Merge m-c to fx-team, a=merge
authorWes Kocher <wkocher@mozilla.com>
Mon, 25 Jan 2016 14:07:49 -0800
changeset 325607 f7e9ad668e37124bf15503f881f4868fb5df6a06
parent 325606 e93d49248f6972e100d089aeeca10a0ab50e375c (current diff)
parent 325588 aa90f482e16db77cdb7dea84564ea1cbd8f7f6b3 (diff)
child 325608 4f5aafee00a612ecda353b28017c86de3ddc7cf3
push id10011
push usercmanchester@mozilla.com
push dateTue, 26 Jan 2016 02:20:25 +0000
reviewersmerge
milestone47.0a1
Merge m-c to fx-team, a=merge
security/nss/cmd/checkcert/Makefile
security/nss/cmd/checkcert/checkcert.c
security/nss/cmd/checkcert/manifest.mn
security/nss/external_tests/ssl_gtest/ssl_prf_unittest.cc
security/nss/tests/ssl_gtests/parsereport.sed
--- a/.hgtags
+++ b/.hgtags
@@ -118,8 +118,9 @@ 2c951493eef5b50b8085ef78ffe0d7902ff3d593
 98086da94ccdc88f6de86774ce3d1fa258dc7c44 FIREFOX_AURORA_38_BASE
 1b6bf6612c0f4d4fee81d18bf18016e692f874e1 FIREFOX_AURORA_39_BASE
 66a95a483d2c77dfc387019336d18093acd6aac2 FIREFOX_AURORA_40_BASE
 312c68b16549de9cea1557f461d5d234bd5e0a7d FIREFOX_AURORA_41_BASE
 7a19194812eb767bee7cdf8fc36ba9a383c1bead FIREFOX_AURORA_42_BASE
 fcef8ded82219c89298b4e376cfbdfba79a1d35a FIREFOX_AURORA_43_BASE
 67a788db9f07822cfef52351bbbe3745dff8bd7f FIREFOX_AURORA_44_BASE
 99137d6d4061f408ae0869122649d8bdf489cc30 FIREFOX_AURORA_45_BASE
+67c66c2878aed17ae3096d7db483ddbb2293c503 FIREFOX_AURORA_46_BASE
--- a/CLOBBER
+++ b/CLOBBER
@@ -17,10 +17,10 @@
 #
 # Modifying this file will now automatically clobber the buildbot machines \o/
 #
 
 # Are you updating CLOBBER because you think it's needed for your WebIDL
 # changes to stick? As of bug 928195, this shouldn't be necessary! Please
 # don't change CLOBBER for WebIDL changes any more.
 
-Bug 1240627 - Enable AVX2 optimizations in ffvpx on Mac
 
+Merge day clobber
\ No newline at end of file
--- a/browser/components/search/test/browser_contextmenu.js
+++ b/browser/components/search/test/browser_contextmenu.js
@@ -4,16 +4,19 @@
  * Test searching for the selected text using the context menu
  */
 
 add_task(function* () {
   const ss = Services.search;
   const ENGINE_NAME = "Foo";
   var contextMenu;
 
+  // We want select events to be fired.
+  yield new Promise(resolve => SpecialPowers.pushPrefEnv({"set": [["dom.select_events.enabled", true]]}, resolve));
+
   let envService = Cc["@mozilla.org/process/environment;1"].getService(Ci.nsIEnvironment);
   let originalValue = envService.get("XPCSHELL_TEST_PROFILE_DIR");
   envService.set("XPCSHELL_TEST_PROFILE_DIR", "1");
 
   let url = "chrome://mochitests/content/browser/browser/components/search/test/";
   let resProt = Services.io.getProtocolHandler("resource")
                         .QueryInterface(Ci.nsIResProtocolHandler);
   let originalSubstitution = resProt.getSubstitution("search-plugins");
--- a/browser/config/version.txt
+++ b/browser/config/version.txt
@@ -1,1 +1,1 @@
-46.0a1
+47.0a1
--- a/browser/config/version_display.txt
+++ b/browser/config/version_display.txt
@@ -1,1 +1,1 @@
-46.0a1
+47.0a1
--- a/config/milestone.txt
+++ b/config/milestone.txt
@@ -5,9 +5,9 @@
 #    x.x.x.x
 #    x.x.x+
 #
 # Referenced by milestone.py.
 # Hopefully I'll be able to automate replacement of *all*
 # hardcoded milestones in the tree from these two files.
 #--------------------------------------------------------
 
