);
+        if (!hashBuf) {
+            return SECFailure;
+        }
     }
 
-    memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH); 
-    	pBuf = hashBuf + SSL3_RANDOM_LENGTH;
+    memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
+        pBuf = hashBuf + SSL3_RANDOM_LENGTH;
     memcpy(pBuf, server_rand, SSL3_RANDOM_LENGTH);
-    	pBuf += SSL3_RANDOM_LENGTH;
+        pBuf += SSL3_RANDOM_LENGTH;
     memcpy(pBuf, ec_params.data, ec_params.len);
-    	pBuf += ec_params.len;
+        pBuf += ec_params.len;
     pBuf[0] = (PRUint8)(server_ecpoint.len);
     pBuf += 1;
     memcpy(pBuf, server_ecpoint.data, server_ecpoint.len);
-    	pBuf += server_ecpoint.len;
+        pBuf += server_ecpoint.len;
     PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
 
     rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
-				   bypassPKCS11);
+                                   bypassPKCS11);
 
     PRINT_BUF(95, (NULL, "ECDHkey hash: ", hashBuf, bufLen));
     PRINT_BUF(95, (NULL, "ECDHkey hash: MD5 result",
-	      hashes->u.s.md5, MD5_LENGTH));
+              hashes->u.s.md5, MD5_LENGTH));
     PRINT_BUF(95, (NULL, "ECDHkey hash: SHA1 result",
-	      hashes->u.s.sha, SHA1_LENGTH));
+              hashes->u.s.sha, SHA1_LENGTH));
 
     if (hashBuf != buf)
-    	PORT_Free(hashBuf);
+        PORT_Free(hashBuf);
     return rv;
 }
 
 
 /* Called from ssl3_SendClientKeyExchange(). */
 SECStatus
 ssl3_SendECDHClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey)
 {
-    PK11SymKey *	pms 		= NULL;
-    SECStatus           rv    		= SECFailure;
+    PK11SymKey *        pms             = NULL;
+    SECStatus           rv              = SECFailure;
     PRBool              isTLS, isTLS12;
-    CK_MECHANISM_TYPE	target;
-    SECKEYPublicKey	*pubKey = NULL;		/* Ephemeral ECDH key */
-    SECKEYPrivateKey	*privKey = NULL;	/* Ephemeral ECDH key */
+    CK_MECHANISM_TYPE   target;
+    SECKEYPublicKey     *pubKey = NULL;         /* Ephemeral ECDH key */
+    SECKEYPrivateKey    *privKey = NULL;        /* Ephemeral ECDH key */
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
 
     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
     isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
 
     /* Generate ephemeral EC keypair */
     if (svrPubKey->keyType != ecKey) {
-	PORT_SetError(SEC_ERROR_BAD_KEY);
-	goto loser;
+        PORT_SetError(SEC_ERROR_BAD_KEY);
+        goto loser;
     }
     /* XXX SHOULD CALL ssl3_CreateECDHEphemeralKeys here, instead! */
-    privKey = SECKEY_CreateECPrivateKey(&svrPubKey->u.ec.DEREncodedParams, 
-	                                &pubKey, ss->pkcs11PinArg);
+    privKey = SECKEY_CreateECPrivateKey(&svrPubKey->u.ec.DEREncodedParams,
+                                        &pubKey, ss->pkcs11PinArg);
     if (!privKey || !pubKey) {
-	    ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
-	    rv = SECFailure;
-	    goto loser;
+            ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
+            rv = SECFailure;
+            goto loser;
     }
     PRINT_BUF(50, (ss, "ECDH public value:",
-					pubKey->u.ec.publicValue.data,
-					pubKey->u.ec.publicValue.len));
+                                        pubKey->u.ec.publicValue.data,
+                                        pubKey->u.ec.publicValue.len));
 
     if (isTLS12) {
-	target = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
+        target = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
     } else if (isTLS) {
-	target = CKM_TLS_MASTER_KEY_DERIVE_DH;
+        target = CKM_TLS_MASTER_KEY_DERIVE_DH;
     } else {
-	target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
+        target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
     }
 
     /*  Determine the PMS */
     pms = PK11_PubDeriveWithKDF(privKey, svrPubKey, PR_FALSE, NULL, NULL,
-			    CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
-			    CKD_NULL, NULL, NULL);
+                            CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
+                            CKD_NULL, NULL, NULL);
 
     if (pms == NULL) {
-	SSL3AlertDescription desc  = illegal_parameter;
-	(void)SSL3_SendAlert(ss, alert_fatal, desc);
-	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-	goto loser;
+        SSL3AlertDescription desc  = illegal_parameter;
+        (void)SSL3_SendAlert(ss, alert_fatal, desc);
+        ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+        goto loser;
     }
 
     SECKEY_DestroyPrivateKey(privKey);
     privKey = NULL;
 
     rv = ssl3_InitPendingCipherSpec(ss,  pms);
     PK11_FreeSymKey(pms); pms = NULL;
 
     if (rv != SECSuccess) {
-	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-	goto loser;
+        ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+        goto loser;
     }
 
-    rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 
-					pubKey->u.ec.publicValue.len + 1);
+    rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange,
+                                        pubKey->u.ec.publicValue.len + 1);
     if (rv != SECSuccess) {
-        goto loser;	/* err set by ssl3_AppendHandshake* */
+        goto loser;     /* err set by ssl3_AppendHandshake* */
     }
 
-    rv = ssl3_AppendHandshakeVariable(ss, 
-					pubKey->u.ec.publicValue.data,
-					pubKey->u.ec.publicValue.len, 1);
+    rv = ssl3_AppendHandshakeVariable(ss,
+                                        pubKey->u.ec.publicValue.data,
+                                        pubKey->u.ec.publicValue.len, 1);
     SECKEY_DestroyPublicKey(pubKey);
     pubKey = NULL;
 
     if (rv != SECSuccess) {
-        goto loser;	/* err set by ssl3_AppendHandshake* */
+        goto loser;     /* err set by ssl3_AppendHandshake* */
     }
 
     rv = SECSuccess;
 
 loser:
     if(pms) PK11_FreeSymKey(pms);
     if(privKey) SECKEY_DestroyPrivateKey(privKey);
     if(pubKey) SECKEY_DestroyPublicKey(pubKey);
@@ -352,84 +352,84 @@ loser:
 }
 
 
 /*
 ** Called from ssl3_HandleClientKeyExchange()
 */
 SECStatus
 ssl3_HandleECDHClientKeyExchange(sslSocket *ss, SSL3Opaque *b,
-				     PRUint32 length,
+                                     PRUint32 length,
                                      SECKEYPublicKey *srvrPubKey,
                                      SECKEYPrivateKey *srvrPrivKey)
 {
     PK11SymKey *      pms;
     SECStatus         rv;
     SECKEYPublicKey   clntPubKey;
-    CK_MECHANISM_TYPE	target;
+    CK_MECHANISM_TYPE   target;
     PRBool isTLS, isTLS12;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     clntPubKey.keyType = ecKey;
-    clntPubKey.u.ec.DEREncodedParams.len = 
-	srvrPubKey->u.ec.DEREncodedParams.len;
-    clntPubKey.u.ec.DEREncodedParams.data = 
-	srvrPubKey->u.ec.DEREncodedParams.data;
+    clntPubKey.u.ec.DEREncodedParams.len =
+        srvrPubKey->u.ec.DEREncodedParams.len;
+    clntPubKey.u.ec.DEREncodedParams.data =
+        srvrPubKey->u.ec.DEREncodedParams.data;
 
-    rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue, 
-	                               1, &b, &length);
+    rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue,
+                                       1, &b, &length);
     if (rv != SECSuccess) {
-	SEND_ALERT
-	return SECFailure;	/* XXX Who sets the error code?? */
+        SEND_ALERT
+        return SECFailure;      /* XXX Who sets the error code?? */
     }
 
     isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
     isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
 
     if (isTLS12) {
-	target = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
+        target = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
     } else if (isTLS) {
-	target = CKM_TLS_MASTER_KEY_DERIVE_DH;
+        target = CKM_TLS_MASTER_KEY_DERIVE_DH;
     } else {
-	target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
+        target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
     }
 
     /*  Determine the PMS */
     pms = PK11_PubDeriveWithKDF(srvrPrivKey, &clntPubKey, PR_FALSE, NULL, NULL,
-			    CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
-			    CKD_NULL, NULL, NULL);
+                            CKM_ECDH1_DERIVE, target, CKA_DERIVE, 0,
+                            CKD_NULL, NULL, NULL);
 
     if (pms == NULL) {
-	/* last gasp.  */
-	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-	return SECFailure;
+        /* last gasp.  */
+        ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+        return SECFailure;
     }
 
     rv = ssl3_InitPendingCipherSpec(ss,  pms);
     PK11_FreeSymKey(pms);
     if (rv != SECSuccess) {
-	SEND_ALERT
-	return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
+        SEND_ALERT
+        return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
     }
     return SECSuccess;
 }
 
 ECName
 ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits)
 {
     int    i;
-    
+
     for ( i = 0; bits2curve[i].curve != ec_noName; i++) {
-	if (bits2curve[i].bits < requiredECCbits)
-	    continue;
-    	if (SSL_IS_CURVE_NEGOTIATED(curvemsk, bits2curve[i].curve)) {
-	    return bits2curve[i].curve;
-	}
+        if (bits2curve[i].bits < requiredECCbits)
+            continue;
+        if (SSL_IS_CURVE_NEGOTIATED(curvemsk, bits2curve[i].curve)) {
+            return bits2curve[i].curve;
+        }
     }
     PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
     return ec_noName;
 }
 
 /* find the "weakest link".  Get strength of signature key and of sym key.
  * choose curve for the weakest of those two.
  */
@@ -437,110 +437,110 @@ ECName
 ssl3_GetCurveNameForServerSocket(sslSocket *ss)
 {
     SECKEYPublicKey * svrPublicKey = NULL;
     ECName ec_curve = ec_noName;
     int    signatureKeyStrength = 521;
     int    requiredECCbits = ss->sec.secretKeyBits * 2;
 
     if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa) {
-	svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_ecdh);
-	if (svrPublicKey)
-	    ec_curve = params2ecName(&svrPublicKey->u.ec.DEREncodedParams);
-	if (!SSL_IS_CURVE_NEGOTIATED(ss->ssl3.hs.negotiatedECCurves, ec_curve)) {
-	    PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
-	    return ec_noName;
-	}
-	signatureKeyStrength = curve2bits[ ec_curve ];
+        svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_ecdh);
+        if (svrPublicKey)
+            ec_curve = params2ecName(&svrPublicKey->u.ec.DEREncodedParams);
+        if (!SSL_IS_CURVE_NEGOTIATED(ss->ssl3.hs.negotiatedECCurves, ec_curve)) {
+            PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+            return ec_noName;
+        }
+        signatureKeyStrength = curve2bits[ ec_curve ];
     } else {
         /* RSA is our signing cert */
         int serverKeyStrengthInBits;
- 
+
         svrPublicKey = SSL_GET_SERVER_PUBLIC_KEY(ss, kt_rsa);
         if (!svrPublicKey) {
             PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
             return ec_noName;
         }
- 
+
         /* currently strength in bytes */
         serverKeyStrengthInBits = svrPublicKey->u.rsa.modulus.len;
         if (svrPublicKey->u.rsa.modulus.data[0] == 0) {
             serverKeyStrengthInBits--;
         }
         /* convert to strength in bits */
         serverKeyStrengthInBits *= BPB;
- 
+
         signatureKeyStrength =
-	    SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits);
+            SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits);
     }
-    if ( requiredECCbits > signatureKeyStrength ) 
+    if ( requiredECCbits > signatureKeyStrength )
          requiredECCbits = signatureKeyStrength;
 
     return ssl3_GetCurveWithECKeyStrength(ss->ssl3.hs.negotiatedECCurves,
-					  requiredECCbits);
+                                          requiredECCbits);
 }
 
 /* function to clear out the lists */
-static SECStatus 
+static SECStatus
 ssl3_ShutdownECDHECurves(void *appData, void *nssData)
 {
     int i;
     ECDHEKeyPair *keyPair = &gECDHEKeyPairs[0];
 
     for (i=0; i < ec_pastLastName; i++, keyPair++) {
-	if (keyPair->pair) {
-	    ssl3_FreeKeyPair(keyPair->pair);
-	}
+        if (keyPair->pair) {
+            ssl3_FreeKeyPair(keyPair->pair);
+        }
     }
     memset(gECDHEKeyPairs, 0, sizeof gECDHEKeyPairs);
     return SECSuccess;
 }
 
 static PRStatus
 ssl3_ECRegister(void)
 {
     SECStatus rv;
     rv = NSS_RegisterShutdown(ssl3_ShutdownECDHECurves, gECDHEKeyPairs);
     if (rv != SECSuccess) {
-	gECDHEKeyPairs[ec_noName].error = PORT_GetError();
+        gECDHEKeyPairs[ec_noName].error = PORT_GetError();
     }
     return (PRStatus)rv;
 }
 
 /* CallOnce function, called once for each named curve. */
-static PRStatus 
+static PRStatus
 ssl3_CreateECDHEphemeralKeyPair(void * arg)
 {
     SECKEYPrivateKey *    privKey  = NULL;
     SECKEYPublicKey *     pubKey   = NULL;
-    ssl3KeyPair *	  keyPair  = NULL;
+    ssl3KeyPair *         keyPair  = NULL;
     ECName                ec_curve = (ECName)arg;
     SECKEYECParams        ecParams = { siBuffer, NULL, 0 };
 
     PORT_Assert(gECDHEKeyPairs[ec_curve].pair == NULL);
 
     /* ok, no one has generated a global key for this curve yet, do so */
     if (ssl3_ECName2Params(NULL, ec_curve, &ecParams) != SECSuccess) {
-	gECDHEKeyPairs[ec_curve].error = PORT_GetError();
-	return PR_FAILURE;
+        gECDHEKeyPairs[ec_curve].error = PORT_GetError();
+        return PR_FAILURE;
     }
 
-    privKey = SECKEY_CreateECPrivateKey(&ecParams, &pubKey, NULL);    
+    privKey = SECKEY_CreateECPrivateKey(&ecParams, &pubKey, NULL);
     SECITEM_FreeItem(&ecParams, PR_FALSE);
 
     if (!privKey || !pubKey || !(keyPair = ssl3_NewKeyPair(privKey, pubKey))) {
-	if (privKey) {
-	    SECKEY_DestroyPrivateKey(privKey);
-	}
-	if (pubKey) {
-	    SECKEY_DestroyPublicKey(pubKey);
-	}
-	ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
-	gECDHEKeyPairs[ec_curve].error = PORT_GetError();
-	return PR_FAILURE;
+        if (privKey) {
+            SECKEY_DestroyPrivateKey(privKey);
+        }
+        if (pubKey) {
+            SECKEY_DestroyPublicKey(pubKey);
+        }
+        ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
+        gECDHEKeyPairs[ec_curve].error = PORT_GetError();
+        return PR_FAILURE;
     }
 
     gECDHEKeyPairs[ec_curve].pair = keyPair;
     return PR_SUCCESS;
 }
 
 /*
  * Creates the ephemeral public and private ECDH keys used by
@@ -549,40 +549,40 @@ ssl3_CreateECDHEphemeralKeyPair(void * a
  * strength as the signing certificate (ECC or RSA).
  * We need an API to specify the curve. This won't be a real
  * issue until we further develop server-side support for ECC
  * cipher suites.
  */
 static SECStatus
 ssl3_CreateECDHEphemeralKeys(sslSocket *ss, ECName ec_curve)
 {
-    ssl3KeyPair *	  keyPair        = NULL;
+    ssl3KeyPair *         keyPair        = NULL;
 
     /* if there's no global key for this curve, make one. */
     if (gECDHEKeyPairs[ec_curve].pair == NULL) {
-	PRStatus status;
+        PRStatus status;
 
-	status = PR_CallOnce(&gECDHEKeyPairs[ec_noName].once, ssl3_ECRegister);
+        status = PR_CallOnce(&gECDHEKeyPairs[ec_noName].once, ssl3_ECRegister);
         if (status != PR_SUCCESS) {
-	    PORT_SetError(gECDHEKeyPairs[ec_noName].error);
-	    return SECFailure;
-    	}
-	status = PR_CallOnceWithArg(&gECDHEKeyPairs[ec_curve].once,
-	                            ssl3_CreateECDHEphemeralKeyPair,
-				    (void *)ec_curve);
+            PORT_SetError(gECDHEKeyPairs[ec_noName].error);
+            return SECFailure;
+        }
+        status = PR_CallOnceWithArg(&gECDHEKeyPairs[ec_curve].once,
+                                    ssl3_CreateECDHEphemeralKeyPair,
+                                    (void *)ec_curve);
         if (status != PR_SUCCESS) {
-	    PORT_SetError(gECDHEKeyPairs[ec_curve].error);
-	    return SECFailure;
-    	}
+            PORT_SetError(gECDHEKeyPairs[ec_curve].error);
+            return SECFailure;
+        }
     }
 
     keyPair = gECDHEKeyPairs[ec_curve].pair;
     PORT_Assert(keyPair != NULL);
-    if (!keyPair) 
-    	return SECFailure;
+    if (!keyPair)
+        return SECFailure;
     ss->ephemeralECDHKeyPair = ssl3_GetKeyPairRef(keyPair);
 
     return SECSuccess;
 }
 
 SECStatus
 ssl3_HandleECDHServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
@@ -607,136 +607,136 @@ ssl3_HandleECDHServerKeyExchange(sslSock
 
     /* XXX This works only for named curves, revisit this when
      * we support generic curves.
      */
     ec_params.len  = sizeof paramBuf;
     ec_params.data = paramBuf;
     rv = ssl3_ConsumeHandshake(ss, ec_params.data, ec_params.len, &b, &length);
     if (rv != SECSuccess) {
-	goto loser;		/* malformed. */
+        goto loser;             /* malformed. */
     }
 
     /* Fail if the curve is not a named curve */
-    if ((ec_params.data[0] != ec_type_named) || 
-	(ec_params.data[1] != 0) ||
-	!supportedCurve(ec_params.data[2])) {
-	    errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
-	    desc = handshake_failure;
-	    goto alert_loser;
+    if ((ec_params.data[0] != ec_type_named) ||
+        (ec_params.data[1] != 0) ||
+        !supportedCurve(ec_params.data[2])) {
+            errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
+            desc = handshake_failure;
+            goto alert_loser;
     }
 
     rv = ssl3_ConsumeHandshakeVariable(ss, &ec_point, 1, &b, &length);
     if (rv != SECSuccess) {
-	goto loser;		/* malformed. */
+        goto loser;             /* malformed. */
     }
     /* Fail if the ec point uses compressed representation */
     if (ec_point.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
-	    errCode = SEC_ERROR_UNSUPPORTED_EC_POINT_FORM;
-	    desc = handshake_failure;
-	    goto alert_loser;
+            errCode = SEC_ERROR_UNSUPPORTED_EC_POINT_FORM;
+            desc = handshake_failure;
+            goto alert_loser;
     }
 
     if (isTLS12) {
-	rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
-						   &sigAndHash);
-	if (rv != SECSuccess) {
-	    goto loser;		/* malformed or unsupported. */
-	}
-	rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
-		&sigAndHash, ss->sec.peerCert);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
+        rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
+                                                   &sigAndHash);
+        if (rv != SECSuccess) {
+            goto loser;         /* malformed or unsupported. */
+        }
+        rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
+                &sigAndHash, ss->sec.peerCert);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
     }
 
     rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
     if (rv != SECSuccess) {
-	goto loser;		/* malformed. */
+        goto loser;             /* malformed. */
     }
 
     if (length != 0) {
-	if (isTLS)
-	    desc = decode_error;
-	goto alert_loser;		/* malformed. */
+        if (isTLS)
+            desc = decode_error;
+        goto alert_loser;               /* malformed. */
     }
 
-    PRINT_BUF(60, (NULL, "Server EC params", ec_params.data, 
-	ec_params.len));
+    PRINT_BUF(60, (NULL, "Server EC params", ec_params.data,
+        ec_params.len));
     PRINT_BUF(60, (NULL, "Server EC point", ec_point.data, ec_point.len));
 
     /* failures after this point are not malformed handshakes. */
     /* TLS: send decrypt_error if signature failed. */
     desc = isTLS ? decrypt_error : handshake_failure;
 
     /*
      *  check to make sure the hash is signed by right guy
      */
     rv = ssl3_ComputeECDHKeyHash(sigAndHash.hashAlg, ec_params, ec_point,
-				 &ss->ssl3.hs.client_random,
-				 &ss->ssl3.hs.server_random, 
-				 &hashes, ss->opt.bypassPKCS11);
+                                 &ss->ssl3.hs.client_random,
+                                 &ss->ssl3.hs.server_random,
+                                 &hashes, ss->opt.bypassPKCS11);
 
     if (rv != SECSuccess) {
-	errCode =
-	    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	goto alert_loser;
+        errCode =
+            ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+        goto alert_loser;
     }
     rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
-				isTLS, ss->pkcs11PinArg);
+                                isTLS, ss->pkcs11PinArg);
     if (rv != SECSuccess)  {
-	errCode =
-	    ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	goto alert_loser;
+        errCode =
+            ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+        goto alert_loser;
     }
 
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if (arena == NULL) {
-	goto no_memory;
+        goto no_memory;
     }
 
     ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
     if (peerKey == NULL) {
-	goto no_memory;
+        goto no_memory;
     }
 
     peerKey->arena                 = arena;
     peerKey->keyType               = ecKey;
 
     /* set up EC parameters in peerKey */
-    if (ssl3_ECName2Params(arena, ec_params.data[2], 
-	    &peerKey->u.ec.DEREncodedParams) != SECSuccess) {
-	/* we should never get here since we already 
-	 * checked that we are dealing with a supported curve
-	 */
-	errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
-	goto alert_loser;
+    if (ssl3_ECName2Params(arena, ec_params.data[2],
+            &peerKey->u.ec.DEREncodedParams) != SECSuccess) {
+        /* we should never get here since we already
+         * checked that we are dealing with a supported curve
+         */
+        errCode = SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
+        goto alert_loser;
     }
 
     /* copy publicValue in peerKey */
     if (SECITEM_CopyItem(arena, &peerKey->u.ec.publicValue,  &ec_point))
     {
-	PORT_FreeArena(arena, PR_FALSE);
-	goto no_memory;
+        PORT_FreeArena(arena, PR_FALSE);
+        goto no_memory;
     }
     peerKey->pkcs11Slot         = NULL;
     peerKey->pkcs11ID           = CK_INVALID_HANDLE;
 
     ss->sec.peerKey = peerKey;
     ss->ssl3.hs.ws = wait_cert_request;
 
     return SECSuccess;
 
 alert_loser:
     (void)SSL3_SendAlert(ss, alert_fatal, desc);
 loser:
     PORT_SetError( errCode );
     return SECFailure;
 
-no_memory:	/* no-memory error has already been set. */
+no_memory:      /* no-memory error has already been set. */
     ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
     return SECFailure;
 }
 
 SECStatus
 ssl3_SendECDHServerKeyExchange(
     sslSocket *ss,
     const SSL3SignatureAndHashAlgorithm *sigAndHash)
@@ -752,114 +752,114 @@ ssl3_SendECDHServerKeyExchange(
     SECItem            ec_params = {siBuffer, NULL, 0};
     unsigned char      paramBuf[3];
     ECName             curve;
     SSL3KEAType        certIndex;
 
     /* Generate ephemeral ECDH key pair and send the public key */
     curve = ssl3_GetCurveNameForServerSocket(ss);
     if (curve == ec_noName) {
-    	goto loser;
+        goto loser;
     }
     rv = ssl3_CreateECDHEphemeralKeys(ss, curve);
     if (rv != SECSuccess) {
-	goto loser; 	/* err set by AppendHandshake. */
-    }	    
+        goto loser;     /* err set by AppendHandshake. */
+    }
     ecdhePub = ss->ephemeralECDHKeyPair->pubKey;
     PORT_Assert(ecdhePub != NULL);
     if (!ecdhePub) {
-	PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	return SECFailure;
-    }	
-    
+        PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+        return SECFailure;
+    }
+
     ec_params.len  = sizeof paramBuf;
     ec_params.data = paramBuf;
     curve = params2ecName(&ecdhePub->u.ec.DEREncodedParams);
     if (curve != ec_noName) {
-	ec_params.data[0] = ec_type_named;
-	ec_params.data[1] = 0x00;
-	ec_params.data[2] = curve;
+        ec_params.data[0] = ec_type_named;
+        ec_params.data[1] = 0x00;
+        ec_params.data[2] = curve;
     } else {
-	PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
-	goto loser;
-    }		
+        PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+        goto loser;
+    }
 
     rv = ssl3_ComputeECDHKeyHash(sigAndHash->hashAlg,
-				 ec_params,
-				 ecdhePub->u.ec.publicValue,
-				 &ss->ssl3.hs.client_random,
-				 &ss->ssl3.hs.server_random,
-				 &hashes, ss->opt.bypassPKCS11);
+                                 ec_params,
+                                 ecdhePub->u.ec.publicValue,
+                                 &ss->ssl3.hs.client_random,
+                                 &ss->ssl3.hs.server_random,
+                                 &hashes, ss->opt.bypassPKCS11);
     if (rv != SECSuccess) {
-	ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	goto loser;
+        ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+        goto loser;
     }
 
     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
     isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
 
-    /* XXX SSLKEAType isn't really a good choice for 
+    /* XXX SSLKEAType isn't really a good choice for
      * indexing certificates but that's all we have
      * for now.
      */
     if (kea_def->kea == kea_ecdhe_rsa)
-	certIndex = kt_rsa;
+        certIndex = kt_rsa;
     else /* kea_def->kea == kea_ecdhe_ecdsa */
-	certIndex = kt_ecdh;
+        certIndex = kt_ecdh;
 
-    rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY, 
-			 &signed_hash, isTLS);
+    rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY,
+                         &signed_hash, isTLS);
     if (rv != SECSuccess) {
-	goto loser;		/* ssl3_SignHashes has set err. */
+        goto loser;             /* ssl3_SignHashes has set err. */
     }
     if (signed_hash.data == NULL) {
-	/* how can this happen and rv == SECSuccess ?? */
-	PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
-	goto loser;
+        /* how can this happen and rv == SECSuccess ?? */
+        PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+        goto loser;
     }
 
-    length = ec_params.len + 
-	     1 + ecdhePub->u.ec.publicValue.len + 
-	     (isTLS12 ? 2 : 0) + 2 + signed_hash.len;
+    length = ec_params.len +
+             1 + ecdhePub->u.ec.publicValue.len +
+             (isTLS12 ? 2 : 0) + 2 + signed_hash.len;
 
     rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
     if (rv != SECSuccess) {
-	goto loser; 	/* err set by AppendHandshake. */
+        goto loser;     /* err set by AppendHandshake. */
     }
 
     rv = ssl3_AppendHandshake(ss, ec_params.data, ec_params.len);
     if (rv != SECSuccess) {
-	goto loser; 	/* err set by AppendHandshake. */
+        goto loser;     /* err set by AppendHandshake. */
     }
 
     rv = ssl3_AppendHandshakeVariable(ss, ecdhePub->u.ec.publicValue.data,
-				      ecdhePub->u.ec.publicValue.len, 1);
+                                      ecdhePub->u.ec.publicValue.len, 1);
     if (rv != SECSuccess) {
-	goto loser; 	/* err set by AppendHandshake. */
+        goto loser;     /* err set by AppendHandshake. */
     }
 
     if (isTLS12) {
-	rv = ssl3_AppendSignatureAndHashAlgorithm(ss, sigAndHash);
-	if (rv != SECSuccess) {
-	    goto loser; 	/* err set by AppendHandshake. */
-	}
+        rv = ssl3_AppendSignatureAndHashAlgorithm(ss, sigAndHash);
+        if (rv != SECSuccess) {
+            goto loser;         /* err set by AppendHandshake. */
+        }
     }
 
     rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
-				      signed_hash.len, 2);
+                                      signed_hash.len, 2);
     if (rv != SECSuccess) {
-	goto loser; 	/* err set by AppendHandshake. */
+        goto loser;     /* err set by AppendHandshake. */
     }
 
     PORT_Free(signed_hash.data);
     return SECSuccess;
 
 loser:
-    if (signed_hash.data != NULL) 
-    	PORT_Free(signed_hash.data);
+    if (signed_hash.data != NULL)
+        PORT_Free(signed_hash.data);
     return SECFailure;
 }
 
 /* Lists of ECC cipher suites for searching and disabling. */
 
 static const ssl3CipherSuite ecdh_suites[] = {
     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
@@ -943,122 +943,122 @@ static const ssl3CipherSuite ecSuites[] 
     0 /* end of list marker */
 };
 
 /* On this socket, Disable the ECC cipher suites in the argument's list */
 SECStatus
 ssl3_DisableECCSuites(sslSocket * ss, const ssl3CipherSuite * suite)
 {
     if (!suite)
-    	suite = ecSuites;
+        suite = ecSuites;
     for (; *suite; ++suite) {
-	SECStatus rv      = ssl3_CipherPrefSet(ss, *suite, PR_FALSE);
+        SECStatus rv      = ssl3_CipherPrefSet(ss, *suite, PR_FALSE);
 
-	PORT_Assert(rv == SECSuccess); /* else is coding error */
+        PORT_Assert(rv == SECSuccess); /* else is coding error */
     }
     return SECSuccess;
 }
 
 /* Look at the server certs configured on this socket, and disable any
  * ECC cipher suites that are not supported by those certs.
  */
 void
 ssl3_FilterECCipherSuitesByServerCerts(sslSocket * ss)
 {
     CERTCertificate * svrCert;
 
     svrCert = ss->serverCerts[kt_rsa].serverCert;
     if (!svrCert) {
-	ssl3_DisableECCSuites(ss, ecdhe_rsa_suites);
+        ssl3_DisableECCSuites(ss, ecdhe_rsa_suites);
     }
 
     svrCert = ss->serverCerts[kt_ecdh].serverCert;
     if (!svrCert) {
-	ssl3_DisableECCSuites(ss, ecdh_suites);
-	ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites);
+        ssl3_DisableECCSuites(ss, ecdh_suites);
+        ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites);
     } else {
-	SECOidTag sigTag = SECOID_GetAlgorithmTag(&svrCert->signature);
+        SECOidTag sigTag = SECOID_GetAlgorithmTag(&svrCert->signature);
 
-	switch (sigTag) {
-	case SEC_OID_PKCS1_RSA_ENCRYPTION:
-	case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
-	case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
-	case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
-	case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
-	case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
-	case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
-	case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
-	case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
-	    ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites);
-	    break;
-	case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
-	case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
-	case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
-	case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
-	case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
-	case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST:
-	case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
-	    ssl3_DisableECCSuites(ss, ecdh_rsa_suites);
-	    break;
-	default:
-	    ssl3_DisableECCSuites(ss, ecdh_suites);
-	    break;
-	}
+        switch (sigTag) {
+        case SEC_OID_PKCS1_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
+            ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites);
+            break;
+        case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
+        case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
+        case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
+        case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
+        case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
+        case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST:
+        case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
+            ssl3_DisableECCSuites(ss, ecdh_rsa_suites);
+            break;
+        default:
+            ssl3_DisableECCSuites(ss, ecdh_suites);
+            break;
+        }
     }
 }
 
 /* Ask: is ANY ECC cipher suite enabled on this socket? */
 /* Order(N^2).  Yuk.  Also, this ignores export policy. */
 PRBool
 ssl3_IsECCEnabled(sslSocket * ss)
 {
     const ssl3CipherSuite * suite;
     PK11SlotInfo *slot;
 
     /* make sure we can do ECC */
     slot = PK11_GetBestSlot(CKM_ECDH1_DERIVE,  ss->pkcs11PinArg);
     if (!slot) {
-	return PR_FALSE;
+        return PR_FALSE;
     }
     PK11_FreeSlot(slot);
 
     /* make sure an ECC cipher is enabled */
     for (suite = ecSuites; *suite; ++suite) {
-	PRBool    enabled = PR_FALSE;
-	SECStatus rv      = ssl3_CipherPrefGet(ss, *suite, &enabled);
+        PRBool    enabled = PR_FALSE;
+        SECStatus rv      = ssl3_CipherPrefGet(ss, *suite, &enabled);
 
-	PORT_Assert(rv == SECSuccess); /* else is coding error */
-	if (rv == SECSuccess && enabled)
-	    return PR_TRUE;
+        PORT_Assert(rv == SECSuccess); /* else is coding error */
+        if (rv == SECSuccess && enabled)
+            return PR_TRUE;
     }
     return PR_FALSE;
 }
 
 #define BE(n) 0, n
 
 /* Prefabricated TLS client hello extension, Elliptic Curves List,
- * offers only 3 curves, the Suite B curves, 23-25 
+ * offers only 3 curves, the Suite B curves, 23-25
  */
 static const PRUint8 suiteBECList[12] = {
     BE(10),         /* Extension type */
     BE( 8),         /* octets that follow ( 3 pairs + 1 length pair) */
     BE( 6),         /* octets that follow ( 3 pairs) */
     BE(23), BE(24), BE(25)
 };
 
 /* Prefabricated TLS client hello extension, Elliptic Curves List,
  * offers curves 1-25.
  */
 static const PRUint8 tlsECList[56] = {
     BE(10),         /* Extension type */
     BE(52),         /* octets that follow (25 pairs + 1 length pair) */
     BE(50),         /* octets that follow (25 pairs) */
-            BE( 1), BE( 2), BE( 3), BE( 4), BE( 5), BE( 6), BE( 7), 
-    BE( 8), BE( 9), BE(10), BE(11), BE(12), BE(13), BE(14), BE(15), 
-    BE(16), BE(17), BE(18), BE(19), BE(20), BE(21), BE(22), BE(23), 
+            BE( 1), BE( 2), BE( 3), BE( 4), BE( 5), BE( 6), BE( 7),
+    BE( 8), BE( 9), BE(10), BE(11), BE(12), BE(13), BE(14), BE(15),
+    BE(16), BE(17), BE(18), BE(19), BE(20), BE(21), BE(22), BE(23),
     BE(24), BE(25)
 };
 
 static const PRUint8 ecPtFmt[6] = {
     BE(11),         /* Extension type */
     BE( 2),         /* octets that follow */
              1,     /* octets that follow */
                  0  /* uncompressed type only */
@@ -1071,187 +1071,187 @@ static const PRUint8 ecPtFmt[6] = {
  * presume the token that allowed ECC to be enabled can only do suite B
  * curves. */
 static PRBool
 ssl3_SuiteBOnly(sslSocket *ss)
 {
     /* See if we can support small curves (like 163). If not, assume we can
      * only support Suite-B curves (P-256, P-384, P-521). */
     PK11SlotInfo *slot =
-	PK11_GetBestSlotWithAttributes(CKM_ECDH1_DERIVE, 0, 163,
-				       ss ? ss->pkcs11PinArg : NULL);
+        PK11_GetBestSlotWithAttributes(CKM_ECDH1_DERIVE, 0, 163,
+                                       ss ? ss->pkcs11PinArg : NULL);
 
     if (!slot) {
-	/* nope, presume we can only do suite B */
-	return PR_TRUE;
+        /* nope, presume we can only do suite B */
+        return PR_TRUE;
     }
     /* we can, presume we can do all curves */
     PK11_FreeSlot(slot);
     return PR_FALSE;
 }
 
 /* Send our "canned" (precompiled) Supported Elliptic Curves extension,
  * which says that we support all TLS-defined named curves.
  */
 PRInt32
 ssl3_SendSupportedCurvesXtn(
-			sslSocket * ss,
-			PRBool      append,
-			PRUint32    maxBytes)
+                        sslSocket * ss,
+                        PRBool      append,
+                        PRUint32    maxBytes)
 {
     PRInt32 ecListSize = 0;
     const PRUint8 *ecList = NULL;
 
     if (!ss || !ssl3_IsECCEnabled(ss))
-    	return 0;
+        return 0;
 
     if (ssl3_SuiteBOnly(ss)) {
-	ecListSize = sizeof suiteBECList;
-	ecList = suiteBECList;
+        ecListSize = sizeof suiteBECList;
+        ecList = suiteBECList;
     } else {
-	ecListSize = sizeof tlsECList;
-	ecList = tlsECList;
+        ecListSize = sizeof tlsECList;
+        ecList = tlsECList;
     }
- 
+
     if (append && maxBytes >= ecListSize) {
-	SECStatus rv = ssl3_AppendHandshake(ss, ecList, ecListSize);
-	if (rv != SECSuccess)
-	    return -1;
-	if (!ss->sec.isServer) {
-	    TLSExtensionData *xtnData = &ss->xtnData;
-	    xtnData->advertised[xtnData->numAdvertised++] =
-		ssl_elliptic_curves_xtn;
-	}
+        SECStatus rv = ssl3_AppendHandshake(ss, ecList, ecListSize);
+        if (rv != SECSuccess)
+            return -1;
+        if (!ss->sec.isServer) {
+            TLSExtensionData *xtnData = &ss->xtnData;
+            xtnData->advertised[xtnData->numAdvertised++] =
+                ssl_elliptic_curves_xtn;
+        }
     }
     return ecListSize;
 }
 
 PRUint32
 ssl3_GetSupportedECCurveMask(sslSocket *ss)
 {
     if (ssl3_SuiteBOnly(ss)) {
-	return SSL3_SUITE_B_SUPPORTED_CURVES_MASK;
+        return SSL3_SUITE_B_SUPPORTED_CURVES_MASK;
     }
     return SSL3_ALL_SUPPORTED_CURVES_MASK;
 }
 
 /* Send our "canned" (precompiled) Supported Point Formats extension,
  * which says that we only support uncompressed points.
  */
 PRInt32
 ssl3_SendSupportedPointFormatsXtn(
-			sslSocket * ss,
-			PRBool      append,
-			PRUint32    maxBytes)
+                        sslSocket * ss,
+                        PRBool      append,
+                        PRUint32    maxBytes)
 {
     if (!ss || !ssl3_IsECCEnabled(ss))
-    	return 0;
+        return 0;
     if (append && maxBytes >= (sizeof ecPtFmt)) {
-	SECStatus rv = ssl3_AppendHandshake(ss, ecPtFmt, (sizeof ecPtFmt));
-	if (rv != SECSuccess)
-	    return -1;
-	if (!ss->sec.isServer) {
-	    TLSExtensionData *xtnData = &ss->xtnData;
-	    xtnData->advertised[xtnData->numAdvertised++] =
-		ssl_ec_point_formats_xtn;
-	}
+        SECStatus rv = ssl3_AppendHandshake(ss, ecPtFmt, (sizeof ecPtFmt));
+        if (rv != SECSuccess)
+            return -1;
+        if (!ss->sec.isServer) {
+            TLSExtensionData *xtnData = &ss->xtnData;
+            xtnData->advertised[xtnData->numAdvertised++] =
+                ssl_ec_point_formats_xtn;
+        }
     }
     return (sizeof ecPtFmt);
 }
 
 /* Just make sure that the remote client supports uncompressed points,
  * Since that is all we support.  Disable ECC cipher suites if it doesn't.
  */
 SECStatus
 ssl3_HandleSupportedPointFormatsXtn(sslSocket *ss, PRUint16 ex_type,
                                     SECItem *data)
 {
     int i;
 
     if (data->len < 2 || data->len > 255 || !data->data ||
         data->len != (unsigned int)data->data[0] + 1) {
-    	/* malformed */
-	goto loser;
+        /* malformed */
+        goto loser;
     }
     for (i = data->len; --i > 0; ) {
-    	if (data->data[i] == 0) {
-	    /* indicate that we should send a reply */
-	    SECStatus rv;
-	    rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
-			      &ssl3_SendSupportedPointFormatsXtn);
-	    return rv;
-	}
+        if (data->data[i] == 0) {
+            /* indicate that we should send a reply */
+            SECStatus rv;
+            rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
+                              &ssl3_SendSupportedPointFormatsXtn);
+            return rv;
+        }
     }
 loser:
     /* evil client doesn't support uncompressed */
     ssl3_DisableECCSuites(ss, ecSuites);
     return SECFailure;
 }
 
 
 #define SSL3_GET_SERVER_PUBLICKEY(sock, type) \
     (ss->serverCerts[type].serverKeyPair ? \
     ss->serverCerts[type].serverKeyPair->pubKey : NULL)
 
 /* Extract the TLS curve name for the public key in our EC server cert. */
-ECName ssl3_GetSvrCertCurveName(sslSocket *ss) 
+ECName ssl3_GetSvrCertCurveName(sslSocket *ss)
 {
-    SECKEYPublicKey       *srvPublicKey; 
-    ECName		  ec_curve       = ec_noName;
+    SECKEYPublicKey       *srvPublicKey;
+    ECName                ec_curve       = ec_noName;
 
     srvPublicKey = SSL3_GET_SERVER_PUBLICKEY(ss, kt_ecdh);
     if (srvPublicKey) {
-	ec_curve = params2ecName(&srvPublicKey->u.ec.DEREncodedParams);
+        ec_curve = params2ecName(&srvPublicKey->u.ec.DEREncodedParams);
     }
     return ec_curve;
 }
 
 /* Ensure that the curve in our server cert is one of the ones suppored
  * by the remote client, and disable all ECC cipher suites if not.
  */
 SECStatus
 ssl3_HandleSupportedCurvesXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
 {
     PRInt32  list_len;
     PRUint32 peerCurves   = 0;
     PRUint32 mutualCurves = 0;
     PRUint16 svrCertCurveName;
 
     if (!data->data || data->len < 4 || data->len > 65535)
-    	goto loser;
+        goto loser;
     /* get the length of elliptic_curve_list */
     list_len = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
     if (list_len < 0 || data->len != list_len || (data->len % 2) != 0) {
-    	/* malformed */
-	goto loser;
+        /* malformed */
+        goto loser;
     }
     /* build bit vector of peer's supported curve names */
     while (data->len) {
-	PRInt32  curve_name = 
-		 ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
-	if (curve_name > ec_noName && curve_name < ec_pastLastName) {
-	    peerCurves |= (1U << curve_name);
-	}
+        PRInt32  curve_name =
+                 ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
+        if (curve_name > ec_noName && curve_name < ec_pastLastName) {
+            peerCurves |= (1U << curve_name);
+        }
     }
     /* What curves do we support in common? */
     mutualCurves = ss->ssl3.hs.negotiatedECCurves &= peerCurves;
     if (!mutualCurves) { /* no mutually supported EC Curves */
-    	goto loser;
+        goto loser;
     }
 
-    /* if our ECC cert doesn't use one of these supported curves, 
-     * disable ECC cipher suites that require an ECC cert. 
+    /* if our ECC cert doesn't use one of these supported curves,
+     * disable ECC cipher suites that require an ECC cert.
      */
     svrCertCurveName = ssl3_GetSvrCertCurveName(ss);
     if (svrCertCurveName != ec_noName &&
         (mutualCurves & (1U << svrCertCurveName)) != 0) {
-	return SECSuccess;
+        return SECSuccess;
     }
     /* Our EC cert doesn't contain a mutually supported curve.
-     * Disable all ECC cipher suites that require an EC cert 
+     * Disable all ECC cipher suites that require an EC cert
      */
     ssl3_DisableECCSuites(ss, ecdh_ecdsa_suites);
     ssl3_DisableECCSuites(ss, ecdhe_ecdsa_suites);
     return SECFailure;
 
 loser:
     /* no common curve supported */
     ssl3_DisableECCSuites(ss, ecSuites);
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -43,28 +43,28 @@ static SECStatus ssl3_GetSessionTicketKe
     PK11SymKey **aes_key, PK11SymKey **mac_key);
 #ifndef NO_PKCS11_BYPASS
 static SECStatus ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
     PRUint32 *aes_key_length, const unsigned char **mac_key,
     PRUint32 *mac_key_length);
 #endif
 static PRInt32 ssl3_SendRenegotiationInfoXtn(sslSocket * ss,
     PRBool append, PRUint32 maxBytes);
-static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, 
+static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss,
     PRUint16 ex_type, SECItem *data);
 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
-			PRUint16 ex_type, SECItem *data);
+                        PRUint16 ex_type, SECItem *data);
 static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss,
-			PRUint16 ex_type, SECItem *data);
+                        PRUint16 ex_type, SECItem *data);
 static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
-			PRUint16 ex_type, SECItem *data);
+                        PRUint16 ex_type, SECItem *data);
 static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append,
-					  PRUint32 maxBytes);
+                                          PRUint32 maxBytes);
 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
-					       PRUint32 maxBytes);
+                                               PRUint32 maxBytes);
 static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append,
     PRUint32 maxBytes);
 static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type,
     SECItem *data);
 static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
     PRBool append, PRUint32 maxBytes);
 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss,
     PRUint16 ex_type, SECItem *data);
@@ -82,17 +82,17 @@ static SECStatus ssl3_ServerHandleSigAlg
  * Write bytes.  Using this function means the SECItem structure
  * cannot be freed.  The caller is expected to call this function
  * on a shallow copy of the structure.
  */
 static SECStatus
 ssl3_AppendToItem(SECItem *item, const unsigned char *buf, PRUint32 bytes)
 {
     if (bytes > item->len)
-	return SECFailure;
+        return SECFailure;
 