-46.0a1
+47.0a1
--- a/dom/bindings/BindingUtils.h
+++ b/dom/bindings/BindingUtils.h
@@ -2304,17 +2304,17 @@ public:
     Nullable<nsTArray<T> >* mNullableArray;
   };
 
   SequenceType mSequenceType;
 };
 
 // Rooter class for MozMap; this is what we mostly use in the codegen.
 template<typename T>
-class MOZ_RAII MozMapRooter : private JS::CustomAutoRooter
+class MOZ_RAII MozMapRooter final : private JS::CustomAutoRooter
 {
 public:
   MozMapRooter(JSContext *aCx, MozMap<T>* aMozMap
                MOZ_GUARD_OBJECT_NOTIFIER_PARAM)
     : JS::CustomAutoRooter(aCx MOZ_GUARD_OBJECT_NOTIFIER_PARAM_TO_PARENT),
       mMozMap(aMozMap),
       mMozMapType(eMozMap)
   {
--- a/dom/bindings/TypedArray.h
+++ b/dom/bindings/TypedArray.h
@@ -407,18 +407,18 @@ public:
   }
 
 private:
   Nullable<ArrayType>* const mArray;
 };
 
 // Class for easily setting up a rooted typed array object on the stack
 template<typename ArrayType>
-class MOZ_RAII RootedTypedArray : public ArrayType,
-                                  private TypedArrayRooter<ArrayType>
+class MOZ_RAII RootedTypedArray final : public ArrayType,
+                                        private TypedArrayRooter<ArrayType>
 {
 public:
   explicit RootedTypedArray(JSContext* cx MOZ_GUARD_OBJECT_NOTIFIER_PARAM) :
     ArrayType(),
     TypedArrayRooter<ArrayType>(cx, this
                                 MOZ_GUARD_OBJECT_NOTIFIER_PARAM_TO_PARENT)
   {
   }
--- a/gfx/layers/basic/BasicCompositor.cpp
+++ b/gfx/layers/basic/BasicCompositor.cpp
@@ -544,16 +544,19 @@ BasicCompositor::BeginFrame(const nsIntR
 
   if (mTarget) {
     // If we have a copy target, then we don't have a widget-provided mDrawTarget (currently). Use a dummy
     // placeholder so that CreateRenderTarget() works.
     mDrawTarget = gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget();
   } else {
     // StartRemoteDrawingInRegion can mutate mInvalidRegion.
     mDrawTarget = mWidget->StartRemoteDrawingInRegion(mInvalidRegion);
+    if (!mDrawTarget) {
+      return;
+    }
     mInvalidRect = mInvalidRegion.GetBounds();
     if (mInvalidRect.IsEmpty()) {
       mWidget->EndRemoteDrawingInRegion(mDrawTarget, mInvalidRegion);
       return;
     }
   }
 
   if (!mDrawTarget || mInvalidRect.IsEmpty()) {
--- a/js/src/jit/RangeAnalysis.cpp
+++ b/js/src/jit/RangeAnalysis.cpp
@@ -2082,17 +2082,17 @@ RangeAnalysis::analyzeLoopPhi(MBasicBloc
         return;
 
     SimpleLinearSum modified = ExtractLinearSum(phi->getLoopBackedgeOperand());
 
     if (modified.term != phi || modified.constant == 0)
         return;
 
     if (!phi->range())
-        phi->setRange(new(alloc()) Range());
+        phi->setRange(new(alloc()) Range(phi));
 
     LinearSum initialSum(alloc());
     if (!initialSum.add(initial, 1))
         return;
 
     // The phi may change by N each iteration, and is either nondecreasing or
     // nonincreasing. initial(phi) is either a lower or upper bound for the
     // phi, and initial(phi) + loopBound * N is either an upper or lower bound,
new file mode 100644
--- /dev/null
+++ b/security/nss/.clang-format
@@ -0,0 +1,64 @@
+---
+Language:        Cpp
+# BasedOnStyle:  Mozilla
+AccessModifierOffset: -2
+AlignAfterOpenBracket: true
+AlignEscapedNewlinesLeft: false
+AlignOperands:   true
+AlignTrailingComments: true
+AllowAllParametersOfDeclarationOnNextLine: false
+AllowShortBlocksOnASingleLine: false
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortIfStatementsOnASingleLine: false
+AllowShortLoopsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: All
+AlwaysBreakAfterDefinitionReturnType: true
+AlwaysBreakTemplateDeclarations: false
+AlwaysBreakBeforeMultilineStrings: false
+BreakBeforeBinaryOperators: None
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializersBeforeComma: false
+BinPackParameters: true
+BinPackArguments: true
+ColumnLimit:     0
+ConstructorInitializerAllOnOneLineOrOnePerLine: true
+ConstructorInitializerIndentWidth: 4
+DerivePointerAlignment: true
+ExperimentalAutoDetectBinPacking: false
+IndentCaseLabels: true
+IndentWrappedFunctionNames: false
+IndentFunctionDeclarationAfterType: false
+MaxEmptyLinesToKeep: 1
+KeepEmptyLinesAtTheStartOfBlocks: true
+NamespaceIndentation: None
+ObjCBlockIndentWidth: 2
+ObjCSpaceAfterProperty: true
+ObjCSpaceBeforeProtocolList: false
+PenaltyBreakBeforeFirstCallParameter: 19
+PenaltyBreakComment: 300
+PenaltyBreakString: 1000
+PenaltyBreakFirstLessLess: 120
+PenaltyExcessCharacter: 1000000
+PenaltyReturnTypeOnItsOwnLine: 200
+PointerAlignment: Right
+SpacesBeforeTrailingComments: 1
+Cpp11BracedListStyle: false
+Standard:        Cpp03
+IndentWidth:     4
+TabWidth:        8
+UseTab:          Never
+BreakBeforeBraces: Linux
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+SpacesInAngles:  false
+SpaceInEmptyParentheses: false
+SpacesInCStyleCastParentheses: false
+SpaceAfterCStyleCast: false
+SpacesInContainerLiterals: true
+SpaceBeforeAssignmentOperators: true
+ContinuationIndentWidth: 4
+CommentPragmas:  '^ IWYU pragma:'
+ForEachMacros:   [ foreach, Q_FOREACH, BOOST_FOREACH ]
+SpaceBeforeParens: ControlStatements
+DisableFormat:   false
+...
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_21_RTM
+NSS_3_22_BETA2
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -3491,16 +3491,19 @@ shutdown:
 	PR_Close(outFile);
     }
     SECITEM_FreeItem(&certReqDER, PR_FALSE);
     SECITEM_FreeItem(&certDER, PR_FALSE);
     if (pwdata.data && pwdata.source == PW_PLAINTEXT) {
 	/* Allocated by a PL_strdup call in SECU_GetModulePassword. */
 	PL_strfree(pwdata.data);
     }
+    if (email) {
+	PL_strfree(email);
+    }
 
     /* Open the batch command file.
      *
      * - If -B <command line> option is specified, the contents in the
      * command file will be interpreted as subsequent certutil
      * commands to be executed in the current certutil process
      * context after the current certutil command has been executed.
      * - Each line in the command file consists of the command
--- a/security/nss/cmd/certutil/keystuff.c
+++ b/security/nss/cmd/certutil/keystuff.c
@@ -37,17 +37,17 @@ extern char *sys_errlist[];
 