     PORT_Memcpy(item->data, buf, bytes);
     item->data += bytes;
     item->len -= bytes;
     return SECSuccess;
 }
 
 /*
@@ -104,120 +104,120 @@ static SECStatus
 ssl3_AppendNumberToItem(SECItem *item, PRUint32 num, PRInt32 lenSize)
 {
     SECStatus rv;
     PRUint8   b[4];
     PRUint8 * p = b;
 
     switch (lenSize) {
     case 4:
-	*p++ = (PRUint8) (num >> 24);
+        *p++ = (PRUint8) (num >> 24);
     case 3:
-	*p++ = (PRUint8) (num >> 16);
+        *p++ = (PRUint8) (num >> 16);
     case 2:
-	*p++ = (PRUint8) (num >> 8);
+        *p++ = (PRUint8) (num >> 8);
     case 1:
-	*p = (PRUint8) num;
+        *p = (PRUint8) num;
     }
     rv = ssl3_AppendToItem(item, &b[0], lenSize);
     return rv;
 }
 
 static SECStatus ssl3_SessionTicketShutdown(void* appData, void* nssData)
 {
     if (session_ticket_enc_key_pkcs11) {
-	PK11_FreeSymKey(session_ticket_enc_key_pkcs11);
-	session_ticket_enc_key_pkcs11 = NULL;
+        PK11_FreeSymKey(session_ticket_enc_key_pkcs11);
+        session_ticket_enc_key_pkcs11 = NULL;
     }
     if (session_ticket_mac_key_pkcs11) {
-	PK11_FreeSymKey(session_ticket_mac_key_pkcs11);
-	session_ticket_mac_key_pkcs11 = NULL;
+        PK11_FreeSymKey(session_ticket_mac_key_pkcs11);
+        session_ticket_mac_key_pkcs11 = NULL;
     }
     PORT_Memset(&generate_session_keys_once, 0,
-	sizeof(generate_session_keys_once));
+        sizeof(generate_session_keys_once));
     return SECSuccess;
 }
 
 
 static PRStatus
 ssl3_GenerateSessionTicketKeysPKCS11(void *data)
 {
     SECStatus rv;
     sslSocket *ss = (sslSocket *)data;
     SECKEYPrivateKey *svrPrivKey = ss->serverCerts[kt_rsa].SERVERKEY;
     SECKEYPublicKey *svrPubKey = ss->serverCerts[kt_rsa].serverKeyPair->pubKey;
 
     if (svrPrivKey == NULL || svrPubKey == NULL) {
-	SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
-			SSL_GETPID(), ss->fd));
-	goto loser;
+        SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
+                        SSL_GETPID(), ss->fd));
+        goto loser;
     }
 
     /* Get a copy of the session keys from shared memory. */
     PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
-	sizeof(SESS_TICKET_KEY_NAME_PREFIX));
+        sizeof(SESS_TICKET_KEY_NAME_PREFIX));
     if (!ssl_GetSessionTicketKeysPKCS11(svrPrivKey, svrPubKey,
-	    ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
-	    &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11))
-	return PR_FAILURE;
+            ss->pkcs11PinArg, &key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
+            &session_ticket_enc_key_pkcs11, &session_ticket_mac_key_pkcs11))
+        return PR_FAILURE;
 
     rv = NSS_RegisterShutdown(ssl3_SessionTicketShutdown, NULL);
     if (rv != SECSuccess)
-	goto loser;
+        goto loser;
 
     return PR_SUCCESS;
 
 loser:
     ssl3_SessionTicketShutdown(NULL, NULL);
     return PR_FAILURE;
 }
 
 static SECStatus
 ssl3_GetSessionTicketKeysPKCS11(sslSocket *ss, PK11SymKey **aes_key,
                                 PK11SymKey **mac_key)
 {
     if (PR_CallOnceWithArg(&generate_session_keys_once,
-	    ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS)
-	return SECFailure;
+            ssl3_GenerateSessionTicketKeysPKCS11, ss) != PR_SUCCESS)
+        return SECFailure;
 
     if (session_ticket_enc_key_pkcs11 == NULL ||
-	session_ticket_mac_key_pkcs11 == NULL)
-	return SECFailure;
+        session_ticket_mac_key_pkcs11 == NULL)
+        return SECFailure;
 
     *aes_key = session_ticket_enc_key_pkcs11;
     *mac_key = session_ticket_mac_key_pkcs11;
     return SECSuccess;
 }
 
 #ifndef NO_PKCS11_BYPASS
 static PRStatus
 ssl3_GenerateSessionTicketKeys(void)
 {
     PORT_Memcpy(key_name, SESS_TICKET_KEY_NAME_PREFIX,
-	sizeof(SESS_TICKET_KEY_NAME_PREFIX));
+        sizeof(SESS_TICKET_KEY_NAME_PREFIX));
 
     if (!ssl_GetSessionTicketKeys(&key_name[SESS_TICKET_KEY_NAME_PREFIX_LEN],
-	    session_ticket_enc_key, session_ticket_mac_key))
-	return PR_FAILURE;
+            session_ticket_enc_key, session_ticket_mac_key))
+        return PR_FAILURE;
 
     session_ticket_keys_initialized = PR_TRUE;
     return PR_SUCCESS;
 }
 
 static SECStatus
 ssl3_GetSessionTicketKeys(const unsigned char **aes_key,
     PRUint32 *aes_key_length, const unsigned char **mac_key,
     PRUint32 *mac_key_length)
 {
     if (PR_CallOnce(&generate_session_keys_once,
-	    ssl3_GenerateSessionTicketKeys) != PR_SUCCESS)
-	return SECFailure;
+            ssl3_GenerateSessionTicketKeys) != PR_SUCCESS)
+        return SECFailure;
 
     if (!session_ticket_keys_initialized)
-	return SECFailure;
+        return SECFailure;
 
     *aes_key = session_ticket_enc_key;
     *aes_key_length = sizeof(session_ticket_enc_key);
     *mac_key = session_ticket_mac_key;
     *mac_key_length = sizeof(session_ticket_mac_key);
 
     return SECSuccess;
 }
@@ -263,108 +263,108 @@ static const ssl3HelloExtensionHandler s
 };
 
 /* Tables of functions to format TLS hello extensions, one function per
  * extension.
  * These static tables are for the formatting of client hello extensions.
  * The server's table of hello senders is dynamic, in the socket struct,
  * and sender functions are registered there.
  */
-static const 
+static const
 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
     { ssl_server_name_xtn,        &ssl3_SendServerNameXtn        },
     { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
 #ifndef NSS_DISABLE_ECC
     { ssl_elliptic_curves_xtn,    &ssl3_SendSupportedCurvesXtn },
     { ssl_ec_point_formats_xtn,   &ssl3_SendSupportedPointFormatsXtn },
 #endif
     { ssl_session_ticket_xtn,     &ssl3_SendSessionTicketXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ClientSendNextProtoNegoXtn },
     { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn },
     { ssl_use_srtp_xtn,           &ssl3_SendUseSRTPXtn },
     { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn },
     { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
     /* any extra entries will appear as { 0, NULL }    */
 };
 
-static const 
+static const
 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = {
     { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }
     /* any extra entries will appear as { 0, NULL }    */
 };
 
 static PRBool
 arrayContainsExtension(const PRUint16 *array, PRUint32 len, PRUint16 ex_type)
 {
     int i;
     for (i = 0; i < len; i++) {
-	if (ex_type == array[i])
-	    return PR_TRUE;
+        if (ex_type == array[i])
+            return PR_TRUE;
     }
     return PR_FALSE;
 }
 
 PRBool
 ssl3_ExtensionNegotiated(sslSocket *ss, PRUint16 ex_type) {
     TLSExtensionData *xtnData = &ss->xtnData;
     return arrayContainsExtension(xtnData->negotiated,
-	                          xtnData->numNegotiated, ex_type);
+                                  xtnData->numNegotiated, ex_type);
 }
 
 static PRBool
 ssl3_ClientExtensionAdvertised(sslSocket *ss, PRUint16 ex_type) {
     TLSExtensionData *xtnData = &ss->xtnData;
     return arrayContainsExtension(xtnData->advertised,
-	                          xtnData->numAdvertised, ex_type);
+                                  xtnData->numAdvertised, ex_type);
 }
 
 /* Format an SNI extension, using the name from the socket's URL,
  * unless that name is a dotted decimal string.
  * Used by client and server.
  */
 PRInt32
 ssl3_SendServerNameXtn(sslSocket * ss, PRBool append,
                        PRUint32 maxBytes)
 {
     SECStatus rv;
     if (!ss)
-    	return 0;
+        return 0;
     if (!ss->sec.isServer) {
         PRUint32 len;
         PRNetAddr netAddr;
-        
+
         /* must have a hostname */
         if (!ss->url || !ss->url[0])
             return 0;
         /* must not be an IPv4 or IPv6 address */
         if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) {
             /* is an IP address (v4 or v6) */
             return 0;
         }
         len  = PORT_Strlen(ss->url);
         if (append && maxBytes >= len + 9) {
             /* extension_type */
-            rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2); 
+            rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2);
             if (rv != SECSuccess) return -1;
             /* length of extension_data */
-            rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2); 
+            rv = ssl3_AppendHandshakeNumber(ss, len + 5, 2);
             if (rv != SECSuccess) return -1;
             /* length of server_name_list */
             rv = ssl3_AppendHandshakeNumber(ss, len + 3, 2);
             if (rv != SECSuccess) return -1;
             /* Name Type (sni_host_name) */
             rv = ssl3_AppendHandshake(ss,       "\0",    1);
             if (rv != SECSuccess) return -1;
             /* HostName (length and value) */
             rv = ssl3_AppendHandshakeVariable(ss, (PRUint8 *)ss->url, len, 2);
             if (rv != SECSuccess) return -1;
             if (!ss->sec.isServer) {
                 TLSExtensionData *xtnData = &ss->xtnData;
-                xtnData->advertised[xtnData->numAdvertised++] = 
-		    ssl_server_name_xtn;
+                xtnData->advertised[xtnData->numAdvertised++] =
+                    ssl_server_name_xtn;
             }
         }
         return len + 9;
     }
     /* Server side */
     if (append && maxBytes >= 4) {
         rv = ssl3_AppendHandshakeNumber(ss, ssl_server_name_xtn, 2);
         if (rv != SECSuccess)  return -1;
@@ -396,28 +396,28 @@ ssl3_HandleServerNameXtn(sslSocket * ss,
     }
 
     /* Server side - consume client data and register server sender. */
     /* do not parse the data if don't have user extension handling function. */
     if (!ss->sniSocketConfig) {
         return SECSuccess;
     }
     /* length of server_name_list */
-    listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len); 
+    listLenBytes = ssl3_ConsumeHandshakeNumber(ss, 2, &data->data, &data->len);
     if (listLenBytes == 0 || listLenBytes != data->len) {
         return SECFailure;
     }
     ldata = *data;
     /* Calculate the size of the array.*/
     while (listLenBytes > 0) {
         SECItem litem;
         SECStatus rv;
         PRInt32  type;
         /* Name Type (sni_host_name) */
-        type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len); 
+        type = ssl3_ConsumeHandshakeNumber(ss, 1, &ldata.data, &ldata.len);
         if (!ldata.len) {
             return SECFailure;
         }
         rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 2, &ldata.data, &ldata.len);
         if (rv != SECSuccess) {
             return SECFailure;
         }
         /* Adjust total length for cunsumed item, item len and type.*/
@@ -435,17 +435,17 @@ ssl3_HandleServerNameXtn(sslSocket * ss,
         return SECFailure;
     }
     for (i = 0;i < listCount;i++) {
         int j;
         PRInt32  type;
         SECStatus rv;
         PRBool nametypePresent = PR_FALSE;
         /* Name Type (sni_host_name) */
-        type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len); 
+        type = ssl3_ConsumeHandshakeNumber(ss, 1, &data->data, &data->len);
         /* Check if we have such type in the list */
         for (j = 0;j < listCount && names[j].data;j++) {
             if (names[j].type == type) {
                 nametypePresent = PR_TRUE;
                 break;
             }
         }
         /* HostName (length and value) */
@@ -467,109 +467,109 @@ ssl3_HandleServerNameXtn(sslSocket * ss,
     xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn;
 
     return SECSuccess;
 
 loser:
     PORT_Free(names);
     return SECFailure;
 }
-        
+
 /* Called by both clients and servers.
  * Clients sends a filled in session ticket if one is available, and otherwise
  * sends an empty ticket.  Servers always send empty tickets.
  */
 PRInt32
 ssl3_SendSessionTicketXtn(
-			sslSocket * ss,
-			PRBool      append,
-			PRUint32    maxBytes)
+                        sslSocket * ss,
+                        PRBool      append,
+                        PRUint32    maxBytes)
 {
     PRInt32 extension_length;
     NewSessionTicket *session_ticket = NULL;
     sslSessionID *sid = ss->sec.ci.sid;
 
     /* Ignore the SessionTicket extension if processing is disabled. */
     if (!ss->opt.enableSessionTickets)
-	return 0;
+        return 0;
 
     /* Empty extension length = extension_type (2-bytes) +
      * length(extension_data) (2-bytes)
      */
     extension_length = 4;
 
     /* If we are a client then send a session ticket if one is availble.
      * Servers that support the extension and are willing to negotiate the
      * the extension always respond with an empty extension.
      */
     if (!ss->sec.isServer) {
-	/* The caller must be holding sid->u.ssl3.lock for reading. We cannot
-	 * just acquire and release the lock within this function because the
-	 * caller will call this function twice, and we need the inputs to be
-	 * consistent between the two calls. Note that currently the caller
-	 * will only be holding the lock when we are the client and when we're
-	 * attempting to resume an existing session.
-	 */
+        /* The caller must be holding sid->u.ssl3.lock for reading. We cannot
+         * just acquire and release the lock within this function because the
+         * caller will call this function twice, and we need the inputs to be
+         * consistent between the two calls. Note that currently the caller
+         * will only be holding the lock when we are the client and when we're
+         * attempting to resume an existing session.
+         */
 
-	session_ticket = &sid->u.ssl3.locked.sessionTicket;
-	if (session_ticket->ticket.data) {
-	    if (ss->xtnData.ticketTimestampVerified) {
-		extension_length += session_ticket->ticket.len;
-	    } else if (!append &&
-		(session_ticket->ticket_lifetime_hint == 0 ||
-		(session_ticket->ticket_lifetime_hint +
-		    session_ticket->received_timestamp > ssl_Time()))) {
-		extension_length += session_ticket->ticket.len;
-		ss->xtnData.ticketTimestampVerified = PR_TRUE;
-	    }
-	}
+        session_ticket = &sid->u.ssl3.locked.sessionTicket;
+        if (session_ticket->ticket.data) {
+            if (ss->xtnData.ticketTimestampVerified) {
+                extension_length += session_ticket->ticket.len;
+            } else if (!append &&
+                (session_ticket->ticket_lifetime_hint == 0 ||
+                (session_ticket->ticket_lifetime_hint +
+                    session_ticket->received_timestamp > ssl_Time()))) {
+                extension_length += session_ticket->ticket.len;
+                ss->xtnData.ticketTimestampVerified = PR_TRUE;
+            }
+        }
     }
 
     if (append && maxBytes >= extension_length) {
-	SECStatus rv;
-	/* extension_type */
+        SECStatus rv;
+        /* extension_type */
         rv = ssl3_AppendHandshakeNumber(ss, ssl_session_ticket_xtn, 2);
         if (rv != SECSuccess)
-	    goto loser;
-	if (session_ticket && session_ticket->ticket.data &&
-	    ss->xtnData.ticketTimestampVerified) {
-	    rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data,
-		session_ticket->ticket.len, 2);
-	    ss->xtnData.ticketTimestampVerified = PR_FALSE;
-	    ss->xtnData.sentSessionTicketInClientHello = PR_TRUE;
-	} else {
-	    rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
-	}
+            goto loser;
+        if (session_ticket && session_ticket->ticket.data &&
+            ss->xtnData.ticketTimestampVerified) {
+            rv = ssl3_AppendHandshakeVariable(ss, session_ticket->ticket.data,
+                session_ticket->ticket.len, 2);
+            ss->xtnData.ticketTimestampVerified = PR_FALSE;
+            ss->xtnData.sentSessionTicketInClientHello = PR_TRUE;
+        } else {
+            rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+        }
         if (rv != SECSuccess)
-	    goto loser;
+            goto loser;
 
-	if (!ss->sec.isServer) {
-	    TLSExtensionData *xtnData = &ss->xtnData;
-	    xtnData->advertised[xtnData->numAdvertised++] = 
-		ssl_session_ticket_xtn;
-	}
+        if (!ss->sec.isServer) {
+            TLSExtensionData *xtnData = &ss->xtnData;
+            xtnData->advertised[xtnData->numAdvertised++] =
+                ssl_session_ticket_xtn;
+        }
     } else if (maxBytes < extension_length) {
-	PORT_Assert(0);
+        PORT_Assert(0);
         return 0;
     }
     return extension_length;
 
  loser:
     ss->xtnData.ticketTimestampVerified = PR_FALSE;
     return -1;
 }
 
 /* handle an incoming Next Protocol Negotiation extension. */
 static SECStatus
 ssl3_ServerHandleNextProtoNegoXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
 {
     if (ss->firstHsDone || data->len != 0) {
-	/* Clients MUST send an empty NPN extension, if any. */
-	PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
-	return SECFailure;
+        /* Clients MUST send an empty NPN extension, if any. */
+        PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+        return SECFailure;
     }
 
     ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
 
     /* TODO: server side NPN support would require calling
      * ssl3_RegisterServerHelloExtensionSender here in order to echo the
      * extension back to the client. */
 
@@ -580,223 +580,223 @@ ssl3_ServerHandleNextProtoNegoXtn(sslSoc
  * of the lengths may be 0 and the sum of the lengths must equal the length of
  * the block. */
 SECStatus
 ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned int length)
 {
     unsigned int offset = 0;
 
     while (offset < length) {
-	unsigned int newOffset = offset + 1 + (unsigned int) data[offset];
-	/* Reject embedded nulls to protect against buggy applications that
-	 * store protocol identifiers in null-terminated strings.
-	 */
-	if (newOffset > length || data[offset] == 0) {
-	    PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
-	    return SECFailure;
-	}
-	offset = newOffset;
+        unsigned int newOffset = offset + 1 + (unsigned int) data[offset];
+        /* Reject embedded nulls to protect against buggy applications that
+         * store protocol identifiers in null-terminated strings.
+         */
+        if (newOffset > length || data[offset] == 0) {
+            PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+            return SECFailure;
+        }
+        offset = newOffset;
     }
 
     if (offset > length) {
-	PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
-	return SECFailure;
+        PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+        return SECFailure;
     }
 
     return SECSuccess;
 }
 
 static SECStatus
 ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
-				  SECItem *data)
+                                  SECItem *data)
 {
     SECStatus rv;
     unsigned char resultBuffer[255];
     SECItem result = { siBuffer, resultBuffer, 0 };
 
     PORT_Assert(!ss->firstHsDone);
 
     if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) {
-	/* If the server negotiated ALPN then it has already told us what
-	 * protocol to use, so it doesn't make sense for us to try to negotiate
-	 * a different one by sending the NPN handshake message. However, if
-	 * we've negotiated NPN then we're required to send the NPN handshake
-	 * message. Thus, these two extensions cannot both be negotiated on the
-	 * same connection. */
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return SECFailure;
+        /* If the server negotiated ALPN then it has already told us what
+         * protocol to use, so it doesn't make sense for us to try to negotiate
+         * a different one by sending the NPN handshake message. However, if
+         * we've negotiated NPN then we're required to send the NPN handshake
+         * message. Thus, these two extensions cannot both be negotiated on the
+         * same connection. */
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
     }
 
     rv = ssl3_ValidateNextProtoNego(data->data, data->len);
     if (rv != SECSuccess)
-	return rv;
+        return rv;
 
     /* ss->nextProtoCallback cannot normally be NULL if we negotiated the
      * extension. However, It is possible that an application erroneously
      * cleared the callback between the time we sent the ClientHello and now.
      */
     PORT_Assert(ss->nextProtoCallback != NULL);
     if (!ss->nextProtoCallback) {
-	/* XXX Use a better error code. This is an application error, not an
-	 * NSS bug. */
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return SECFailure;
+        /* XXX Use a better error code. This is an application error, not an
+         * NSS bug. */
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
     }
 
     rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd, data->data, data->len,
-			       result.data, &result.len, sizeof resultBuffer);
+                               result.data, &result.len, sizeof resultBuffer);
     if (rv != SECSuccess)
-	return rv;
+        return rv;
     /* If the callback wrote more than allowed to |result| it has corrupted our
      * stack. */
     if (result.len > sizeof resultBuffer) {
-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
     }
 
     ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
     return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result);
 }
 
 static SECStatus
 ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
 {
     const unsigned char* d = data->data;
     PRUint16 name_list_len;
     SECItem protocol_name;
 
     if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) {
-	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
     }
 
     /* The extension data from the server has the following format:
      *   uint16 name_list_len;
      *   uint8 len;
      *   uint8 protocol_name[len]; */
     if (data->len < 4 || data->len > 2 + 1 + 255) {
-	PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
-	return SECFailure;
+        PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+        return SECFailure;
     }
 
     name_list_len = ((PRUint16) d[0]) << 8 |
-	            ((PRUint16) d[1]);
+                    ((PRUint16) d[1]);
     if (name_list_len != data->len - 2 || d[2] != data->len - 3) {
-	PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
-	return SECFailure;
+        PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+        return SECFailure;
     }
 
     protocol_name.data = data->data + 3;
     protocol_name.len = data->len - 3;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
     ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED;
     ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
     return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name);
 }
 
 static PRInt32
 ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append,
-				PRUint32 maxBytes)
+                                PRUint32 maxBytes)
 {
     PRInt32 extension_length;
 
     /* Renegotiations do not send this extension. */
     if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) {
-	return 0;
+        return 0;
     }
 
     extension_length = 4;
 
     if (append && maxBytes >= extension_length) {
-	SECStatus rv;
-	rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2);
-	if (rv != SECSuccess)
-	    goto loser;
-	rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
-	if (rv != SECSuccess)
-	    goto loser;
-	ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
-		ssl_next_proto_nego_xtn;
+        SECStatus rv;
+        rv = ssl3_AppendHandshakeNumber(ss, ssl_next_proto_nego_xtn, 2);
+        if (rv != SECSuccess)
+            goto loser;
+        rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+        if (rv != SECSuccess)
+            goto loser;
+        ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+                ssl_next_proto_nego_xtn;
     } else if (maxBytes < extension_length) {
-	return 0;
+        return 0;
     }
 
     return extension_length;
 
 loser:
     return -1;
 }
 
 static PRInt32
 ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
 {
     PRInt32 extension_length;
     unsigned char *alpn_protos = NULL;
 
     /* Renegotiations do not send this extension. */
     if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) {
-	return 0;
+        return 0;
     }
 
     extension_length = 2 /* extension type */ + 2 /* extension length */ +
-		       2 /* protocol name list length */ +
-		       ss->opt.nextProtoNego.len;
+                       2 /* protocol name list length */ +
+                       ss->opt.nextProtoNego.len;
 
     if (append && maxBytes >= extension_length) {
-	/* NPN requires that the client's fallback protocol is first in the
-	 * list. However, ALPN sends protocols in preference order. So we
-	 * allocate a buffer and move the first protocol to the end of the
-	 * list. */
-	SECStatus rv;
-	const unsigned int len = ss->opt.nextProtoNego.len;
+        /* NPN requires that the client's fallback protocol is first in the
+         * list. However, ALPN sends protocols in preference order. So we
+         * allocate a buffer and move the first protocol to the end of the
+         * list. */
+        SECStatus rv;
+        const unsigned int len = ss->opt.nextProtoNego.len;
 
-	alpn_protos = PORT_Alloc(len);
-	if (alpn_protos == NULL) {
-	    return SECFailure;
-	}
-	if (len > 0) {
-	    /* Each protocol string is prefixed with a single byte length. */
-	    unsigned int i = ss->opt.nextProtoNego.data[0] + 1;
-	    if (i <= len) {
-		memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i);
-		memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i);
-	    } else {
-		/* This seems to be invalid data so we'll send as-is. */
-		memcpy(alpn_protos, ss->opt.nextProtoNego.data, len);
-	    }
-	}
+        alpn_protos = PORT_Alloc(len);
+        if (alpn_protos == NULL) {
+            return SECFailure;
+        }
+        if (len > 0) {
+            /* Each protocol string is prefixed with a single byte length. */
+            unsigned int i = ss->opt.nextProtoNego.data[0] + 1;
+            if (i <= len) {
+                memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i);
+                memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i);
+            } else {
+                /* This seems to be invalid data so we'll send as-is. */
+                memcpy(alpn_protos, ss->opt.nextProtoNego.data, len);
+            }
+        }
 
-	rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-	rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-	rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2);
-	PORT_Free(alpn_protos);
-	alpn_protos = NULL;
-	if (rv != SECSuccess) {
-	    goto loser;
-	}
-	ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
-		ssl_app_layer_protocol_xtn;
+        rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+        rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+        rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2);
+        PORT_Free(alpn_protos);
+        alpn_protos = NULL;
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+        ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+                ssl_app_layer_protocol_xtn;
     } else if (maxBytes < extension_length) {
-	return 0;
+        return 0;
     }
 
     return extension_length;
 
 loser:
     if (alpn_protos) {
-	PORT_Free(alpn_protos);
+        PORT_Free(alpn_protos);
     }
     return -1;
 }
 
 static SECStatus
 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
                                  SECItem *data)
 {
@@ -807,49 +807,49 @@ ssl3_ClientHandleStatusRequestXtn(sslSoc
     /* Keep track of negotiated extensions. */
     ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
 
     return SECSuccess;
 }
 
 static PRInt32
 ssl3_ServerSendStatusRequestXtn(
-			sslSocket * ss,
-			PRBool      append,
-			PRUint32    maxBytes)
+                        sslSocket * ss,
+                        PRBool      append,
+                        PRUint32    maxBytes)
 {
     PRInt32 extension_length;
     SECStatus rv;
     int i;
     PRBool haveStatus = PR_FALSE;
 
     for (i = kt_null; i < kt_kea_size; i++) {
-	/* TODO: This is a temporary workaround.
-	 *       The correct code needs to see if we have an OCSP response for
-	 *       the server certificate being used, rather than if we have any
-	 *       OCSP response. See also ssl3_SendCertificateStatus.
-	 */
-	if (ss->certStatusArray[i] && ss->certStatusArray[i]->len) {
-	    haveStatus = PR_TRUE;
-	    break;
-	}
+        /* TODO: This is a temporary workaround.
+         *       The correct code needs to see if we have an OCSP response for
+         *       the server certificate being used, rather than if we have any
+         *       OCSP response. See also ssl3_SendCertificateStatus.
+         */
+        if (ss->certStatusArray[i] && ss->certStatusArray[i]->len) {
+            haveStatus = PR_TRUE;
+            break;
+        }
     }
     if (!haveStatus)
-	return 0;
+        return 0;
 
     extension_length = 2 + 2;
     if (append && maxBytes >= extension_length) {
-	/* extension_type */
-	rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
-	if (rv != SECSuccess)
-	    return -1;
-	/* length of extension_data */
-	rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
-	if (rv != SECSuccess)
-	    return -1;
+        /* extension_type */
+        rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
+        if (rv != SECSuccess)
+            return -1;
+        /* length of extension_data */
+        rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
+        if (rv != SECSuccess)
+            return -1;
     }
 
     return extension_length;
 }
 
 /* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the
  * client side. See RFC 4366 section 3.6. */
 static PRInt32
@@ -949,130 +949,130 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
     unsigned char        iv[AES_BLOCK_SIZE];
     SECItem              ivItem;
     SECItem             *srvName = NULL;
     PRUint32             srvNameLen = 0;
     CK_MECHANISM_TYPE    msWrapMech = 0; /* dummy default value,
                                           * must be >= 0 */
 
     SSL_TRC(3, ("%d: SSL3[%d]: send session_ticket handshake",
-		SSL_GETPID(), ss->fd));
+                SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     ticket.ticket_lifetime_hint = TLS_EX_SESS_TICKET_LIFETIME_HINT;
     cert_length = (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) ?
-	3 + ss->sec.ci.sid->peerCert->derCert.len : 0;
+        3 + ss->sec.ci.sid->peerCert->derCert.len : 0;
 
     /* Get IV and encryption keys */
     ivItem.data = iv;
     ivItem.len = sizeof(iv);
     rv = PK11_GenerateRandom(iv, sizeof(iv));
     if (rv != SECSuccess) goto loser;
 
 #ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
-	rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
-	    &mac_key, &mac_key_length);
-    } else 
+        rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
+            &mac_key, &mac_key_length);
+    } else
 #endif
     {
-	rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
-	    &mac_key_pkcs11);
+        rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
+            &mac_key_pkcs11);
     }
     if (rv != SECSuccess) goto loser;
 
     if (ss->ssl3.pwSpec->msItem.len && ss->ssl3.pwSpec->msItem.data) {
-	/* The master secret is available unwrapped. */
-	ms_item.data = ss->ssl3.pwSpec->msItem.data;
-	ms_item.len = ss->ssl3.pwSpec->msItem.len;
-	ms_is_wrapped = PR_FALSE;
+        /* The master secret is available unwrapped. */
+        ms_item.data = ss->ssl3.pwSpec->msItem.data;
+        ms_item.len = ss->ssl3.pwSpec->msItem.len;
+        ms_is_wrapped = PR_FALSE;
     } else {
-	/* Extract the master secret wrapped. */
-	sslSessionID sid;
-	PORT_Memset(&sid, 0, sizeof(sslSessionID));
+        /* Extract the master secret wrapped. */
+        sslSessionID sid;
+        PORT_Memset(&sid, 0, sizeof(sslSessionID));
 
-	if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
-	    effectiveExchKeyType = kt_rsa;
-	} else {
-	    effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
-	}
+        if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
+            effectiveExchKeyType = kt_rsa;
+        } else {
+            effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
+        }
 
-	rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec,
-	    effectiveExchKeyType);
-	if (rv == SECSuccess) {
-	    if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms))
-		goto loser;
-	    memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret,
-		sid.u.ssl3.keys.wrapped_master_secret_len);
-	    ms_item.data = wrapped_ms;
-	    ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len;
-	    msWrapMech = sid.u.ssl3.masterWrapMech;
-	} else {
-	    /* TODO: else send an empty ticket. */
-	    goto loser;
-	}
-	ms_is_wrapped = PR_TRUE;
+        rv = ssl3_CacheWrappedMasterSecret(ss, &sid, ss->ssl3.pwSpec,
+            effectiveExchKeyType);
+        if (rv == SECSuccess) {
+            if (sid.u.ssl3.keys.wrapped_master_secret_len > sizeof(wrapped_ms))
+                goto loser;
+            memcpy(wrapped_ms, sid.u.ssl3.keys.wrapped_master_secret,
+                sid.u.ssl3.keys.wrapped_master_secret_len);
+            ms_item.data = wrapped_ms;
+            ms_item.len = sid.u.ssl3.keys.wrapped_master_secret_len;
+            msWrapMech = sid.u.ssl3.masterWrapMech;
+        } else {
+            /* TODO: else send an empty ticket. */
+            goto loser;
+        }
+        ms_is_wrapped = PR_TRUE;
     }
     /* Prep to send negotiated name */
     srvName = &ss->ssl3.pwSpec->srvVirtName;
     if (srvName->data && srvName->len) {
         srvNameLen = 2 + srvName->len; /* len bytes + name len */
     }
 
-    ciphertext_length = 
-	sizeof(PRUint16)                     /* ticket_version */
-	+ sizeof(SSL3ProtocolVersion)        /* ssl_version */
-	+ sizeof(ssl3CipherSuite)            /* ciphersuite */
-	+ 1                                  /* compression */
-	+ 10                                 /* cipher spec parameters */
-	+ 1                                  /* SessionTicket.ms_is_wrapped */
-	+ 1                                  /* effectiveExchKeyType */
-	+ 4                                  /* msWrapMech */
-	+ 2                                  /* master_secret.length */
-	+ ms_item.len                        /* master_secret */
-	+ 1                                  /* client_auth_type */
-	+ cert_length                        /* cert */
+    ciphertext_length =
+        sizeof(PRUint16)                     /* ticket_version */
+        + sizeof(SSL3ProtocolVersion)        /* ssl_version */
+        + sizeof(ssl3CipherSuite)            /* ciphersuite */
+        + 1                                  /* compression */
+        + 10                                 /* cipher spec parameters */
+        + 1                                  /* SessionTicket.ms_is_wrapped */
+        + 1                                  /* effectiveExchKeyType */
+        + 4                                  /* msWrapMech */
+        + 2                                  /* master_secret.length */
+        + ms_item.len                        /* master_secret */
+        + 1                                  /* client_auth_type */
+        + cert_length                        /* cert */
         + 1                                  /* server name type */
         + srvNameLen                         /* name len + length field */
-	+ sizeof(ticket.ticket_lifetime_hint);
+        + sizeof(ticket.ticket_lifetime_hint);
     padding_length =  AES_BLOCK_SIZE -
-	(ciphertext_length % AES_BLOCK_SIZE);
+        (ciphertext_length % AES_BLOCK_SIZE);
     ciphertext_length += padding_length;
 
     message_length =
-	sizeof(ticket.ticket_lifetime_hint)    /* ticket_lifetime_hint */
-	+ 2 /* length field for NewSessionTicket.ticket */
-	+ SESS_TICKET_KEY_NAME_LEN             /* key_name */
-	+ AES_BLOCK_SIZE                       /* iv */
-	+ 2 /* length field for NewSessionTicket.ticket.encrypted_state */
-	+ ciphertext_length                    /* encrypted_state */
-	+ TLS_EX_SESS_TICKET_MAC_LENGTH;       /* mac */
+        sizeof(ticket.ticket_lifetime_hint)    /* ticket_lifetime_hint */
+        + 2 /* length field for NewSessionTicket.ticket */
+        + SESS_TICKET_KEY_NAME_LEN             /* key_name */
+        + AES_BLOCK_SIZE                       /* iv */
+        + 2 /* length field for NewSessionTicket.ticket.encrypted_state */
+        + ciphertext_length                    /* encrypted_state */
+        + TLS_EX_SESS_TICKET_MAC_LENGTH;       /* mac */
 
     if (SECITEM_AllocItem(NULL, &plaintext_item, ciphertext_length) == NULL)
-	goto loser;
+        goto loser;
 
     plaintext = plaintext_item;
 
     /* ticket_version */
     rv = ssl3_AppendNumberToItem(&plaintext, TLS_EX_SESS_TICKET_VERSION,
-	sizeof(PRUint16));
+        sizeof(PRUint16));
     if (rv != SECSuccess) goto loser;
 
     /* ssl_version */
     rv = ssl3_AppendNumberToItem(&plaintext, ss->version,
-	sizeof(SSL3ProtocolVersion));
+        sizeof(SSL3ProtocolVersion));
     if (rv != SECSuccess) goto loser;
 
     /* ciphersuite */
-    rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite, 
-	sizeof(ssl3CipherSuite));
+    rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.cipher_suite,
+        sizeof(ssl3CipherSuite));
     if (rv != SECSuccess) goto loser;
-    
+
     /* compression */
     rv = ssl3_AppendNumberToItem(&plaintext, ss->ssl3.hs.compression, 1);
     if (rv != SECSuccess) goto loser;
 
     /* cipher spec parameters */
     rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authAlgorithm, 1);
     if (rv != SECSuccess) goto loser;
     rv = ssl3_AppendNumberToItem(&plaintext, ss->sec.authKeyBits, 4);
@@ -1091,34 +1091,34 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
     if (rv != SECSuccess) goto loser;
     rv = ssl3_AppendNumberToItem(&plaintext, ms_item.len, 2);
     if (rv != SECSuccess) goto loser;
     rv = ssl3_AppendToItem(&plaintext, ms_item.data, ms_item.len);
     if (rv != SECSuccess) goto loser;
 
     /* client_identity */
     if (ss->opt.requestCertificate && ss->sec.ci.sid->peerCert) {
-	rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1);
-	if (rv != SECSuccess) goto loser;
-	rv = ssl3_AppendNumberToItem(&plaintext,
-	    ss->sec.ci.sid->peerCert->derCert.len, 3);
-	if (rv != SECSuccess) goto loser;
-	rv = ssl3_AppendToItem(&plaintext,
-	    ss->sec.ci.sid->peerCert->derCert.data,
-	    ss->sec.ci.sid->peerCert->derCert.len);
-	if (rv != SECSuccess) goto loser;
+        rv = ssl3_AppendNumberToItem(&plaintext, CLIENT_AUTH_CERTIFICATE, 1);
+        if (rv != SECSuccess) goto loser;
+        rv = ssl3_AppendNumberToItem(&plaintext,
+            ss->sec.ci.sid->peerCert->derCert.len, 3);
+        if (rv != SECSuccess) goto loser;
+        rv = ssl3_AppendToItem(&plaintext,
+            ss->sec.ci.sid->peerCert->derCert.data,
+            ss->sec.ci.sid->peerCert->derCert.len);
+        if (rv != SECSuccess) goto loser;
     } else {
-	rv = ssl3_AppendNumberToItem(&plaintext, 0, 1);
-	if (rv != SECSuccess) goto loser;
+        rv = ssl3_AppendNumberToItem(&plaintext, 0, 1);
+        if (rv != SECSuccess) goto loser;
     }
 
     /* timestamp */
     now = ssl_Time();
     rv = ssl3_AppendNumberToItem(&plaintext, now,
-	sizeof(ticket.ticket_lifetime_hint));
+        sizeof(ticket.ticket_lifetime_hint));
     if (rv != SECSuccess) goto loser;
 
     if (srvNameLen) {
         /* Name Type (sni_host_name) */
         rv = ssl3_AppendNumberToItem(&plaintext, srvName->type, 1);
         if (rv != SECSuccess) goto loser;
         /* HostName (length and value) */
         rv = ssl3_AppendNumberToItem(&plaintext, srvName->len, 2);
@@ -1129,136 +1129,136 @@ ssl3_SendNewSessionTicket(sslSocket *ss)
         /* No Name */
         rv = ssl3_AppendNumberToItem(&plaintext, (char)TLS_STE_NO_SERVER_NAME,
                                      1);
         if (rv != SECSuccess) goto loser;
     }
 
     PORT_Assert(plaintext.len == padding_length);
     for (i = 0; i < padding_length; i++)
-	plaintext.data[i] = (unsigned char)padding_length;
+        plaintext.data[i] = (unsigned char)padding_length;
 
     if (SECITEM_AllocItem(NULL, &ciphertext, ciphertext_length) == NULL) {
-	rv = SECFailure;
-	goto loser;
+        rv = SECFailure;
+        goto loser;
     }
 
     /* Generate encrypted portion of ticket. */
 #ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
-	aes_ctx = (AESContext *)aes_ctx_buf;
-	rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv, 
-	    NSS_AES_CBC, 1, AES_BLOCK_SIZE);
-	if (rv != SECSuccess) goto loser;
+        aes_ctx = (AESContext *)aes_ctx_buf;
+        rv = AES_InitContext(aes_ctx, aes_key, aes_key_length, iv,
+            NSS_AES_CBC, 1, AES_BLOCK_SIZE);
+        if (rv != SECSuccess) goto loser;
 
-	rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len,
-	    ciphertext.len, plaintext_item.data,
-	    plaintext_item.len);
-	if (rv != SECSuccess) goto loser;
-    } else 
+        rv = AES_Encrypt(aes_ctx, ciphertext.data, &ciphertext.len,
+            ciphertext.len, plaintext_item.data,
+            plaintext_item.len);
+        if (rv != SECSuccess) goto loser;
+    } else
 #endif
     {
-	aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
-	    CKA_ENCRYPT, aes_key_pkcs11, &ivItem);
-	if (!aes_ctx_pkcs11) 
-	    goto loser;
+        aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
+            CKA_ENCRYPT, aes_key_pkcs11, &ivItem);
+        if (!aes_ctx_pkcs11)
+            goto loser;
 
-	rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data,
-	    (int *)&ciphertext.len, ciphertext.len,
-	    plaintext_item.data, plaintext_item.len);
-	PK11_Finalize(aes_ctx_pkcs11);
-	PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
-	if (rv != SECSuccess) goto loser;
+        rv = PK11_CipherOp(aes_ctx_pkcs11, ciphertext.data,
+            (int *)&ciphertext.len, ciphertext.len,
+            plaintext_item.data, plaintext_item.len);
+        PK11_Finalize(aes_ctx_pkcs11);
+        PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
+        if (rv != SECSuccess) goto loser;
     }
 
     /* Convert ciphertext length to network order. */
     length_buf[0] = (ciphertext.len >> 8) & 0xff;
     length_buf[1] = (ciphertext.len     ) & 0xff;
 
     /* Compute MAC. */
 #ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
-	hmac_ctx = (HMACContext *)hmac_ctx_buf;
-	hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
-	if (HMAC_Init(hmac_ctx, hashObj, mac_key,
-		mac_key_length, PR_FALSE) != SECSuccess)
-	    goto loser;
+        hmac_ctx = (HMACContext *)hmac_ctx_buf;
+        hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
+        if (HMAC_Init(hmac_ctx, hashObj, mac_key,
+                mac_key_length, PR_FALSE) != SECSuccess)
+            goto loser;
 
-	HMAC_Begin(hmac_ctx);
-	HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN);
-	HMAC_Update(hmac_ctx, iv, sizeof(iv));
-	HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2);
-	HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len);
-	HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
-	    sizeof(computed_mac));
-    } else 
+        HMAC_Begin(hmac_ctx);
+        HMAC_Update(hmac_ctx, key_name, SESS_TICKET_KEY_NAME_LEN);
+        HMAC_Update(hmac_ctx, iv, sizeof(iv));
+        HMAC_Update(hmac_ctx, (unsigned char *)length_buf, 2);
+        HMAC_Update(hmac_ctx, ciphertext.data, ciphertext.len);
+        HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
+            sizeof(computed_mac));
+    } else
 #endif
     {
-	SECItem macParam;
-	macParam.data = NULL;
-	macParam.len = 0;
-	hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
-	    CKA_SIGN, mac_key_pkcs11, &macParam);
-	if (!hmac_ctx_pkcs11)
-	    goto loser;
+        SECItem macParam;
+        macParam.data = NULL;
+        macParam.len = 0;
+        hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
+            CKA_SIGN, mac_key_pkcs11, &macParam);
+        if (!hmac_ctx_pkcs11)
+            goto loser;
 
-	rv = PK11_DigestBegin(hmac_ctx_pkcs11);
-	rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name,
-	    SESS_TICKET_KEY_NAME_LEN);
-	rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv));
-	rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2);
-	rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len);
-	rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
-	    &computed_mac_length, sizeof(computed_mac));
-	PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
-	if (rv != SECSuccess) goto loser;
+        rv = PK11_DigestBegin(hmac_ctx_pkcs11);
+        rv = PK11_DigestOp(hmac_ctx_pkcs11, key_name,
+            SESS_TICKET_KEY_NAME_LEN);
+        rv = PK11_DigestOp(hmac_ctx_pkcs11, iv, sizeof(iv));
+        rv = PK11_DigestOp(hmac_ctx_pkcs11, (unsigned char *)length_buf, 2);
+        rv = PK11_DigestOp(hmac_ctx_pkcs11, ciphertext.data, ciphertext.len);
+        rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
+            &computed_mac_length, sizeof(computed_mac));
+        PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
+        if (rv != SECSuccess) goto loser;
     }
 
     /* Serialize the handshake message. */
     rv = ssl3_AppendHandshakeHeader(ss, new_session_ticket, message_length);
     if (rv != SECSuccess) goto loser;
 
     rv = ssl3_AppendHandshakeNumber(ss, ticket.ticket_lifetime_hint,
-	sizeof(ticket.ticket_lifetime_hint));
+        sizeof(ticket.ticket_lifetime_hint));
     if (rv != SECSuccess) goto loser;
 
     rv = ssl3_AppendHandshakeNumber(ss,
-	message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2);
+        message_length - sizeof(ticket.ticket_lifetime_hint) - 2, 2);
     if (rv != SECSuccess) goto loser;
 
     rv = ssl3_AppendHandshake(ss, key_name, SESS_TICKET_KEY_NAME_LEN);
     if (rv != SECSuccess) goto loser;
 
     rv = ssl3_AppendHandshake(ss, iv, sizeof(iv));
     if (rv != SECSuccess) goto loser;
 
     rv = ssl3_AppendHandshakeVariable(ss, ciphertext.data, ciphertext.len, 2);
     if (rv != SECSuccess) goto loser;
 
     rv = ssl3_AppendHandshake(ss, computed_mac, computed_mac_length);
     if (rv != SECSuccess) goto loser;
 
 loser:
     if (plaintext_item.data)
-	SECITEM_FreeItem(&plaintext_item, PR_FALSE);
+        SECITEM_FreeItem(&plaintext_item, PR_FALSE);
     if (ciphertext.data)
-	SECITEM_FreeItem(&ciphertext, PR_FALSE);
+        SECITEM_FreeItem(&ciphertext, PR_FALSE);
 
     return rv;
 }
 
 /* When a client receives a SessionTicket extension a NewSessionTicket
  * message is expected during the handshake.
  */
 SECStatus
 ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
                                   SECItem *data)
 {
     if (data->len != 0)
-	return SECFailure;
+        return SECFailure;
 
     /* Keep track of negotiated extensions. */
     ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
     return SECSuccess;
 }
 
 SECStatus
 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
@@ -1267,738 +1267,738 @@ ssl3_ServerHandleSessionTicketXtn(sslSoc
     SECStatus rv;
     SECItem *decrypted_state = NULL;
     SessionTicket *parsed_session_ticket = NULL;
     sslSessionID *sid = NULL;
     SSL3Statistics *ssl3stats;
 
     /* Ignore the SessionTicket extension if processing is disabled. */
     if (!ss->opt.enableSessionTickets)
-	return SECSuccess;
+        return SECSuccess;
 
     /* Keep track of negotiated extensions. */
     ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
 
     /* Parse the received ticket sent in by the client.  We are
      * lenient about some parse errors, falling back to a fullshake
      * instead of terminating the current connection.
      */
     if (data->len == 0) {
-	ss->xtnData.emptySessionTicket = PR_TRUE;
+        ss->xtnData.emptySessionTicket = PR_TRUE;
     } else {
-	int                    i;
-	SECItem                extension_data;
-	EncryptedSessionTicket enc_session_ticket;
-	unsigned char          computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
-	unsigned int           computed_mac_length;
+        int                    i;
+        SECItem                extension_data;
+        EncryptedSessionTicket enc_session_ticket;
+        unsigned char          computed_mac[TLS_EX_SESS_TICKET_MAC_LENGTH];
+        unsigned int           computed_mac_length;
 #ifndef NO_PKCS11_BYPASS
-	const SECHashObject   *hashObj;
-	const unsigned char   *aes_key;
-	const unsigned char   *mac_key;
-	PRUint32               aes_key_length;
-	PRUint32               mac_key_length;
-	PRUint64               hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
-	HMACContext           *hmac_ctx;
-	PRUint64               aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS];
-	AESContext            *aes_ctx;
+        const SECHashObject   *hashObj;
+        const unsigned char   *aes_key;
+        const unsigned char   *mac_key;
+        PRUint32               aes_key_length;
+        PRUint32               mac_key_length;
+        PRUint64               hmac_ctx_buf[MAX_MAC_CONTEXT_LLONGS];
+        HMACContext           *hmac_ctx;
+        PRUint64               aes_ctx_buf[MAX_CIPHER_CONTEXT_LLONGS];
+        AESContext            *aes_ctx;
 #endif
-	PK11SymKey            *aes_key_pkcs11;
-	PK11SymKey            *mac_key_pkcs11;
-	PK11Context           *hmac_ctx_pkcs11;
-	CK_MECHANISM_TYPE      macMech = CKM_SHA256_HMAC;
-	PK11Context           *aes_ctx_pkcs11;
-	CK_MECHANISM_TYPE      cipherMech = CKM_AES_CBC;
-	unsigned char *        padding;
-	PRUint32               padding_length;
-	unsigned char         *buffer;
-	unsigned int           buffer_len;
-	PRInt32                temp;
-	SECItem                cert_item;
+        PK11SymKey            *aes_key_pkcs11;
+        PK11SymKey            *mac_key_pkcs11;
+        PK11Context           *hmac_ctx_pkcs11;
+        CK_MECHANISM_TYPE      macMech = CKM_SHA256_HMAC;
+        PK11Context           *aes_ctx_pkcs11;
+        CK_MECHANISM_TYPE      cipherMech = CKM_AES_CBC;
+        unsigned char *        padding;
+        PRUint32               padding_length;
+        unsigned char         *buffer;
+        unsigned int           buffer_len;
+        PRInt32                temp;
+        SECItem                cert_item;
         PRInt8                 nameType = TLS_STE_NO_SERVER_NAME;
 
-	/* Turn off stateless session resumption if the client sends a
-	 * SessionTicket extension, even if the extension turns out to be
-	 * malformed (ss->sec.ci.sid is non-NULL when doing session
-	 * renegotiation.)
-	 */
-	if (ss->sec.ci.sid != NULL) {
-	    if (ss->sec.uncache)
-		ss->sec.uncache(ss->sec.ci.sid);
-	    ssl_FreeSID(ss->sec.ci.sid);
-	    ss->sec.ci.sid = NULL;
-	}
+        /* Turn off stateless session resumption if the client sends a
+         * SessionTicket extension, even if the extension turns out to be
+         * malformed (ss->sec.ci.sid is non-NULL when doing session
+         * renegotiation.)
+         */
+        if (ss->sec.ci.sid != NULL) {
+            if (ss->sec.uncache)
+                ss->sec.uncache(ss->sec.ci.sid);
+            ssl_FreeSID(ss->sec.ci.sid);
+            ss->sec.ci.sid = NULL;
+        }
 
-	extension_data.data = data->data; /* Keep a copy for future use. */
-	extension_data.len = data->len;
+        extension_data.data = data->data; /* Keep a copy for future use. */
+        extension_data.len = data->len;
 
-	if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket)
-	    != SECSuccess)
-	    return SECFailure;
+        if (ssl3_ParseEncryptedSessionTicket(ss, data, &enc_session_ticket)
+            != SECSuccess)
+            return SECFailure;
 
-	/* Get session ticket keys. */
+        /* Get session ticket keys. */
 #ifndef NO_PKCS11_BYPASS
-	if (ss->opt.bypassPKCS11) {
-	    rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
-		&mac_key, &mac_key_length);
-	} else 
+        if (ss->opt.bypassPKCS11) {
+            rv = ssl3_GetSessionTicketKeys(&aes_key, &aes_key_length,
+                &mac_key, &mac_key_length);
+        } else
 #endif
-	{
-	    rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
-		&mac_key_pkcs11);
-	}
-	if (rv != SECSuccess) {
-	    SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.",
-			SSL_GETPID(), ss->fd));
-	    goto loser;
-	}
+        {
+            rv = ssl3_GetSessionTicketKeysPKCS11(ss, &aes_key_pkcs11,
+                &mac_key_pkcs11);
+        }
+        if (rv != SECSuccess) {
+            SSL_DBG(("%d: SSL[%d]: Unable to get/generate session ticket keys.",
+                        SSL_GETPID(), ss->fd));
+            goto loser;
+        }
 
-	/* If the ticket sent by the client was generated under a key different
-	 * from the one we have, bypass ticket processing.
-	 */
-	if (PORT_Memcmp(enc_session_ticket.key_name, key_name,
-		SESS_TICKET_KEY_NAME_LEN) != 0) {
-	    SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.",
-			SSL_GETPID(), ss->fd));
-	    goto no_ticket;
-	}
+        /* If the ticket sent by the client was generated under a key different
+         * from the one we have, bypass ticket processing.
+         */
+        if (PORT_Memcmp(enc_session_ticket.key_name, key_name,
+                SESS_TICKET_KEY_NAME_LEN) != 0) {
+            SSL_DBG(("%d: SSL[%d]: Session ticket key_name sent mismatch.",
+                        SSL_GETPID(), ss->fd));
+            goto no_ticket;
+        }
 
-	/* Verify the MAC on the ticket.  MAC verification may also
-	 * fail if the MAC key has been recently refreshed.
-	 */
+        /* Verify the MAC on the ticket.  MAC verification may also
+         * fail if the MAC key has been recently refreshed.
+         */
 #ifndef NO_PKCS11_BYPASS
-	if (ss->opt.bypassPKCS11) {
-	    hmac_ctx = (HMACContext *)hmac_ctx_buf;
-	    hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
-	    if (HMAC_Init(hmac_ctx, hashObj, mac_key,
-		    sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess)
-		goto no_ticket;
-	    HMAC_Begin(hmac_ctx);
-	    HMAC_Update(hmac_ctx, extension_data.data,
-		extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
-	    if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
-		    sizeof(computed_mac)) != SECSuccess)
-		goto no_ticket;
-	} else 
+        if (ss->opt.bypassPKCS11) {
+            hmac_ctx = (HMACContext *)hmac_ctx_buf;
+            hashObj = HASH_GetRawHashObject(HASH_AlgSHA256);
+            if (HMAC_Init(hmac_ctx, hashObj, mac_key,
+                    sizeof(session_ticket_mac_key), PR_FALSE) != SECSuccess)
+                goto no_ticket;
+            HMAC_Begin(hmac_ctx);
+            HMAC_Update(hmac_ctx, extension_data.data,
+                extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
+            if (HMAC_Finish(hmac_ctx, computed_mac, &computed_mac_length,
+                    sizeof(computed_mac)) != SECSuccess)
+                goto no_ticket;
+        } else
 #endif
-	{
-	    SECItem macParam;
-	    macParam.data = NULL;
-	    macParam.len = 0;
-	    hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
-		CKA_SIGN, mac_key_pkcs11, &macParam);
-	    if (!hmac_ctx_pkcs11) {
-		SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.",
-			    SSL_GETPID(), ss->fd, PORT_GetError()));
-		goto no_ticket;
-	    } else {
-		SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.",
-			    SSL_GETPID(), ss->fd));
-	    }
-	    rv = PK11_DigestBegin(hmac_ctx_pkcs11);
-	    rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data,
-		extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
-	    if (rv != SECSuccess) {
-		PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
-		goto no_ticket;
-	    }
-	    rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
-		&computed_mac_length, sizeof(computed_mac));
-	    PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
-	    if (rv != SECSuccess)
-		goto no_ticket;
-	}
-	if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac,
-		computed_mac_length) != 0) {
-	    SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.",
-			SSL_GETPID(), ss->fd));
-	    goto no_ticket;
-	}
+        {
+            SECItem macParam;
+            macParam.data = NULL;
+            macParam.len = 0;
+            hmac_ctx_pkcs11 = PK11_CreateContextBySymKey(macMech,
+                CKA_SIGN, mac_key_pkcs11, &macParam);
+            if (!hmac_ctx_pkcs11) {
+                SSL_DBG(("%d: SSL[%d]: Unable to create HMAC context: %d.",
+                            SSL_GETPID(), ss->fd, PORT_GetError()));
+                goto no_ticket;
+            } else {
+                SSL_DBG(("%d: SSL[%d]: Successfully created HMAC context.",
+                            SSL_GETPID(), ss->fd));
+            }
+            rv = PK11_DigestBegin(hmac_ctx_pkcs11);
+            rv = PK11_DigestOp(hmac_ctx_pkcs11, extension_data.data,
+                extension_data.len - TLS_EX_SESS_TICKET_MAC_LENGTH);
+            if (rv != SECSuccess) {
+                PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
+                goto no_ticket;
+            }
+            rv = PK11_DigestFinal(hmac_ctx_pkcs11, computed_mac,
+                &computed_mac_length, sizeof(computed_mac));
+            PK11_DestroyContext(hmac_ctx_pkcs11, PR_TRUE);
+            if (rv != SECSuccess)
+                goto no_ticket;
+        }
+        if (NSS_SecureMemcmp(computed_mac, enc_session_ticket.mac,
+                computed_mac_length) != 0) {
+            SSL_DBG(("%d: SSL[%d]: Session ticket MAC mismatch.",
+                        SSL_GETPID(), ss->fd));
+            goto no_ticket;
+        }
 
-	/* We ignore key_name for now.
-	 * This is ok as MAC verification succeeded.
-	 */
+        /* We ignore key_name for now.
+         * This is ok as MAC verification succeeded.
+         */
 
-	/* Decrypt the ticket. */
+        /* Decrypt the ticket. */
 
-	/* Plaintext is shorter than the ciphertext due to padding. */
-	decrypted_state = SECITEM_AllocItem(NULL, NULL,
-	    enc_session_ticket.encrypted_state.len);
+        /* Plaintext is shorter than the ciphertext due to padding. */
+        decrypted_state = SECITEM_AllocItem(NULL, NULL,
+            enc_session_ticket.encrypted_state.len);
 
 #ifndef NO_PKCS11_BYPASS
-	if (ss->opt.bypassPKCS11) {
-	    aes_ctx = (AESContext *)aes_ctx_buf;
-	    rv = AES_InitContext(aes_ctx, aes_key,
-		sizeof(session_ticket_enc_key), enc_session_ticket.iv,
-		NSS_AES_CBC, 0,AES_BLOCK_SIZE);
-	    if (rv != SECSuccess) {
-		SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
-			    SSL_GETPID(), ss->fd));
-		goto no_ticket;
-	    }
+        if (ss->opt.bypassPKCS11) {
+            aes_ctx = (AESContext *)aes_ctx_buf;
+            rv = AES_InitContext(aes_ctx, aes_key,
+                sizeof(session_ticket_enc_key), enc_session_ticket.iv,
+                NSS_AES_CBC, 0,AES_BLOCK_SIZE);
+            if (rv != SECSuccess) {
+                SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
+                            SSL_GETPID(), ss->fd));
+                goto no_ticket;
+            }
 
-	    rv = AES_Decrypt(aes_ctx, decrypted_state->data,
-		&decrypted_state->len, decrypted_state->len,
-		enc_session_ticket.encrypted_state.data,
-		enc_session_ticket.encrypted_state.len);
-	    if (rv != SECSuccess)
-		goto no_ticket;
-	} else 
+            rv = AES_Decrypt(aes_ctx, decrypted_state->data,
+                &decrypted_state->len, decrypted_state->len,
+                enc_session_ticket.encrypted_state.data,
+                enc_session_ticket.encrypted_state.len);
+            if (rv != SECSuccess)
+                goto no_ticket;
+        } else
 #endif
-	{
-	    SECItem ivItem;
-	    ivItem.data = enc_session_ticket.iv;
-	    ivItem.len = AES_BLOCK_SIZE;
-	    aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
-		CKA_DECRYPT, aes_key_pkcs11, &ivItem);
-	    if (!aes_ctx_pkcs11) {
-		SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
-			    SSL_GETPID(), ss->fd));
-		goto no_ticket;
-	    }
+        {
+            SECItem ivItem;
+            ivItem.data = enc_session_ticket.iv;
+            ivItem.len = AES_BLOCK_SIZE;
+            aes_ctx_pkcs11 = PK11_CreateContextBySymKey(cipherMech,
+                CKA_DECRYPT, aes_key_pkcs11, &ivItem);
+            if (!aes_ctx_pkcs11) {
+                SSL_DBG(("%d: SSL[%d]: Unable to create AES context.",
+                            SSL_GETPID(), ss->fd));
+                goto no_ticket;
+            }
 
-	    rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data,
-		(int *)&decrypted_state->len, decrypted_state->len,
-		enc_session_ticket.encrypted_state.data,
-		enc_session_ticket.encrypted_state.len);
-	    PK11_Finalize(aes_ctx_pkcs11);
-	    PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
-	    if (rv != SECSuccess)
-		goto no_ticket;
-	}
+            rv = PK11_CipherOp(aes_ctx_pkcs11, decrypted_state->data,
+                (int *)&decrypted_state->len, decrypted_state->len,
+                enc_session_ticket.encrypted_state.data,
+                enc_session_ticket.encrypted_state.len);
+            PK11_Finalize(aes_ctx_pkcs11);
+            PK11_DestroyContext(aes_ctx_pkcs11, PR_TRUE);
+            if (rv != SECSuccess)
+                goto no_ticket;
+        }
 
-	/* Check padding. */
-	padding_length = 
-	    (PRUint32)decrypted_state->data[decrypted_state->len - 1];
-	if (padding_length == 0 || padding_length > AES_BLOCK_SIZE)
-	    goto no_ticket;
+        /* Check padding. */
+        padding_length =
+            (PRUint32)decrypted_state->data[decrypted_state->len - 1];
+        if (padding_length == 0 || padding_length > AES_BLOCK_SIZE)
+            goto no_ticket;
 
-	padding = &decrypted_state->data[decrypted_state->len - padding_length];
-	for (i = 0; i < padding_length; i++, padding++) {
-	    if (padding_length != (PRUint32)*padding)
-		goto no_ticket;
-	}
+        padding = &decrypted_state->data[decrypted_state->len - padding_length];
+        for (i = 0; i < padding_length; i++, padding++) {
+            if (padding_length != (PRUint32)*padding)
+                goto no_ticket;
+        }
 
-	/* Deserialize session state. */
-	buffer = decrypted_state->data;
-	buffer_len = decrypted_state->len;
+        /* Deserialize session state. */
+        buffer = decrypted_state->data;
+        buffer_len = decrypted_state->len;
 
-	parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket));
-	if (parsed_session_ticket == NULL) {
-	    rv = SECFailure;
-	    goto loser;
-	}
+        parsed_session_ticket = PORT_ZAlloc(sizeof(SessionTicket));
+        if (parsed_session_ticket == NULL) {
+            rv = SECFailure;
+            goto loser;
+        }
 
-	/* Read ticket_version (which is ignored for now.) */
-	temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
-	if (temp < 0) goto no_ticket;
-	parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp;
+        /* Read ticket_version (which is ignored for now.) */
+        temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
+        if (temp < 0) goto no_ticket;
+        parsed_session_ticket->ticket_version = (SSL3ProtocolVersion)temp;
 
-	/* Read SSLVersion. */
-	temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
-	if (temp < 0) goto no_ticket;
-	parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp;
+        /* Read SSLVersion. */
+        temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
+        if (temp < 0) goto no_ticket;
+        parsed_session_ticket->ssl_version = (SSL3ProtocolVersion)temp;
 
-	/* Read cipher_suite. */
-	temp =  ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
-	if (temp < 0) goto no_ticket;
-	parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp;
+        /* Read cipher_suite. */
+        temp =  ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
+        if (temp < 0) goto no_ticket;
+        parsed_session_ticket->cipher_suite = (ssl3CipherSuite)temp;
 
-	/* Read compression_method. */
-	temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
-	if (temp < 0) goto no_ticket;
-	parsed_session_ticket->compression_method = (SSLCompressionMethod)temp;
+        /* Read compression_method. */
+        temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+        if (temp < 0) goto no_ticket;
+        parsed_session_ticket->compression_method = (SSLCompressionMethod)temp;
 
-	/* Read cipher spec parameters. */
-	temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
-	if (temp < 0) goto no_ticket;
-	parsed_session_ticket->authAlgorithm = (SSLSignType)temp;
-	temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
-	if (temp < 0) goto no_ticket;
-	parsed_session_ticket->authKeyBits = (PRUint32)temp;
-	temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
-	if (temp < 0) goto no_ticket;
-	parsed_session_ticket->keaType = (SSLKEAType)temp;
-	temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
-	if (temp < 0) goto no_ticket;
-	parsed_session_ticket->keaKeyBits = (PRUint32)temp;
+        /* Read cipher spec parameters. */
+        temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+        if (temp < 0) goto no_ticket;
+        parsed_session_ticket->authAlgorithm = (SSLSignType)temp;
+        temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
+        if (temp < 0) goto no_ticket;
+        parsed_session_ticket->authKeyBits = (PRUint32)temp;
+        temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+        if (temp < 0) goto no_ticket;
+        parsed_session_ticket->keaType = (SSLKEAType)temp;
+        temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
+        if (temp < 0) goto no_ticket;
+        parsed_session_ticket->keaKeyBits = (PRUint32)temp;
 
-	/* Read wrapped master_secret. */
-	temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
-	if (temp < 0) goto no_ticket;
-	parsed_session_ticket->ms_is_wrapped = (PRBool)temp;
+        /* Read wrapped master_secret. */
+        temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+        if (temp < 0) goto no_ticket;
+        parsed_session_ticket->ms_is_wrapped = (PRBool)temp;
 
-	temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
-	if (temp < 0) goto no_ticket;
-	parsed_session_ticket->exchKeyType = (SSL3KEAType)temp;
+        temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+        if (temp < 0) goto no_ticket;
+        parsed_session_ticket->exchKeyType = (SSL3KEAType)temp;
 
-	temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
-	if (temp < 0) goto no_ticket;
-	parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp;
+        temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
+        if (temp < 0) goto no_ticket;
+        parsed_session_ticket->msWrapMech = (CK_MECHANISM_TYPE)temp;
 
-	temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
-	if (temp < 0) goto no_ticket;
-	parsed_session_ticket->ms_length = (PRUint16)temp;
-	if (parsed_session_ticket->ms_length == 0 ||  /* sanity check MS. */
-	    parsed_session_ticket->ms_length >
-	    sizeof(parsed_session_ticket->master_secret))
-	    goto no_ticket;
-	
-	/* Allow for the wrapped master secret to be longer. */
-	if (buffer_len < parsed_session_ticket->ms_length)
-	    goto no_ticket;
-	PORT_Memcpy(parsed_session_ticket->master_secret, buffer,
-	    parsed_session_ticket->ms_length);
-	buffer += parsed_session_ticket->ms_length;
-	buffer_len -= parsed_session_ticket->ms_length;
+        temp = ssl3_ConsumeHandshakeNumber(ss, 2, &buffer, &buffer_len);
+        if (temp < 0) goto no_ticket;
+        parsed_session_ticket->ms_length = (PRUint16)temp;
+        if (parsed_session_ticket->ms_length == 0 ||  /* sanity check MS. */
+            parsed_session_ticket->ms_length >
+            sizeof(parsed_session_ticket->master_secret))
+            goto no_ticket;
+
+        /* Allow for the wrapped master secret to be longer. */
+        if (buffer_len < parsed_session_ticket->ms_length)
+            goto no_ticket;
+        PORT_Memcpy(parsed_session_ticket->master_secret, buffer,
+            parsed_session_ticket->ms_length);
+        buffer += parsed_session_ticket->ms_length;
+        buffer_len -= parsed_session_ticket->ms_length;
 
-	/* Read client_identity */
-	temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
-	if (temp < 0)
-	    goto no_ticket;
-	parsed_session_ticket->client_identity.client_auth_type = 
-	    (ClientAuthenticationType)temp;
-	switch(parsed_session_ticket->client_identity.client_auth_type) {
+        /* Read client_identity */
+        temp = ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
+        if (temp < 0)
+            goto no_ticket;
+        parsed_session_ticket->client_identity.client_auth_type =
+            (ClientAuthenticationType)temp;
+        switch(parsed_session_ticket->client_identity.client_auth_type) {
             case CLIENT_AUTH_ANONYMOUS:
-		break;
+                break;
             case CLIENT_AUTH_CERTIFICATE:
-		rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3,
-		    &buffer, &buffer_len);
-		if (rv != SECSuccess) goto no_ticket;
-		rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert,
-		    &cert_item);
-		if (rv != SECSuccess) goto no_ticket;
-		break;
+                rv = ssl3_ConsumeHandshakeVariable(ss, &cert_item, 3,
+                    &buffer, &buffer_len);
+                if (rv != SECSuccess) goto no_ticket;
+                rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->peer_cert,
+                    &cert_item);
+                if (rv != SECSuccess) goto no_ticket;
+                break;
             default:
-		goto no_ticket;
-	}
-	/* Read timestamp. */
-	temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
-	if (temp < 0)
-	    goto no_ticket;
-	parsed_session_ticket->timestamp = (PRUint32)temp;
+                goto no_ticket;
+        }
+        /* Read timestamp. */
+        temp = ssl3_ConsumeHandshakeNumber(ss, 4, &buffer, &buffer_len);
+        if (temp < 0)
+            goto no_ticket;
+        parsed_session_ticket->timestamp = (PRUint32)temp;
 
         /* Read server name */
         nameType =
-                ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len); 
+                ssl3_ConsumeHandshakeNumber(ss, 1, &buffer, &buffer_len);
         if (nameType != TLS_STE_NO_SERVER_NAME) {
             SECItem name_item;
             rv = ssl3_ConsumeHandshakeVariable(ss, &name_item, 2, &buffer,
                                                &buffer_len);
             if (rv != SECSuccess) goto no_ticket;
             rv = SECITEM_CopyItem(NULL, &parsed_session_ticket->srvName,
                                   &name_item);
             if (rv != SECSuccess) goto no_ticket;
             parsed_session_ticket->srvName.type = nameType;
         }
 
-	/* Done parsing.  Check that all bytes have been consumed. */
-	if (buffer_len != padding_length)
-	    goto no_ticket;
+        /* Done parsing.  Check that all bytes have been consumed. */
+        if (buffer_len != padding_length)
+            goto no_ticket;
 
-	/* Use the ticket if it has not expired, otherwise free the allocated
-	 * memory since the ticket is of no use.
-	 */
-	if (parsed_session_ticket->timestamp != 0 &&
-	    parsed_session_ticket->timestamp +
-	    TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) {
+        /* Use the ticket if it has not expired, otherwise free the allocated
+         * memory since the ticket is of no use.
+         */
+        if (parsed_session_ticket->timestamp != 0 &&
+            parsed_session_ticket->timestamp +
+            TLS_EX_SESS_TICKET_LIFETIME_HINT > ssl_Time()) {
 
-	    sid = ssl3_NewSessionID(ss, PR_TRUE);
-	    if (sid == NULL) {
-		rv = SECFailure;
-		goto loser;
-	    }
+            sid = ssl3_NewSessionID(ss, PR_TRUE);
+            if (sid == NULL) {
+                rv = SECFailure;
+                goto loser;
+            }
 
-	    /* Copy over parameters. */
-	    sid->version = parsed_session_ticket->ssl_version;
-	    sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite;
-	    sid->u.ssl3.compression = parsed_session_ticket->compression_method;
-	    sid->authAlgorithm = parsed_session_ticket->authAlgorithm;
-	    sid->authKeyBits = parsed_session_ticket->authKeyBits;
-	    sid->keaType = parsed_session_ticket->keaType;
-	    sid->keaKeyBits = parsed_session_ticket->keaKeyBits;
+            /* Copy over parameters. */
+            sid->version = parsed_session_ticket->ssl_version;
+            sid->u.ssl3.cipherSuite = parsed_session_ticket->cipher_suite;
+            sid->u.ssl3.compression = parsed_session_ticket->compression_method;
+            sid->authAlgorithm = parsed_session_ticket->authAlgorithm;
+            sid->authKeyBits = parsed_session_ticket->authKeyBits;
+            sid->keaType = parsed_session_ticket->keaType;
+            sid->keaKeyBits = parsed_session_ticket->keaKeyBits;
 
-	    /* Copy master secret. */
+            /* Copy master secret. */
 #ifndef NO_PKCS11_BYPASS
-	    if (ss->opt.bypassPKCS11 &&
-		    parsed_session_ticket->ms_is_wrapped)
-		goto no_ticket;
+            if (ss->opt.bypassPKCS11 &&
+                    parsed_session_ticket->ms_is_wrapped)
+                goto no_ticket;
 #endif
-	    if (parsed_session_ticket->ms_length >
-		    sizeof(sid->u.ssl3.keys.wrapped_master_secret))
-		goto no_ticket;
-	    PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret,
-		parsed_session_ticket->master_secret,
-		parsed_session_ticket->ms_length);
-	    sid->u.ssl3.keys.wrapped_master_secret_len =
-		parsed_session_ticket->ms_length;
-	    sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType;
-	    sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech;
-	    sid->u.ssl3.keys.msIsWrapped =
-		parsed_session_ticket->ms_is_wrapped;
-	    sid->u.ssl3.masterValid    = PR_TRUE;
-	    sid->u.ssl3.keys.resumable = PR_TRUE;
+            if (parsed_session_ticket->ms_length >
+                    sizeof(sid->u.ssl3.keys.wrapped_master_secret))
+                goto no_ticket;
+            PORT_Memcpy(sid->u.ssl3.keys.wrapped_master_secret,
+                parsed_session_ticket->master_secret,
+                parsed_session_ticket->ms_length);
+            sid->u.ssl3.keys.wrapped_master_secret_len =
+                parsed_session_ticket->ms_length;
+            sid->u.ssl3.exchKeyType = parsed_session_ticket->exchKeyType;
+            sid->u.ssl3.masterWrapMech = parsed_session_ticket->msWrapMech;
+            sid->u.ssl3.keys.msIsWrapped =
+                parsed_session_ticket->ms_is_wrapped;
+            sid->u.ssl3.masterValid    = PR_TRUE;
+            sid->u.ssl3.keys.resumable = PR_TRUE;
 
-	    /* Copy over client cert from session ticket if there is one. */
-	    if (parsed_session_ticket->peer_cert.data != NULL) {
-		if (sid->peerCert != NULL)
-		    CERT_DestroyCertificate(sid->peerCert);
-		sid->peerCert = CERT_NewTempCertificate(ss->dbHandle,
-		    &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE);
-		if (sid->peerCert == NULL) {
-		    rv = SECFailure;
-		    goto loser;
-		}
-	    }
-	    if (parsed_session_ticket->srvName.data != NULL) {
+            /* Copy over client cert from session ticket if there is one. */
+            if (parsed_session_ticket->peer_cert.data != NULL) {
+                if (sid->peerCert != NULL)
+                    CERT_DestroyCertificate(sid->peerCert);
+                sid->peerCert = CERT_NewTempCertificate(ss->dbHandle,
+                    &parsed_session_ticket->peer_cert, NULL, PR_FALSE, PR_TRUE);
+                if (sid->peerCert == NULL) {
+                    rv = SECFailure;
+                    goto loser;
+                }
+            }
+            if (parsed_session_ticket->srvName.data != NULL) {
                 sid->u.ssl3.srvName = parsed_session_ticket->srvName;
             }
-	    ss->statelessResume = PR_TRUE;
-	    ss->sec.ci.sid = sid;
-	}
+            ss->statelessResume = PR_TRUE;
+            ss->sec.ci.sid = sid;
+        }
     }
 
     if (0) {
 no_ticket:
-	SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.",
-			SSL_GETPID(), ss->fd));
-	ssl3stats = SSL_GetStatistics();
-	SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures );
+        SSL_DBG(("%d: SSL[%d]: Session ticket parsing failed.",
+                        SSL_GETPID(), ss->fd));
+        ssl3stats = SSL_GetStatistics();
+        SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures );
     }
     rv = SECSuccess;
 
 loser:
-	/* ss->sec.ci.sid == sid if it did NOT come here via goto statement
-	 * in that case do not free sid
-	 */
-	if (sid && (ss->sec.ci.sid != sid)) {
-	    ssl_FreeSID(sid);
-	    sid = NULL;
-	}
+        /* ss->sec.ci.sid == sid if it did NOT come here via goto statement
+         * in that case do not free sid
+         */
+        if (sid && (ss->sec.ci.sid != sid)) {
+            ssl_FreeSID(sid);
+            sid = NULL;
+        }
     if (decrypted_state != NULL) {
-	SECITEM_FreeItem(decrypted_state, PR_TRUE);
-	decrypted_state = NULL;
+        SECITEM_FreeItem(decrypted_state, PR_TRUE);
+        decrypted_state = NULL;
     }
 
     if (parsed_session_ticket != NULL) {
-	if (parsed_session_ticket->peer_cert.data) {
-	    SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE);
-	}
-	PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket));
+        if (parsed_session_ticket->peer_cert.data) {
+            SECITEM_FreeItem(&parsed_session_ticket->peer_cert, PR_FALSE);
+        }
+        PORT_ZFree(parsed_session_ticket, sizeof(SessionTicket));
     }
 
     return rv;
 }
 
 /*
  * Read bytes.  Using this function means the SECItem structure
  * cannot be freed.  The caller is expected to call this function
  * on a shallow copy of the structure.
  */
-static SECStatus 
+static SECStatus
 ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes)
 {
     if (bytes > item->len)
-	return SECFailure;
+        return SECFailure;
 
     *buf = item->data;
     item->data += bytes;
     item->len -= bytes;
     return SECSuccess;
 }
 
 static SECStatus
 ssl3_ParseEncryptedSessionTicket(sslSocket *ss, SECItem *data,
                                  EncryptedSessionTicket *enc_session_ticket)
 {
     if (ssl3_ConsumeFromItem(data, &enc_session_ticket->key_name,
-	    SESS_TICKET_KEY_NAME_LEN) != SECSuccess)
-	return SECFailure;
+            SESS_TICKET_KEY_NAME_LEN) != SECSuccess)
+        return SECFailure;
     if (ssl3_ConsumeFromItem(data, &enc_session_ticket->iv,
-	    AES_BLOCK_SIZE) != SECSuccess)
-	return SECFailure;
+            AES_BLOCK_SIZE) != SECSuccess)
+        return SECFailure;
     if (ssl3_ConsumeHandshakeVariable(ss, &enc_session_ticket->encrypted_state,
-	    2, &data->data, &data->len) != SECSuccess)
-	return SECFailure;
+            2, &data->data, &data->len) != SECSuccess)
+        return SECFailure;
     if (ssl3_ConsumeFromItem(data, &enc_session_ticket->mac,
-	    TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess)
-	return SECFailure;
+            TLS_EX_SESS_TICKET_MAC_LENGTH) != SECSuccess)
+        return SECFailure;
     if (data->len != 0)  /* Make sure that we have consumed all bytes. */
-	return SECFailure;
+        return SECFailure;
 
     return SECSuccess;
 }
 
 /* go through hello extensions in buffer "b".
- * For each one, find the extension handler in the table, and 
- * if present, invoke that handler.  
+ * For each one, find the extension handler in the table, and
+ * if present, invoke that handler.
  * Servers ignore any extensions with unknown extension types.
  * Clients reject any extensions with unadvertised extension types.
  */
-SECStatus 
+SECStatus
 ssl3_HandleHelloExtensions(sslSocket *ss, SSL3Opaque **b, PRUint32 *length)
 {
     const ssl3HelloExtensionHandler * handlers;
 
     if (ss->sec.isServer) {
         handlers = clientHelloHandlers;
     } else if (ss->version > SSL_LIBRARY_VERSION_3_0) {
         handlers = serverHelloHandlersTLS;
     } else {
         handlers = serverHelloHandlersSSL3;
     }
 
     while (*length) {
-	const ssl3HelloExtensionHandler * handler;
-	SECStatus rv;
-	PRInt32   extension_type;
-	SECItem   extension_data;
+        const ssl3HelloExtensionHandler * handler;
+        SECStatus rv;
+        PRInt32   extension_type;
+        SECItem   extension_data;
 
-	/* Get the extension's type field */
-	extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length);
-	if (extension_type < 0)  /* failure to decode extension_type */
-	    return SECFailure;   /* alert already sent */
+        /* Get the extension's type field */
+        extension_type = ssl3_ConsumeHandshakeNumber(ss, 2, b, length);
+        if (extension_type < 0)  /* failure to decode extension_type */
+            return SECFailure;   /* alert already sent */
 
-	/* get the data for this extension, so we can pass it or skip it. */
-	rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length);
-	if (rv != SECSuccess)
-	    return rv;
+        /* get the data for this extension, so we can pass it or skip it. */
+        rv = ssl3_ConsumeHandshakeVariable(ss, &extension_data, 2, b, length);
+        if (rv != SECSuccess)
+            return rv;
 
-	/* Check whether the server sent an extension which was not advertised
-	 * in the ClientHello.
-	 */
-	if (!ss->sec.isServer &&
-	    !ssl3_ClientExtensionAdvertised(ss, extension_type))
-	    return SECFailure;  /* TODO: send unsupported_extension alert */
+        /* Check whether the server sent an extension which was not advertised
+         * in the ClientHello.
+         */
+        if (!ss->sec.isServer &&
+            !ssl3_ClientExtensionAdvertised(ss, extension_type))
+            return SECFailure;  /* TODO: send unsupported_extension alert */
 
-	/* Check whether an extension has been sent multiple times. */
-	if (ssl3_ExtensionNegotiated(ss, extension_type))
-	    return SECFailure;
+        /* Check whether an extension has been sent multiple times. */
+        if (ssl3_ExtensionNegotiated(ss, extension_type))
+            return SECFailure;
 
-	/* find extension_type in table of Hello Extension Handlers */
-	for (handler = handlers; handler->ex_type >= 0; handler++) {
-	    /* if found, call this handler */
-	    if (handler->ex_type == extension_type) {
-		rv = (*handler->ex_handler)(ss, (PRUint16)extension_type, 
-	                                         	&extension_data);
-		/* Ignore this result */
-		/* Treat all bad extensions as unrecognized types. */
-	        break;
-	    }
-	}
+        /* find extension_type in table of Hello Extension Handlers */
+        for (handler = handlers; handler->ex_type >= 0; handler++) {
+            /* if found, call this handler */
+            if (handler->ex_type == extension_type) {
+                rv = (*handler->ex_handler)(ss, (PRUint16)extension_type,
+                                                        &extension_data);
+                /* Ignore this result */
+                /* Treat all bad extensions as unrecognized types. */
+                break;
+            }
+        }
     }
     return SECSuccess;
 }
 
 /* Add a callback function to the table of senders of server hello extensions.
  */
-SECStatus 
+SECStatus
 ssl3_RegisterServerHelloExtensionSender(sslSocket *ss, PRUint16 ex_type,
-				        ssl3HelloExtensionSenderFunc cb)
+                                        ssl3HelloExtensionSenderFunc cb)
 {
     int i;
     ssl3HelloExtensionSender *sender = &ss->xtnData.serverSenders[0];
 
     for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) {
         if (!sender->ex_sender) {
-	    sender->ex_type   = ex_type;
-	    sender->ex_sender = cb;
-	    return SECSuccess;
-	}
-	/* detect duplicate senders */
-	PORT_Assert(sender->ex_type != ex_type);
-	if (sender->ex_type == ex_type) {
-	    /* duplicate */
-	    break;
-	}
+            sender->ex_type   = ex_type;
+            sender->ex_sender = cb;
+            return SECSuccess;
+        }
+        /* detect duplicate senders */
+        PORT_Assert(sender->ex_type != ex_type);
+        if (sender->ex_type == ex_type) {
+            /* duplicate */
+            break;
+        }
     }
     PORT_Assert(i < SSL_MAX_EXTENSIONS); /* table needs to grow */
     PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
     return SECFailure;
 }
 
 /* call each of the extension senders and return the accumulated length */
 PRInt32
 ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
                                const ssl3HelloExtensionSender *sender)
 {
     PRInt32 total_exten_len = 0;
     int i;
 
     if (!sender) {
-    	sender = ss->version > SSL_LIBRARY_VERSION_3_0 ?
+        sender = ss->version > SSL_LIBRARY_VERSION_3_0 ?
                  &clientHelloSendersTLS[0] : &clientHelloSendersSSL3[0];
     }
 
     for (i = 0; i < SSL_MAX_EXTENSIONS; ++i, ++sender) {
-	if (sender->ex_sender) {
-	    PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes);
-	    if (extLen < 0)
-	    	return -1;
-	    maxBytes        -= extLen;
-	    total_exten_len += extLen;
-	}
+        if (sender->ex_sender) {
+            PRInt32 extLen = (*sender->ex_sender)(ss, append, maxBytes);
+            if (extLen < 0)
+                return -1;
+            maxBytes        -= extLen;
+            total_exten_len += extLen;
+        }
     }
     return total_exten_len;
 }
 
 
 /* Extension format:
  * Extension number:   2 bytes
  * Extension length:   2 bytes
  * Verify Data Length: 1 byte
  * Verify Data (TLS): 12 bytes (client) or 24 bytes (server)
  * Verify Data (SSL): 36 bytes (client) or 72 bytes (server)
  */
-static PRInt32 
+static PRInt32
 ssl3_SendRenegotiationInfoXtn(
-			sslSocket * ss,
-			PRBool      append,
-			PRUint32    maxBytes)
+                        sslSocket * ss,
+                        PRBool      append,
+                        PRUint32    maxBytes)
 {
     PRInt32 len, needed;
 
     /* In draft-ietf-tls-renegotiation-03, it is NOT RECOMMENDED to send
-     * both the SCSV and the empty RI, so when we send SCSV in 
+     * both the SCSV and the empty RI, so when we send SCSV in
      * the initial handshake, we don't also send RI.
      */
     if (!ss || ss->ssl3.hs.sendingSCSV)
-    	return 0;
-    len = !ss->firstHsDone ? 0 : 
-	   (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2 
-			     : ss->ssl3.hs.finishedBytes);
+        return 0;
+    len = !ss->firstHsDone ? 0 :
+           (ss->sec.isServer ? ss->ssl3.hs.finishedBytes * 2
+                             : ss->ssl3.hs.finishedBytes);
     needed = 5 + len;
     if (append && maxBytes >= needed) {
-	SECStatus rv;
-	/* extension_type */
-	rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2); 
-	if (rv != SECSuccess) return -1;
-	/* length of extension_data */
-	rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2); 
-	if (rv != SECSuccess) return -1;
-	/* verify_Data from previous Finished message(s) */
-	rv = ssl3_AppendHandshakeVariable(ss, 
-		  ss->ssl3.hs.finishedMsgs.data, len, 1);
-	if (rv != SECSuccess) return -1;
-	if (!ss->sec.isServer) {
-	    TLSExtensionData *xtnData = &ss->xtnData;
-	    xtnData->advertised[xtnData->numAdvertised++] = 
-	                                           ssl_renegotiation_info_xtn;
-	}
+        SECStatus rv;
+        /* extension_type */
+        rv = ssl3_AppendHandshakeNumber(ss, ssl_renegotiation_info_xtn, 2);
+        if (rv != SECSuccess) return -1;
+        /* length of extension_data */
+        rv = ssl3_AppendHandshakeNumber(ss, len + 1, 2);
+        if (rv != SECSuccess) return -1;
+        /* verify_Data from previous Finished message(s) */
+        rv = ssl3_AppendHandshakeVariable(ss,
+                  ss->ssl3.hs.finishedMsgs.data, len, 1);
+        if (rv != SECSuccess) return -1;
+        if (!ss->sec.isServer) {
+            TLSExtensionData *xtnData = &ss->xtnData;
+            xtnData->advertised[xtnData->numAdvertised++] =
+                                                   ssl_renegotiation_info_xtn;
+        }
     }
     return needed;
 }
 
 static SECStatus
 ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
-				  SECItem *data)
+                                  SECItem *data)
 {
     SECStatus rv = SECSuccess;
 
     /* remember that we got this extension. */
     ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
     PORT_Assert(ss->sec.isServer);
     /* prepare to send back the appropriate response */
     rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
-					    ssl3_ServerSendStatusRequestXtn);
+                                            ssl3_ServerSendStatusRequestXtn);
     return rv;
 }
 
 /* This function runs in both the client and server.  */
 static SECStatus
 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
 {
     SECStatus rv = SECSuccess;
     PRUint32 len = 0;
 
     if (ss->firstHsDone) {
-	len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes 
-	                       : ss->ssl3.hs.finishedBytes * 2;
+        len = ss->sec.isServer ? ss->ssl3.hs.finishedBytes
+                               : ss->ssl3.hs.finishedBytes * 2;
     }
     if (data->len != 1 + len  ||
-	data->data[0] != len  || (len && 
-	NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data,
-	                 data->data + 1, len))) {
-	/* Can we do this here? Or, must we arrange for the caller to do it? */     
-	(void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);                   
-	PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
-	return SECFailure;
+        data->data[0] != len  || (len &&
+        NSS_SecureMemcmp(ss->ssl3.hs.finishedMsgs.data,
+                         data->data + 1, len))) {
+        /* Can we do this here? Or, must we arrange for the caller to do it? */
+        (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
+        PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+        return SECFailure;
     }
     /* remember that we got this extension and it was correct. */
     ss->peerRequestedProtection = 1;
     ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
     if (ss->sec.isServer) {
-	/* prepare to send back the appropriate response */
-	rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
-					     ssl3_SendRenegotiationInfoXtn);
+        /* prepare to send back the appropriate response */
+        rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
+                                             ssl3_SendRenegotiationInfoXtn);
     }
     return rv;
 }
 
 static PRInt32
 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes)
 {
     PRUint32 ext_data_len;
     PRInt16 i;
     SECStatus rv;
 
     if (!ss)
-	return 0;
+        return 0;
 
     if (!ss->sec.isServer) {
-	/* Client side */
+        /* Client side */
 
-	if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount)
-	    return 0;  /* Not relevant */
+        if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount)
+            return 0;  /* Not relevant */
 
-	ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1;
+        ext_data_len = 2 + 2 * ss->ssl3.dtlsSRTPCipherCount + 1;
 
-	if (append && maxBytes >= 4 + ext_data_len) {
-	    /* Extension type */
-	    rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
-	    if (rv != SECSuccess) return -1;
-	    /* Length of extension data */
-	    rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2);
-	    if (rv != SECSuccess) return -1;
-	    /* Length of the SRTP cipher list */
-	    rv = ssl3_AppendHandshakeNumber(ss,
-					    2 * ss->ssl3.dtlsSRTPCipherCount,
-					    2);
-	    if (rv != SECSuccess) return -1;
-	    /* The SRTP ciphers */
-	    for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
-		rv = ssl3_AppendHandshakeNumber(ss,
-						ss->ssl3.dtlsSRTPCiphers[i],
-						2);
-	    }
-	    /* Empty MKI value */
-	    ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
+        if (append && maxBytes >= 4 + ext_data_len) {
+            /* Extension type */
+            rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
+            if (rv != SECSuccess) return -1;
+            /* Length of extension data */
+            rv = ssl3_AppendHandshakeNumber(ss, ext_data_len, 2);
+            if (rv != SECSuccess) return -1;
+            /* Length of the SRTP cipher list */
+            rv = ssl3_AppendHandshakeNumber(ss,
+                                            2 * ss->ssl3.dtlsSRTPCipherCount,
+                                            2);
+            if (rv != SECSuccess) return -1;
+            /* The SRTP ciphers */
+            for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
+                rv = ssl3_AppendHandshakeNumber(ss,
+                                                ss->ssl3.dtlsSRTPCiphers[i],
+                                                2);
+            }
+            /* Empty MKI value */
+            ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
 
-	    ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
-		ssl_use_srtp_xtn;
-	}
+            ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+                ssl_use_srtp_xtn;
+        }
 
-	return 4 + ext_data_len;
+        return 4 + ext_data_len;
     }
 
     /* Server side */
     if (append && maxBytes >= 9) {
-	/* Extension type */
-	rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
-	if (rv != SECSuccess) return -1;
-	/* Length of extension data */
-	rv = ssl3_AppendHandshakeNumber(ss, 5, 2);
-	if (rv != SECSuccess) return -1;
-	/* Length of the SRTP cipher list */
-	rv = ssl3_AppendHandshakeNumber(ss, 2, 2);
-	if (rv != SECSuccess) return -1;
-	/* The selected cipher */
-	rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2);
-	if (rv != SECSuccess) return -1;
-	/* Empty MKI value */
-	ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
+        /* Extension type */
+        rv = ssl3_AppendHandshakeNumber(ss, ssl_use_srtp_xtn, 2);
+        if (rv != SECSuccess) return -1;
+        /* Length of extension data */
+        rv = ssl3_AppendHandshakeNumber(ss, 5, 2);
+        if (rv != SECSuccess) return -1;
+        /* Length of the SRTP cipher list */
+        rv = ssl3_AppendHandshakeNumber(ss, 2, 2);
+        if (rv != SECSuccess) return -1;
+        /* The selected cipher */
+        rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.dtlsSRTPCipherSuite, 2);
+        if (rv != SECSuccess) return -1;
+        /* Empty MKI value */
+        ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
     }
 
     return 9;
 }
 
 static SECStatus
 ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
 {
@@ -2006,312 +2006,312 @@ ssl3_HandleUseSRTPXtn(sslSocket * ss, PR
     SECItem ciphers = {siBuffer, NULL, 0};
     PRUint16 i;
     unsigned int j;
     PRUint16 cipher = 0;
     PRBool found = PR_FALSE;
     SECItem litem;
 
     if (!ss->sec.isServer) {
-	/* Client side */
-	if (!data->data || !data->len) {
+        /* Client side */
+        if (!data->data || !data->len) {
             /* malformed */
             return SECFailure;
-	}
+        }
 
-	/* Get the cipher list */
-	rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2,
-					   &data->data, &data->len);
-	if (rv != SECSuccess) {
-	    return SECFailure;
-	}
-	/* Now check that the number of ciphers listed is 1 (len = 2) */
-	if (ciphers.len != 2) {
-	    return SECFailure;
-	}
+        /* Get the cipher list */
+        rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2,
+                                           &data->data, &data->len);
+        if (rv != SECSuccess) {
+            return SECFailure;
+        }
+        /* Now check that the number of ciphers listed is 1 (len = 2) */
+        if (ciphers.len != 2) {
+            return SECFailure;
+        }
 
-	/* Get the selected cipher */
-	cipher = (ciphers.data[0] << 8) | ciphers.data[1];
+        /* Get the selected cipher */
+        cipher = (ciphers.data[0] << 8) | ciphers.data[1];
 
-	/* Now check that this is one of the ciphers we offered */
-	for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
-	    if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
-		found = PR_TRUE;
-		break;
-	    }
-	}
+        /* Now check that this is one of the ciphers we offered */
+        for (i = 0; i < ss->ssl3.dtlsSRTPCipherCount; i++) {
+            if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
+                found = PR_TRUE;
+                break;
+            }
+        }
 
-	if (!found) {
-	    return SECFailure;
-	}
+        if (!found) {
+            return SECFailure;
+        }
 
-	/* Get the srtp_mki value */
+        /* Get the srtp_mki value */
         rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1,
-					   &data->data, &data->len);
+                                           &data->data, &data->len);
         if (rv != SECSuccess) {
             return SECFailure;
         }
 
-	/* We didn't offer an MKI, so this must be 0 length */
-	/* XXX RFC 5764 Section 4.1.3 says:
-	 *   If the client detects a nonzero-length MKI in the server's
-	 *   response that is different than the one the client offered,
-	 *   then the client MUST abort the handshake and SHOULD send an
-	 *   invalid_parameter alert.
-	 *
-	 * Due to a limitation of the ssl3_HandleHelloExtensions function,
-	 * returning SECFailure here won't abort the handshake.  It will
-	 * merely cause the use_srtp extension to be not negotiated.  We
-	 * should fix this.  See NSS bug 753136.
-	 */
-	if (litem.len != 0) {
-	    return SECFailure;
-	}
+        /* We didn't offer an MKI, so this must be 0 length */
+        /* XXX RFC 5764 Section 4.1.3 says:
+         *   If the client detects a nonzero-length MKI in the server's
+         *   response that is different than the one the client offered,
+         *   then the client MUST abort the handshake and SHOULD send an
+         *   invalid_parameter alert.
+         *
+         * Due to a limitation of the ssl3_HandleHelloExtensions function,
+         * returning SECFailure here won't abort the handshake.  It will
+         * merely cause the use_srtp extension to be not negotiated.  We
+         * should fix this.  See NSS bug 753136.
+         */
+        if (litem.len != 0) {
+            return SECFailure;
+        }
 
-	if (data->len != 0) {
+        if (data->len != 0) {
             /* malformed */
             return SECFailure;
-	}
+        }
 
-	/* OK, this looks fine. */
-	ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
-	ss->ssl3.dtlsSRTPCipherSuite = cipher;
-	return SECSuccess;
+        /* OK, this looks fine. */
+        ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
+        ss->ssl3.dtlsSRTPCipherSuite = cipher;
+        return SECSuccess;
     }
 
     /* Server side */
     if (!IS_DTLS(ss) || !ss->ssl3.dtlsSRTPCipherCount) {
-	/* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP
-	 * preferences have been set. */
-	return SECSuccess;
+        /* Ignore the extension if we aren't doing DTLS or no DTLS-SRTP
+         * preferences have been set. */
+        return SECSuccess;
     }
 
     if (!data->data || data->len < 5) {
-	/* malformed */
-	return SECFailure;
+        /* malformed */
+        return SECFailure;
     }
 
     /* Get the cipher list */
     rv = ssl3_ConsumeHandshakeVariable(ss, &ciphers, 2,
-				       &data->data, &data->len);
+                                       &data->data, &data->len);
     if (rv != SECSuccess) {
-	return SECFailure;
+        return SECFailure;
     }
     /* Check that the list is even length */
     if (ciphers.len % 2) {
-	return SECFailure;
+        return SECFailure;
     }
 
     /* Walk through the offered list and pick the most preferred of our
      * ciphers, if any */
     for (i = 0; !found && i < ss->ssl3.dtlsSRTPCipherCount; i++) {
-	for (j = 0; j + 1 < ciphers.len; j += 2) {
-	    cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1];
-	    if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
-		found = PR_TRUE;
-		break;
-	    }
-	}
+        for (j = 0; j + 1 < ciphers.len; j += 2) {
+            cipher = (ciphers.data[j] << 8) | ciphers.data[j + 1];
+            if (cipher == ss->ssl3.dtlsSRTPCiphers[i]) {
+                found = PR_TRUE;
+                break;
+            }
+        }
     }
 
     /* Get the srtp_mki value */
     rv = ssl3_ConsumeHandshakeVariable(ss, &litem, 1, &data->data, &data->len);
     if (rv != SECSuccess) {
-	return SECFailure;
+        return SECFailure;
     }
 
     if (data->len != 0) {
-	return SECFailure; /* Malformed */
+        return SECFailure; /* Malformed */
     }
 
     /* Now figure out what to do */
     if (!found) {
-	/* No matching ciphers */
-	return SECSuccess;
+        /* No matching ciphers */
+        return SECSuccess;
     }
 
     /* OK, we have a valid cipher and we've selected it */
     ss->ssl3.dtlsSRTPCipherSuite = cipher;
     ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_use_srtp_xtn;
 
     return ssl3_RegisterServerHelloExtensionSender(ss, ssl_use_srtp_xtn,
-						   ssl3_SendUseSRTPXtn);
+                                                   ssl3_SendUseSRTPXtn);
 }
 
 /* ssl3_ServerHandleSigAlgsXtn handles the signature_algorithms extension
  * from a client.
  * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
 static SECStatus
 ssl3_ServerHandleSigAlgsXtn(sslSocket * ss, PRUint16 ex_type, SECItem *data)
 {
     SECStatus rv;
     SECItem algorithms;
     const unsigned char *b;
     unsigned int numAlgorithms, i;
 
     /* Ignore this extension if we aren't doing TLS 1.2 or greater. */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
-	return SECSuccess;
+        return SECSuccess;
     }
 
     /* Keep track of negotiated extensions. */
     ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
 
     rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &data->data,
-				       &data->len);
+                                       &data->len);
     if (rv != SECSuccess) {
-	return SECFailure;
+        return SECFailure;
     }
     /* Trailing data, empty value, or odd-length value is invalid. */
     if (data->len != 0 || algorithms.len == 0 || (algorithms.len & 1) != 0) {
-	PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
-	return SECFailure;
+        PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+        return SECFailure;
     }
 
     numAlgorithms = algorithms.len/2;
 
     /* We don't care to process excessive numbers of algorithms. */
     if (numAlgorithms > 512) {
-	numAlgorithms = 512;
+        numAlgorithms = 512;
     }
 
     ss->ssl3.hs.clientSigAndHash =
-	    PORT_NewArray(SSL3SignatureAndHashAlgorithm, numAlgorithms);
+            PORT_NewArray(SSL3SignatureAndHashAlgorithm, numAlgorithms);
     if (!ss->ssl3.hs.clientSigAndHash) {
-	return SECFailure;
+        return SECFailure;
     }
     ss->ssl3.hs.numClientSigAndHash = 0;
 
     b = algorithms.data;
     for (i = 0; i < numAlgorithms; i++) {
-	unsigned char tls_hash = *(b++);
-	unsigned char tls_sig = *(b++);
-	SECOidTag hash = ssl3_TLSHashAlgorithmToOID(tls_hash);
+        unsigned char tls_hash = *(b++);
+        unsigned char tls_sig = *(b++);
+        SECOidTag hash = ssl3_TLSHashAlgorithmToOID(tls_hash);
 
-	if (hash == SEC_OID_UNKNOWN) {
-	    /* We ignore formats that we don't understand. */
-	    continue;
-	}
-	/* tls_sig support will be checked later in
-	 * ssl3_PickSignatureHashAlgorithm. */
-	ss->ssl3.hs.clientSigAndHash[i].hashAlg = hash;
-	ss->ssl3.hs.clientSigAndHash[i].sigAlg = tls_sig;
-	ss->ssl3.hs.numClientSigAndHash++;
+        if (hash == SEC_OID_UNKNOWN) {
+            /* We ignore formats that we don't understand. */
+            continue;
+        }
+        /* tls_sig support will be checked later in
+         * ssl3_PickSignatureHashAlgorithm. */
+        ss->ssl3.hs.clientSigAndHash[i].hashAlg = hash;
+        ss->ssl3.hs.clientSigAndHash[i].sigAlg = tls_sig;
+        ss->ssl3.hs.numClientSigAndHash++;
     }
 
     if (!ss->ssl3.hs.numClientSigAndHash) {
-	/* We didn't understand any of the client's requested signature
-	 * formats. We'll use the defaults. */
-	PORT_Free(ss->ssl3.hs.clientSigAndHash);
-	ss->ssl3.hs.clientSigAndHash = NULL;
+        /* We didn't understand any of the client's requested signature
+         * formats. We'll use the defaults. */
+        PORT_Free(ss->ssl3.hs.clientSigAndHash);
+        ss->ssl3.hs.clientSigAndHash = NULL;
     }
 
     return SECSuccess;
 }
 
 /* ssl3_ClientSendSigAlgsXtn sends the signature_algorithm extension for TLS
  * 1.2 ClientHellos. */
 static PRInt32
 ssl3_ClientSendSigAlgsXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
 {
     static const unsigned char signatureAlgorithms[] = {
-	/* This block is the contents of our signature_algorithms extension, in
-	 * wire format. See
-	 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
-	tls_hash_sha256, tls_sig_rsa,
-	tls_hash_sha384, tls_sig_rsa,
-	tls_hash_sha1,   tls_sig_rsa,
+        /* This block is the contents of our signature_algorithms extension, in
+         * wire format. See
+         * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
+        tls_hash_sha256, tls_sig_rsa,
+        tls_hash_sha384, tls_sig_rsa,
+        tls_hash_sha1,   tls_sig_rsa,
 #ifndef NSS_DISABLE_ECC
-	tls_hash_sha256, tls_sig_ecdsa,
-	tls_hash_sha384, tls_sig_ecdsa,
-	tls_hash_sha1,   tls_sig_ecdsa,
+        tls_hash_sha256, tls_sig_ecdsa,
+        tls_hash_sha384, tls_sig_ecdsa,
+        tls_hash_sha1,   tls_sig_ecdsa,
 #endif
-	tls_hash_sha256, tls_sig_dsa,
-	tls_hash_sha1,   tls_sig_dsa,
+        tls_hash_sha256, tls_sig_dsa,
+        tls_hash_sha1,   tls_sig_dsa,
     };
     PRInt32 extension_length;
 
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) {
-	return 0;
+        return 0;
     }
 
     extension_length =
-	2 /* extension type */ +
-	2 /* extension length */ +
-	2 /* supported_signature_algorithms length */ +
-	sizeof(signatureAlgorithms);
+        2 /* extension type */ +
+        2 /* extension length */ +
+        2 /* supported_signature_algorithms length */ +
+        sizeof(signatureAlgorithms);
 
     if (append && maxBytes >= extension_length) {
-	SECStatus rv;
-	rv = ssl3_AppendHandshakeNumber(ss, ssl_signature_algorithms_xtn, 2);
-	if (rv != SECSuccess)
-	    goto loser;
-	rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
-	if (rv != SECSuccess)
-	    goto loser;
-	rv = ssl3_AppendHandshakeVariable(ss, signatureAlgorithms,
-					  sizeof(signatureAlgorithms), 2);
-	if (rv != SECSuccess)
-	    goto loser;
-	ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
-		ssl_signature_algorithms_xtn;
+        SECStatus rv;
+        rv = ssl3_AppendHandshakeNumber(ss, ssl_signature_algorithms_xtn, 2);
+        if (rv != SECSuccess)
+            goto loser;
+        rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
+        if (rv != SECSuccess)
+            goto loser;
+        rv = ssl3_AppendHandshakeVariable(ss, signatureAlgorithms,
+                                          sizeof(signatureAlgorithms), 2);
+        if (rv != SECSuccess)
+            goto loser;
+        ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+                ssl_signature_algorithms_xtn;
     } else if (maxBytes < extension_length) {
-	PORT_Assert(0);
-	return 0;
+        PORT_Assert(0);
+        return 0;
     }
 
     return extension_length;
 
 loser:
     return -1;
 }
 
 unsigned int
 ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength)
 {
     unsigned int recordLength = 1 /* handshake message type */ +
-				3 /* handshake message length */ +
-				clientHelloLength;
+                                3 /* handshake message length */ +
+                                clientHelloLength;
     unsigned int extensionLength;
 
     if (recordLength < 256 || recordLength >= 512) {
-	return 0;
+        return 0;
     }
 
     extensionLength = 512 - recordLength;
     /* Extensions take at least four bytes to encode. */
     if (extensionLength < 4) {
-	extensionLength = 4;
+        extensionLength = 4;
     }
 
     return extensionLength;
 }
 
 /* ssl3_AppendPaddingExtension possibly adds an extension which ensures that a
  * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures
  * that we don't trigger bugs in F5 products. */
 PRInt32
 ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
-			    PRUint32 maxBytes)
+                            PRUint32 maxBytes)
 {
     unsigned int paddingLen = extensionLen - 4;
     static unsigned char padding[256];
 
     if (extensionLen == 0) {
-	return 0;
+        return 0;
     }
 
     if (extensionLen < 4 ||
-	extensionLen > maxBytes ||
-	paddingLen > sizeof(padding)) {
-	PORT_Assert(0);
-	return -1;
+        extensionLen > maxBytes ||
+        paddingLen > sizeof(padding)) {
+        PORT_Assert(0);
+        return -1;
     }
 
     if (SECSuccess != ssl3_AppendHandshakeNumber(ss, ssl_padding_xtn, 2))
-	return -1;
+        return -1;
     if (SECSuccess != ssl3_AppendHandshakeNumber(ss, paddingLen, 2))
-	return -1;
+        return -1;
     if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen))
-	return -1;
+        return -1;
 
     return extensionLen;
 }
--- a/security/nss/lib/ssl/ssl3prot.h
+++ b/security/nss/lib/ssl/ssl3prot.h
@@ -12,35 +12,35 @@
 typedef PRUint8 SSL3Opaque;
 
 typedef PRUint16 SSL3ProtocolVersion;
 /* version numbers are defined in sslproto.h */
 
 typedef PRUint16 ssl3CipherSuite;
 /* The cipher suites are defined in sslproto.h */
 
-#define MAX_CERT_TYPES			10
-#define MAX_COMPRESSION_METHODS		10
-#define MAX_MAC_LENGTH			64
-#define MAX_PADDING_LENGTH		64
-#define MAX_KEY_LENGTH			64
-#define EXPORT_KEY_LENGTH		 5
-#define SSL3_RANDOM_LENGTH		32
+#define MAX_CERT_TYPES                  10
+#define MAX_COMPRESSION_METHODS         10
+#define MAX_MAC_LENGTH                  64
+#define MAX_PADDING_LENGTH              64
+#define MAX_KEY_LENGTH                  64
+#define EXPORT_KEY_LENGTH                5
+#define SSL3_RANDOM_LENGTH              32
 
-#define SSL3_RECORD_HEADER_LENGTH	 5
+#define SSL3_RECORD_HEADER_LENGTH        5
 
 /* SSL3_RECORD_HEADER_LENGTH + epoch/sequence_number */
 #define DTLS_RECORD_HEADER_LENGTH       13
 
-#define MAX_FRAGMENT_LENGTH		16384
-     
+#define MAX_FRAGMENT_LENGTH          16384
+
 typedef enum {
-    content_change_cipher_spec = 20, 
+    content_change_cipher_spec = 20,
     content_alert              = 21,
-    content_handshake          = 22, 
+    content_handshake          = 22,
     content_application_data   = 23
 } SSL3ContentType;
 
 typedef struct {
     SSL3ContentType     type;
     SSL3ProtocolVersion version;
     PRUint16            length;
     SECItem             fragment;
@@ -72,21 +72,21 @@ typedef struct {
 } SSL3ChangeCipherSpec;
 
 typedef enum { alert_warning = 1, alert_fatal = 2 } SSL3AlertLevel;
 
 typedef enum {
     close_notify            = 0,
     unexpected_message      = 10,
     bad_record_mac          = 20,
-    decryption_failed_RESERVED = 21,	/* do not send; see RFC 5246 */
-    record_overflow         = 22,	/* TLS only */
+    decryption_failed_RESERVED = 21,    /* do not send; see RFC 5246 */
+    record_overflow         = 22,       /* TLS only */
     decompression_failure   = 30,
     handshake_failure       = 40,
-    no_certificate          = 41,	/* SSL3 only, NOT TLS */
+    no_certificate          = 41,       /* SSL3 only, NOT TLS */
     bad_certificate         = 42,
     unsupported_certificate = 43,
     certificate_revoked     = 44,
     certificate_expired     = 45,
     certificate_unknown     = 46,
     illegal_parameter       = 47,
 
 /* All alerts below are TLS only. */
@@ -111,107 +111,107 @@ typedef enum {
 } SSL3AlertDescription;
 
 typedef struct {
     SSL3AlertLevel       level;
     SSL3AlertDescription description;
 } SSL3Alert;
 
 typedef enum {
-    hello_request	= 0, 
-    client_hello	= 1, 
-    server_hello	= 2,
+    hello_request       = 0,
+    client_hello        = 1,
+    server_hello        = 2,
     hello_verify_request = 3,
-    new_session_ticket	= 4,
-    certificate 	= 11, 
+    new_session_ticket  = 4,
+    certificate         = 11,
     server_key_exchange = 12,
-    certificate_request	= 13, 
-    server_hello_done	= 14,
-    certificate_verify	= 15, 
-    client_key_exchange	= 16, 
-    finished		= 20,
+    certificate_request = 13,
+    server_hello_done   = 14,
+    certificate_verify  = 15,
+    client_key_exchange = 16,
+    finished            = 20,
     certificate_status  = 22,
-    next_proto		= 67
+    next_proto          = 67
 } SSL3HandshakeType;
 
 typedef struct {
     PRUint8 empty;
 } SSL3HelloRequest;
-     
+
 typedef struct {
     SSL3Opaque rand[SSL3_RANDOM_LENGTH];
 } SSL3Random;
-     
+
 typedef struct {
     SSL3Opaque id[32];
     PRUint8 length;
 } SSL3SessionID;
-     
+
 typedef struct {
     SSL3ProtocolVersion   client_version;
     SSL3Random            random;
     SSL3SessionID         session_id;
     SECItem               cipher_suites;
-    PRUint8                 cm_count;
+    PRUint8               cm_count;
     SSLCompressionMethod  compression_methods[MAX_COMPRESSION_METHODS];
 } SSL3ClientHello;
-     
+
 typedef struct  {
     SSL3ProtocolVersion   server_version;
     SSL3Random            random;
     SSL3SessionID         session_id;
     ssl3CipherSuite       cipher_suite;
     SSLCompressionMethod  compression_method;
 } SSL3ServerHello;
-     
+
 typedef struct {
     SECItem list;
 } SSL3Certificate;
 
 /* SSL3SignType moved to ssl.h */
 
-/* The SSL key exchange method used */     
+/* The SSL key exchange method used */
 typedef enum {
-    kea_null, 
-    kea_rsa, 
+    kea_null,
+    kea_rsa,
     kea_rsa_export,
     kea_rsa_export_1024,
-    kea_dh_dss, 
-    kea_dh_dss_export, 
-    kea_dh_rsa, 
+    kea_dh_dss,
+    kea_dh_dss_export,
+    kea_dh_rsa,
     kea_dh_rsa_export,
-    kea_dhe_dss, 
-    kea_dhe_dss_export, 
-    kea_dhe_rsa, 
+    kea_dhe_dss,
+    kea_dhe_dss_export,
+    kea_dhe_rsa,
     kea_dhe_rsa_export,
-    kea_dh_anon, 
-    kea_dh_anon_export, 
+    kea_dh_anon,
+    kea_dh_anon_export,
     kea_rsa_fips,
     kea_ecdh_ecdsa,
     kea_ecdhe_ecdsa,
     kea_ecdh_rsa,
     kea_ecdhe_rsa,
     kea_ecdh_anon
 } SSL3KeyExchangeAlgorithm;
-     
+
 typedef struct {
     SECItem modulus;
     SECItem exponent;
 } SSL3ServerRSAParams;
 
 typedef struct {
     SECItem p;
     SECItem g;
     SECItem Ys;
 } SSL3ServerDHParams;
 
 typedef struct {
     union {
-	SSL3ServerDHParams dh;
-	SSL3ServerRSAParams rsa;
+        SSL3ServerDHParams dh;
+        SSL3ServerRSAParams rsa;
     } u;
 } SSL3ServerParams;
 
 /* This enum reflects HashAlgorithm enum from
  * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
  *
  * When updating, be sure to also update ssl3_TLSHashAlgorithmToOID. */
 enum {
@@ -245,87 +245,87 @@ typedef struct {
 
 /* SSL3Hashes contains an SSL hash value. The digest is contained in |u.raw|
  * which, if |hashAlg==SEC_OID_UNKNOWN| is also a SSL3HashesIndividually
  * struct. */
 typedef struct {
     unsigned int len;
     SECOidTag hashAlg;
     union {
-	PRUint8 raw[64];
-	SSL3HashesIndividually s;
+        PRUint8 raw[64];
+        SSL3HashesIndividually s;
     } u;
 } SSL3Hashes;
 
 typedef struct {
     union {
-	SSL3Opaque anonymous;
-	SSL3Hashes certified;
+        SSL3Opaque anonymous;
+        SSL3Hashes certified;
     } u;
 } SSL3ServerKeyExchange;
-     
+
 typedef enum {
-    ct_RSA_sign 	=  1, 
-    ct_DSS_sign 	=  2, 
-    ct_RSA_fixed_DH 	=  3,
-    ct_DSS_fixed_DH 	=  4, 
-    ct_RSA_ephemeral_DH =  5, 
+    ct_RSA_sign         =  1,
+    ct_DSS_sign         =  2,
+    ct_RSA_fixed_DH     =  3,
+    ct_DSS_fixed_DH     =  4,
+    ct_RSA_ephemeral_DH =  5,
     ct_DSS_ephemeral_DH =  6,
-    ct_ECDSA_sign	=  64, 
-    ct_RSA_fixed_ECDH	=  65, 
-    ct_ECDSA_fixed_ECDH	=  66 
+    ct_ECDSA_sign       =  64,
+    ct_RSA_fixed_ECDH   =  65,
+    ct_ECDSA_fixed_ECDH =  66
 
 } SSL3ClientCertificateType;
-     
+
 typedef SECItem *SSL3DistinquishedName;
 
 typedef struct {
     SSL3Opaque client_version[2];
     SSL3Opaque random[46];
 } SSL3RSAPreMasterSecret;
-     
+
 typedef SECItem SSL3EncryptedPreMasterSecret;
 
 
 typedef SSL3Opaque SSL3MasterSecret[48];
 
 typedef enum { implicit, explicit } SSL3PublicValueEncoding;
-     
+
 typedef struct {
     union {
-	SSL3Opaque implicit;
-	SECItem    explicit;
+        SSL3Opaque implicit;
+        SECItem    explicit;
     } dh_public;
 } SSL3ClientDiffieHellmanPublic;
-     
+
 typedef struct {
     union {
-	SSL3EncryptedPreMasterSecret  rsa;
-	SSL3ClientDiffieHellmanPublic diffie_helman;
+        SSL3EncryptedPreMasterSecret  rsa;
+        SSL3ClientDiffieHellmanPublic diffie_helman;
     } exchange_keys;
 } SSL3ClientKeyExchange;
 
 typedef SSL3Hashes SSL3PreSignedCertificateVerify;
 
 typedef SECItem SSL3CertificateVerify;
 
 typedef enum {
     sender_client = 0x434c4e54,
     sender_server = 0x53525652
 } SSL3Sender;
 
-typedef SSL3HashesIndividually SSL3Finished;   
+typedef SSL3HashesIndividually SSL3Finished;
 
 typedef struct {
     SSL3Opaque verify_data[12];
 } TLSFinished;
 
 /*
  * TLS extension related data structures and constants.
- */ 
+ */
 
 /* SessionTicket extension related data structures. */
 
 /* NewSessionTicket handshake message. */
 typedef struct {
     PRUint32 received_timestamp;
     PRUint32 ticket_lifetime_hint;
     SECItem  ticket;
@@ -334,29 +334,29 @@ typedef struct {
 typedef enum {
     CLIENT_AUTH_ANONYMOUS   = 0,
     CLIENT_AUTH_CERTIFICATE = 1
 } ClientAuthenticationType;
 
 typedef struct {
     ClientAuthenticationType client_auth_type;
     union {
-	SSL3Opaque *certificate_list;
+        SSL3Opaque *certificate_list;
     } identity;
 } ClientIdentity;
 
 #define SESS_TICKET_KEY_NAME_LEN       16
 #define SESS_TICKET_KEY_NAME_PREFIX    "NSS!"
 #define SESS_TICKET_KEY_NAME_PREFIX_LEN 4
 #define SESS_TICKET_KEY_VAR_NAME_LEN   12
 
 typedef struct {
     unsigned char *key_name;
     unsigned char *iv;
     SECItem encrypted_state;
     unsigned char *mac;
 } EncryptedSessionTicket;
 
-#define TLS_EX_SESS_TICKET_MAC_LENGTH       32
+#define TLS_EX_SESS_TICKET_MAC_LENGTH 32
 
 #define TLS_STE_NO_SERVER_NAME        -1
 
 #endif /* __ssl3proto_h_ */
--- a/security/nss/lib/ssl/sslerr.h
+++ b/security/nss/lib/ssl/sslerr.h
@@ -3,198 +3,198 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #ifndef __SSL_ERR_H_
 #define __SSL_ERR_H_
 
 
-#define SSL_ERROR_BASE				(-0x3000)
-#define SSL_ERROR_LIMIT				(SSL_ERROR_BASE + 1000)
+#define SSL_ERROR_BASE                          (-0x3000)
+#define SSL_ERROR_LIMIT                         (SSL_ERROR_BASE + 1000)
 
 #define IS_SSL_ERROR(code) \
     (((code) >= SSL_ERROR_BASE) && ((code) < SSL_ERROR_LIMIT))
 
 #ifndef NO_SECURITY_ERROR_ENUM
 typedef enum {
-SSL_ERROR_EXPORT_ONLY_SERVER 		= (SSL_ERROR_BASE +  0),
-SSL_ERROR_US_ONLY_SERVER 		= (SSL_ERROR_BASE +  1),
-SSL_ERROR_NO_CYPHER_OVERLAP 		= (SSL_ERROR_BASE +  2),
-/* 
+SSL_ERROR_EXPORT_ONLY_SERVER            = (SSL_ERROR_BASE +  0),
+SSL_ERROR_US_ONLY_SERVER                = (SSL_ERROR_BASE +  1),
+SSL_ERROR_NO_CYPHER_OVERLAP             = (SSL_ERROR_BASE +  2),
+/*
  * Received an alert reporting what we did wrong.  (more alerts below)
  */
-SSL_ERROR_NO_CERTIFICATE /*_ALERT */	= (SSL_ERROR_BASE +  3),
-SSL_ERROR_BAD_CERTIFICATE            	= (SSL_ERROR_BASE +  4),
-SSL_ERROR_UNUSED_5			= (SSL_ERROR_BASE +  5),
-					/* error 5 is obsolete */
-SSL_ERROR_BAD_CLIENT 			= (SSL_ERROR_BASE +  6),
-SSL_ERROR_BAD_SERVER 			= (SSL_ERROR_BASE +  7),
-SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE	= (SSL_ERROR_BASE +  8),
-SSL_ERROR_UNSUPPORTED_VERSION 		= (SSL_ERROR_BASE +  9),
-SSL_ERROR_UNUSED_10			= (SSL_ERROR_BASE + 10),
-					/* error 10 is obsolete */
-SSL_ERROR_WRONG_CERTIFICATE		= (SSL_ERROR_BASE + 11),
-SSL_ERROR_BAD_CERT_DOMAIN 		= (SSL_ERROR_BASE + 12),
-SSL_ERROR_POST_WARNING 			= (SSL_ERROR_BASE + 13),
-SSL_ERROR_SSL2_DISABLED 		= (SSL_ERROR_BASE + 14),
-SSL_ERROR_BAD_MAC_READ 			= (SSL_ERROR_BASE + 15),
-/* 
+SSL_ERROR_NO_CERTIFICATE /*_ALERT */    = (SSL_ERROR_BASE +  3),
+SSL_ERROR_BAD_CERTIFICATE               = (SSL_ERROR_BASE +  4),
+SSL_ERROR_UNUSED_5                      = (SSL_ERROR_BASE +  5),
+                                        /* error 5 is obsolete */
+SSL_ERROR_BAD_CLIENT                    = (SSL_ERROR_BASE +  6),
+SSL_ERROR_BAD_SERVER                    = (SSL_ERROR_BASE +  7),
+SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE  = (SSL_ERROR_BASE +  8),
+SSL_ERROR_UNSUPPORTED_VERSION           = (SSL_ERROR_BASE +  9),
+SSL_ERROR_UNUSED_10                     = (SSL_ERROR_BASE + 10),
+                                        /* error 10 is obsolete */
+SSL_ERROR_WRONG_CERTIFICATE             = (SSL_ERROR_BASE + 11),
+SSL_ERROR_BAD_CERT_DOMAIN               = (SSL_ERROR_BASE + 12),
+SSL_ERROR_POST_WARNING                  = (SSL_ERROR_BASE + 13),
+SSL_ERROR_SSL2_DISABLED                 = (SSL_ERROR_BASE + 14),
+SSL_ERROR_BAD_MAC_READ                  = (SSL_ERROR_BASE + 15),
+/*
  * Received an alert reporting what we did wrong.
  * (two more alerts above, and many more below)
  */
-SSL_ERROR_BAD_MAC_ALERT 		= (SSL_ERROR_BASE + 16),
+SSL_ERROR_BAD_MAC_ALERT                 = (SSL_ERROR_BASE + 16),
 SSL_ERROR_BAD_CERT_ALERT                = (SSL_ERROR_BASE + 17),
-SSL_ERROR_REVOKED_CERT_ALERT 		= (SSL_ERROR_BASE + 18),
-SSL_ERROR_EXPIRED_CERT_ALERT 		= (SSL_ERROR_BASE + 19),
+SSL_ERROR_REVOKED_CERT_ALERT            = (SSL_ERROR_BASE + 18),
+SSL_ERROR_EXPIRED_CERT_ALERT            = (SSL_ERROR_BASE + 19),
 
-SSL_ERROR_SSL_DISABLED 			= (SSL_ERROR_BASE + 20),
-SSL_ERROR_FORTEZZA_PQG 			= (SSL_ERROR_BASE + 21),
-SSL_ERROR_UNKNOWN_CIPHER_SUITE		= (SSL_ERROR_BASE + 22),
-SSL_ERROR_NO_CIPHERS_SUPPORTED		= (SSL_ERROR_BASE + 23),
-SSL_ERROR_BAD_BLOCK_PADDING		= (SSL_ERROR_BASE + 24),
-SSL_ERROR_RX_RECORD_TOO_LONG		= (SSL_ERROR_BASE + 25),
-SSL_ERROR_TX_RECORD_TOO_LONG		= (SSL_ERROR_BASE + 26),
-/* 
+SSL_ERROR_SSL_DISABLED                  = (SSL_ERROR_BASE + 20),
+SSL_ERROR_FORTEZZA_PQG                  = (SSL_ERROR_BASE + 21),
+SSL_ERROR_UNKNOWN_CIPHER_SUITE          = (SSL_ERROR_BASE + 22),
+SSL_ERROR_NO_CIPHERS_SUPPORTED          = (SSL_ERROR_BASE + 23),
+SSL_ERROR_BAD_BLOCK_PADDING             = (SSL_ERROR_BASE + 24),
+SSL_ERROR_RX_RECORD_TOO_LONG            = (SSL_ERROR_BASE + 25),
+SSL_ERROR_TX_RECORD_TOO_LONG            = (SSL_ERROR_BASE + 26),
+/*
  * Received a malformed (too long or short) SSL handshake.
  */
-SSL_ERROR_RX_MALFORMED_HELLO_REQUEST	= (SSL_ERROR_BASE + 27),
-SSL_ERROR_RX_MALFORMED_CLIENT_HELLO	= (SSL_ERROR_BASE + 28),
-SSL_ERROR_RX_MALFORMED_SERVER_HELLO	= (SSL_ERROR_BASE + 29),
-SSL_ERROR_RX_MALFORMED_CERTIFICATE	= (SSL_ERROR_BASE + 30),
-SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH	= (SSL_ERROR_BASE + 31),
-SSL_ERROR_RX_MALFORMED_CERT_REQUEST	= (SSL_ERROR_BASE + 32),
-SSL_ERROR_RX_MALFORMED_HELLO_DONE	= (SSL_ERROR_BASE + 33),
-SSL_ERROR_RX_MALFORMED_CERT_VERIFY	= (SSL_ERROR_BASE + 34),
-SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH	= (SSL_ERROR_BASE + 35),
-SSL_ERROR_RX_MALFORMED_FINISHED 	= (SSL_ERROR_BASE + 36),
-/* 
+SSL_ERROR_RX_MALFORMED_HELLO_REQUEST    = (SSL_ERROR_BASE + 27),
+SSL_ERROR_RX_MALFORMED_CLIENT_HELLO     = (SSL_ERROR_BASE + 28),
+SSL_ERROR_RX_MALFORMED_SERVER_HELLO     = (SSL_ERROR_BASE + 29),
+SSL_ERROR_RX_MALFORMED_CERTIFICATE      = (SSL_ERROR_BASE + 30),
+SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH  = (SSL_ERROR_BASE + 31),
+SSL_ERROR_RX_MALFORMED_CERT_REQUEST     = (SSL_ERROR_BASE + 32),
+SSL_ERROR_RX_MALFORMED_HELLO_DONE       = (SSL_ERROR_BASE + 33),
+SSL_ERROR_RX_MALFORMED_CERT_VERIFY      = (SSL_ERROR_BASE + 34),
+SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH  = (SSL_ERROR_BASE + 35),
+SSL_ERROR_RX_MALFORMED_FINISHED         = (SSL_ERROR_BASE + 36),
+/*
  * Received a malformed (too long or short) SSL record.
  */
-SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER 	= (SSL_ERROR_BASE + 37),
-SSL_ERROR_RX_MALFORMED_ALERT	 	= (SSL_ERROR_BASE + 38),
-SSL_ERROR_RX_MALFORMED_HANDSHAKE 	= (SSL_ERROR_BASE + 39),
-SSL_ERROR_RX_MALFORMED_APPLICATION_DATA	= (SSL_ERROR_BASE + 40),
+SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER    = (SSL_ERROR_BASE + 37),
+SSL_ERROR_RX_MALFORMED_ALERT            = (SSL_ERROR_BASE + 38),
+SSL_ERROR_RX_MALFORMED_HANDSHAKE        = (SSL_ERROR_BASE + 39),
+SSL_ERROR_RX_MALFORMED_APPLICATION_DATA = (SSL_ERROR_BASE + 40),
 /*
  * Received an SSL handshake that was inappropriate for the state we're in.
  * E.g. Server received message from server, or wrong state in state machine.
  */
-SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST	= (SSL_ERROR_BASE + 41),
-SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO	= (SSL_ERROR_BASE + 42),
-SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO	= (SSL_ERROR_BASE + 43),
-SSL_ERROR_RX_UNEXPECTED_CERTIFICATE	= (SSL_ERROR_BASE + 44),
-SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH	= (SSL_ERROR_BASE + 45),
-SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST	= (SSL_ERROR_BASE + 46),
-SSL_ERROR_RX_UNEXPECTED_HELLO_DONE	= (SSL_ERROR_BASE + 47),
-SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY	= (SSL_ERROR_BASE + 48),
-SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH	= (SSL_ERROR_BASE + 49),
-SSL_ERROR_RX_UNEXPECTED_FINISHED 	= (SSL_ERROR_BASE + 50),
+SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST   = (SSL_ERROR_BASE + 41),
+SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO    = (SSL_ERROR_BASE + 42),
+SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO    = (SSL_ERROR_BASE + 43),
+SSL_ERROR_RX_UNEXPECTED_CERTIFICATE     = (SSL_ERROR_BASE + 44),
+SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH = (SSL_ERROR_BASE + 45),
+SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST    = (SSL_ERROR_BASE + 46),
+SSL_ERROR_RX_UNEXPECTED_HELLO_DONE      = (SSL_ERROR_BASE + 47),
+SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY     = (SSL_ERROR_BASE + 48),
+SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH = (SSL_ERROR_BASE + 49),
+SSL_ERROR_RX_UNEXPECTED_FINISHED        = (SSL_ERROR_BASE + 50),
 /*
  * Received an SSL record that was inappropriate for the state we're in.
  */
-SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER 	= (SSL_ERROR_BASE + 51),
-SSL_ERROR_RX_UNEXPECTED_ALERT	 	= (SSL_ERROR_BASE + 52),
-SSL_ERROR_RX_UNEXPECTED_HANDSHAKE 	= (SSL_ERROR_BASE + 53),
-SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA= (SSL_ERROR_BASE + 54),
+SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER   = (SSL_ERROR_BASE + 51),
+SSL_ERROR_RX_UNEXPECTED_ALERT           = (SSL_ERROR_BASE + 52),
+SSL_ERROR_RX_UNEXPECTED_HANDSHAKE       = (SSL_ERROR_BASE + 53),
+SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA = (SSL_ERROR_BASE + 54),
 /*
  * Received record/message with unknown discriminant.
  */
-SSL_ERROR_RX_UNKNOWN_RECORD_TYPE	= (SSL_ERROR_BASE + 55),
-SSL_ERROR_RX_UNKNOWN_HANDSHAKE 		= (SSL_ERROR_BASE + 56),
-SSL_ERROR_RX_UNKNOWN_ALERT 		= (SSL_ERROR_BASE + 57),
-/* 
+SSL_ERROR_RX_UNKNOWN_RECORD_TYPE        = (SSL_ERROR_BASE + 55),
+SSL_ERROR_RX_UNKNOWN_HANDSHAKE          = (SSL_ERROR_BASE + 56),
+SSL_ERROR_RX_UNKNOWN_ALERT              = (SSL_ERROR_BASE + 57),
+/*
  * Received an alert reporting what we did wrong.  (more alerts above)
  */
-SSL_ERROR_CLOSE_NOTIFY_ALERT 		= (SSL_ERROR_BASE + 58),
-SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT 	= (SSL_ERROR_BASE + 59),
-SSL_ERROR_DECOMPRESSION_FAILURE_ALERT 	= (SSL_ERROR_BASE + 60),
-SSL_ERROR_HANDSHAKE_FAILURE_ALERT 	= (SSL_ERROR_BASE + 61),
-SSL_ERROR_ILLEGAL_PARAMETER_ALERT 	= (SSL_ERROR_BASE + 62),
-SSL_ERROR_UNSUPPORTED_CERT_ALERT 	= (SSL_ERROR_BASE + 63),
-SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT 	= (SSL_ERROR_BASE + 64),
+SSL_ERROR_CLOSE_NOTIFY_ALERT            = (SSL_ERROR_BASE + 58),
+SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT    = (SSL_ERROR_BASE + 59),
+SSL_ERROR_DECOMPRESSION_FAILURE_ALERT   = (SSL_ERROR_BASE + 60),
+SSL_ERROR_HANDSHAKE_FAILURE_ALERT       = (SSL_ERROR_BASE + 61),
+SSL_ERROR_ILLEGAL_PARAMETER_ALERT       = (SSL_ERROR_BASE + 62),
+SSL_ERROR_UNSUPPORTED_CERT_ALERT        = (SSL_ERROR_BASE + 63),
+SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT     = (SSL_ERROR_BASE + 64),
 
-SSL_ERROR_GENERATE_RANDOM_FAILURE	= (SSL_ERROR_BASE + 65),
-SSL_ERROR_SIGN_HASHES_FAILURE		= (SSL_ERROR_BASE + 66),
-SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE	= (SSL_ERROR_BASE + 67),
-SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE	= (SSL_ERROR_BASE + 68),
-SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE	= (SSL_ERROR_BASE + 69),
+SSL_ERROR_GENERATE_RANDOM_FAILURE       = (SSL_ERROR_BASE + 65),
+SSL_ERROR_SIGN_HASHES_FAILURE           = (SSL_ERROR_BASE + 66),
+SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE    = (SSL_ERROR_BASE + 67),
+SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE   = (SSL_ERROR_BASE + 68),
+SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE   = (SSL_ERROR_BASE + 69),
 
-SSL_ERROR_ENCRYPTION_FAILURE		= (SSL_ERROR_BASE + 70),
-SSL_ERROR_DECRYPTION_FAILURE		= (SSL_ERROR_BASE + 71), /* don't use */
-SSL_ERROR_SOCKET_WRITE_FAILURE		= (SSL_ERROR_BASE + 72),
+SSL_ERROR_ENCRYPTION_FAILURE            = (SSL_ERROR_BASE + 70),
+SSL_ERROR_DECRYPTION_FAILURE            = (SSL_ERROR_BASE + 71), /* don't use */
+SSL_ERROR_SOCKET_WRITE_FAILURE          = (SSL_ERROR_BASE + 72),
 
-SSL_ERROR_MD5_DIGEST_FAILURE		= (SSL_ERROR_BASE + 73),
-SSL_ERROR_SHA_DIGEST_FAILURE		= (SSL_ERROR_BASE + 74),
-SSL_ERROR_MAC_COMPUTATION_FAILURE	= (SSL_ERROR_BASE + 75),
-SSL_ERROR_SYM_KEY_CONTEXT_FAILURE	= (SSL_ERROR_BASE + 76),
-SSL_ERROR_SYM_KEY_UNWRAP_FAILURE	= (SSL_ERROR_BASE + 77),
-SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED	= (SSL_ERROR_BASE + 78),
-SSL_ERROR_IV_PARAM_FAILURE		= (SSL_ERROR_BASE + 79),
-SSL_ERROR_INIT_CIPHER_SUITE_FAILURE	= (SSL_ERROR_BASE + 80),
-SSL_ERROR_SESSION_KEY_GEN_FAILURE	= (SSL_ERROR_BASE + 81),
-SSL_ERROR_NO_SERVER_KEY_FOR_ALG		= (SSL_ERROR_BASE + 82),
-SSL_ERROR_TOKEN_INSERTION_REMOVAL	= (SSL_ERROR_BASE + 83),
-SSL_ERROR_TOKEN_SLOT_NOT_FOUND		= (SSL_ERROR_BASE + 84),
-SSL_ERROR_NO_COMPRESSION_OVERLAP	= (SSL_ERROR_BASE + 85),
-SSL_ERROR_HANDSHAKE_NOT_COMPLETED	= (SSL_ERROR_BASE + 86),
-SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE	= (SSL_ERROR_BASE + 87),
-SSL_ERROR_CERT_KEA_MISMATCH		= (SSL_ERROR_BASE + 88),
+SSL_ERROR_MD5_DIGEST_FAILURE            = (SSL_ERROR_BASE + 73),
+SSL_ERROR_SHA_DIGEST_FAILURE            = (SSL_ERROR_BASE + 74),
+SSL_ERROR_MAC_COMPUTATION_FAILURE       = (SSL_ERROR_BASE + 75),
+SSL_ERROR_SYM_KEY_CONTEXT_FAILURE       = (SSL_ERROR_BASE + 76),
+SSL_ERROR_SYM_KEY_UNWRAP_FAILURE        = (SSL_ERROR_BASE + 77),
+SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED   = (SSL_ERROR_BASE + 78),
+SSL_ERROR_IV_PARAM_FAILURE              = (SSL_ERROR_BASE + 79),
+SSL_ERROR_INIT_CIPHER_SUITE_FAILURE     = (SSL_ERROR_BASE + 80),
+SSL_ERROR_SESSION_KEY_GEN_FAILURE       = (SSL_ERROR_BASE + 81),
+SSL_ERROR_NO_SERVER_KEY_FOR_ALG         = (SSL_ERROR_BASE + 82),
+SSL_ERROR_TOKEN_INSERTION_REMOVAL       = (SSL_ERROR_BASE + 83),
+SSL_ERROR_TOKEN_SLOT_NOT_FOUND          = (SSL_ERROR_BASE + 84),
+SSL_ERROR_NO_COMPRESSION_OVERLAP        = (SSL_ERROR_BASE + 85),
+SSL_ERROR_HANDSHAKE_NOT_COMPLETED       = (SSL_ERROR_BASE + 86),
+SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE      = (SSL_ERROR_BASE + 87),
+SSL_ERROR_CERT_KEA_MISMATCH             = (SSL_ERROR_BASE + 88),
 /* SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA became obsolete in NSS 3.14. */
-SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA	= (SSL_ERROR_BASE + 89),
-SSL_ERROR_SESSION_NOT_FOUND		= (SSL_ERROR_BASE + 90),
+SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA      = (SSL_ERROR_BASE + 89),
+SSL_ERROR_SESSION_NOT_FOUND             = (SSL_ERROR_BASE + 90),
 
-SSL_ERROR_DECRYPTION_FAILED_ALERT	= (SSL_ERROR_BASE + 91),
-SSL_ERROR_RECORD_OVERFLOW_ALERT		= (SSL_ERROR_BASE + 92),
-SSL_ERROR_UNKNOWN_CA_ALERT		= (SSL_ERROR_BASE + 93),
-SSL_ERROR_ACCESS_DENIED_ALERT		= (SSL_ERROR_BASE + 94),
-SSL_ERROR_DECODE_ERROR_ALERT		= (SSL_ERROR_BASE + 95),
-SSL_ERROR_DECRYPT_ERROR_ALERT		= (SSL_ERROR_BASE + 96),
-SSL_ERROR_EXPORT_RESTRICTION_ALERT	= (SSL_ERROR_BASE + 97),
-SSL_ERROR_PROTOCOL_VERSION_ALERT	= (SSL_ERROR_BASE + 98),
-SSL_ERROR_INSUFFICIENT_SECURITY_ALERT	= (SSL_ERROR_BASE + 99),
-SSL_ERROR_INTERNAL_ERROR_ALERT		= (SSL_ERROR_BASE + 100),
-SSL_ERROR_USER_CANCELED_ALERT		= (SSL_ERROR_BASE + 101),
-SSL_ERROR_NO_RENEGOTIATION_ALERT	= (SSL_ERROR_BASE + 102),
+SSL_ERROR_DECRYPTION_FAILED_ALERT       = (SSL_ERROR_BASE + 91),
+SSL_ERROR_RECORD_OVERFLOW_ALERT         = (SSL_ERROR_BASE + 92),
+SSL_ERROR_UNKNOWN_CA_ALERT              = (SSL_ERROR_BASE + 93),
+SSL_ERROR_ACCESS_DENIED_ALERT           = (SSL_ERROR_BASE + 94),
+SSL_ERROR_DECODE_ERROR_ALERT            = (SSL_ERROR_BASE + 95),
+SSL_ERROR_DECRYPT_ERROR_ALERT           = (SSL_ERROR_BASE + 96),
+SSL_ERROR_EXPORT_RESTRICTION_ALERT      = (SSL_ERROR_BASE + 97),
+SSL_ERROR_PROTOCOL_VERSION_ALERT        = (SSL_ERROR_BASE + 98),
+SSL_ERROR_INSUFFICIENT_SECURITY_ALERT   = (SSL_ERROR_BASE + 99),
+SSL_ERROR_INTERNAL_ERROR_ALERT          = (SSL_ERROR_BASE + 100),
+SSL_ERROR_USER_CANCELED_ALERT           = (SSL_ERROR_BASE + 101),
+SSL_ERROR_NO_RENEGOTIATION_ALERT        = (SSL_ERROR_BASE + 102),
 
-SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED	= (SSL_ERROR_BASE + 103),
+SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED   = (SSL_ERROR_BASE + 103),
 
-SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT		= (SSL_ERROR_BASE + 104),
-SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT	= (SSL_ERROR_BASE + 105),
-SSL_ERROR_UNRECOGNIZED_NAME_ALERT		= (SSL_ERROR_BASE + 106),
-SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT	= (SSL_ERROR_BASE + 107),
-SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT		= (SSL_ERROR_BASE + 108),
+SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT   = (SSL_ERROR_BASE + 104),
+SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT = (SSL_ERROR_BASE + 105),
+SSL_ERROR_UNRECOGNIZED_NAME_ALERT       = (SSL_ERROR_BASE + 106),
+SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT = (SSL_ERROR_BASE + 107),
+SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT     = (SSL_ERROR_BASE + 108),
 
 SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET = (SSL_ERROR_BASE + 109),
-SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET  = (SSL_ERROR_BASE + 110),
+SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET = (SSL_ERROR_BASE + 110),
 
-SSL_ERROR_DECOMPRESSION_FAILURE		= (SSL_ERROR_BASE + 111),
+SSL_ERROR_DECOMPRESSION_FAILURE         = (SSL_ERROR_BASE + 111),
 SSL_ERROR_RENEGOTIATION_NOT_ALLOWED     = (SSL_ERROR_BASE + 112),
 SSL_ERROR_UNSAFE_NEGOTIATION            = (SSL_ERROR_BASE + 113),
 
-SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD	= (SSL_ERROR_BASE + 114),
+SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD = (SSL_ERROR_BASE + 114),
 
 SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY  = (SSL_ERROR_BASE + 115),
 
-SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID	= (SSL_ERROR_BASE + 116),
+SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID    = (SSL_ERROR_BASE + 116),
 
 SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2 = (SSL_ERROR_BASE + 117),
 SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS = (SSL_ERROR_BASE + 118),
 SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_CLIENTS = (SSL_ERROR_BASE + 119),
 
-SSL_ERROR_INVALID_VERSION_RANGE		= (SSL_ERROR_BASE + 120),
-SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION	= (SSL_ERROR_BASE + 121),
+SSL_ERROR_INVALID_VERSION_RANGE         = (SSL_ERROR_BASE + 120),
+SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION = (SSL_ERROR_BASE + 121),
 
 SSL_ERROR_RX_MALFORMED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 122),
 SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 123),
 
 SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION = (SSL_ERROR_BASE + 124),
 
 SSL_ERROR_RX_UNEXPECTED_CERT_STATUS     = (SSL_ERROR_BASE + 125),
 
-SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM = (SSL_ERROR_BASE + 126),
-SSL_ERROR_DIGEST_FAILURE = (SSL_ERROR_BASE + 127),
+SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM    = (SSL_ERROR_BASE + 126),
+SSL_ERROR_DIGEST_FAILURE                = (SSL_ERROR_BASE + 127),
 SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 128),
 
-SSL_ERROR_END_OF_LIST	/* let the c compiler determine the value of this. */
+SSL_ERROR_END_OF_LIST   /* let the c compiler determine the value of this. */
 } SSLErrorCodes;
 #endif /* NO_SECURITY_ERROR_ENUM */
 
 #endif /* __SSL_ERR_H_ */
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -1,10 +1,10 @@
 /*
- * vtables (and methods that call through them) for the 4 types of 
+ * vtables (and methods that call through them) for the 4 types of
  * SSLSockets supported.  Only one type is still supported.
  * Various other functions.
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "seccomon.h"
 #include "cert.h"
@@ -16,32 +16,32 @@
 #include "private/pprio.h"
 #ifndef NO_PKCS11_BYPASS
 #include "blapi.h"
 #endif
 #include "nss.h"
 
 #define SET_ERROR_CODE   /* reminder */
 
-static const sslSocketOps ssl_default_ops = {	/* No SSL. */
+static const sslSocketOps ssl_default_ops = {   /* No SSL. */
     ssl_DefConnect,
     NULL,
     ssl_DefBind,
     ssl_DefListen,
     ssl_DefShutdown,
     ssl_DefClose,
     ssl_DefRecv,
     ssl_DefSend,
     ssl_DefRead,
     ssl_DefWrite,
     ssl_DefGetpeername,
     ssl_DefGetsockname
 };
 
-static const sslSocketOps ssl_secure_ops = {	/* SSL. */
+static const sslSocketOps ssl_secure_ops = {    /* SSL. */
     ssl_SecureConnect,
     NULL,
     ssl_DefBind,
     ssl_DefListen,
     ssl_SecureShutdown,
     ssl_SecureClose,
     ssl_SecureRecv,
     ssl_SecureSend,
@@ -51,29 +51,29 @@ static const sslSocketOps ssl_secure_ops
     ssl_DefGetsockname
 };
 
 /*
 ** default settings for socket enables
 */
 static sslOptions ssl_defaults = {
     { siBuffer, NULL, 0 }, /* nextProtoNego */
-    PR_TRUE, 	/* useSecurity        */
-    PR_FALSE,	/* useSocks           */
-    PR_FALSE,	/* requestCertificate */
-    2,	        /* requireCertificate */
-    PR_FALSE,	/* handshakeAsClient  */
-    PR_FALSE,	/* handshakeAsServer  */
-    PR_FALSE,	/* enableSSL2         */ /* now defaults to off in NSS 3.13 */
-    PR_FALSE,	/* unusedBit9         */
-    PR_FALSE, 	/* unusedBit10        */
-    PR_FALSE,	/* noCache            */
-    PR_FALSE,	/* fdx                */
-    PR_FALSE,	/* v2CompatibleHello  */ /* now defaults to off in NSS 3.13 */
-    PR_TRUE,	/* detectRollBack     */
+    PR_TRUE,    /* useSecurity        */
+    PR_FALSE,   /* useSocks           */
+    PR_FALSE,   /* requestCertificate */
+    2,          /* requireCertificate */
+    PR_FALSE,   /* handshakeAsClient  */
+    PR_FALSE,   /* handshakeAsServer  */
+    PR_FALSE,   /* enableSSL2         */ /* now defaults to off in NSS 3.13 */
+    PR_FALSE,   /* unusedBit9         */
+    PR_FALSE,   /* unusedBit10        */
+    PR_FALSE,   /* noCache            */
+    PR_FALSE,   /* fdx                */
+    PR_FALSE,   /* v2CompatibleHello  */ /* now defaults to off in NSS 3.13 */
+    PR_TRUE,    /* detectRollBack     */
     PR_FALSE,   /* noStepDown         */
     PR_FALSE,   /* bypassPKCS11       */
     PR_FALSE,   /* noLocks            */
     PR_FALSE,   /* enableSessionTickets */
     PR_FALSE,   /* enableDeflate      */
     2,          /* enableRenegotiation (default: requires extension) */
     PR_FALSE,   /* requireSafeNegotiation */
     PR_FALSE,   /* enableFalseStart   */
@@ -102,19 +102,19 @@ static SSLVersionRange versions_defaults
 
 sslSessionIDLookupFunc  ssl_sid_lookup;
 sslSessionIDCacheFunc   ssl_sid_cache;
 sslSessionIDUncacheFunc ssl_sid_uncache;
 
 static PRBool ssl_inited = PR_FALSE;
 static PRDescIdentity ssl_layer_id;
 
-PRBool                  locksEverDisabled; 	/* implicitly PR_FALSE */
-PRBool			ssl_force_locks;  	/* implicitly PR_FALSE */
-int                     ssl_lock_readers	= 1;	/* default true. */
+PRBool                  locksEverDisabled;      /* implicitly PR_FALSE */
+PRBool                  ssl_force_locks;        /* implicitly PR_FALSE */
+int                     ssl_lock_readers        = 1;    /* default true. */
 char                    ssl_debug;
 char                    ssl_trace;
 FILE *                  ssl_trace_iob;
 FILE *                  ssl_keylog_iob;
 char lockStatus[] = "Locks are ENABLED.  ";
 #define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */
 
 /* SRTP_NULL_HMAC_SHA1_80 and SRTP_NULL_HMAC_SHA1_32 are not implemented. */
@@ -123,17 +123,17 @@ static const PRUint16 srtpCiphers[] = {
     SRTP_AES128_CM_HMAC_SHA1_32,
     0
 };
 
 /* forward declarations. */
 static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant);
 static SECStatus  ssl_MakeLocks(sslSocket *ss);
 static void       ssl_SetDefaultsFromEnvironment(void);
-static PRStatus   ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, 
+static PRStatus   ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack,
                                   PRDescIdentity id);
 
 /************************************************************************/
 
 /*
 ** Lookup a socket structure from a file descriptor.
 ** Only functions called through the PRIOMethods table should use this.
 ** Other app-callable functions should use ssl_FindSocket.
@@ -144,48 +144,48 @@ ssl_GetPrivate(PRFileDesc *fd)
     sslSocket *ss;
 
     PORT_Assert(fd != NULL);
     PORT_Assert(fd->methods->file_type == PR_DESC_LAYERED);
     PORT_Assert(fd->identity == ssl_layer_id);
 
     if (fd->methods->file_type != PR_DESC_LAYERED ||
         fd->identity != ssl_layer_id) {
-	PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
-	return NULL;
+        PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
+        return NULL;
     }
 
     ss = (sslSocket *)fd->secret;
     /* Set ss->fd lazily. We can't rely on the value of ss->fd set by
      * ssl_PushIOLayer because another PR_PushIOLayer call will switch the
      * contents of the PRFileDesc pointed by ss->fd and the new layer.
      * See bug 807250.
      */
     ss->fd = fd;
     return ss;
 }
 
-/* This function tries to find the SSL layer in the stack. 
+/* This function tries to find the SSL layer in the stack.
  * It searches for the first SSL layer at or below the argument fd,
- * and failing that, it searches for the nearest SSL layer above the 
+ * and failing that, it searches for the nearest SSL layer above the
  * argument fd.  It returns the private sslSocket from the found layer.
  */
 sslSocket *
 ssl_FindSocket(PRFileDesc *fd)
 {
     PRFileDesc *layer;
     sslSocket *ss;
 
     PORT_Assert(fd != NULL);
     PORT_Assert(ssl_layer_id != 0);
 
     layer = PR_GetIdentitiesLayer(fd, ssl_layer_id);
     if (layer == NULL) {
-	PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
-	return NULL;
+        PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
+        return NULL;
     }
 
     ss = (sslSocket *)layer->secret;
     /* Set ss->fd lazily. We can't rely on the value of ss->fd set by
      * ssl_PushIOLayer because another PR_PushIOLayer call will switch the
      * contents of the PRFileDesc pointed by ss->fd and the new layer.
      * See bug 807250.
      */
@@ -196,144 +196,144 @@ ssl_FindSocket(PRFileDesc *fd)
 static sslSocket *
 ssl_DupSocket(sslSocket *os)
 {
     sslSocket *ss;
     SECStatus rv;
 
     ss = ssl_NewSocket((PRBool)(!os->opt.noLocks), os->protocolVariant);
     if (ss) {
-	ss->opt                = os->opt;
-	ss->opt.useSocks       = PR_FALSE;
-	ss->vrange             = os->vrange;
-
-	ss->peerID             = !os->peerID ? NULL : PORT_Strdup(os->peerID);
-	ss->url                = !os->url    ? NULL : PORT_Strdup(os->url);
-
-	ss->ops      = os->ops;
-	ss->rTimeout = os->rTimeout;
-	ss->wTimeout = os->wTimeout;
-	ss->cTimeout = os->cTimeout;
-	ss->dbHandle = os->dbHandle;
-
-	/* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
-	ss->allowedByPolicy	= os->allowedByPolicy;
-	ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
-	ss->chosenPreference 	= os->chosenPreference;
-	PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites);
-	PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers,
-		    sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount);
-	ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount;
-
-	if (os->cipherSpecs) {
-	    ss->cipherSpecs  = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs);
-	    if (ss->cipherSpecs) 
-	    	PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs, 
-		            os->sizeCipherSpecs);
-	    ss->sizeCipherSpecs    = os->sizeCipherSpecs;
-	    ss->preferredCipher    = os->preferredCipher;
-	} else {
-	    ss->cipherSpecs        = NULL;  /* produced lazily */
-	    ss->sizeCipherSpecs    = 0;
-	    ss->preferredCipher    = NULL;
-	}
-	if (ss->opt.useSecurity) {
-	    /* This int should be SSLKEAType, but CC on Irix complains,
-	     * during the for loop.
-	     */
-	    int i;
-	    sslServerCerts * oc = os->serverCerts;
-	    sslServerCerts * sc = ss->serverCerts;
-            
-	    for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) {
-		if (oc->serverCert && oc->serverCertChain) {
-		    sc->serverCert      = CERT_DupCertificate(oc->serverCert);
-		    sc->serverCertChain = CERT_DupCertList(oc->serverCertChain);
-		    if (!sc->serverCertChain) 
-		    	goto loser;
-		} else {
-		    sc->serverCert      = NULL;
-		    sc->serverCertChain = NULL;
-		}
-		sc->serverKeyPair = oc->serverKeyPair ?
-				ssl3_GetKeyPairRef(oc->serverKeyPair) : NULL;
-		if (oc->serverKeyPair && !sc->serverKeyPair)
-		    goto loser;
-	        sc->serverKeyBits = oc->serverKeyBits;
-		ss->certStatusArray[i] = !os->certStatusArray[i] ? NULL :
-				SECITEM_DupArray(NULL, os->certStatusArray[i]);
-	    }
-	    ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL :
-		                  ssl3_GetKeyPairRef(os->stepDownKeyPair);
-	    ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL :
-		                  ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair);
+        ss->opt                = os->opt;
+        ss->opt.useSocks       = PR_FALSE;
+        ss->vrange             = os->vrange;
+
+        ss->peerID             = !os->peerID ? NULL : PORT_Strdup(os->peerID);
+        ss->url                = !os->url    ? NULL : PORT_Strdup(os->url);
+
+        ss->ops      = os->ops;
+        ss->rTimeout = os->rTimeout;
+        ss->wTimeout = os->wTimeout;
+        ss->cTimeout = os->cTimeout;
+        ss->dbHandle = os->dbHandle;
+
+        /* copy ssl2&3 policy & prefs, even if it's not selected (yet) */
+        ss->allowedByPolicy     = os->allowedByPolicy;
+        ss->maybeAllowedByPolicy= os->maybeAllowedByPolicy;
+        ss->chosenPreference    = os->chosenPreference;
+        PORT_Memcpy(ss->cipherSuites, os->cipherSuites, sizeof os->cipherSuites);
+        PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, os->ssl3.dtlsSRTPCiphers,
+                    sizeof(PRUint16) * os->ssl3.dtlsSRTPCipherCount);
+        ss->ssl3.dtlsSRTPCipherCount = os->ssl3.dtlsSRTPCipherCount;
+
+        if (os->cipherSpecs) {
+            ss->cipherSpecs  = (unsigned char*)PORT_Alloc(os->sizeCipherSpecs);
+            if (ss->cipherSpecs)
+                PORT_Memcpy(ss->cipherSpecs, os->cipherSpecs,
+                            os->sizeCipherSpecs);
+            ss->sizeCipherSpecs    = os->sizeCipherSpecs;
+            ss->preferredCipher    = os->preferredCipher;
+        } else {
+            ss->cipherSpecs        = NULL;  /* produced lazily */
+            ss->sizeCipherSpecs    = 0;
+            ss->preferredCipher    = NULL;
+        }
+        if (ss->opt.useSecurity) {
+            /* This int should be SSLKEAType, but CC on Irix complains,
+             * during the for loop.
+             */
+            int i;
+            sslServerCerts * oc = os->serverCerts;
+            sslServerCerts * sc = ss->serverCerts;
+
+            for (i=kt_null; i < kt_kea_size; i++, oc++, sc++) {
+                if (oc->serverCert && oc->serverCertChain) {
+                    sc->serverCert      = CERT_DupCertificate(oc->serverCert);
+                    sc->serverCertChain = CERT_DupCertList(oc->serverCertChain);
+                    if (!sc->serverCertChain)
+                        goto loser;
+                } else {
+                    sc->serverCert      = NULL;
+                    sc->serverCertChain = NULL;
+                }
+                sc->serverKeyPair = oc->serverKeyPair ?
+                                ssl3_GetKeyPairRef(oc->serverKeyPair) : NULL;
+                if (oc->serverKeyPair && !sc->serverKeyPair)
+                    goto loser;
+                sc->serverKeyBits = oc->serverKeyBits;
+                ss->certStatusArray[i] = !os->certStatusArray[i] ? NULL :
+                                SECITEM_DupArray(NULL, os->certStatusArray[i]);
+            }
+            ss->stepDownKeyPair = !os->stepDownKeyPair ? NULL :
+                                  ssl3_GetKeyPairRef(os->stepDownKeyPair);
+            ss->ephemeralECDHKeyPair = !os->ephemeralECDHKeyPair ? NULL :
+                                  ssl3_GetKeyPairRef(os->ephemeralECDHKeyPair);
 /*
  * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL.
  * XXX We should detect this, and not just march on with NULL pointers.
  */
-	    ss->authCertificate       = os->authCertificate;
-	    ss->authCertificateArg    = os->authCertificateArg;
-	    ss->getClientAuthData     = os->getClientAuthData;
-	    ss->getClientAuthDataArg  = os->getClientAuthDataArg;
+            ss->authCertificate       = os->authCertificate;
+            ss->authCertificateArg    = os->authCertificateArg;
+            ss->getClientAuthData     = os->getClientAuthData;
+            ss->getClientAuthDataArg  = os->getClientAuthDataArg;
             ss->sniSocketConfig       = os->sniSocketConfig;
             ss->sniSocketConfigArg    = os->sniSocketConfigArg;
-	    ss->handleBadCert         = os->handleBadCert;
-	    ss->badCertArg            = os->badCertArg;
-	    ss->handshakeCallback     = os->handshakeCallback;
-	    ss->handshakeCallbackData = os->handshakeCallbackData;
-	    ss->canFalseStartCallback = os->canFalseStartCallback;
-	    ss->canFalseStartCallbackData = os->canFalseStartCallbackData;
-	    ss->pkcs11PinArg          = os->pkcs11PinArg;
-    
-	    /* Create security data */
-	    rv = ssl_CopySecurityInfo(ss, os);
-	    if (rv != SECSuccess) {
-		goto loser;
-	    }
-	}
+            ss->handleBadCert         = os->handleBadCert;
+            ss->badCertArg            = os->badCertArg;
+            ss->handshakeCallback     = os->handshakeCallback;
+            ss->handshakeCallbackData = os->handshakeCallbackData;
+            ss->canFalseStartCallback = os->canFalseStartCallback;
+            ss->canFalseStartCallbackData = os->canFalseStartCallbackData;
+            ss->pkcs11PinArg          = os->pkcs11PinArg;
+
+            /* Create security data */
+            rv = ssl_CopySecurityInfo(ss, os);
+            if (rv != SECSuccess) {
+                goto loser;
+            }
+        }
     }
     return ss;
 
 loser:
     ssl_FreeSocket(ss);
     return NULL;
 }
 
 static void
 ssl_DestroyLocks(sslSocket *ss)
 {
     /* Destroy locks. */
     if (ss->firstHandshakeLock) {
-    	PZ_DestroyMonitor(ss->firstHandshakeLock);
-	ss->firstHandshakeLock = NULL;
+        PZ_DestroyMonitor(ss->firstHandshakeLock);
+        ss->firstHandshakeLock = NULL;
     }
     if (ss->ssl3HandshakeLock) {
-    	PZ_DestroyMonitor(ss->ssl3HandshakeLock);
-	ss->ssl3HandshakeLock = NULL;
+        PZ_DestroyMonitor(ss->ssl3HandshakeLock);
+        ss->ssl3HandshakeLock = NULL;
     }
     if (ss->specLock) {
-    	NSSRWLock_Destroy(ss->specLock);
-	ss->specLock = NULL;
+        NSSRWLock_Destroy(ss->specLock);
+        ss->specLock = NULL;
     }
 
     if (ss->recvLock) {
-    	PZ_DestroyLock(ss->recvLock);
-	ss->recvLock = NULL;
+        PZ_DestroyLock(ss->recvLock);
+        ss->recvLock = NULL;
     }
     if (ss->sendLock) {
-    	PZ_DestroyLock(ss->sendLock);
-	ss->sendLock = NULL;
+        PZ_DestroyLock(ss->sendLock);
+        ss->sendLock = NULL;
     }
     if (ss->xmitBufLock) {
-    	PZ_DestroyMonitor(ss->xmitBufLock);
-	ss->xmitBufLock = NULL;
+        PZ_DestroyMonitor(ss->xmitBufLock);
+        ss->xmitBufLock = NULL;
     }
     if (ss->recvBufLock) {
-    	PZ_DestroyMonitor(ss->recvBufLock);
-	ss->recvBufLock = NULL;
+        PZ_DestroyMonitor(ss->recvBufLock);
+        ss->recvBufLock = NULL;
     }
 }
 
 /* Caller holds any relevant locks */
 static void
 ssl_DestroySocketContents(sslSocket *ss)
 {
     /* "i" should be of type SSLKEAType, but CC on IRIX complains during
@@ -346,46 +346,46 @@ ssl_DestroySocketContents(sslSocket *ss)
 
     ssl3_DestroySSL3Info(ss);
 
     PORT_Free(ss->saveBuf.buf);
     PORT_Free(ss->pendingBuf.buf);
     ssl_DestroyGather(&ss->gs);
 
     if (ss->peerID != NULL)
-	PORT_Free(ss->peerID);
+        PORT_Free(ss->peerID);
     if (ss->url != NULL)
-	PORT_Free((void *)ss->url);	/* CONST */
+        PORT_Free((void *)ss->url);     /* CONST */
     if (ss->cipherSpecs) {
-	PORT_Free(ss->cipherSpecs);
-	ss->cipherSpecs     = NULL;
-	ss->sizeCipherSpecs = 0;
+        PORT_Free(ss->cipherSpecs);
+        ss->cipherSpecs     = NULL;
+        ss->sizeCipherSpecs = 0;
     }
 
     /* Clean up server configuration */
     for (i=kt_null; i < kt_kea_size; i++) {
-	sslServerCerts * sc = ss->serverCerts + i;
-	if (sc->serverCert != NULL)
-	    CERT_DestroyCertificate(sc->serverCert);
-	if (sc->serverCertChain != NULL)
-	    CERT_DestroyCertificateList(sc->serverCertChain);
-	if (sc->serverKeyPair != NULL)
-	    ssl3_FreeKeyPair(sc->serverKeyPair);
-	if (ss->certStatusArray[i] != NULL) {
-	    SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE);
-	    ss->certStatusArray[i] = NULL;
-	}
+        sslServerCerts * sc = ss->serverCerts + i;
+        if (sc->serverCert != NULL)
+            CERT_DestroyCertificate(sc->serverCert);
+        if (sc->serverCertChain != NULL)
+            CERT_DestroyCertificateList(sc->serverCertChain);
+        if (sc->serverKeyPair != NULL)
+            ssl3_FreeKeyPair(sc->serverKeyPair);
+        if (ss->certStatusArray[i] != NULL) {
+            SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE);
+            ss->certStatusArray[i] = NULL;
+        }
     }
     if (ss->stepDownKeyPair) {
-	ssl3_FreeKeyPair(ss->stepDownKeyPair);
-	ss->stepDownKeyPair = NULL;
+        ssl3_FreeKeyPair(ss->stepDownKeyPair);
+        ss->stepDownKeyPair = NULL;
     }
     if (ss->ephemeralECDHKeyPair) {
-	ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
-	ss->ephemeralECDHKeyPair = NULL;
+        ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
+        ss->ephemeralECDHKeyPair = NULL;
     }
     SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE);
     PORT_Assert(!ss->xtnData.sniNameArr);
     if (ss->xtnData.sniNameArr) {
         PORT_Free(ss->xtnData.sniNameArr);
         ss->xtnData.sniNameArr = NULL;
     }
 }
@@ -423,17 +423,17 @@ ssl_FreeSocket(sslSocket *ss)
 #ifdef DEBUG
     PORT_Memset(ss, 0x1f, sizeof *ss);
 #endif
     PORT_Free(ss);
     return;
 }
 
 /************************************************************************/
-SECStatus 
+SECStatus
 ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled)
 {
     PRFileDesc *       osfd = ss->fd->lower;
     SECStatus         rv = SECFailure;
     PRSocketOptionData opt;
 
     opt.option         = PR_SockOpt_NoDelay;
     opt.value.no_delay = (PRBool)!enabled;
@@ -501,433 +501,433 @@ static PRStatus SSL_BypassSetup(void)
 
 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_TLS, on) described in
  * ssl.h in the section "SSL version range setting API".
  */
 static void
 ssl_EnableTLS(SSLVersionRange *vrange, PRBool on)
 {
     if (SSL3_ALL_VERSIONS_DISABLED(vrange)) {
-	if (on) {
-	    vrange->min = SSL_LIBRARY_VERSION_TLS_1_0;
-	    vrange->max = SSL_LIBRARY_VERSION_TLS_1_0;
-	} /* else don't change anything */
-	return;
+        if (on) {
+            vrange->min = SSL_LIBRARY_VERSION_TLS_1_0;
+            vrange->max = SSL_LIBRARY_VERSION_TLS_1_0;
+        } /* else don't change anything */
+        return;
     }
 
     if (on) {
-	/* Expand the range of enabled version to include TLS 1.0 */
-	vrange->min = PR_MIN(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
-	vrange->max = PR_MAX(vrange->max, SSL_LIBRARY_VERSION_TLS_1_0);
+        /* Expand the range of enabled version to include TLS 1.0 */
+        vrange->min = PR_MIN(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
+        vrange->max = PR_MAX(vrange->max, SSL_LIBRARY_VERSION_TLS_1_0);
     } else {
-	/* Disable all TLS versions, leaving only SSL 3.0 if it was enabled */
-	if (vrange->min == SSL_LIBRARY_VERSION_3_0) {
-	    vrange->max = SSL_LIBRARY_VERSION_3_0;
-	} else {
-	    /* Only TLS was enabled, so now no versions are. */
-	    vrange->min = SSL_LIBRARY_VERSION_NONE;
-	    vrange->max = SSL_LIBRARY_VERSION_NONE;
-	}
+        /* Disable all TLS versions, leaving only SSL 3.0 if it was enabled */
+        if (vrange->min == SSL_LIBRARY_VERSION_3_0) {
+            vrange->max = SSL_LIBRARY_VERSION_3_0;
+        } else {
+            /* Only TLS was enabled, so now no versions are. */
+            vrange->min = SSL_LIBRARY_VERSION_NONE;
+            vrange->max = SSL_LIBRARY_VERSION_NONE;
+        }
     }
 }
 
 /* Implements the semantics for SSL_OptionSet(SSL_ENABLE_SSL3, on) described in
  * ssl.h in the section "SSL version range setting API".
  */
 static void
 ssl_EnableSSL3(SSLVersionRange *vrange, PRBool on)
 {
    if (SSL3_ALL_VERSIONS_DISABLED(vrange)) {
-	if (on) {
-	    vrange->min = SSL_LIBRARY_VERSION_3_0;
-	    vrange->max = SSL_LIBRARY_VERSION_3_0;
-	} /* else don't change anything */
-	return;
+        if (on) {
+            vrange->min = SSL_LIBRARY_VERSION_3_0;
+            vrange->max = SSL_LIBRARY_VERSION_3_0;
+        } /* else don't change anything */
+        return;
     }
 
    if (on) {
-	/* Expand the range of enabled versions to include SSL 3.0. We know
-	 * SSL 3.0 or some version of TLS is already enabled at this point, so
-	 * we don't need to change vrange->max.
-	 */
-	vrange->min = SSL_LIBRARY_VERSION_3_0;
+        /* Expand the range of enabled versions to include SSL 3.0. We know
+         * SSL 3.0 or some version of TLS is already enabled at this point, so
+         * we don't need to change vrange->max.
+         */
+        vrange->min = SSL_LIBRARY_VERSION_3_0;
    } else {
-	/* Disable SSL 3.0, leaving TLS unaffected. */
-	if (vrange->max > SSL_LIBRARY_VERSION_3_0) {
-	    vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
-	} else {
-	    /* Only SSL 3.0 was enabled, so now no versions are. */
-	    vrange->min = SSL_LIBRARY_VERSION_NONE;
-	    vrange->max = SSL_LIBRARY_VERSION_NONE;
-	}
+        /* Disable SSL 3.0, leaving TLS unaffected. */
+        if (vrange->max > SSL_LIBRARY_VERSION_3_0) {
+            vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
+        } else {
+            /* Only SSL 3.0 was enabled, so now no versions are. */
+            vrange->min = SSL_LIBRARY_VERSION_NONE;
+            vrange->max = SSL_LIBRARY_VERSION_NONE;
+        }
     }
 }
 
 SECStatus
 SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
 {
     sslSocket *ss = ssl_FindSocket(fd);
     SECStatus  rv = SECSuccess;
     PRBool     holdingLocks;
 
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
+        return SECFailure;
     }
 
     holdingLocks = (!ss->opt.noLocks);
     ssl_Get1stHandshakeLock(ss);
     ssl_GetSSL3HandshakeLock(ss);
 
     switch (which) {
       case SSL_SOCKS:
-	ss->opt.useSocks = PR_FALSE;
-	rv = PrepareSocket(ss);
-	if (on) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    rv = SECFailure;
-	}
-	break;
+        ss->opt.useSocks = PR_FALSE;
+        rv = PrepareSocket(ss);
+        if (on) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            rv = SECFailure;
+        }
+        break;
 
       case SSL_SECURITY:
-	ss->opt.useSecurity = on;
-	rv = PrepareSocket(ss);
-	break;
+        ss->opt.useSecurity = on;
+        rv = PrepareSocket(ss);
+        break;
 
       case SSL_REQUEST_CERTIFICATE:
-	ss->opt.requestCertificate = on;
-	break;
+        ss->opt.requestCertificate = on;
+        break;
 
       case SSL_REQUIRE_CERTIFICATE:
-	ss->opt.requireCertificate = on;
-	break;
+        ss->opt.requireCertificate = on;
+        break;
 
       case SSL_HANDSHAKE_AS_CLIENT:
-	if ( ss->opt.handshakeAsServer && on ) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    rv = SECFailure;
-	    break;
-	}
-	ss->opt.handshakeAsClient = on;
-	break;
+        if ( ss->opt.handshakeAsServer && on ) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            rv = SECFailure;
+            break;
+        }
+        ss->opt.handshakeAsClient = on;
+        break;
 
       case SSL_HANDSHAKE_AS_SERVER:
-	if ( ss->opt.handshakeAsClient && on ) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    rv = SECFailure;
-	    break;
-	}
-	ss->opt.handshakeAsServer = on;
-	break;
+        if ( ss->opt.handshakeAsClient && on ) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            rv = SECFailure;
+            break;
+        }
+        ss->opt.handshakeAsServer = on;
+        break;
 
       case SSL_ENABLE_TLS:
         if (IS_DTLS(ss)) {
-	    if (on) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		rv = SECFailure; /* not allowed */
-	    }
-	    break;
-	}
-	ssl_EnableTLS(&ss->vrange, on);
-	ss->preferredCipher     = NULL;
-	if (ss->cipherSpecs) {
-	    PORT_Free(ss->cipherSpecs);
-	    ss->cipherSpecs     = NULL;
-	    ss->sizeCipherSpecs = 0;
-	}
-	break;
+            if (on) {
+                PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                rv = SECFailure; /* not allowed */
+            }
+            break;
+        }
+        ssl_EnableTLS(&ss->vrange, on);
+        ss->preferredCipher     = NULL;
+        if (ss->cipherSpecs) {
+            PORT_Free(ss->cipherSpecs);
+            ss->cipherSpecs     = NULL;
+            ss->sizeCipherSpecs = 0;
+        }
+        break;
 
       case SSL_ENABLE_SSL3:
         if (IS_DTLS(ss)) {
-	    if (on) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		rv = SECFailure; /* not allowed */
-	    }
-	    break;
-	}
-	ssl_EnableSSL3(&ss->vrange, on);
-	ss->preferredCipher     = NULL;
-	if (ss->cipherSpecs) {
-	    PORT_Free(ss->cipherSpecs);
-	    ss->cipherSpecs     = NULL;
-	    ss->sizeCipherSpecs = 0;
-	}
-	break;
+            if (on) {
+                PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                rv = SECFailure; /* not allowed */
+            }
+            break;
+        }
+        ssl_EnableSSL3(&ss->vrange, on);
+        ss->preferredCipher     = NULL;
+        if (ss->cipherSpecs) {
+            PORT_Free(ss->cipherSpecs);
+            ss->cipherSpecs     = NULL;
+            ss->sizeCipherSpecs = 0;
+        }
+        break;
 
       case SSL_ENABLE_SSL2:
         if (IS_DTLS(ss)) {
-	    if (on) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		rv = SECFailure; /* not allowed */
-	    }
-	    break;
-	}
-	ss->opt.enableSSL2       = on;
-	if (on) {
-	    ss->opt.v2CompatibleHello = on;
-	}
-	ss->preferredCipher     = NULL;
-	if (ss->cipherSpecs) {
-	    PORT_Free(ss->cipherSpecs);
-	    ss->cipherSpecs     = NULL;
-	    ss->sizeCipherSpecs = 0;
-	}
-	break;
+            if (on) {
+                PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                rv = SECFailure; /* not allowed */
+            }
+            break;
+        }
+        ss->opt.enableSSL2       = on;
+        if (on) {
+            ss->opt.v2CompatibleHello = on;
+        }
+        ss->preferredCipher     = NULL;
+        if (ss->cipherSpecs) {
+            PORT_Free(ss->cipherSpecs);
+            ss->cipherSpecs     = NULL;
+            ss->sizeCipherSpecs = 0;
+        }
+        break;
 
       case SSL_NO_CACHE:
-	ss->opt.noCache = on;
-	break;
+        ss->opt.noCache = on;
+        break;
 
       case SSL_ENABLE_FDX:
-	if (on && ss->opt.noLocks) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    rv = SECFailure;
-	}
-      	ss->opt.fdx = on;
-	break;
+        if (on && ss->opt.noLocks) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            rv = SECFailure;
+        }
+        ss->opt.fdx = on;
+        break;
 
       case SSL_V2_COMPATIBLE_HELLO:
         if (IS_DTLS(ss)) {
-	    if (on) {
-		PORT_SetError(SEC_ERROR_INVALID_ARGS);
-		rv = SECFailure; /* not allowed */
-	    }
-	    break;
-	}
-      	ss->opt.v2CompatibleHello = on;
-	if (!on) {
-	    ss->opt.enableSSL2    = on;
-	}
-	break;
-
-      case SSL_ROLLBACK_DETECTION:  
-	ss->opt.detectRollBack = on;
+            if (on) {
+                PORT_SetError(SEC_ERROR_INVALID_ARGS);
+                rv = SECFailure; /* not allowed */
+            }
+            break;
+        }
+        ss->opt.v2CompatibleHello = on;
+        if (!on) {
+            ss->opt.enableSSL2    = on;
+        }
         break;
 
-      case SSL_NO_STEP_DOWN:        
-	ss->opt.noStepDown     = on;         
-	if (on) 
-	    SSL_DisableExportCipherSuites(fd);
-	break;
+      case SSL_ROLLBACK_DETECTION:
+        ss->opt.detectRollBack = on;
+        break;
+
+      case SSL_NO_STEP_DOWN:
+        ss->opt.noStepDown     = on;
+        if (on)
+            SSL_DisableExportCipherSuites(fd);
+        break;
 
       case SSL_BYPASS_PKCS11:
-	if (ss->handshakeBegun) {
-	    PORT_SetError(PR_INVALID_STATE_ERROR);
-	    rv = SECFailure;
-	} else {
+        if (ss->handshakeBegun) {
+            PORT_SetError(PR_INVALID_STATE_ERROR);
+            rv = SECFailure;
+        } else {
             if (PR_FALSE != on) {
                 if (PR_SUCCESS == SSL_BypassSetup() ) {
 #ifdef NO_PKCS11_BYPASS
                     ss->opt.bypassPKCS11 = PR_FALSE;
 #else
                     ss->opt.bypassPKCS11 = on;
 #endif
                 } else {
                     rv = SECFailure;
                 }
             } else {
                 ss->opt.bypassPKCS11 = PR_FALSE;
             }
-	}
-	break;
+        }
+        break;
 
       case SSL_NO_LOCKS:
-	if (on && ss->opt.fdx) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    rv = SECFailure;
-	}
-	if (on && ssl_force_locks) 
-	    on = PR_FALSE;	/* silent override */
-	ss->opt.noLocks   = on;
-	if (on) {
-	    locksEverDisabled = PR_TRUE;
-	    strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
-	} else if (!holdingLocks) {
-	    rv = ssl_MakeLocks(ss);
-	    if (rv != SECSuccess) {
-		ss->opt.noLocks   = PR_TRUE;
-	    }
-	}
-	break;
+        if (on && ss->opt.fdx) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            rv = SECFailure;
+        }
+        if (on && ssl_force_locks)
+            on = PR_FALSE;      /* silent override */
+        ss->opt.noLocks   = on;
+        if (on) {
+            locksEverDisabled = PR_TRUE;
+            strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
+        } else if (!holdingLocks) {
+            rv = ssl_MakeLocks(ss);
+            if (rv != SECSuccess) {
+                ss->opt.noLocks   = PR_TRUE;
+            }
+        }
+        break;
 
       case SSL_ENABLE_SESSION_TICKETS:
-	ss->opt.enableSessionTickets = on;
-	break;
+        ss->opt.enableSessionTickets = on;
+        break;
 
       case SSL_ENABLE_DEFLATE:
-	ss->opt.enableDeflate = on;
-	break;
+        ss->opt.enableDeflate = on;
+        break;
 
       case SSL_ENABLE_RENEGOTIATION:
-	ss->opt.enableRenegotiation = on;
-	break;
+        ss->opt.enableRenegotiation = on;
+        break;
 
       case SSL_REQUIRE_SAFE_NEGOTIATION:
-	ss->opt.requireSafeNegotiation = on;
-	break;
+        ss->opt.requireSafeNegotiation = on;
+        break;
 
       case SSL_ENABLE_FALSE_START:
-	ss->opt.enableFalseStart = on;
-	break;
+        ss->opt.enableFalseStart = on;
+        break;
 
       case SSL_CBC_RANDOM_IV:
-	ss->opt.cbcRandomIV = on;
-	break;
+        ss->opt.cbcRandomIV = on;
+        break;
 
       case SSL_ENABLE_OCSP_STAPLING:
        ss->opt.enableOCSPStapling = on;
        break;
 
       case SSL_ENABLE_NPN:
-	ss->opt.enableNPN = on;
-	break;
+        ss->opt.enableNPN = on;
+        break;
 
       case SSL_ENABLE_ALPN:
-	ss->opt.enableALPN = on;
-	break;
+        ss->opt.enableALPN = on;
+        break;
 
       default:
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	rv = SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        rv = SECFailure;
     }
 
     /* We can't use the macros for releasing the locks here,
      * because ss->opt.noLocks might have changed just above.
      * We must release these locks (monitors) here, if we aquired them above,
      * regardless of the current value of ss->opt.noLocks.
      */
     if (holdingLocks) {
-	PZ_ExitMonitor((ss)->ssl3HandshakeLock);
-	PZ_ExitMonitor((ss)->firstHandshakeLock);
+        PZ_ExitMonitor((ss)->ssl3HandshakeLock);
+        PZ_ExitMonitor((ss)->firstHandshakeLock);
     }
 
     return rv;
 }
 
 SECStatus
 SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
 {
     sslSocket *ss = ssl_FindSocket(fd);
     SECStatus  rv = SECSuccess;
     PRBool     on = PR_FALSE;
 
     if (!pOn) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
-	*pOn = PR_FALSE;
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in Enable", SSL_GETPID(), fd));
+        *pOn = PR_FALSE;
+        return SECFailure;
     }
 
     ssl_Get1stHandshakeLock(ss);
     ssl_GetSSL3HandshakeLock(ss);
 
     switch (which) {
     case SSL_SOCKS:               on = PR_FALSE;               break;
     case SSL_SECURITY:            on = ss->opt.useSecurity;        break;
     case SSL_REQUEST_CERTIFICATE: on = ss->opt.requestCertificate; break;
     case SSL_REQUIRE_CERTIFICATE: on = ss->opt.requireCertificate; break;
     case SSL_HANDSHAKE_AS_CLIENT: on = ss->opt.handshakeAsClient;  break;
     case SSL_HANDSHAKE_AS_SERVER: on = ss->opt.handshakeAsServer;  break;
     case SSL_ENABLE_TLS:
-	on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
-	break;
+        on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+        break;
     case SSL_ENABLE_SSL3:
-	on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
-	break;
+        on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
+        break;
     case SSL_ENABLE_SSL2:         on = ss->opt.enableSSL2;         break;
     case SSL_NO_CACHE:            on = ss->opt.noCache;            break;
     case SSL_ENABLE_FDX:          on = ss->opt.fdx;                break;
     case SSL_V2_COMPATIBLE_HELLO: on = ss->opt.v2CompatibleHello;  break;
     case SSL_ROLLBACK_DETECTION:  on = ss->opt.detectRollBack;     break;
     case SSL_NO_STEP_DOWN:        on = ss->opt.noStepDown;         break;
     case SSL_BYPASS_PKCS11:       on = ss->opt.bypassPKCS11;       break;
     case SSL_NO_LOCKS:            on = ss->opt.noLocks;            break;
     case SSL_ENABLE_SESSION_TICKETS:
-	on = ss->opt.enableSessionTickets;
-	break;
+        on = ss->opt.enableSessionTickets;
+        break;
     case SSL_ENABLE_DEFLATE:      on = ss->opt.enableDeflate;      break;
-    case SSL_ENABLE_RENEGOTIATION:     
+    case SSL_ENABLE_RENEGOTIATION:
                                   on = ss->opt.enableRenegotiation; break;
-    case SSL_REQUIRE_SAFE_NEGOTIATION: 
+    case SSL_REQUIRE_SAFE_NEGOTIATION:
                                   on = ss->opt.requireSafeNegotiation; break;
     case SSL_ENABLE_FALSE_START:  on = ss->opt.enableFalseStart;   break;
     case SSL_CBC_RANDOM_IV:       on = ss->opt.cbcRandomIV;        break;
     case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
     case SSL_ENABLE_NPN:          on = ss->opt.enableNPN;          break;
     case SSL_ENABLE_ALPN:         on = ss->opt.enableALPN;         break;
 
     default:
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	rv = SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        rv = SECFailure;
     }
 
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_Release1stHandshakeLock(ss);
 
     *pOn = on;
     return rv;
 }
 
 SECStatus
 SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
 {
     SECStatus  rv = SECSuccess;
     PRBool     on = PR_FALSE;
 
     if (!pOn) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     ssl_SetDefaultsFromEnvironment();
 
     switch (which) {
     case SSL_SOCKS:               on = PR_FALSE;                        break;
     case SSL_SECURITY:            on = ssl_defaults.useSecurity;        break;
     case SSL_REQUEST_CERTIFICATE: on = ssl_defaults.requestCertificate; break;
     case SSL_REQUIRE_CERTIFICATE: on = ssl_defaults.requireCertificate; break;
     case SSL_HANDSHAKE_AS_CLIENT: on = ssl_defaults.handshakeAsClient;  break;
     case SSL_HANDSHAKE_AS_SERVER: on = ssl_defaults.handshakeAsServer;  break;
     case SSL_ENABLE_TLS:
-	on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
-	break;
+        on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+        break;
     case SSL_ENABLE_SSL3:
-	on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
-	break;
+        on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
+        break;
     case SSL_ENABLE_SSL2:         on = ssl_defaults.enableSSL2;         break;
-    case SSL_NO_CACHE:            on = ssl_defaults.noCache;		break;
+    case SSL_NO_CACHE:            on = ssl_defaults.noCache;            break;
     case SSL_ENABLE_FDX:          on = ssl_defaults.fdx;                break;
     case SSL_V2_COMPATIBLE_HELLO: on = ssl_defaults.v2CompatibleHello;  break;
     case SSL_ROLLBACK_DETECTION:  on = ssl_defaults.detectRollBack;     break;
     case SSL_NO_STEP_DOWN:        on = ssl_defaults.noStepDown;         break;
     case SSL_BYPASS_PKCS11:       on = ssl_defaults.bypassPKCS11;       break;
     case SSL_NO_LOCKS:            on = ssl_defaults.noLocks;            break;
     case SSL_ENABLE_SESSION_TICKETS:
-	on = ssl_defaults.enableSessionTickets;
-	break;
+        on = ssl_defaults.enableSessionTickets;
+        break;
     case SSL_ENABLE_DEFLATE:      on = ssl_defaults.enableDeflate;      break;
-    case SSL_ENABLE_RENEGOTIATION:     
+    case SSL_ENABLE_RENEGOTIATION:
                                   on = ssl_defaults.enableRenegotiation; break;
-    case SSL_REQUIRE_SAFE_NEGOTIATION: 
-                                  on = ssl_defaults.requireSafeNegotiation; 
-				  break;
+    case SSL_REQUIRE_SAFE_NEGOTIATION:
+                                  on = ssl_defaults.requireSafeNegotiation;
+                                  break;
     case SSL_ENABLE_FALSE_START:  on = ssl_defaults.enableFalseStart;   break;
     case SSL_CBC_RANDOM_IV:       on = ssl_defaults.cbcRandomIV;        break;
     case SSL_ENABLE_OCSP_STAPLING:
        on = ssl_defaults.enableOCSPStapling;
        break;
     case SSL_ENABLE_NPN:          on = ssl_defaults.enableNPN;          break;
     case SSL_ENABLE_ALPN:         on = ssl_defaults.enableALPN;         break;
 
     default:
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	rv = SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        rv = SECFailure;
     }
 
     *pOn = on;
     return rv;
 }
 
 /* XXX Use Global Lock to protect this stuff. */
 SECStatus
@@ -937,370 +937,370 @@ SSL_EnableDefault(int which, PRBool on)
 }
 
 SECStatus
 SSL_OptionSetDefault(PRInt32 which, PRBool on)
 {
     SECStatus status = ssl_Init();
 
     if (status != SECSuccess) {
-	return status;
+        return status;
     }
 
     ssl_SetDefaultsFromEnvironment();
 
     switch (which) {
       case SSL_SOCKS:
-	ssl_defaults.useSocks = PR_FALSE;
-	if (on) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-	break;
+        ssl_defaults.useSocks = PR_FALSE;
+        if (on) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return SECFailure;
+        }
+        break;
 
       case SSL_SECURITY:
-	ssl_defaults.useSecurity = on;
-	break;
+        ssl_defaults.useSecurity = on;
+        break;
 
       case SSL_REQUEST_CERTIFICATE:
-	ssl_defaults.requestCertificate = on;
-	break;
+        ssl_defaults.requestCertificate = on;
+        break;
 
       case SSL_REQUIRE_CERTIFICATE:
-	ssl_defaults.requireCertificate = on;
-	break;
+        ssl_defaults.requireCertificate = on;
+        break;
 
       case SSL_HANDSHAKE_AS_CLIENT:
-	if ( ssl_defaults.handshakeAsServer && on ) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-	ssl_defaults.handshakeAsClient = on;
-	break;
+        if ( ssl_defaults.handshakeAsServer && on ) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return SECFailure;
+        }
+        ssl_defaults.handshakeAsClient = on;
+        break;
 
       case SSL_HANDSHAKE_AS_SERVER:
-	if ( ssl_defaults.handshakeAsClient && on ) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-	ssl_defaults.handshakeAsServer = on;
-	break;
+        if ( ssl_defaults.handshakeAsClient && on ) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return SECFailure;
+        }
+        ssl_defaults.handshakeAsServer = on;
+        break;
 
       case SSL_ENABLE_TLS:
-	ssl_EnableTLS(&versions_defaults_stream, on);
-	break;
+        ssl_EnableTLS(&versions_defaults_stream, on);
+        break;
 
       case SSL_ENABLE_SSL3:
-	ssl_EnableSSL3(&versions_defaults_stream, on);
-	break;
+        ssl_EnableSSL3(&versions_defaults_stream, on);
+        break;
 
       case SSL_ENABLE_SSL2:
-	ssl_defaults.enableSSL2 = on;
-	if (on) {
-	    ssl_defaults.v2CompatibleHello = on;
-	}
-	break;
+        ssl_defaults.enableSSL2 = on;
+        if (on) {
+            ssl_defaults.v2CompatibleHello = on;
+        }
+        break;
 
       case SSL_NO_CACHE:
-	ssl_defaults.noCache = on;
-	break;
+        ssl_defaults.noCache = on;
+        break;
 
       case SSL_ENABLE_FDX:
-	if (on && ssl_defaults.noLocks) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-      	ssl_defaults.fdx = on;
-	break;
+        if (on && ssl_defaults.noLocks) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return SECFailure;
+        }
+        ssl_defaults.fdx = on;
+        break;
 
       case SSL_V2_COMPATIBLE_HELLO:
-      	ssl_defaults.v2CompatibleHello = on;
-	if (!on) {
-	    ssl_defaults.enableSSL2    = on;
-	}
-	break;
-
-      case SSL_ROLLBACK_DETECTION:  
-	ssl_defaults.detectRollBack = on;
-	break;
-
-      case SSL_NO_STEP_DOWN:        
-	ssl_defaults.noStepDown     = on;         
-	if (on)
-	    SSL_DisableDefaultExportCipherSuites();
-	break;
+        ssl_defaults.v2CompatibleHello = on;
+        if (!on) {
+            ssl_defaults.enableSSL2    = on;
+        }
+        break;
+
+      case SSL_ROLLBACK_DETECTION:
+        ssl_defaults.detectRollBack = on;
+        break;
+
+      case SSL_NO_STEP_DOWN:
+        ssl_defaults.noStepDown     = on;
+        if (on)
+            SSL_DisableDefaultExportCipherSuites();
+        break;
 
       case SSL_BYPASS_PKCS11:
         if (PR_FALSE != on) {
             if (PR_SUCCESS == SSL_BypassSetup()) {
 #ifdef NO_PKCS11_BYPASS
                 ssl_defaults.bypassPKCS11   = PR_FALSE;
 #else
                 ssl_defaults.bypassPKCS11   = on;
 #endif
             } else {
                 return SECFailure;
             }
         } else {
             ssl_defaults.bypassPKCS11   = PR_FALSE;
         }
-	break;
+        break;
 
       case SSL_NO_LOCKS:
-	if (on && ssl_defaults.fdx) {
-	    PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	    return SECFailure;
-	}
-	if (on && ssl_force_locks) 
-	    on = PR_FALSE;		/* silent override */
-	ssl_defaults.noLocks        = on;
-	if (on) {
-	    locksEverDisabled = PR_TRUE;
-	    strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
-	}
-	break;
+        if (on && ssl_defaults.fdx) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return SECFailure;
+        }
+        if (on && ssl_force_locks)
+            on = PR_FALSE;              /* silent override */
+        ssl_defaults.noLocks        = on;
+        if (on) {
+            locksEverDisabled = PR_TRUE;
+            strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED.");
+        }
+        break;
 
       case SSL_ENABLE_SESSION_TICKETS:
-	ssl_defaults.enableSessionTickets = on;
-	break;
+        ssl_defaults.enableSessionTickets = on;
+        break;
 
       case SSL_ENABLE_DEFLATE:
-	ssl_defaults.enableDeflate = on;
-	break;
+        ssl_defaults.enableDeflate = on;
+        break;
 
       case SSL_ENABLE_RENEGOTIATION:
-	ssl_defaults.enableRenegotiation = on;
-	break;
+        ssl_defaults.enableRenegotiation = on;
+        break;
 
       case SSL_REQUIRE_SAFE_NEGOTIATION:
-	ssl_defaults.requireSafeNegotiation = on;
-	break;
+        ssl_defaults.requireSafeNegotiation = on;
+        break;
 
       case SSL_ENABLE_FALSE_START:
-	ssl_defaults.enableFalseStart = on;
-	break;
+        ssl_defaults.enableFalseStart = on;
+        break;
 
       case SSL_CBC_RANDOM_IV:
-	ssl_defaults.cbcRandomIV = on;
-	break;
+        ssl_defaults.cbcRandomIV = on;
+        break;
 
       case SSL_ENABLE_OCSP_STAPLING:
        ssl_defaults.enableOCSPStapling = on;
        break;
 
       case SSL_ENABLE_NPN:
-	ssl_defaults.enableNPN = on;
-	break;
+        ssl_defaults.enableNPN = on;
+        break;
 
       case SSL_ENABLE_ALPN:
-	ssl_defaults.enableALPN = on;
-	break;
+        ssl_defaults.enableALPN = on;
+        break;
 
       default:
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
     return SECSuccess;
 }
 
 /* function tells us if the cipher suite is one that we no longer support. */
-static PRBool 
+static PRBool
 ssl_IsRemovedCipherSuite(PRInt32 suite)
 {
     switch (suite) {
     case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
     case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
     case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
-    	return PR_TRUE;
+        return PR_TRUE;
     default:
-    	return PR_FALSE;
+        return PR_FALSE;
     }
 }
 
 /* Part of the public NSS API.
  * Since this is a global (not per-socket) setting, we cannot use the
  * HandshakeLock to protect this.  Probably want a global lock.
  */
 SECStatus
 SSL_SetPolicy(long which, int policy)
 {
     if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
-    	/* one of the two old FIPS ciphers */
-	if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) 
-	    which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
-	else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
-	    which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
+        /* one of the two old FIPS ciphers */
+        if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA)
+            which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
+        else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
+            which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
     }
     if (ssl_IsRemovedCipherSuite(which))
-    	return SECSuccess;
+        return SECSuccess;
     return SSL_CipherPolicySet(which, policy);
 }
 
 SECStatus
 SSL_CipherPolicySet(PRInt32 which, PRInt32 policy)
 {
     SECStatus rv = ssl_Init();
 
     if (rv != SECSuccess) {
-	return rv;
+        return rv;
     }
 
     if (ssl_IsRemovedCipherSuite(which)) {
-    	rv = SECSuccess;
+        rv = SECSuccess;
     } else if (SSL_IS_SSL2_CIPHER(which)) {
-	rv = ssl2_SetPolicy(which, policy);
+        rv = ssl2_SetPolicy(which, policy);
     } else {
-	rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
+        rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
     }
     return rv;
 }
 
 SECStatus
 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
 {
     SECStatus rv;
 
     if (!oPolicy) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
     if (ssl_IsRemovedCipherSuite(which)) {
-	*oPolicy = SSL_NOT_ALLOWED;
-    	rv = SECSuccess;
+        *oPolicy = SSL_NOT_ALLOWED;
+        rv = SECSuccess;
     } else if (SSL_IS_SSL2_CIPHER(which)) {
-	rv = ssl2_GetPolicy(which, oPolicy);
+        rv = ssl2_GetPolicy(which, oPolicy);
     } else {
-	rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy);
+        rv = ssl3_GetPolicy((ssl3CipherSuite)which, oPolicy);
     }
     return rv;
 }
 
 /* Part of the public NSS API.
  * Since this is a global (not per-socket) setting, we cannot use the
  * HandshakeLock to protect this.  Probably want a global lock.
- * These changes have no effect on any sslSockets already created. 
+ * These changes have no effect on any sslSockets already created.
  */
 SECStatus
 SSL_EnableCipher(long which, PRBool enabled)
 {
     if ((which & 0xfffe) == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) {
-    	/* one of the two old FIPS ciphers */
-	if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA) 
-	    which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
-	else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
-	    which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
+        /* one of the two old FIPS ciphers */
+        if (which == SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA)
+            which = SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA;
+        else if (which == SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA)
+            which = SSL_RSA_FIPS_WITH_DES_CBC_SHA;
     }
     if (ssl_IsRemovedCipherSuite(which))
-    	return SECSuccess;
+        return SECSuccess;
     return SSL_CipherPrefSetDefault(which, enabled);
 }
 
 SECStatus
 SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
 {
     SECStatus rv = ssl_Init();
 
     if (rv != SECSuccess) {
-	return rv;
+        return rv;
     }
 
     if (ssl_IsRemovedCipherSuite(which))
-    	return SECSuccess;
+        return SECSuccess;
     if (enabled && ssl_defaults.noStepDown && SSL_IsExportCipherSuite(which)) {
-    	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        return SECFailure;
     }
     if (SSL_IS_SSL2_CIPHER(which)) {
-	rv = ssl2_CipherPrefSetDefault(which, enabled);
+        rv = ssl2_CipherPrefSetDefault(which, enabled);
     } else {
-	rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled);
+        rv = ssl3_CipherPrefSetDefault((ssl3CipherSuite)which, enabled);
     }
     return rv;
 }
 
-SECStatus 
+SECStatus
 SSL_CipherPrefGetDefault(PRInt32 which, PRBool *enabled)
 {
     SECStatus  rv;
-    
+
     if (!enabled) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
     if (ssl_IsRemovedCipherSuite(which)) {
-	*enabled = PR_FALSE;
-    	rv = SECSuccess;
+        *enabled = PR_FALSE;
+        rv = SECSuccess;
     } else if (SSL_IS_SSL2_CIPHER(which)) {
-	rv = ssl2_CipherPrefGetDefault(which, enabled);
+        rv = ssl2_CipherPrefGetDefault(which, enabled);
     } else {
-	rv = ssl3_CipherPrefGetDefault((ssl3CipherSuite)which, enabled);
+        rv = ssl3_CipherPrefGetDefault((ssl3CipherSuite)which, enabled);
     }
     return rv;
 }
 
 SECStatus
 SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled)
 {
     SECStatus rv;
     sslSocket *ss = ssl_FindSocket(fd);
-    
+
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd));
+        return SECFailure;
     }
     if (ssl_IsRemovedCipherSuite(which))
-    	return SECSuccess;
+        return SECSuccess;
     if (enabled && ss->opt.noStepDown && SSL_IsExportCipherSuite(which)) {
-    	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        return SECFailure;
     }
     if (SSL_IS_SSL2_CIPHER(which)) {
-	rv = ssl2_CipherPrefSet(ss, which, enabled);
+        rv = ssl2_CipherPrefSet(ss, which, enabled);
     } else {
-	rv = ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled);
+        rv = ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled);
     }
     return rv;
 }
 
-SECStatus 
+SECStatus
 SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
 {
     SECStatus  rv;
     sslSocket *ss = ssl_FindSocket(fd);
-    
+
     if (!enabled) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd));
-	*enabled = PR_FALSE;
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefGet", SSL_GETPID(), fd));
+        *enabled = PR_FALSE;
+        return SECFailure;
     }
     if (ssl_IsRemovedCipherSuite(which)) {
-	*enabled = PR_FALSE;
-    	rv = SECSuccess;
+        *enabled = PR_FALSE;
+        rv = SECSuccess;
     } else if (SSL_IS_SSL2_CIPHER(which)) {
-	rv = ssl2_CipherPrefGet(ss, which, enabled);
+        rv = ssl2_CipherPrefGet(ss, which, enabled);
     } else {
-	rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
+        rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
     }
     return rv;
 }
 
 SECStatus
 NSS_SetDomesticPolicy(void)
 {
     SECStatus      status = SECSuccess;
     const PRUint16 *cipher;
 
     for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) {
-	status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
-	if (status != SECSuccess)
-	    break;
+        status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
+        if (status != SECSuccess)
+            break;
     }
     return status;
 }
 
 SECStatus
 NSS_SetExportPolicy(void)
 {
     return NSS_SetDomesticPolicy();
@@ -1316,47 +1316,47 @@ NSS_SetFrancePolicy(void)
 
 /* LOCKS ??? XXX */
 static PRFileDesc *
 ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant)
 {
     sslSocket * ns = NULL;
     PRStatus    rv;
     PRNetAddr   addr;
-    SECStatus	status = ssl_Init();
+    SECStatus   status = ssl_Init();
 
     if (status != SECSuccess) {
-	return NULL;
+        return NULL;
     }
 
     if (model == NULL) {
-	/* Just create a default socket if we're given NULL for the model */
-	ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant);
+        /* Just create a default socket if we're given NULL for the model */
+        ns = ssl_NewSocket((PRBool)(!ssl_defaults.noLocks), variant);
     } else {
-	sslSocket * ss = ssl_FindSocket(model);
-	if (ss == NULL || ss->protocolVariant != variant) {
-	    SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD", 
-	    	      SSL_GETPID(), model));
-	    return NULL;
-	}
-	ns = ssl_DupSocket(ss);
+        sslSocket * ss = ssl_FindSocket(model);
+        if (ss == NULL || ss->protocolVariant != variant) {
+            SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ImportFD",
+                      SSL_GETPID(), model));
+            return NULL;
+        }
+        ns = ssl_DupSocket(ss);
     }
     if (ns == NULL)
-    	return NULL;
+        return NULL;
 
     rv = ssl_PushIOLayer(ns, fd, PR_TOP_IO_LAYER);
     if (rv != PR_SUCCESS) {
-	ssl_FreeSocket(ns);
-	SET_ERROR_CODE
-	return NULL;
+        ssl_FreeSocket(ns);
+        SET_ERROR_CODE
+        return NULL;
     }
 #if defined(DEBUG) || defined(FORCE_PR_ASSERT)
     {
-	sslSocket * ss = ssl_FindSocket(fd);
-	PORT_Assert(ss == ns);
+        sslSocket * ss = ssl_FindSocket(fd);
+        PORT_Assert(ss == ns);
     }
 #endif
     ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr));
     return fd;
 }
 
 PRFileDesc *
 SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
@@ -1367,215 +1367,215 @@ SSL_ImportFD(PRFileDesc *model, PRFileDe
 PRFileDesc *
 DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd)
 {
     return ssl_ImportFD(model, fd, ssl_variant_datagram);
 }
 
 SECStatus
 SSL_SetNextProtoCallback(PRFileDesc *fd, SSLNextProtoCallback callback,
-			 void *arg)
+                         void *arg)
 {
     sslSocket *ss = ssl_FindSocket(fd);
 
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoCallback", SSL_GETPID(),
-		 fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoCallback", SSL_GETPID(),
+                 fd));
+        return SECFailure;
     }
 
     ssl_GetSSL3HandshakeLock(ss);
     ss->nextProtoCallback = callback;
     ss->nextProtoArg = arg;
     ssl_ReleaseSSL3HandshakeLock(ss);
 
     return SECSuccess;
 }
 
 /* ssl_NextProtoNegoCallback is set as an NPN callback for the case when
  * SSL_SetNextProtoNego is used.
  */
 static SECStatus
 ssl_NextProtoNegoCallback(void *arg, PRFileDesc *fd,
-			  const unsigned char *protos, unsigned int protos_len,
-			  unsigned char *protoOut, unsigned int *protoOutLen,
-			  unsigned int protoMaxLen)
+                          const unsigned char *protos, unsigned int protos_len,
+                          unsigned char *protoOut, unsigned int *protoOutLen,
+                          unsigned int protoMaxLen)
 {
     unsigned int i, j;
     const unsigned char *result;
     sslSocket *ss = ssl_FindSocket(fd);
 
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in ssl_NextProtoNegoCallback",
-		 SSL_GETPID(), fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in ssl_NextProtoNegoCallback",
+                 SSL_GETPID(), fd));
+        return SECFailure;
     }
 
     if (protos_len == 0) {
-	/* The server supports the extension, but doesn't have any protocols
-	 * configured. In this case we request our favoured protocol. */
-	goto pick_first;
+        /* The server supports the extension, but doesn't have any protocols
+         * configured. In this case we request our favoured protocol. */
+        goto pick_first;
     }
 
     /* For each protocol in server preference, see if we support it. */
     for (i = 0; i < protos_len; ) {
-	for (j = 0; j < ss->opt.nextProtoNego.len; ) {
-	    if (protos[i] == ss->opt.nextProtoNego.data[j] &&
-		PORT_Memcmp(&protos[i+1], &ss->opt.nextProtoNego.data[j+1],
-			     protos[i]) == 0) {
-		/* We found a match. */
-		ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NEGOTIATED;
-		result = &protos[i];
-		goto found;
-	    }
-	    j += 1 + (unsigned int)ss->opt.nextProtoNego.data[j];
-	}
-	i += 1 + (unsigned int)protos[i];
+        for (j = 0; j < ss->opt.nextProtoNego.len; ) {
+            if (protos[i] == ss->opt.nextProtoNego.data[j] &&
+                PORT_Memcmp(&protos[i+1], &ss->opt.nextProtoNego.data[j+1],
+                             protos[i]) == 0) {
+                /* We found a match. */
+                ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NEGOTIATED;
+                result = &protos[i];
+                goto found;
+            }
+            j += 1 + (unsigned int)ss->opt.nextProtoNego.data[j];
+        }
+        i += 1 + (unsigned int)protos[i];
     }
 
 pick_first:
     ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NO_OVERLAP;
     result = ss->opt.nextProtoNego.data;
 
 found:
     if (protoMaxLen < result[0]) {
-	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
     }
     memcpy(protoOut, result + 1, result[0]);
     *protoOutLen = result[0];
     return SECSuccess;
 }
 
 SECStatus
 SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data,
-		     unsigned int length)
+                     unsigned int length)
 {
     sslSocket *ss;
     SECStatus rv;
     SECItem dataItem = { siBuffer, (unsigned char *) data, length };
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego",
-		 SSL_GETPID(), fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego",
+                 SSL_GETPID(), fd));
+        return SECFailure;
     }
 
     if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess)
-	return SECFailure;
+        return SECFailure;
 
     ssl_GetSSL3HandshakeLock(ss);
     SECITEM_FreeItem(&ss->opt.nextProtoNego, PR_FALSE);
     rv = SECITEM_CopyItem(NULL, &ss->opt.nextProtoNego, &dataItem);
     ssl_ReleaseSSL3HandshakeLock(ss);
 
     if (rv != SECSuccess)
-	return rv;
+        return rv;
 
     return SSL_SetNextProtoCallback(fd, ssl_NextProtoNegoCallback, NULL);
 }
 
 SECStatus
 SSL_GetNextProto(PRFileDesc *fd, SSLNextProtoState *state, unsigned char *buf,
-		 unsigned int *bufLen, unsigned int bufLenMax)
+                 unsigned int *bufLen, unsigned int bufLenMax)
 {
     sslSocket *ss = ssl_FindSocket(fd);
 
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetNextProto", SSL_GETPID(),
-		 fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetNextProto", SSL_GETPID(),
+                 fd));
+        return SECFailure;
     }
 
     if (!state || !buf || !bufLen) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     *state = ss->ssl3.nextProtoState;
 
     if (ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NO_SUPPORT &&
-	ss->ssl3.nextProto.data) {
-	if (ss->ssl3.nextProto.len > bufLenMax) {
-	    PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-	    return SECFailure;
-	}
-	PORT_Memcpy(buf, ss->ssl3.nextProto.data, ss->ssl3.nextProto.len);
-	*bufLen = ss->ssl3.nextProto.len;
+        ss->ssl3.nextProto.data) {
+        if (ss->ssl3.nextProto.len > bufLenMax) {
+            PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+            return SECFailure;
+        }
+        PORT_Memcpy(buf, ss->ssl3.nextProto.data, ss->ssl3.nextProto.len);
+        *bufLen = ss->ssl3.nextProto.len;
     } else {
-	*bufLen = 0;
+        *bufLen = 0;
     }
 
     return SECSuccess;
 }
 
 SECStatus SSL_SetSRTPCiphers(PRFileDesc *fd,
-			     const PRUint16 *ciphers,
-			     unsigned int numCiphers)
+                             const PRUint16 *ciphers,
+                             unsigned int numCiphers)
 {
     sslSocket *ss;
     unsigned int i;
 
     ss = ssl_FindSocket(fd);
     if (!ss || !IS_DTLS(ss)) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSRTPCiphers",
-		 SSL_GETPID(), fd));
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSRTPCiphers",
+                 SSL_GETPID(), fd));
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     if (numCiphers > MAX_DTLS_SRTP_CIPHER_SUITES) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     ss->ssl3.dtlsSRTPCipherCount = 0;
     for (i = 0; i < numCiphers; i++) {
-	const PRUint16 *srtpCipher = srtpCiphers;
-
-	while (*srtpCipher) {
-	    if (ciphers[i] == *srtpCipher)
-		break;
-	    srtpCipher++;
-	}
-	if (*srtpCipher) {
-	    ss->ssl3.dtlsSRTPCiphers[ss->ssl3.dtlsSRTPCipherCount++] =
-		ciphers[i];
-	} else {
-	    SSL_DBG(("%d: SSL[%d]: invalid or unimplemented SRTP cipher "
-		    "suite specified: 0x%04hx", SSL_GETPID(), fd,
-		    ciphers[i]));
-	}
+        const PRUint16 *srtpCipher = srtpCiphers;
+
+        while (*srtpCipher) {
+            if (ciphers[i] == *srtpCipher)
+                break;
+            srtpCipher++;
+        }
+        if (*srtpCipher) {
+            ss->ssl3.dtlsSRTPCiphers[ss->ssl3.dtlsSRTPCipherCount++] =
+                ciphers[i];
+        } else {
+            SSL_DBG(("%d: SSL[%d]: invalid or unimplemented SRTP cipher "
+                    "suite specified: 0x%04hx", SSL_GETPID(), fd,
+                    ciphers[i]));
+        }
     }
 
     if (ss->ssl3.dtlsSRTPCipherCount == 0) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     return SECSuccess;
 }
 
 SECStatus
 SSL_GetSRTPCipher(PRFileDesc *fd, PRUint16 *cipher)
 {
     sslSocket * ss;
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetSRTPCipher",
-		 SSL_GETPID(), fd));
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetSRTPCipher",
+                 SSL_GETPID(), fd));
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     if (!ss->ssl3.dtlsSRTPCipherSuite) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     *cipher = ss->ssl3.dtlsSRTPCipherSuite;
     return SECSuccess;
 }
 
 PRFileDesc *
 SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
@@ -1586,27 +1586,27 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
     sslServerCerts * sc = NULL;
 
     if (model == NULL) {
         PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
         return NULL;
     }
     sm = ssl_FindSocket(model);
     if (sm == NULL) {
-        SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ReconfigFD", 
+        SSL_DBG(("%d: SSL[%d]: bad model socket in ssl_ReconfigFD",
                  SSL_GETPID(), model));
         return NULL;
     }
     ss = ssl_FindSocket(fd);
     PORT_Assert(ss);
     if (ss == NULL) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
-    
+
     ss->opt  = sm->opt;
     ss->vrange = sm->vrange;
     PORT_Memcpy(ss->cipherSuites, sm->cipherSuites, sizeof sm->cipherSuites);
     PORT_Memcpy(ss->ssl3.dtlsSRTPCiphers, sm->ssl3.dtlsSRTPCiphers,
                 sizeof(PRUint16) * sm->ssl3.dtlsSRTPCipherCount);
     ss->ssl3.dtlsSRTPCipherCount = sm->ssl3.dtlsSRTPCipherCount;
 
     if (!ss->opt.useSecurity) {
@@ -1625,25 +1625,25 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
             }
             sc->serverCert      = CERT_DupCertificate(mc->serverCert);
             if (sc->serverCertChain) {
                 CERT_DestroyCertificateList(sc->serverCertChain);
             }
             sc->serverCertChain = CERT_DupCertList(mc->serverCertChain);
             if (!sc->serverCertChain)
                 goto loser;
-	    if (sm->certStatusArray[i]) {
-		if (ss->certStatusArray[i]) {
-		    SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE);
-		    ss->certStatusArray[i] = NULL;
-		}
-		ss->certStatusArray[i] = SECITEM_DupArray(NULL, sm->certStatusArray[i]);
-		if (!ss->certStatusArray[i])
-		    goto loser;
-	    }
+            if (sm->certStatusArray[i]) {
+                if (ss->certStatusArray[i]) {
+                    SECITEM_FreeArray(ss->certStatusArray[i], PR_TRUE);
+                    ss->certStatusArray[i] = NULL;
+                }
+                ss->certStatusArray[i] = SECITEM_DupArray(NULL, sm->certStatusArray[i]);
+                if (!ss->certStatusArray[i])
+                    goto loser;
+            }
         }
         if (mc->serverKeyPair) {
             if (sc->serverKeyPair) {
                 ssl3_FreeKeyPair(sc->serverKeyPair);
             }
             sc->serverKeyPair = ssl3_GetKeyPairRef(mc->serverKeyPair);
             sc->serverKeyBits = mc->serverKeyBits;
         }
@@ -1666,17 +1666,17 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
         if (ss->ssl3.ca_list) {
             CERT_FreeDistNames(ss->ssl3.ca_list);
         }
         ss->ssl3.ca_list = CERT_DupDistNames(sm->ssl3.ca_list);
         if (!ss->ssl3.ca_list) {
             goto loser;
         }
     }
-    
+
     if (sm->authCertificate)
         ss->authCertificate       = sm->authCertificate;
     if (sm->authCertificateArg)
         ss->authCertificateArg    = sm->authCertificateArg;
     if (sm->getClientAuthData)
         ss->getClientAuthData     = sm->getClientAuthData;
     if (sm->getClientAuthDataArg)
         ss->getClientAuthDataArg  = sm->getClientAuthDataArg;
@@ -1696,114 +1696,114 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
         ss->pkcs11PinArg          = sm->pkcs11PinArg;
     return fd;
 loser:
     return NULL;
 }
 
 PRBool
 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
-			SSL3ProtocolVersion version)
+                        SSL3ProtocolVersion version)
 {
     switch (protocolVariant) {
     case ssl_variant_stream:
-	return (version >= SSL_LIBRARY_VERSION_3_0 &&
-		version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
+        return (version >= SSL_LIBRARY_VERSION_3_0 &&
+                version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
     case ssl_variant_datagram:
-	return (version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
-		version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
+        return (version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
+                version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
     default:
-	/* Can't get here */
-	PORT_Assert(PR_FALSE);
-	return PR_FALSE;
+        /* Can't get here */
+        PORT_Assert(PR_FALSE);
+        return PR_FALSE;
     }
 }
 
 /* Returns PR_TRUE if the given version range is valid and
 ** fully supported; otherwise, returns PR_FALSE.
 */
 static PRBool
 ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant,
-			 const SSLVersionRange *vrange)
+                         const SSLVersionRange *vrange)
 {
     return vrange &&
-	   vrange->min <= vrange->max &&
-	   ssl3_VersionIsSupported(protocolVariant, vrange->min) &&
-	   ssl3_VersionIsSupported(protocolVariant, vrange->max);
+           vrange->min <= vrange->max &&
+           ssl3_VersionIsSupported(protocolVariant, vrange->min) &&
+           ssl3_VersionIsSupported(protocolVariant, vrange->max);
 }
 
 SECStatus
 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant,
-			     SSLVersionRange *vrange)
+                             SSLVersionRange *vrange)
 {
     if (!vrange) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     switch (protocolVariant) {
     case ssl_variant_stream:
-	vrange->min = SSL_LIBRARY_VERSION_3_0;
-	vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
-	break;
+        vrange->min = SSL_LIBRARY_VERSION_3_0;
+        vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
+        break;
     case ssl_variant_datagram:
-	vrange->min = SSL_LIBRARY_VERSION_TLS_1_1;
-	vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
-	break;
+        vrange->min = SSL_LIBRARY_VERSION_TLS_1_1;
+        vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
+        break;
     default:
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     return SECSuccess;
 }
 
 SECStatus
 SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant,
-			   SSLVersionRange *vrange)
+                           SSLVersionRange *vrange)
 {
     if ((protocolVariant != ssl_variant_stream &&
-	 protocolVariant != ssl_variant_datagram) || !vrange) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+         protocolVariant != ssl_variant_datagram) || !vrange) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     *vrange = *VERSIONS_DEFAULTS(protocolVariant);
 
     return SECSuccess;
 }
 
 SECStatus
 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant,
-			   const SSLVersionRange *vrange)
+                           const SSLVersionRange *vrange)
 {
     if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) {
-	PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
-	return SECFailure;
+        PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
+        return SECFailure;
     }
 
     *VERSIONS_DEFAULTS(protocolVariant) = *vrange;
 
     return SECSuccess;
 }
 
 SECStatus
 SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange)
 {
     sslSocket *ss = ssl_FindSocket(fd);
 
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeGet",
-		SSL_GETPID(), fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeGet",
+                SSL_GETPID(), fd));
+        return SECFailure;
     }
 
     if (!vrange) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-	return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     ssl_Get1stHandshakeLock(ss);
     ssl_GetSSL3HandshakeLock(ss);
 
     *vrange = ss->vrange;
 
     ssl_ReleaseSSL3HandshakeLock(ss);
@@ -1813,24 +1813,24 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLV
 }
 
 SECStatus
 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
 {
     sslSocket *ss = ssl_FindSocket(fd);
 
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeSet",
-		SSL_GETPID(), fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL3_VersionRangeSet",
+                SSL_GETPID(), fd));
+        return SECFailure;
     }
 
     if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) {
-	PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
-	return SECFailure;
+        PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
+        return SECFailure;
     }
 
     ssl_Get1stHandshakeLock(ss);
     ssl_GetSSL3HandshakeLock(ss);
 
     ss->vrange = *vrange;
 
     ssl_ReleaseSSL3HandshakeLock(ss);
@@ -1849,106 +1849,106 @@ SSL_PeerStapledOCSPResponses(PRFileDesc 
                 SSL_GETPID(), fd));
        return NULL;
     }
 
     if (!ss->sec.ci.sid) {
        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
        return NULL;
     }
-    
+
     return &ss->sec.ci.sid->peerCertStatus;
 }
 
 /************************************************************************/
 /* The following functions are the TOP LEVEL SSL functions.
 ** They all get called through the NSPRIOMethods table below.
 */
 
 static PRFileDesc * PR_CALLBACK
 ssl_Accept(PRFileDesc *fd, PRNetAddr *sockaddr, PRIntervalTime timeout)
 {
     sslSocket  *ss;
-    sslSocket  *ns 	= NULL;
-    PRFileDesc *newfd 	= NULL;
+    sslSocket  *ns      = NULL;
+    PRFileDesc *newfd   = NULL;
     PRFileDesc *osfd;
     PRStatus    status;
 
     ss = ssl_GetPrivate(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd));
-	return NULL;
+        SSL_DBG(("%d: SSL[%d]: bad socket in accept", SSL_GETPID(), fd));
+        return NULL;
     }
 
     /* IF this is a listen socket, there shouldn't be any I/O going on */
     SSL_LOCK_READER(ss);
     SSL_LOCK_WRITER(ss);
     ssl_Get1stHandshakeLock(ss);
     ssl_GetSSL3HandshakeLock(ss);
 
     ss->cTimeout = timeout;
 
     osfd = ss->fd->lower;
 
     /* First accept connection */
     newfd = osfd->methods->accept(osfd, sockaddr, timeout);
     if (newfd == NULL) {
-	SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d",
-		 SSL_GETPID(), ss->fd, PORT_GetError()));
+        SSL_DBG(("%d: SSL[%d]: accept failed, errno=%d",
+                 SSL_GETPID(), ss->fd, PORT_GetError()));
     } else {
-	/* Create ssl module */
-	ns = ssl_DupSocket(ss);
+        /* Create ssl module */
+        ns = ssl_DupSocket(ss);
     }
 
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_Release1stHandshakeLock(ss);
     SSL_UNLOCK_WRITER(ss);
-    SSL_UNLOCK_READER(ss);			/* ss isn't used below here. */
+    SSL_UNLOCK_READER(ss);                      /* ss isn't used below here. */
 
     if (ns == NULL)
-	goto loser;
+        goto loser;
 
     /* push ssl module onto the new socket */
     status = ssl_PushIOLayer(ns, newfd, PR_TOP_IO_LAYER);
     if (status != PR_SUCCESS)
-	goto loser;
+        goto loser;
 
     /* Now start server connection handshake with client.
     ** Don't need locks here because nobody else has a reference to ns yet.
     */
     if ( ns->opt.useSecurity ) {
-	if ( ns->opt.handshakeAsClient ) {
-	    ns->handshake = ssl2_BeginClientHandshake;
-	    ss->handshaking = sslHandshakingAsClient;
-	} else {
-	    ns->handshake = ssl2_BeginServerHandshake;
-	    ss->handshaking = sslHandshakingAsServer;
-	}
+        if ( ns->opt.handshakeAsClient ) {
+            ns->handshake = ssl2_BeginClientHandshake;
+            ss->handshaking = sslHandshakingAsClient;
+        } else {
+            ns->handshake = ssl2_BeginServerHandshake;
+            ss->handshaking = sslHandshakingAsServer;
+        }
     }
     ns->TCPconnected = 1;
     return newfd;
 
 loser:
     if (ns != NULL)
-	ssl_FreeSocket(ns);
+        ssl_FreeSocket(ns);
     if (newfd != NULL)
-	PR_Close(newfd);
+        PR_Close(newfd);
     return NULL;
 }
 
 static PRStatus PR_CALLBACK
 ssl_Connect(PRFileDesc *fd, const PRNetAddr *sockaddr, PRIntervalTime timeout)
 {
     sslSocket *ss;
     PRStatus   rv;
 
     ss = ssl_GetPrivate(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd));
-	return PR_FAILURE;
+        SSL_DBG(("%d: SSL[%d]: bad socket in connect", SSL_GETPID(), fd));
+        return PR_FAILURE;
     }
 
     /* IF this is a listen socket, there shouldn't be any I/O going on */
     SSL_LOCK_READER(ss);
     SSL_LOCK_WRITER(ss);
 
     ss->cTimeout = timeout;
     rv = (PRStatus)(*ss->ops->connect)(ss, sockaddr);
@@ -1961,18 +1961,18 @@ ssl_Connect(PRFileDesc *fd, const PRNetA
 
 static PRStatus PR_CALLBACK
 ssl_Bind(PRFileDesc *fd, const PRNetAddr *addr)
 {
     sslSocket * ss = ssl_GetPrivate(fd);
     PRStatus    rv;
 
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd));
-	return PR_FAILURE;
+        SSL_DBG(("%d: SSL[%d]: bad socket in bind", SSL_GETPID(), fd));
+        return PR_FAILURE;
     }
     SSL_LOCK_READER(ss);
     SSL_LOCK_WRITER(ss);
 
     rv = (PRStatus)(*ss->ops->bind)(ss, addr);
 
     SSL_UNLOCK_WRITER(ss);
     SSL_UNLOCK_READER(ss);
@@ -1981,18 +1981,18 @@ ssl_Bind(PRFileDesc *fd, const PRNetAddr
 
 static PRStatus PR_CALLBACK
 ssl_Listen(PRFileDesc *fd, PRIntn backlog)
 {
     sslSocket * ss = ssl_GetPrivate(fd);
     PRStatus    rv;
 
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd));
-	return PR_FAILURE;
+        SSL_DBG(("%d: SSL[%d]: bad socket in listen", SSL_GETPID(), fd));
+        return PR_FAILURE;
     }
     SSL_LOCK_READER(ss);
     SSL_LOCK_WRITER(ss);
 
     rv = (PRStatus)(*ss->ops->listen)(ss, backlog);
 
     SSL_UNLOCK_WRITER(ss);
     SSL_UNLOCK_READER(ss);
@@ -2001,155 +2001,155 @@ ssl_Listen(PRFileDesc *fd, PRIntn backlo
 
 static PRStatus PR_CALLBACK
 ssl_Shutdown(PRFileDesc *fd, PRIntn how)
 {
     sslSocket * ss = ssl_GetPrivate(fd);
     PRStatus    rv;
 
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd));
-	return PR_FAILURE;
+        SSL_DBG(("%d: SSL[%d]: bad socket in shutdown", SSL_GETPID(), fd));
+        return PR_FAILURE;
     }
     if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
-    	SSL_LOCK_READER(ss);
+        SSL_LOCK_READER(ss);
     }
     if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
-    	SSL_LOCK_WRITER(ss);
+        SSL_LOCK_WRITER(ss);
     }
 
     rv = (PRStatus)(*ss->ops->shutdown)(ss, how);
 
     if (how == PR_SHUTDOWN_SEND || how == PR_SHUTDOWN_BOTH) {
-    	SSL_UNLOCK_WRITER(ss);
+        SSL_UNLOCK_WRITER(ss);
     }
     if (how == PR_SHUTDOWN_RCV || how == PR_SHUTDOWN_BOTH) {
-    	SSL_UNLOCK_READER(ss);
+        SSL_UNLOCK_READER(ss);
     }
     return rv;
 }
 
 static PRStatus PR_CALLBACK
 ssl_Close(PRFileDesc *fd)
 {
     sslSocket *ss;
     PRStatus   rv;
 
     ss = ssl_GetPrivate(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd));
-	return PR_FAILURE;
+        SSL_DBG(("%d: SSL[%d]: bad socket in close", SSL_GETPID(), fd));
+        return PR_FAILURE;
     }
 
     /* There must not be any I/O going on */
     SSL_LOCK_READER(ss);
     SSL_LOCK_WRITER(ss);
 
-    /* By the time this function returns, 
-    ** ss is an invalid pointer, and the locks to which it points have 
+    /* By the time this function returns,
+    ** ss is an invalid pointer, and the locks to which it points have
     ** been unlocked and freed.  So, this is the ONE PLACE in all of SSL
     ** where the LOCK calls and the corresponding UNLOCK calls are not in
     ** the same function scope.  The unlock calls are in ssl_FreeSocket().
     */
     rv = (PRStatus)(*ss->ops->close)(ss);
 
     return rv;
 }
 
 static int PR_CALLBACK
 ssl_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags,
-	 PRIntervalTime timeout)
+         PRIntervalTime timeout)
 {
     sslSocket *ss;
     int        rv;
 
     ss = ssl_GetPrivate(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in recv", SSL_GETPID(), fd));
+        return SECFailure;
     }
     SSL_LOCK_READER(ss);
     ss->rTimeout = timeout;
     if (!ss->opt.fdx)
-	ss->wTimeout = timeout;
+        ss->wTimeout = timeout;
     rv = (*ss->ops->recv)(ss, (unsigned char*)buf, len, flags);
     SSL_UNLOCK_READER(ss);
     return rv;
 }
 
 static int PR_CALLBACK
 ssl_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags,
-	 PRIntervalTime timeout)
+         PRIntervalTime timeout)
 {
     sslSocket *ss;
     int        rv;
 
     ss = ssl_GetPrivate(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in send", SSL_GETPID(), fd));
+        return SECFailure;
     }
     SSL_LOCK_WRITER(ss);
     ss->wTimeout = timeout;
     if (!ss->opt.fdx)
-	ss->rTimeout = timeout;
+        ss->rTimeout = timeout;
     rv = (*ss->ops->send)(ss, (const unsigned char*)buf, len, flags);
     SSL_UNLOCK_WRITER(ss);
     return rv;
 }
 
 static int PR_CALLBACK
 ssl_Read(PRFileDesc *fd, void *buf, PRInt32 len)
 {
     sslSocket *ss;
     int        rv;
 
     ss = ssl_GetPrivate(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in read", SSL_GETPID(), fd));
+        return SECFailure;
     }
     SSL_LOCK_READER(ss);
     ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
     if (!ss->opt.fdx)
-	ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
+        ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
     rv = (*ss->ops->read)(ss, (unsigned char*)buf, len);
     SSL_UNLOCK_READER(ss);
     return rv;
 }
 
 static int PR_CALLBACK
 ssl_Write(PRFileDesc *fd, const void *buf, PRInt32 len)
 {
     sslSocket *ss;
     int        rv;
 
     ss = ssl_GetPrivate(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in write", SSL_GETPID(), fd));
+        return SECFailure;
     }
     SSL_LOCK_WRITER(ss);
     ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;
     if (!ss->opt.fdx)
-	ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
+        ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
     rv = (*ss->ops->write)(ss, (const unsigned char*)buf, len);
     SSL_UNLOCK_WRITER(ss);
     return rv;
 }
 
 static PRStatus PR_CALLBACK
 ssl_GetPeerName(PRFileDesc *fd, PRNetAddr *addr)
 {
     sslSocket *ss;
 
     ss = ssl_GetPrivate(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd));
-	return PR_FAILURE;
+        SSL_DBG(("%d: SSL[%d]: bad socket in getpeername", SSL_GETPID(), fd));
+        return PR_FAILURE;
     }
     return (PRStatus)(*ss->ops->getpeername)(ss, addr);
 }
 
 /*
 */
 SECStatus
 ssl_GetPeerInfo(sslSocket *ss)
@@ -2158,221 +2158,221 @@ ssl_GetPeerInfo(sslSocket *ss)
     int               rv;
     PRNetAddr         sin;
 
     osfd = ss->fd->lower;
 
     PORT_Memset(&sin, 0, sizeof(sin));
     rv = osfd->methods->getpeername(osfd, &sin);
     if (rv < 0) {
-	return SECFailure;
+        return SECFailure;
     }
     ss->TCPconnected = 1;
     if (sin.inet.family == PR_AF_INET) {
         PR_ConvertIPv4AddrToIPv6(sin.inet.ip, &ss->sec.ci.peer);
-	ss->sec.ci.port = sin.inet.port;
+        ss->sec.ci.port = sin.inet.port;
     } else if (sin.ipv6.family == PR_AF_INET6) {
-	ss->sec.ci.peer = sin.ipv6.ip;
-	ss->sec.ci.port = sin.ipv6.port;
+        ss->sec.ci.peer = sin.ipv6.ip;
+        ss->sec.ci.port = sin.ipv6.port;
     } else {
-	PORT_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR);
-    	return SECFailure;
+        PORT_SetError(PR_ADDRESS_NOT_SUPPORTED_ERROR);
+        return SECFailure;
     }
     return SECSuccess;
 }
 
 static PRStatus PR_CALLBACK
 ssl_GetSockName(PRFileDesc *fd, PRNetAddr *name)
 {
     sslSocket *ss;
 
     ss = ssl_GetPrivate(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in getsockname", SSL_GETPID(), fd));
-	return PR_FAILURE;
+        SSL_DBG(("%d: SSL[%d]: bad socket in getsockname", SSL_GETPID(), fd));
+        return PR_FAILURE;
     }
     return (PRStatus)(*ss->ops->getsockname)(ss, name);
 }
 
 SECStatus
 SSL_SetStapledOCSPResponses(PRFileDesc *fd, const SECItemArray *responses,
-			    SSLKEAType kea)
+                            SSLKEAType kea)
 {
     sslSocket *ss;
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetStapledOCSPResponses",
-		 SSL_GETPID(), fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetStapledOCSPResponses",
+                 SSL_GETPID(), fd));
+        return SECFailure;
     }
 
     if ( kea <= 0 || kea >= kt_kea_size) {
-	SSL_DBG(("%d: SSL[%d]: invalid key in SSL_SetStapledOCSPResponses",
-		 SSL_GETPID(), fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: invalid key in SSL_SetStapledOCSPResponses",
+                 SSL_GETPID(), fd));
+        return SECFailure;
     }
 
     if (ss->certStatusArray[kea]) {
         SECITEM_FreeArray(ss->certStatusArray[kea], PR_TRUE);
         ss->certStatusArray[kea] = NULL;
     }
     if (responses) {
-	ss->certStatusArray[kea] = SECITEM_DupArray(NULL, responses);
+        ss->certStatusArray[kea] = SECITEM_DupArray(NULL, responses);
     }
     return (ss->certStatusArray[kea] || !responses) ? SECSuccess : SECFailure;
 }
 
 SECStatus
 SSL_SetSockPeerID(PRFileDesc *fd, const char *peerID)
 {
     sslSocket *ss;
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSockPeerID",
-		 SSL_GETPID(), fd));
-	return SECFailure;
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetSockPeerID",
+                 SSL_GETPID(), fd));
+        return SECFailure;
     }
 
     if (ss->peerID) {
-    	PORT_Free(ss->peerID);
-	ss->peerID = NULL;
+        PORT_Free(ss->peerID);
+        ss->peerID = NULL;
     }
     if (peerID)
-	ss->peerID = PORT_Strdup(peerID);
+        ss->peerID = PORT_Strdup(peerID);
     return (ss->peerID || !peerID) ? SECSuccess : SECFailure;
 }
 
 #define PR_POLL_RW (PR_POLL_WRITE | PR_POLL_READ)
 
 static PRInt16 PR_CALLBACK
 ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
 {
     sslSocket *ss;
-    PRInt16    new_flags = how_flags;	/* should select on these flags. */
+    PRInt16    new_flags = how_flags;   /* should select on these flags. */
     PRNetAddr  addr;
 
     *p_out_flags = 0;
     ss = ssl_GetPrivate(fd);
     if (!ss) {
-	SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll",
-		 SSL_GETPID(), fd));
-	return 0;	/* don't poll on this socket */
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_Poll",
+                 SSL_GETPID(), fd));
+        return 0;       /* don't poll on this socket */
     }
 
-    if (ss->opt.useSecurity && 
-	ss->handshaking != sslHandshakingUndetermined &&
+    if (ss->opt.useSecurity &&
+        ss->handshaking != sslHandshakingUndetermined &&
         !ss->firstHsDone &&
-	(how_flags & PR_POLL_RW)) {
-	if (!ss->TCPconnected) {
-	    ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));
-	}
-	/* If it's not connected, then presumably the application is polling
-	** on read or write appropriately, so don't change it. 
-	*/
-	if (ss->TCPconnected) {
-	    if (!ss->handshakeBegun) {
-		/* If the handshake has not begun, poll on read or write 
-		** based on the local application's role in the handshake,
-		** not based on what the application requested.
-		*/
-		new_flags &= ~PR_POLL_RW;
-		if (ss->handshaking == sslHandshakingAsClient) {
-		    new_flags |= PR_POLL_WRITE;
-		} else { /* handshaking as server */
-		    new_flags |= PR_POLL_READ;
-		}
-	    } else 
-	    /* First handshake is in progress */
-	    if (ss->lastWriteBlocked) {
-		if (new_flags & PR_POLL_READ) {
-		    /* The caller is waiting for data to be received, 
-		    ** but the initial handshake is blocked on write, or the 
-		    ** client's first handshake record has not been written.
-		    ** The code should select on write, not read.
-		    */
-		    new_flags ^=  PR_POLL_READ;	   /* don't select on read. */
-		    new_flags |=  PR_POLL_WRITE;   /* do    select on write. */
-		}
-	    } else if (new_flags & PR_POLL_WRITE) {
-		    /* The caller is trying to write, but the handshake is 
-		    ** blocked waiting for data to read, and the first 
-		    ** handshake has been sent.  So do NOT to poll on write
-		    ** unless we did false start.
-		    */
-		    if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 &&
-			ss->ssl3.hs.canFalseStart)) {
-			new_flags ^= PR_POLL_WRITE; /* don't select on write. */
-		    }
-		    new_flags |= PR_POLL_READ;      /* do    select on read. */
-	    }
-	}
+        (how_flags & PR_POLL_RW)) {
+        if (!ss->TCPconnected) {
+            ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));
+        }
+        /* If it's not connected, then presumably the application is polling
+        ** on read or write appropriately, so don't change it.
+        */
+        if (ss->TCPconnected) {
+            if (!ss->handshakeBegun) {
+                /* If the handshake has not begun, poll on read or write
+                ** based on the local application's role in the handshake,
+                ** not based on what the application requested.
+                */
+                new_flags &= ~PR_POLL_RW;
+                if (ss->handshaking == sslHandshakingAsClient) {
+                    new_flags |= PR_POLL_WRITE;
+                } else { /* handshaking as server */
+                    new_flags |= PR_POLL_READ;
+                }
+            } else
+            /* First handshake is in progress */
+            if (ss->lastWriteBlocked) {
+                if (new_flags & PR_POLL_READ) {
+                    /* The caller is waiting for data to be received,
+                    ** but the initial handshake is blocked on write, or the
+                    ** client's first handshake record has not been written.
+                    ** The code should select on write, not read.
+                    */
+                    new_flags ^=  PR_POLL_READ;    /* don't select on read. */
+                    new_flags |=  PR_POLL_WRITE;   /* do    select on write. */
+                }
+            } else if (new_flags & PR_POLL_WRITE) {
+                    /* The caller is trying to write, but the handshake is
+                    ** blocked waiting for data to read, and the first
+                    ** handshake has been sent.  So do NOT to poll on write
+                    ** unless we did false start.
+                    */
+                    if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 &&
+                        ss->ssl3.hs.canFalseStart)) {
+                        new_flags ^= PR_POLL_WRITE; /* don't select on write. */
+                    }
+                    new_flags |= PR_POLL_READ;      /* do    select on read. */
+            }
+        }
     } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
-	*p_out_flags = PR_POLL_READ;	/* it's ready already. */
-	return new_flags;
+        *p_out_flags = PR_POLL_READ;    /* it's ready already. */
+        return new_flags;
     } else if ((ss->lastWriteBlocked) && (how_flags & PR_POLL_READ) &&
-	       (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */
-	new_flags |=  PR_POLL_WRITE;   /* also select on write. */
+               (ss->pendingBuf.len != 0)) { /* write data waiting to be sent */
+        new_flags |=  PR_POLL_WRITE;   /* also select on write. */
     }
 
     if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
-	ss->ssl3.hs.restartTarget != NULL) {
-	/* Read and write will block until the asynchronous callback completes
-	 * (e.g. until SSL_AuthCertificateComplete is called), so don't tell
-	 * the caller to poll the socket unless there is pending write data.
-	 */
-	if (ss->lastWriteBlocked && ss->pendingBuf.len != 0) {
-	    /* Ignore any newly-received data on the socket, but do wait for
-	     * the socket to become writable again. Here, it is OK for an error
-	     * to be detected, because our logic for sending pending write data
-	     * will allow us to report the error to the caller without the risk
-	     * of the application spinning.
-	     */
-	    new_flags &= (PR_POLL_WRITE | PR_POLL_EXCEPT);
-	} else {
-	    /* Unfortunately, clearing new_flags will make it impossible for
-	     * the application to detect errors that it would otherwise be
-	     * able to detect with PR_POLL_EXCEPT, until the asynchronous
-	     * callback completes. However, we must clear all the flags to
-	     * prevent the application from spinning (alternating between
-	     * calling PR_Poll that would return PR_POLL_EXCEPT, and send/recv
-	     * which won't actually report the I/O error while we are waiting
-	     * for the asynchronous callback to complete).
-	     */
-	    new_flags = 0;
-	}
+        ss->ssl3.hs.restartTarget != NULL) {
+        /* Read and write will block until the asynchronous callback completes
+         * (e.g. until SSL_AuthCertificateComplete is called), so don't tell
+         * the caller to poll the socket unless there is pending write data.
+         */
+        if (ss->lastWriteBlocked && ss->pendingBuf.len != 0) {
+            /* Ignore any newly-received data on the socket, but do wait for
+             * the socket to become writable again. Here, it is OK for an error
+             * to be detected, because our logic for sending pending write data
+             * will allow us to report the error to the caller without the risk
+             * of the application spinning.
+             */
+            new_flags &= (PR_POLL_WRITE | PR_POLL_EXCEPT);
+        } else {
+            /* Unfortunately, clearing new_flags will make it impossible for
+             * the application to detect errors that it would otherwise be
+             * able to detect with PR_POLL_EXCEPT, until the asynchronous
+             * callback completes. However, we must clear all the flags to
+             * prevent the application from spinning (alternating between
+             * calling PR_Poll that would return PR_POLL_EXCEPT, and send/recv
+             * which won't actually report the I/O error while we are waiting
+             * for the asynchronous callback to complete).
+             */
+            new_flags = 0;
+        }
     }
 
     if (new_flags && (fd->lower->methods->poll != NULL)) {
-	PRInt16    lower_out_flags = 0;
-	PRInt16    lower_new_flags;
-        lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags, 
-					           &lower_out_flags);
-	if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) {
-	    PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW;
-	    if (lower_out_flags & PR_POLL_READ) 
-		out_flags |= PR_POLL_WRITE;
-	    if (lower_out_flags & PR_POLL_WRITE) 
-		out_flags |= PR_POLL_READ;
-	    *p_out_flags = out_flags;
-	    new_flags = how_flags;
-	} else {
-	    *p_out_flags = lower_out_flags;
-	    new_flags    = lower_new_flags;
-	}
+        PRInt16    lower_out_flags = 0;
+        PRInt16    lower_new_flags;
+        lower_new_flags = fd->lower->methods->poll(fd->lower, new_flags,
+                                                   &lower_out_flags);
+        if ((lower_new_flags & lower_out_flags) && (how_flags != new_flags)) {
+            PRInt16 out_flags = lower_out_flags & ~PR_POLL_RW;
+            if (lower_out_flags & PR_POLL_READ)
+                out_flags |= PR_POLL_WRITE;
+            if (lower_out_flags & PR_POLL_WRITE)
+                out_flags |= PR_POLL_READ;
+            *p_out_flags = out_flags;
+            new_flags = how_flags;
+        } else {
+            *p_out_flags = lower_out_flags;
+            new_flags    = lower_new_flags;
+        }
     }
 
     return new_flags;
 }
 
 static PRInt32 PR_CALLBACK
 ssl_TransmitFile(PRFileDesc *sd, PRFileDesc *fd,
-		 const void *headers, PRInt32 hlen,
-		 PRTransmitFileFlags flags, PRIntervalTime timeout)
+                 const void *headers, PRInt32 hlen,
+                 PRTransmitFileFlags flags, PRIntervalTime timeout)
 {
     PRSendFileData sfd;
 
     sfd.fd = fd;
     sfd.file_offset = 0;
     sfd.file_nbytes = 0;
     sfd.header = headers;
     sfd.hlen = hlen;
@@ -2388,164 +2388,164 @@ ssl_FdIsBlocking(PRFileDesc *fd)
 {
     PRSocketOptionData opt;
     PRStatus           status;
 
     opt.option             = PR_SockOpt_Nonblocking;
     opt.value.non_blocking = PR_FALSE;
     status = PR_GetSocketOption(fd, &opt);
     if (status != PR_SUCCESS)
-	return PR_FALSE;
+        return PR_FALSE;
     return (PRBool)!opt.value.non_blocking;
 }
 
 PRBool
 ssl_SocketIsBlocking(sslSocket *ss)
 {
     return ssl_FdIsBlocking(ss->fd);
 }
 
 PRInt32  sslFirstBufSize = 8 * 1024;
 PRInt32  sslCopyLimit    = 1024;
 
 static PRInt32 PR_CALLBACK
-ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, 
+ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
            PRIntervalTime timeout)
 {
     PRInt32            i;
     PRInt32            bufLen;
     PRInt32            left;
     PRInt32            rv;
     PRInt32            sent      =  0;
     const PRInt32      first_len = sslFirstBufSize;
     const PRInt32      limit     = sslCopyLimit;
     PRBool             blocking;
-    PRIOVec            myIov	 = { 0, 0 };
+    PRIOVec            myIov     = { 0, 0 };
     char               buf[MAX_FRAGMENT_LENGTH];
 
     if (vectors < 0) {
-    	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-	return -1;
+        PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+        return -1;
     }
     if (vectors > PR_MAX_IOVECTOR_SIZE) {
-    	PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
-	return -1;
+        PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
+        return -1;
     }
     for (i = 0; i < vectors; i++) {
-	if (iov[i].iov_len < 0) {
-	    PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-	    return -1;
-	}
+        if (iov[i].iov_len < 0) {
+            PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+            return -1;
+        }
     }
     blocking = ssl_FdIsBlocking(fd);
 
 #define K16 sizeof(buf)
 #define KILL_VECTORS while (vectors && !iov->iov_len) { ++iov; --vectors; }
 #define GET_VECTOR   do { myIov = *iov++; --vectors; KILL_VECTORS } while (0)
 #define HANDLE_ERR(rv, len) \
     if (rv != len) { \
-	if (rv < 0) { \
-	    if (!blocking \
-		&& (PR_GetError() == PR_WOULD_BLOCK_ERROR) \
-		&& (sent > 0)) { \
-		return sent; \
-	    } else { \
-		return -1; \
-	    } \
-	} \
-	/* Only a nonblocking socket can have partial sends */ \
-	PR_ASSERT(!blocking); \
-	return sent + rv; \
-    } 
+        if (rv < 0) { \
+            if (!blocking \
+                && (PR_GetError() == PR_WOULD_BLOCK_ERROR) \
+                && (sent > 0)) { \
+                return sent; \
+            } else { \
+                return -1; \
+            } \
+        } \
+        /* Only a nonblocking socket can have partial sends */ \
+        PR_ASSERT(!blocking); \
+        return sent + rv; \
+    }
 #define SEND(bfr, len) \
     do { \
-	rv = ssl_Send(fd, bfr, len, 0, timeout); \
-	HANDLE_ERR(rv, len) \
-	sent += len; \
+        rv = ssl_Send(fd, bfr, len, 0, timeout); \
+        HANDLE_ERR(rv, len) \
+        sent += len; \
     } while (0)
 
     /* Make sure the first write is at least 8 KB, if possible. */
     KILL_VECTORS
     if (!vectors)
-	return ssl_Send(fd, 0, 0, 0, timeout);
+        return ssl_Send(fd, 0, 0, 0, timeout);
     GET_VECTOR;
     if (!vectors) {
-	return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout);
+        return ssl_Send(fd, myIov.iov_base, myIov.iov_len, 0, timeout);
     }
     if (myIov.iov_len < first_len) {
-	PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
-	bufLen = myIov.iov_len;
-	left = first_len - bufLen;
-	while (vectors && left) {
-	    int toCopy;
-	    GET_VECTOR;
-	    toCopy = PR_MIN(left, myIov.iov_len);
-	    PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy);
-	    bufLen         += toCopy;
-	    left           -= toCopy;
-	    myIov.iov_base += toCopy;
-	    myIov.iov_len  -= toCopy;
-	}
-	SEND( buf, bufLen );
+        PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
+        bufLen = myIov.iov_len;
+        left = first_len - bufLen;
+        while (vectors && left) {
+            int toCopy;
+            GET_VECTOR;
+            toCopy = PR_MIN(left, myIov.iov_len);
+            PORT_Memcpy(buf + bufLen, myIov.iov_base, toCopy);
+            bufLen         += toCopy;
+            left           -= toCopy;
+            myIov.iov_base += toCopy;
+            myIov.iov_len  -= toCopy;
+        }
+        SEND( buf, bufLen );
     }
 
     while (vectors || myIov.iov_len) {
-	PRInt32   addLen;
-	if (!myIov.iov_len) {
-	    GET_VECTOR;
-	}
-	while (myIov.iov_len >= K16) {
-	    SEND(myIov.iov_base, K16);
-	    myIov.iov_base += K16;
-	    myIov.iov_len  -= K16;
-	}
-	if (!myIov.iov_len)
-	    continue;
-
-	if (!vectors || myIov.iov_len > limit) {
-	    addLen = 0;
-	} else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) {
-	    /* Addlen is already computed. */;
-	} else if (vectors > 1 && 
-	     iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) {
-	     addLen = limit - myIov.iov_len;
-	} else 
-	    addLen = 0;
-
-	if (!addLen) {
-	    SEND( myIov.iov_base, myIov.iov_len );
-	    myIov.iov_len = 0;
-	    continue;
-	}
-	PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
-	bufLen = myIov.iov_len;
-	do {
-	    GET_VECTOR;
-	    PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen);
-	    myIov.iov_base += addLen;
-	    myIov.iov_len  -= addLen;
-	    bufLen         += addLen;
-
-	    left = PR_MIN( limit, K16 - bufLen);
-	    if (!vectors 		/* no more left */
-	    ||  myIov.iov_len > 0	/* we didn't use that one all up */
-	    ||  bufLen >= K16		/* it's full. */
-	    ) {
-		addLen = 0;
-	    } else if ((addLen = iov->iov_len % K16) <= left) {
-		/* Addlen is already computed. */;
-	    } else if (vectors > 1 && 
-		 iov[1].iov_len % K16 + addLen <= left + limit) {
-		 addLen = left;
-	    } else 
-		addLen = 0;
-
-	} while (addLen);
-	SEND( buf, bufLen );
-    } 
+        PRInt32   addLen;
+        if (!myIov.iov_len) {
+            GET_VECTOR;
+        }
+        while (myIov.iov_len >= K16) {
+            SEND(myIov.iov_base, K16);
+            myIov.iov_base += K16;
+            myIov.iov_len  -= K16;
+        }
+        if (!myIov.iov_len)
+            continue;
+
+        if (!vectors || myIov.iov_len > limit) {
+            addLen = 0;
+        } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) {
+            /* Addlen is already computed. */;
+        } else if (vectors > 1 &&
+             iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) {
+             addLen = limit - myIov.iov_len;
+        } else
+            addLen = 0;
+
+        if (!addLen) {
+            SEND( myIov.iov_base, myIov.iov_len );
+            myIov.iov_len = 0;
+            continue;
+        }
+        PORT_Memcpy(buf, myIov.iov_base, myIov.iov_len);
+        bufLen = myIov.iov_len;
+        do {
+            GET_VECTOR;
+            PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen);
+            myIov.iov_base += addLen;
+            myIov.iov_len  -= addLen;
+            bufLen         += addLen;
+
+            left = PR_MIN( limit, K16 - bufLen);
+            if (!vectors                /* no more left */
+            ||  myIov.iov_len > 0       /* we didn't use that one all up */
+            ||  bufLen >= K16           /* it's full. */
+            ) {
+                addLen = 0;
+            } else if ((addLen = iov->iov_len % K16) <= left) {
+                /* Addlen is already computed. */;
+            } else if (vectors > 1 &&
+                 iov[1].iov_len % K16 + addLen <= left + limit) {
+                 addLen = left;
+            } else
+                addLen = 0;
+
+        } while (addLen);
+        SEND( buf, bufLen );
+    }
     return sent;
 }
 
 /*
  * These functions aren't implemented.
  */
 
 static PRInt32 PR_CALLBACK
@@ -2605,69 +2605,69 @@ ssl_FileInfo64(PRFileDesc *fd, PRFileInf
 {
     PORT_Assert(0);
     PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
     return PR_FAILURE;
 }
 
 static PRInt32 PR_CALLBACK
 ssl_RecvFrom(PRFileDesc *fd, void *buf, PRInt32 amount, PRIntn flags,
-	     PRNetAddr *addr, PRIntervalTime timeout)
+             PRNetAddr *addr, PRIntervalTime timeout)
 {
     PORT_Assert(0);
     PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
     return SECFailure;
 }
 
 static PRInt32 PR_CALLBACK
 ssl_SendTo(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags,
-	   const PRNetAddr *addr, PRIntervalTime timeout)
+           const PRNetAddr *addr, PRIntervalTime timeout)
 {
     PORT_Assert(0);
     PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
     return SECFailure;
 }
 
 static const PRIOMethods ssl_methods = {
     PR_DESC_LAYERED,
-    ssl_Close,           	/* close        */
-    ssl_Read,            	/* read         */
-    ssl_Write,           	/* write        */
-    ssl_Available,       	/* available    */
-    ssl_Available64,     	/* available64  */
-    ssl_FSync,           	/* fsync        */
-    ssl_Seek,            	/* seek         */
-    ssl_Seek64,          	/* seek64       */
-    ssl_FileInfo,        	/* fileInfo     */
-    ssl_FileInfo64,      	/* fileInfo64   */
-    ssl_WriteV,          	/* writev       */
-    ssl_Connect,         	/* connect      */
-    ssl_Accept,          	/* accept       */
-    ssl_Bind,            	/* bind         */
-    ssl_Listen,          	/* listen       */
-    ssl_Shutdown,        	/* shutdown     */
-    ssl_Recv,            	/* recv         */
-    ssl_Send,            	/* send         */
-    ssl_RecvFrom,        	/* recvfrom     */
-    ssl_SendTo,          	/* sendto       */
-    ssl_Poll,            	/* poll         */
+    ssl_Close,                  /* close        */
+    ssl_Read,                   /* read         */
+    ssl_Write,                  /* write        */
+    ssl_Available,              /* available    */
+    ssl_Available64,            /* available64  */
+    ssl_FSync,                  /* fsync        */
+    ssl_Seek,                   /* seek         */
+    ssl_Seek64,                 /* seek64       */
+    ssl_FileInfo,               /* fileInfo     */
+    ssl_FileInfo64,             /* fileInfo64   */
+    ssl_WriteV,                 /* writev       */
+    ssl_Connect,                /* connect      */
+    ssl_Accept,                 /* accept       */
+    ssl_Bind,                   /* bind         */
+    ssl_Listen,                 /* listen       */
+    ssl_Shutdown,               /* shutdown     */
+    ssl_Recv,                   /* recv         */
+    ssl_Send,                   /* send         */
+    ssl_RecvFrom,               /* recvfrom     */
+    ssl_SendTo,                 /* sendto       */
+    ssl_Poll,                   /* poll         */
     PR_EmulateAcceptRead,       /* acceptread   */
     ssl_TransmitFile,           /* transmitfile */
-    ssl_GetSockName,     	/* getsockname  */
-    ssl_GetPeerName,     	/* getpeername  */
-    NULL,                	/* getsockopt   OBSOLETE */
-    NULL,                	/* setsockopt   OBSOLETE */
-    NULL,                	/* getsocketoption   */
-    NULL,                	/* setsocketoption   */
-    PR_EmulateSendFile, 	/* Send a (partial) file with header/trailer*/
-    NULL,                	/* reserved for future use */
-    NULL,                	/* reserved for future use */
-    NULL,                	/* reserved for future use */
-    NULL,                	/* reserved for future use */
-    NULL                 	/* reserved for future use */
+    ssl_GetSockName,            /* getsockname  */
+    ssl_GetPeerName,            /* getpeername  */
+    NULL,                       /* getsockopt   OBSOLETE */
+    NULL,                       /* setsockopt   OBSOLETE */
+    NULL,                       /* getsocketoption   */
+    NULL,                       /* setsocketoption   */
+    PR_EmulateSendFile,         /* Send a (partial) file with header/trailer*/
+    NULL,                       /* reserved for future use */
+    NULL,                       /* reserved for future use */
+    NULL,                       /* reserved for future use */
+    NULL,                       /* reserved for future use */
+    NULL                        /* reserved for future use */
 };
 
 
 static PRIOMethods combined_methods;
 
 static void
 ssl_SetupIOMethods(void)
 {
@@ -2698,105 +2698,105 @@ ssl_SetupIOMethods(void)
     new_methods->send              = my_methods->send;
     new_methods->recvfrom          = my_methods->recvfrom;
     new_methods->sendto            = my_methods->sendto;
     new_methods->poll              = my_methods->poll;
     new_methods->acceptread        = my_methods->acceptread;
     new_methods->transmitfile      = my_methods->transmitfile;
     new_methods->getsockname       = my_methods->getsockname;
     new_methods->getpeername       = my_methods->getpeername;
-/*  new_methods->getsocketoption   = my_methods->getsocketoption;	*/
-/*  new_methods->setsocketoption   = my_methods->setsocketoption;	*/
+/*  new_methods->getsocketoption   = my_methods->getsocketoption;       */
+/*  new_methods->setsocketoption   = my_methods->setsocketoption;       */
     new_methods->sendfile          = my_methods->sendfile;
 
 }
 
 static PRCallOnceType initIoLayerOnce;
 
-static PRStatus  
+static PRStatus
 ssl_InitIOLayer(void)
 {
     ssl_layer_id = PR_GetUniqueIdentity("SSL");
     ssl_SetupIOMethods();
     ssl_inited = PR_TRUE;
     return PR_SUCCESS;
 }
 
 static PRStatus
 ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id)
 {
-    PRFileDesc *layer	= NULL;
+    PRFileDesc *layer   = NULL;
     PRStatus    status;
 
     if (!ssl_inited) {
-	status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer);
-	if (status != PR_SUCCESS)
-	    goto loser;
+        status = PR_CallOnce(&initIoLayerOnce, &ssl_InitIOLayer);
+        if (status != PR_SUCCESS)
+            goto loser;
     }
 
     if (ns == NULL)
-	goto loser;
+        goto loser;
 
     layer = PR_CreateIOLayerStub(ssl_layer_id, &combined_methods);
     if (layer == NULL)
-	goto loser;
+        goto loser;
     layer->secret = (PRFilePrivate *)ns;
 
     /* Here, "stack" points to the PRFileDesc on the top of the stack.
     ** "layer" points to a new FD that is to be inserted into the stack.
-    ** If layer is being pushed onto the top of the stack, then 
+    ** If layer is being pushed onto the top of the stack, then
     ** PR_PushIOLayer switches the contents of stack and layer, and then
-    ** puts stack on top of layer, so that after it is done, the top of 
-    ** stack is the same "stack" as it was before, and layer is now the 
+    ** puts stack on top of layer, so that after it is done, the top of
+    ** stack is the same "stack" as it was before, and layer is now the
     ** FD for the former top of stack.
     ** After this call, stack always points to the top PRFD on the stack.
-    ** If this function fails, the contents of stack and layer are as 
+    ** If this function fails, the contents of stack and layer are as
     ** they were before the call.
     */
     status = PR_PushIOLayer(stack, id, layer);
     if (status != PR_SUCCESS)
-	goto loser;
+        goto loser;
 
     ns->fd = (id == PR_TOP_IO_LAYER) ? stack : layer;
     return PR_SUCCESS;
 
 loser:
     if (layer) {
-	layer->dtor(layer); /* free layer */
+        layer->dtor(layer); /* free layer */
     }
     return PR_FAILURE;
 }
 
 /* if this fails, caller must destroy socket. */
 static SECStatus
 ssl_MakeLocks(sslSocket *ss)
 {
     ss->firstHandshakeLock = PZ_NewMonitor(nssILockSSL);
-    if (!ss->firstHandshakeLock) 
-	goto loser;
+    if (!ss->firstHandshakeLock)
+        goto loser;
     ss->ssl3HandshakeLock  = PZ_NewMonitor(nssILockSSL);
-    if (!ss->ssl3HandshakeLock) 
-	goto loser;
+    if (!ss->ssl3HandshakeLock)
+        goto loser;
     ss->specLock           = NSSRWLock_New(SSL_LOCK_RANK_SPEC, NULL);
-    if (!ss->specLock) 
-	goto loser;
+    if (!ss->specLock)
+        goto loser;
     ss->recvBufLock        = PZ_NewMonitor(nssILockSSL);
-    if (!ss->recvBufLock) 
-	goto loser;
+    if (!ss->recvBufLock)
+        goto loser;
     ss->xmitBufLock        = PZ_NewMonitor(nssILockSSL);
-    if (!ss->xmitBufLock) 
-	goto loser;
+    if (!ss->xmitBufLock)
+        goto loser;
     ss->writerThread       = NULL;
     if (ssl_lock_readers) {
-	ss->recvLock       = PZ_NewLock(nssILockSSL);
-	if (!ss->recvLock) 
-	    goto loser;
-	ss->sendLock       = PZ_NewLock(nssILockSSL);
-	if (!ss->sendLock) 
-	    goto loser;
+        ss->recvLock       = PZ_NewLock(nssILockSSL);
+        if (!ss->recvLock)
+            goto loser;
+        ss->sendLock       = PZ_NewLock(nssILockSSL);
+        if (!ss->sendLock)
+            goto loser;
     }
     return SECSuccess;
 loser:
     ssl_DestroyLocks(ss);
     return SECFailure;
 }
 
 #if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS)
@@ -2807,171 +2807,170 @@ loser:
 
 static void
 ssl_SetDefaultsFromEnvironment(void)
 {
 #if defined( NSS_HAVE_GETENV )
     static int firsttime = 1;
 
     if (firsttime) {
-	char * ev;
-	firsttime = 0;
+        char * ev;
+        firsttime = 0;
 #ifdef DEBUG
-	ev = getenv("SSLDEBUGFILE");
-	if (ev && ev[0]) {
-	    ssl_trace_iob = fopen(ev, "w");
-	}
-	if (!ssl_trace_iob) {
-	    ssl_trace_iob = stderr;
-	}
+        ev = getenv("SSLDEBUGFILE");
+        if (ev && ev[0]) {
+            ssl_trace_iob = fopen(ev, "w");
+        }
+        if (!ssl_trace_iob) {
+            ssl_trace_iob = stderr;
+        }
 #ifdef TRACE
-	ev = getenv("SSLTRACE");
-	if (ev && ev[0]) {
-	    ssl_trace = atoi(ev);
-	    SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
-	}
+        ev = getenv("SSLTRACE");
+        if (ev && ev[0]) {
+            ssl_trace = atoi(ev);
+            SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
+        }
 #endif /* TRACE */
-	ev = getenv("SSLDEBUG");
-	if (ev && ev[0]) {
-	    ssl_debug = atoi(ev);
-	    SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
-	}
+        ev = getenv("SSLDEBUG");
+        if (ev && ev[0]) {
+            ssl_debug = atoi(ev);
+            SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
+        }
 #endif /* DEBUG */
-	ev = getenv("SSLKEYLOGFILE");
-	if (ev && ev[0]) {
-	    ssl_keylog_iob = fopen(ev, "a");
-	    if (!ssl_keylog_iob) {
-		SSL_TRACE(("SSL: failed to open key log file"));
-	    } else {
-		if (ftell(ssl_keylog_iob) == 0) {
-		    fputs("# SSL/TLS secrets log file, generated by NSS\n",
-			  ssl_keylog_iob);
-		}
-		SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev));
-	    }
-	}
+        ev = getenv("SSLKEYLOGFILE");
+        if (ev && ev[0]) {
+            ssl_keylog_iob = fopen(ev, "a");
+            if (!ssl_keylog_iob) {
+                SSL_TRACE(("SSL: failed to open key log file"));
+            } else {
+                if (ftell(ssl_keylog_iob) == 0) {
+                    fputs("# SSL/TLS secrets log file, generated by NSS\n",
+                          ssl_keylog_iob);
+                }
+                SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev));
+            }
+        }
 #ifndef NO_PKCS11_BYPASS
-	ev = getenv("SSLBYPASS");
-	if (ev && ev[0]) {
-	    ssl_defaults.bypassPKCS11 = (ev[0] == '1');
-	    SSL_TRACE(("SSL: bypass default set to %d", \
-		      ssl_defaults.bypassPKCS11));
-	}
+        ev = getenv("SSLBYPASS");
+        if (ev && ev[0]) {
+            ssl_defaults.bypassPKCS11 = (ev[0] == '1');
+            SSL_TRACE(("SSL: bypass default set to %d", \
+                      ssl_defaults.bypassPKCS11));
+        }
 #endif /* NO_PKCS11_BYPASS */
-	ev = getenv("SSLFORCELOCKS");
-	if (ev && ev[0] == '1') {
-	    ssl_force_locks = PR_TRUE;
-	    ssl_defaults.noLocks = 0;
-	    strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED.  ");
-	    SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks));
-	}
-	ev = getenv("NSS_SSL_ENABLE_RENEGOTIATION");
-	if (ev) {
-	    if (ev[0] == '1' || LOWER(ev[0]) == 'u')
-	    	ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED;
-	    else if (ev[0] == '0' || LOWER(ev[0]) == 'n')
-	    	ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER;
-	    else if (ev[0] == '2' || LOWER(ev[0]) == 'r')
-		ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN;
-	    else if (ev[0] == '3' || LOWER(ev[0]) == 't')
-	    	ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL;
-	    SSL_TRACE(("SSL: enableRenegotiation set to %d", 
-	               ssl_defaults.enableRenegotiation));
-	}
-	ev = getenv("NSS_SSL_REQUIRE_SAFE_NEGOTIATION");
-	if (ev && ev[0] == '1') {
-	    ssl_defaults.requireSafeNegotiation = PR_TRUE;
-	    SSL_TRACE(("SSL: requireSafeNegotiation set to %d", 
-	                PR_TRUE));
-	}
-	ev = getenv("NSS_SSL_CBC_RANDOM_IV");
-	if (ev && ev[0] == '0') {
-	    ssl_defaults.cbcRandomIV = PR_FALSE;
-	    SSL_TRACE(("SSL: cbcRandomIV set to 0"));
-	}
+        ev = getenv("SSLFORCELOCKS");
+        if (ev && ev[0] == '1') {
+            ssl_force_locks = PR_TRUE;
+            ssl_defaults.noLocks = 0;
+            strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED.  ");
+            SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks));
+        }
+        ev = getenv("NSS_SSL_ENABLE_RENEGOTIATION");
+        if (ev) {
+            if (ev[0] == '1' || LOWER(ev[0]) == 'u')
+                ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED;
+            else if (ev[0] == '0' || LOWER(ev[0]) == 'n')
+                ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER;
+            else if (ev[0] == '2' || LOWER(ev[0]) == 'r')
+                ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN;
+            else if (ev[0] == '3' || LOWER(ev[0]) == 't')
+                ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL;
+            SSL_TRACE(("SSL: enableRenegotiation set to %d",
+                       ssl_defaults.enableRenegotiation));
+        }
+        ev = getenv("NSS_SSL_REQUIRE_SAFE_NEGOTIATION");
+        if (ev && ev[0] == '1') {
+            ssl_defaults.requireSafeNegotiation = PR_TRUE;
+            SSL_TRACE(("SSL: requireSafeNegotiation set to %d",
+                        PR_TRUE));
+        }
+        ev = getenv("NSS_SSL_CBC_RANDOM_IV");
+        if (ev && ev[0] == '0') {
+            ssl_defaults.cbcRandomIV = PR_FALSE;
+            SSL_TRACE(("SSL: cbcRandomIV set to 0"));
+        }
     }
 #endif /* NSS_HAVE_GETENV */
 }
 
 /*
 ** Create a newsocket structure for a file descriptor.
 */
 static sslSocket *
 ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
 {
     sslSocket *ss;
 
     ssl_SetDefaultsFromEnvironment();
 
     if (ssl_force_locks)
-	makeLocks = PR_TRUE;
+        makeLocks = PR_TRUE;
 
     /* Make a new socket and get it ready */
     ss = (sslSocket*) PORT_ZAlloc(sizeof(sslSocket));
     if (ss) {
         /* This should be of type SSLKEAType, but CC on IRIX
-	 * complains during the for loop.
-	 */
-	int i;
-	SECStatus status;
- 
-	ss->opt                = ssl_defaults;
-	ss->opt.useSocks       = PR_FALSE;
-	ss->opt.noLocks        = !makeLocks;
-	ss->vrange             = *VERSIONS_DEFAULTS(protocolVariant);
-	ss->protocolVariant    = protocolVariant;
-
-	ss->peerID             = NULL;
-	ss->rTimeout	       = PR_INTERVAL_NO_TIMEOUT;
-	ss->wTimeout	       = PR_INTERVAL_NO_TIMEOUT;
-	ss->cTimeout	       = PR_INTERVAL_NO_TIMEOUT;
-	ss->cipherSpecs        = NULL;
+         * complains during the for loop.
+         */
+        int i;
+        SECStatus status;
+
+        ss->opt                = ssl_defaults;
+        ss->opt.useSocks       = PR_FALSE;
+        ss->opt.noLocks        = !makeLocks;
+        ss->vrange             = *VERSIONS_DEFAULTS(protocolVariant);
+        ss->protocolVariant    = protocolVariant;
+
+        ss->peerID             = NULL;
+        ss->rTimeout           = PR_INTERVAL_NO_TIMEOUT;
+        ss->wTimeout           = PR_INTERVAL_NO_TIMEOUT;
+        ss->cTimeout           = PR_INTERVAL_NO_TIMEOUT;
+        ss->cipherSpecs        = NULL;
         ss->sizeCipherSpecs    = 0;  /* produced lazily */
         ss->preferredCipher    = NULL;
         ss->url                = NULL;
 
-	for (i=kt_null; i < kt_kea_size; i++) {
-	    sslServerCerts * sc = ss->serverCerts + i;
-	    sc->serverCert      = NULL;
-	    sc->serverCertChain = NULL;
-	    sc->serverKeyPair   = NULL;
-	    sc->serverKeyBits   = 0;
-	    ss->certStatusArray[i] = NULL;
-	}
-	ss->stepDownKeyPair    = NULL;
-	ss->dbHandle           = CERT_GetDefaultCertDB();
-
-	/* Provide default implementation of hooks */
-	ss->authCertificate    = SSL_AuthCertificate;
-	ss->authCertificateArg = (void *)ss->dbHandle;
+        for (i=kt_null; i < kt_kea_size; i++) {
+            sslServerCerts * sc = ss->serverCerts + i;
+            sc->serverCert      = NULL;
+            sc->serverCertChain = NULL;
+            sc->serverKeyPair   = NULL;
+            sc->serverKeyBits   = 0;
+            ss->certStatusArray[i] = NULL;
+        }
+        ss->stepDownKeyPair    = NULL;
+        ss->dbHandle           = CERT_GetDefaultCertDB();
+
+        /* Provide default implementation of hooks */
+        ss->authCertificate    = SSL_AuthCertificate;
+        ss->authCertificateArg = (void *)ss->dbHandle;
         ss->sniSocketConfig    = NULL;
         ss->sniSocketConfigArg = NULL;
-	ss->getClientAuthData  = NULL;
-	ss->handleBadCert      = NULL;
-	ss->badCertArg         = NULL;
-	ss->pkcs11PinArg       = NULL;
-	ss->ephemeralECDHKeyPair = NULL;
-
-	ssl_ChooseOps(ss);
-	ssl2_InitSocketPolicy(ss);
-	ssl3_InitSocketPolicy(ss);
-	PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
-
-	if (makeLocks) {
-	    status = ssl_MakeLocks(ss);
-	    if (status != SECSuccess)
-		goto loser;
-	}
-	status = ssl_CreateSecurityInfo(ss);
-	if (status != SECSuccess) 
-	    goto loser;
-	status = ssl_InitGather(&ss->gs);
-	if (status != SECSuccess) {
+        ss->getClientAuthData  = NULL;
+        ss->handleBadCert      = NULL;
+        ss->badCertArg         = NULL;
+        ss->pkcs11PinArg       = NULL;
+        ss->ephemeralECDHKeyPair = NULL;
+
+        ssl_ChooseOps(ss);
+        ssl2_InitSocketPolicy(ss);
+        ssl3_InitSocketPolicy(ss);
+        PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
+
+        if (makeLocks) {
+            status = ssl_MakeLocks(ss);
+            if (status != SECSuccess)
+                goto loser;
+        }
+        status = ssl_CreateSecurityInfo(ss);
+        if (status != SECSuccess)
+            goto loser;
+        status = ssl_InitGather(&ss->gs);
+        if (status != SECSuccess) {
 loser:
-	    ssl_DestroySocketContents(ss);
-	    ssl_DestroyLocks(ss);
-	    PORT_Free(ss);
-	    ss = NULL;
-	}
+            ssl_DestroySocketContents(ss);
+            ssl_DestroyLocks(ss);
+            PORT_Free(ss);
+            ss = NULL;
+        }
     }
     return ss;
 }
-
--- a/security/nss/lib/util/secerr.h
+++ b/security/nss/lib/util/secerr.h
@@ -2,217 +2,217 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef __SEC_ERR_H_
 #define __SEC_ERR_H_
 
 #include "utilrename.h"
 
-#define SEC_ERROR_BASE				(-0x2000)
-#define SEC_ERROR_LIMIT				(SEC_ERROR_BASE + 1000)
+#define SEC_ERROR_BASE                          (-0x2000)
+#define SEC_ERROR_LIMIT                         (SEC_ERROR_BASE + 1000)
 
 #define IS_SEC_ERROR(code) \
     (((code) >= SEC_ERROR_BASE) && ((code) < SEC_ERROR_LIMIT))
 
 #ifndef NO_SECURITY_ERROR_ENUM
 typedef enum {
-SEC_ERROR_IO 				    =	SEC_ERROR_BASE + 0,
-SEC_ERROR_LIBRARY_FAILURE 		    =	SEC_ERROR_BASE + 1,
-SEC_ERROR_BAD_DATA 			    =	SEC_ERROR_BASE + 2,
-SEC_ERROR_OUTPUT_LEN 			    =	SEC_ERROR_BASE + 3,
-SEC_ERROR_INPUT_LEN 			    =	SEC_ERROR_BASE + 4,
-SEC_ERROR_INVALID_ARGS 			    =	SEC_ERROR_BASE + 5,
-SEC_ERROR_INVALID_ALGORITHM 		    =	SEC_ERROR_BASE + 6,
-SEC_ERROR_INVALID_AVA 			    =	SEC_ERROR_BASE + 7,
-SEC_ERROR_INVALID_TIME 			    =	SEC_ERROR_BASE + 8,
-SEC_ERROR_BAD_DER 			    =	SEC_ERROR_BASE + 9,
-SEC_ERROR_BAD_SIGNATURE 		    =	SEC_ERROR_BASE + 10,
-SEC_ERROR_EXPIRED_CERTIFICATE 		    =	SEC_ERROR_BASE + 11,
-SEC_ERROR_REVOKED_CERTIFICATE 		    =	SEC_ERROR_BASE + 12,
-SEC_ERROR_UNKNOWN_ISSUER 		    =	SEC_ERROR_BASE + 13,
-SEC_ERROR_BAD_KEY 			    =	SEC_ERROR_BASE + 14,
-SEC_ERROR_BAD_PASSWORD 			    =	SEC_ERROR_BASE + 15,
-SEC_ERROR_RETRY_PASSWORD 		    =	SEC_ERROR_BASE + 16,
-SEC_ERROR_NO_NODELOCK 			    =	SEC_ERROR_BASE + 17,
-SEC_ERROR_BAD_DATABASE 			    =	SEC_ERROR_BASE + 18,
-SEC_ERROR_NO_MEMORY 			    =	SEC_ERROR_BASE + 19,
-SEC_ERROR_UNTRUSTED_ISSUER 		    =	SEC_ERROR_BASE + 20,
-SEC_ERROR_UNTRUSTED_CERT 		    =	SEC_ERROR_BASE + 21,
-SEC_ERROR_DUPLICATE_CERT 		    =	(SEC_ERROR_BASE + 22),
-SEC_ERROR_DUPLICATE_CERT_NAME 		    =	(SEC_ERROR_BASE + 23),
-SEC_ERROR_ADDING_CERT 			    =	(SEC_ERROR_BASE + 24),
-SEC_ERROR_FILING_KEY 			    =	(SEC_ERROR_BASE + 25),
-SEC_ERROR_NO_KEY 			    =	(SEC_ERROR_BASE + 26),
-SEC_ERROR_CERT_VALID 			    =	(SEC_ERROR_BASE + 27),
-SEC_ERROR_CERT_NOT_VALID 		    =	(SEC_ERROR_BASE + 28),
-SEC_ERROR_CERT_NO_RESPONSE 		    =	(SEC_ERROR_BASE + 29),
-SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE 	    =	(SEC_ERROR_BASE + 30),
-SEC_ERROR_CRL_EXPIRED 			    =	(SEC_ERROR_BASE + 31),
-SEC_ERROR_CRL_BAD_SIGNATURE 		    =	(SEC_ERROR_BASE + 32),
-SEC_ERROR_CRL_INVALID 			    =	(SEC_ERROR_BASE + 33),
-SEC_ERROR_EXTENSION_VALUE_INVALID 	    = 	(SEC_ERROR_BASE + 34),
-SEC_ERROR_EXTENSION_NOT_FOUND 		    = 	(SEC_ERROR_BASE + 35),
-SEC_ERROR_CA_CERT_INVALID 		    = 	(SEC_ERROR_BASE + 36),
-SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID 	    = 	(SEC_ERROR_BASE + 37),
-SEC_ERROR_CERT_USAGES_INVALID 		    = 	(SEC_ERROR_BASE + 38),
-SEC_INTERNAL_ONLY 			    =	(SEC_ERROR_BASE + 39),
-SEC_ERROR_INVALID_KEY 			    =	(SEC_ERROR_BASE + 40),
-SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION 	    = 	(SEC_ERROR_BASE + 41),
-SEC_ERROR_OLD_CRL 			    =	(SEC_ERROR_BASE + 42),
-SEC_ERROR_NO_EMAIL_CERT 		    =	(SEC_ERROR_BASE + 43),
-SEC_ERROR_NO_RECIPIENT_CERTS_QUERY 	    =	(SEC_ERROR_BASE + 44),
-SEC_ERROR_NOT_A_RECIPIENT 		    =	(SEC_ERROR_BASE + 45),
-SEC_ERROR_PKCS7_KEYALG_MISMATCH 	    =	(SEC_ERROR_BASE + 46),
-SEC_ERROR_PKCS7_BAD_SIGNATURE 		    =	(SEC_ERROR_BASE + 47),
-SEC_ERROR_UNSUPPORTED_KEYALG 		    =	(SEC_ERROR_BASE + 48),
-SEC_ERROR_DECRYPTION_DISALLOWED 	    =	(SEC_ERROR_BASE + 49),
+SEC_ERROR_IO                                =   SEC_ERROR_BASE + 0,
+SEC_ERROR_LIBRARY_FAILURE                   =   SEC_ERROR_BASE + 1,
+SEC_ERROR_BAD_DATA                          =   SEC_ERROR_BASE + 2,
+SEC_ERROR_OUTPUT_LEN                        =   SEC_ERROR_BASE + 3,
+SEC_ERROR_INPUT_LEN                         =   SEC_ERROR_BASE + 4,
+SEC_ERROR_INVALID_ARGS                      =   SEC_ERROR_BASE + 5,
+SEC_ERROR_INVALID_ALGORITHM                 =   SEC_ERROR_BASE + 6,
+SEC_ERROR_INVALID_AVA                       =   SEC_ERROR_BASE + 7,
+SEC_ERROR_INVALID_TIME                      =   SEC_ERROR_BASE + 8,
+SEC_ERROR_BAD_DER                           =   SEC_ERROR_BASE + 9,
+SEC_ERROR_BAD_SIGNATURE                     =   SEC_ERROR_BASE + 10,
+SEC_ERROR_EXPIRED_CERTIFICATE               =   SEC_ERROR_BASE + 11,
+SEC_ERROR_REVOKED_CERTIFICATE               =   SEC_ERROR_BASE + 12,
+SEC_ERROR_UNKNOWN_ISSUER                    =   SEC_ERROR_BASE + 13,
+SEC_ERROR_BAD_KEY                           =   SEC_ERROR_BASE + 14,
+SEC_ERROR_BAD_PASSWORD                      =   SEC_ERROR_BASE + 15,
+SEC_ERROR_RETRY_PASSWORD                    =   SEC_ERROR_BASE + 16,
+SEC_ERROR_NO_NODELOCK                       =   SEC_ERROR_BASE + 17,
+SEC_ERROR_BAD_DATABASE                      =   SEC_ERROR_BASE + 18,
+SEC_ERROR_NO_MEMORY                         =   SEC_ERROR_BASE + 19,
+SEC_ERROR_UNTRUSTED_ISSUER                  =   SEC_ERROR_BASE + 20,
+SEC_ERROR_UNTRUSTED_CERT                    =   SEC_ERROR_BASE + 21,
+SEC_ERROR_DUPLICATE_CERT                    =   (SEC_ERROR_BASE + 22),
+SEC_ERROR_DUPLICATE_CERT_NAME               =   (SEC_ERROR_BASE + 23),
+SEC_ERROR_ADDING_CERT                       =   (SEC_ERROR_BASE + 24),
+SEC_ERROR_FILING_KEY                        =   (SEC_ERROR_BASE + 25),
+SEC_ERROR_NO_KEY                            =   (SEC_ERROR_BASE + 26),
+SEC_ERROR_CERT_VALID                        =   (SEC_ERROR_BASE + 27),
+SEC_ERROR_CERT_NOT_VALID                    =   (SEC_ERROR_BASE + 28),
+SEC_ERROR_CERT_NO_RESPONSE                  =   (SEC_ERROR_BASE + 29),
+SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE        =   (SEC_ERROR_BASE + 30),
+SEC_ERROR_CRL_EXPIRED                       =   (SEC_ERROR_BASE + 31),
+SEC_ERROR_CRL_BAD_SIGNATURE                 =   (SEC_ERROR_BASE + 32),
+SEC_ERROR_CRL_INVALID                       =   (SEC_ERROR_BASE + 33),
+SEC_ERROR_EXTENSION_VALUE_INVALID           =   (SEC_ERROR_BASE + 34),
+SEC_ERROR_EXTENSION_NOT_FOUND               =   (SEC_ERROR_BASE + 35),
+SEC_ERROR_CA_CERT_INVALID                   =   (SEC_ERROR_BASE + 36),
+SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID       =   (SEC_ERROR_BASE + 37),
+SEC_ERROR_CERT_USAGES_INVALID               =   (SEC_ERROR_BASE + 38),
+SEC_INTERNAL_ONLY                           =   (SEC_ERROR_BASE + 39),
+SEC_ERROR_INVALID_KEY                       =   (SEC_ERROR_BASE + 40),
+SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION        =   (SEC_ERROR_BASE + 41),
+SEC_ERROR_OLD_CRL                           =   (SEC_ERROR_BASE + 42),
+SEC_ERROR_NO_EMAIL_CERT                     =   (SEC_ERROR_BASE + 43),
+SEC_ERROR_NO_RECIPIENT_CERTS_QUERY          =   (SEC_ERROR_BASE + 44),
+SEC_ERROR_NOT_A_RECIPIENT                   =   (SEC_ERROR_BASE + 45),
+SEC_ERROR_PKCS7_KEYALG_MISMATCH             =   (SEC_ERROR_BASE + 46),
+SEC_ERROR_PKCS7_BAD_SIGNATURE               =   (SEC_ERROR_BASE + 47),
+SEC_ERROR_UNSUPPORTED_KEYALG                =   (SEC_ERROR_BASE + 48),
+SEC_ERROR_DECRYPTION_DISALLOWED             =   (SEC_ERROR_BASE + 49),
 /* Fortezza Alerts */
-XP_SEC_FORTEZZA_BAD_CARD 		    =	(SEC_ERROR_BASE + 50),
-XP_SEC_FORTEZZA_NO_CARD 		    =	(SEC_ERROR_BASE + 51),
-XP_SEC_FORTEZZA_NONE_SELECTED 		    =	(SEC_ERROR_BASE + 52),
-XP_SEC_FORTEZZA_MORE_INFO 		    =	(SEC_ERROR_BASE + 53),
-XP_SEC_FORTEZZA_PERSON_NOT_FOUND 	    =	(SEC_ERROR_BASE + 54),
-XP_SEC_FORTEZZA_NO_MORE_INFO 		    =	(SEC_ERROR_BASE + 55),
-XP_SEC_FORTEZZA_BAD_PIN 		    =	(SEC_ERROR_BASE + 56),
-XP_SEC_FORTEZZA_PERSON_ERROR 		    =	(SEC_ERROR_BASE + 57),
-SEC_ERROR_NO_KRL 			    =	(SEC_ERROR_BASE + 58),
-SEC_ERROR_KRL_EXPIRED 			    =	(SEC_ERROR_BASE + 59),
-SEC_ERROR_KRL_BAD_SIGNATURE 		    =	(SEC_ERROR_BASE + 60),
-SEC_ERROR_REVOKED_KEY 			    =	(SEC_ERROR_BASE + 61),
-SEC_ERROR_KRL_INVALID 			    =	(SEC_ERROR_BASE + 62),
-SEC_ERROR_NEED_RANDOM 			    =	(SEC_ERROR_BASE + 63),
-SEC_ERROR_NO_MODULE 			    =	(SEC_ERROR_BASE + 64),
-SEC_ERROR_NO_TOKEN 			    =	(SEC_ERROR_BASE + 65),
-SEC_ERROR_READ_ONLY 			    =	(SEC_ERROR_BASE + 66),
-SEC_ERROR_NO_SLOT_SELECTED 		    =	(SEC_ERROR_BASE + 67),
-SEC_ERROR_CERT_NICKNAME_COLLISION 	    =	(SEC_ERROR_BASE + 68),
-SEC_ERROR_KEY_NICKNAME_COLLISION 	    =	(SEC_ERROR_BASE + 69),
-SEC_ERROR_SAFE_NOT_CREATED 		    =	(SEC_ERROR_BASE + 70),
-SEC_ERROR_BAGGAGE_NOT_CREATED 		    =	(SEC_ERROR_BASE + 71),
-XP_JAVA_REMOVE_PRINCIPAL_ERROR 		    =	(SEC_ERROR_BASE + 72),
-XP_JAVA_DELETE_PRIVILEGE_ERROR 		    =	(SEC_ERROR_BASE + 73),
-XP_JAVA_CERT_NOT_EXISTS_ERROR 		    =	(SEC_ERROR_BASE + 74),
-SEC_ERROR_BAD_EXPORT_ALGORITHM 		    =	(SEC_ERROR_BASE + 75),
-SEC_ERROR_EXPORTING_CERTIFICATES 	    =	(SEC_ERROR_BASE + 76),
-SEC_ERROR_IMPORTING_CERTIFICATES 	    =	(SEC_ERROR_BASE + 77),
-SEC_ERROR_PKCS12_DECODING_PFX 		    =	(SEC_ERROR_BASE + 78),
-SEC_ERROR_PKCS12_INVALID_MAC 		    =	(SEC_ERROR_BASE + 79),
-SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM  =	(SEC_ERROR_BASE + 80),
-SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE =	(SEC_ERROR_BASE + 81),
-SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE 	    =	(SEC_ERROR_BASE + 82),
-SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM  = 	(SEC_ERROR_BASE + 83),
-SEC_ERROR_PKCS12_UNSUPPORTED_VERSION 	    =	(SEC_ERROR_BASE + 84),
-SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT =	(SEC_ERROR_BASE + 85),
-SEC_ERROR_PKCS12_CERT_COLLISION 	    =	(SEC_ERROR_BASE + 86),
-SEC_ERROR_USER_CANCELLED 		    =	(SEC_ERROR_BASE + 87),
-SEC_ERROR_PKCS12_DUPLICATE_DATA 	    =	(SEC_ERROR_BASE + 88),
-SEC_ERROR_MESSAGE_SEND_ABORTED 		    =	(SEC_ERROR_BASE + 89),
-SEC_ERROR_INADEQUATE_KEY_USAGE 		    =	(SEC_ERROR_BASE + 90),
-SEC_ERROR_INADEQUATE_CERT_TYPE 		    =	(SEC_ERROR_BASE + 91),
-SEC_ERROR_CERT_ADDR_MISMATCH 		    =	(SEC_ERROR_BASE + 92),
-SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY 	    =	(SEC_ERROR_BASE + 93),
-SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN 	    =	(SEC_ERROR_BASE + 94),
+XP_SEC_FORTEZZA_BAD_CARD                    =   (SEC_ERROR_BASE + 50),
+XP_SEC_FORTEZZA_NO_CARD                     =   (SEC_ERROR_BASE + 51),
+XP_SEC_FORTEZZA_NONE_SELECTED               =   (SEC_ERROR_BASE + 52),
+XP_SEC_FORTEZZA_MORE_INFO                   =   (SEC_ERROR_BASE + 53),
+XP_SEC_FORTEZZA_PERSON_NOT_FOUND            =   (SEC_ERROR_BASE + 54),
+XP_SEC_FORTEZZA_NO_MORE_INFO                =   (SEC_ERROR_BASE + 55),
+XP_SEC_FORTEZZA_BAD_PIN                     =   (SEC_ERROR_BASE + 56),
+XP_SEC_FORTEZZA_PERSON_ERROR                =   (SEC_ERROR_BASE + 57),
+SEC_ERROR_NO_KRL                            =   (SEC_ERROR_BASE + 58),
+SEC_ERROR_KRL_EXPIRED                       =   (SEC_ERROR_BASE + 59),
+SEC_ERROR_KRL_BAD_SIGNATURE                 =   (SEC_ERROR_BASE + 60),
+SEC_ERROR_REVOKED_KEY                       =   (SEC_ERROR_BASE + 61),
+SEC_ERROR_KRL_INVALID                       =   (SEC_ERROR_BASE + 62),
+SEC_ERROR_NEED_RANDOM                       =   (SEC_ERROR_BASE + 63),
+SEC_ERROR_NO_MODULE                         =   (SEC_ERROR_BASE + 64),
+SEC_ERROR_NO_TOKEN                          =   (SEC_ERROR_BASE + 65),
+SEC_ERROR_READ_ONLY                         =   (SEC_ERROR_BASE + 66),
+SEC_ERROR_NO_SLOT_SELECTED                  =   (SEC_ERROR_BASE + 67),
+SEC_ERROR_CERT_NICKNAME_COLLISION           =   (SEC_ERROR_BASE + 68),
+SEC_ERROR_KEY_NICKNAME_COLLISION            =   (SEC_ERROR_BASE + 69),
+SEC_ERROR_SAFE_NOT_CREATED                  =   (SEC_ERROR_BASE + 70),
+SEC_ERROR_BAGGAGE_NOT_CREATED               =   (SEC_ERROR_BASE + 71),
+XP_JAVA_REMOVE_PRINCIPAL_ERROR              =   (SEC_ERROR_BASE + 72),
+XP_JAVA_DELETE_PRIVILEGE_ERROR              =   (SEC_ERROR_BASE + 73),
+XP_JAVA_CERT_NOT_EXISTS_ERROR               =   (SEC_ERROR_BASE + 74),
+SEC_ERROR_BAD_EXPORT_ALGORITHM              =   (SEC_ERROR_BASE + 75),
+SEC_ERROR_EXPORTING_CERTIFICATES            =   (SEC_ERROR_BASE + 76),
+SEC_ERROR_IMPORTING_CERTIFICATES            =   (SEC_ERROR_BASE + 77),
+SEC_ERROR_PKCS12_DECODING_PFX               =   (SEC_ERROR_BASE + 78),
+SEC_ERROR_PKCS12_INVALID_MAC                =   (SEC_ERROR_BASE + 79),
+SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM  =   (SEC_ERROR_BASE + 80),
+SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE =   (SEC_ERROR_BASE + 81),
+SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE      =   (SEC_ERROR_BASE + 82),
+SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM  =   (SEC_ERROR_BASE + 83),
+SEC_ERROR_PKCS12_UNSUPPORTED_VERSION        =   (SEC_ERROR_BASE + 84),
+SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT =   (SEC_ERROR_BASE + 85),
+SEC_ERROR_PKCS12_CERT_COLLISION             =   (SEC_ERROR_BASE + 86),
+SEC_ERROR_USER_CANCELLED                    =   (SEC_ERROR_BASE + 87),
+SEC_ERROR_PKCS12_DUPLICATE_DATA             =   (SEC_ERROR_BASE + 88),
+SEC_ERROR_MESSAGE_SEND_ABORTED              =   (SEC_ERROR_BASE + 89),
+SEC_ERROR_INADEQUATE_KEY_USAGE              =   (SEC_ERROR_BASE + 90),
+SEC_ERROR_INADEQUATE_CERT_TYPE              =   (SEC_ERROR_BASE + 91),
+SEC_ERROR_CERT_ADDR_MISMATCH                =   (SEC_ERROR_BASE + 92),
+SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY       =   (SEC_ERROR_BASE + 93),
+SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN       =   (SEC_ERROR_BASE + 94),
 SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME = (SEC_ERROR_BASE + 95),
-SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY 	    =	(SEC_ERROR_BASE + 96),
-SEC_ERROR_PKCS12_UNABLE_TO_WRITE 	    = 	(SEC_ERROR_BASE + 97),
-SEC_ERROR_PKCS12_UNABLE_TO_READ 	    =	(SEC_ERROR_BASE + 98),
-SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED 	 = (SEC_ERROR_BASE + 99),
-SEC_ERROR_KEYGEN_FAIL 			    =	(SEC_ERROR_BASE + 100),
-SEC_ERROR_INVALID_PASSWORD 		    =	(SEC_ERROR_BASE + 101),
-SEC_ERROR_RETRY_OLD_PASSWORD 		    =	(SEC_ERROR_BASE + 102),
-SEC_ERROR_BAD_NICKNAME 			    =	(SEC_ERROR_BASE + 103),
-SEC_ERROR_NOT_FORTEZZA_ISSUER 		    = 	(SEC_ERROR_BASE + 104),
+SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY       =   (SEC_ERROR_BASE + 96),
+SEC_ERROR_PKCS12_UNABLE_TO_WRITE            =   (SEC_ERROR_BASE + 97),
+SEC_ERROR_PKCS12_UNABLE_TO_READ             =   (SEC_ERROR_BASE + 98),
+SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED = (SEC_ERROR_BASE + 99),
+SEC_ERROR_KEYGEN_FAIL                       =   (SEC_ERROR_BASE + 100),
+SEC_ERROR_INVALID_PASSWORD                  =   (SEC_ERROR_BASE + 101),
+SEC_ERROR_RETRY_OLD_PASSWORD                =   (SEC_ERROR_BASE + 102),
+SEC_ERROR_BAD_NICKNAME                      =   (SEC_ERROR_BASE + 103),
+SEC_ERROR_NOT_FORTEZZA_ISSUER               =   (SEC_ERROR_BASE + 104),
 SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY         =   (SEC_ERROR_BASE + 105),
-SEC_ERROR_JS_INVALID_MODULE_NAME 	    =	(SEC_ERROR_BASE + 106),
-SEC_ERROR_JS_INVALID_DLL 		    =	(SEC_ERROR_BASE + 107),
-SEC_ERROR_JS_ADD_MOD_FAILURE 		    =	(SEC_ERROR_BASE + 108),
-SEC_ERROR_JS_DEL_MOD_FAILURE 		    =	(SEC_ERROR_BASE + 109),
-SEC_ERROR_OLD_KRL 			    =	(SEC_ERROR_BASE + 110),
-SEC_ERROR_CKL_CONFLICT 			    =	(SEC_ERROR_BASE + 111),
-SEC_ERROR_CERT_NOT_IN_NAME_SPACE 	    =	(SEC_ERROR_BASE + 112),
-SEC_ERROR_KRL_NOT_YET_VALID 		    =	(SEC_ERROR_BASE + 113),
-SEC_ERROR_CRL_NOT_YET_VALID 		    =	(SEC_ERROR_BASE + 114),
-SEC_ERROR_UNKNOWN_CERT 			    =	(SEC_ERROR_BASE + 115),
-SEC_ERROR_UNKNOWN_SIGNER 		    =	(SEC_ERROR_BASE + 116),
-SEC_ERROR_CERT_BAD_ACCESS_LOCATION 	    =	(SEC_ERROR_BASE + 117),
-SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE 	    =	(SEC_ERROR_BASE + 118),
-SEC_ERROR_OCSP_BAD_HTTP_RESPONSE 	    =	(SEC_ERROR_BASE + 119),
-SEC_ERROR_OCSP_MALFORMED_REQUEST 	    =	(SEC_ERROR_BASE + 120),
-SEC_ERROR_OCSP_SERVER_ERROR 		    =	(SEC_ERROR_BASE + 121),
-SEC_ERROR_OCSP_TRY_SERVER_LATER 	    =	(SEC_ERROR_BASE + 122),
-SEC_ERROR_OCSP_REQUEST_NEEDS_SIG 	    =	(SEC_ERROR_BASE + 123),
-SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST 	    =	(SEC_ERROR_BASE + 124),
-SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS 	    =	(SEC_ERROR_BASE + 125),
-SEC_ERROR_OCSP_UNKNOWN_CERT 		    =	(SEC_ERROR_BASE + 126),
-SEC_ERROR_OCSP_NOT_ENABLED 		    =	(SEC_ERROR_BASE + 127),
-SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER 	    =	(SEC_ERROR_BASE + 128),
-SEC_ERROR_OCSP_MALFORMED_RESPONSE 	    =	(SEC_ERROR_BASE + 129),
-SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE 	    =	(SEC_ERROR_BASE + 130),
-SEC_ERROR_OCSP_FUTURE_RESPONSE 		    =	(SEC_ERROR_BASE + 131),
-SEC_ERROR_OCSP_OLD_RESPONSE 		    =	(SEC_ERROR_BASE + 132),
+SEC_ERROR_JS_INVALID_MODULE_NAME            =   (SEC_ERROR_BASE + 106),
+SEC_ERROR_JS_INVALID_DLL                    =   (SEC_ERROR_BASE + 107),
+SEC_ERROR_JS_ADD_MOD_FAILURE                =   (SEC_ERROR_BASE + 108),
+SEC_ERROR_JS_DEL_MOD_FAILURE                =   (SEC_ERROR_BASE + 109),
+SEC_ERROR_OLD_KRL                           =   (SEC_ERROR_BASE + 110),
+SEC_ERROR_CKL_CONFLICT                      =   (SEC_ERROR_BASE + 111),
+SEC_ERROR_CERT_NOT_IN_NAME_SPACE            =   (SEC_ERROR_BASE + 112),
+SEC_ERROR_KRL_NOT_YET_VALID                 =   (SEC_ERROR_BASE + 113),
+SEC_ERROR_CRL_NOT_YET_VALID                 =   (SEC_ERROR_BASE + 114),
+SEC_ERROR_UNKNOWN_CERT                      =   (SEC_ERROR_BASE + 115),
+SEC_ERROR_UNKNOWN_SIGNER                    =   (SEC_ERROR_BASE + 116),
+SEC_ERROR_CERT_BAD_ACCESS_LOCATION          =   (SEC_ERROR_BASE + 117),
+SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE        =   (SEC_ERROR_BASE + 118),
+SEC_ERROR_OCSP_BAD_HTTP_RESPONSE            =   (SEC_ERROR_BASE + 119),
+SEC_ERROR_OCSP_MALFORMED_REQUEST            =   (SEC_ERROR_BASE + 120),
+SEC_ERROR_OCSP_SERVER_ERROR                 =   (SEC_ERROR_BASE + 121),
+SEC_ERROR_OCSP_TRY_SERVER_LATER             =   (SEC_ERROR_BASE + 122),
+SEC_ERROR_OCSP_REQUEST_NEEDS_SIG            =   (SEC_ERROR_BASE + 123),
+SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST         =   (SEC_ERROR_BASE + 124),
+SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS      =   (SEC_ERROR_BASE + 125),
+SEC_ERROR_OCSP_UNKNOWN_CERT                 =   (SEC_ERROR_BASE + 126),
+SEC_ERROR_OCSP_NOT_ENABLED                  =   (SEC_ERROR_BASE + 127),
+SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER         =   (SEC_ERROR_BASE + 128),
+SEC_ERROR_OCSP_MALFORMED_RESPONSE           =   (SEC_ERROR_BASE + 129),
+SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE        =   (SEC_ERROR_BASE + 130),
+SEC_ERROR_OCSP_FUTURE_RESPONSE              =   (SEC_ERROR_BASE + 131),
+SEC_ERROR_OCSP_OLD_RESPONSE                 =   (SEC_ERROR_BASE + 132),
 /* smime stuff */
-SEC_ERROR_DIGEST_NOT_FOUND		    =	(SEC_ERROR_BASE + 133),
-SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE	    =	(SEC_ERROR_BASE + 134),
-SEC_ERROR_MODULE_STUCK			    =	(SEC_ERROR_BASE + 135),
-SEC_ERROR_BAD_TEMPLATE			    =	(SEC_ERROR_BASE + 136),
-SEC_ERROR_CRL_NOT_FOUND 		    =	(SEC_ERROR_BASE + 137),
+SEC_ERROR_DIGEST_NOT_FOUND                  =   (SEC_ERROR_BASE + 133),
+SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE          =   (SEC_ERROR_BASE + 134),
+SEC_ERROR_MODULE_STUCK                      =   (SEC_ERROR_BASE + 135),
+SEC_ERROR_BAD_TEMPLATE                      =   (SEC_ERROR_BASE + 136),
+SEC_ERROR_CRL_NOT_FOUND                     =   (SEC_ERROR_BASE + 137),
 SEC_ERROR_REUSED_ISSUER_AND_SERIAL          =   (SEC_ERROR_BASE + 138),
 SEC_ERROR_BUSY                              =   (SEC_ERROR_BASE + 139),
 SEC_ERROR_EXTRA_INPUT                       =   (SEC_ERROR_BASE + 140),
 /* error codes used by elliptic curve code */
-SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE	    =	(SEC_ERROR_BASE + 141),
-SEC_ERROR_UNSUPPORTED_EC_POINT_FORM	    =	(SEC_ERROR_BASE + 142),
-SEC_ERROR_UNRECOGNIZED_OID		    =	(SEC_ERROR_BASE + 143),
-SEC_ERROR_OCSP_INVALID_SIGNING_CERT	    =   (SEC_ERROR_BASE + 144),
+SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE        =   (SEC_ERROR_BASE + 141),
+SEC_ERROR_UNSUPPORTED_EC_POINT_FORM         =   (SEC_ERROR_BASE + 142),
+SEC_ERROR_UNRECOGNIZED_OID                  =   (SEC_ERROR_BASE + 143),
+SEC_ERROR_OCSP_INVALID_SIGNING_CERT         =   (SEC_ERROR_BASE + 144),
 /* new revocation errors */
-SEC_ERROR_REVOKED_CERTIFICATE_CRL	    =	(SEC_ERROR_BASE + 145),
-SEC_ERROR_REVOKED_CERTIFICATE_OCSP	    =	(SEC_ERROR_BASE + 146),
-SEC_ERROR_CRL_INVALID_VERSION               =	(SEC_ERROR_BASE + 147),
-SEC_ERROR_CRL_V1_CRITICAL_EXTENSION         =	(SEC_ERROR_BASE + 148),
-SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION    =	(SEC_ERROR_BASE + 149),
-SEC_ERROR_UNKNOWN_OBJECT_TYPE               =	(SEC_ERROR_BASE + 150),
-SEC_ERROR_INCOMPATIBLE_PKCS11               =	(SEC_ERROR_BASE + 151),
-SEC_ERROR_NO_EVENT                          = 	(SEC_ERROR_BASE + 152),
-SEC_ERROR_CRL_ALREADY_EXISTS                = 	(SEC_ERROR_BASE + 153),
-SEC_ERROR_NOT_INITIALIZED                   = 	(SEC_ERROR_BASE + 154),
-SEC_ERROR_TOKEN_NOT_LOGGED_IN               = 	(SEC_ERROR_BASE + 155),
-SEC_ERROR_OCSP_RESPONDER_CERT_INVALID      =	(SEC_ERROR_BASE + 156),
-SEC_ERROR_OCSP_BAD_SIGNATURE               =	(SEC_ERROR_BASE + 157),
+SEC_ERROR_REVOKED_CERTIFICATE_CRL           =   (SEC_ERROR_BASE + 145),
+SEC_ERROR_REVOKED_CERTIFICATE_OCSP          =   (SEC_ERROR_BASE + 146),
+SEC_ERROR_CRL_INVALID_VERSION               =   (SEC_ERROR_BASE + 147),
+SEC_ERROR_CRL_V1_CRITICAL_EXTENSION         =   (SEC_ERROR_BASE + 148),
+SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION    =   (SEC_ERROR_BASE + 149),
+SEC_ERROR_UNKNOWN_OBJECT_TYPE               =   (SEC_ERROR_BASE + 150),
+SEC_ERROR_INCOMPATIBLE_PKCS11               =   (SEC_ERROR_BASE + 151),
+SEC_ERROR_NO_EVENT                          =   (SEC_ERROR_BASE + 152),
+SEC_ERROR_CRL_ALREADY_EXISTS                =   (SEC_ERROR_BASE + 153),
+SEC_ERROR_NOT_INITIALIZED                   =   (SEC_ERROR_BASE + 154),
+SEC_ERROR_TOKEN_NOT_LOGGED_IN               =   (SEC_ERROR_BASE + 155),
+SEC_ERROR_OCSP_RESPONDER_CERT_INVALID       =   (SEC_ERROR_BASE + 156),
+SEC_ERROR_OCSP_BAD_SIGNATURE                =   (SEC_ERROR_BASE + 157),
 
-SEC_ERROR_OUT_OF_SEARCH_LIMITS             =	(SEC_ERROR_BASE + 158),
-SEC_ERROR_INVALID_POLICY_MAPPING           =	(SEC_ERROR_BASE + 159),
-SEC_ERROR_POLICY_VALIDATION_FAILED         =	(SEC_ERROR_BASE + 160),
+SEC_ERROR_OUT_OF_SEARCH_LIMITS              =   (SEC_ERROR_BASE + 158),
+SEC_ERROR_INVALID_POLICY_MAPPING            =   (SEC_ERROR_BASE + 159),
+SEC_ERROR_POLICY_VALIDATION_FAILED          =   (SEC_ERROR_BASE + 160),
 /* No longer used.  Unknown AIA location types are now silently ignored. */
-SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE        =	(SEC_ERROR_BASE + 161),
-SEC_ERROR_BAD_HTTP_RESPONSE                =	(SEC_ERROR_BASE + 162),
-SEC_ERROR_BAD_LDAP_RESPONSE                =	(SEC_ERROR_BASE + 163),
-SEC_ERROR_FAILED_TO_ENCODE_DATA            =	(SEC_ERROR_BASE + 164),
-SEC_ERROR_BAD_INFO_ACCESS_LOCATION         =	(SEC_ERROR_BASE + 165), 
+SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE         =   (SEC_ERROR_BASE + 161),
+SEC_ERROR_BAD_HTTP_RESPONSE                 =   (SEC_ERROR_BASE + 162),
+SEC_ERROR_BAD_LDAP_RESPONSE                 =   (SEC_ERROR_BASE + 163),
+SEC_ERROR_FAILED_TO_ENCODE_DATA             =   (SEC_ERROR_BASE + 164),
+SEC_ERROR_BAD_INFO_ACCESS_LOCATION          =   (SEC_ERROR_BASE + 165),
 
-SEC_ERROR_LIBPKIX_INTERNAL                 =	(SEC_ERROR_BASE + 166),
+SEC_ERROR_LIBPKIX_INTERNAL                  =   (SEC_ERROR_BASE + 166),
 
-SEC_ERROR_PKCS11_GENERAL_ERROR             =	(SEC_ERROR_BASE + 167),
-SEC_ERROR_PKCS11_FUNCTION_FAILED           =	(SEC_ERROR_BASE + 168),
-SEC_ERROR_PKCS11_DEVICE_ERROR              =	(SEC_ERROR_BASE + 169),
+SEC_ERROR_PKCS11_GENERAL_ERROR              =   (SEC_ERROR_BASE + 167),
+SEC_ERROR_PKCS11_FUNCTION_FAILED            =   (SEC_ERROR_BASE + 168),
+SEC_ERROR_PKCS11_DEVICE_ERROR               =   (SEC_ERROR_BASE + 169),
 
-SEC_ERROR_BAD_INFO_ACCESS_METHOD           =    (SEC_ERROR_BASE + 170),
-SEC_ERROR_CRL_IMPORT_FAILED                =    (SEC_ERROR_BASE + 171),