 #define ERROR_BREAK rv = SECFailure;break;
 
 const SEC_ASN1Template SECKEY_PQGParamsTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) },
-    { 0, }
+    { 0 }
 };
 
 /* returns 0 for success, -1 for failure (EOF encountered) */
 static int
 UpdateRNG(void)
 {
     char           randbuf[RAND_BUF_SIZE];
     int            fd,  count;
deleted file mode 100644
--- a/security/nss/cmd/checkcert/Makefile
+++ /dev/null
@@ -1,48 +0,0 @@
-#! gmake
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
-
-
-include ../platrules.mk
-
deleted file mode 100644
--- a/security/nss/cmd/checkcert/checkcert.c
+++ /dev/null
@@ -1,575 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "secutil.h"
-#include "plgetopt.h"
-#include "cert.h"
-#include "secoid.h"
-#include "cryptohi.h"
-
-/* maximum supported modulus length in bits (indicate problem if over this) */
-#define MAX_MODULUS (1024)
-
-
-static void Usage(char *progName)
-{
-    fprintf(stderr, "Usage: %s [aAvf] [certtocheck] [issuingcert]\n",
-	    progName);
-    fprintf(stderr, "%-20s Cert to check is base64 encoded\n",
-	    "-a");
-    fprintf(stderr, "%-20s Issuer's cert is base64 encoded\n",
-	    "-A");
-    fprintf(stderr, "%-20s Verbose (indicate decoding progress etc.)\n",
-	    "-v");
-    fprintf(stderr, "%-20s Force sanity checks even if pretty print fails.\n",
-	    "-f");
-    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
-	    "-o output");
-    fprintf(stderr, "%-20s Specify the input type (no default)\n",
-	    "-t type");
-    exit(-1);
-}
-
-
-/*
- * Check integer field named fieldName, printing out results and
- * returning the length of the integer in bits
- */   
-
-static
-int checkInteger(SECItem *intItem, char *fieldName, int verbose) 
-{
-    int len, bitlen;
-    if (verbose) {
-	printf("Checking %s\n", fieldName);
-    }
-
-    len = intItem->len;
-
-    if (len && (intItem->data[0] & 0x80)) {
-	printf("PROBLEM: %s is NEGATIVE 2's-complement integer.\n",
-	       fieldName);
-    }
-
-
-    /* calculate bit length and check for unnecessary leading zeros */
-    bitlen = len << 3;
-    if (len > 1 && intItem->data[0] == 0) {
-	/* leading zero byte(s) */
-	if (!(intItem->data[1] & 0x80)) {
-	    printf("PROBLEM: %s has unneeded leading zeros.  Violates DER.\n",
-		   fieldName);
-	}
-	/* strip leading zeros in length calculation */
-	{
-	    int i=0;
-	    while (bitlen > 8 && intItem->data[i] == 0) {
-		bitlen -= 8;
-		i++;
-	    }
-	}
-    }
-    return bitlen;
-}
-
-
-
-
-static
-void checkName(CERTName *n, char *fieldName, int verbose)
-{
-    char *v=0;
-    if (verbose) {
-	printf("Checking %s\n", fieldName);
-    }
-
-    v = CERT_GetCountryName(n);
-    if (!v) {
-	printf("PROBLEM: %s lacks Country Name (C)\n",
-	       fieldName);
-    }
-    PORT_Free(v);
-
-    v = CERT_GetOrgName(n);
-    if (!v) {
-	printf("PROBLEM: %s lacks Organization Name (O)\n",
-	       fieldName);
-    }
-    PORT_Free(v);
-
-    v = CERT_GetOrgUnitName(n);
-    if (!v) {
-	printf("WARNING: %s lacks Organization Unit Name (OU)\n",
-	       fieldName);
-    }
-    PORT_Free(v);	
-
-    v = CERT_GetCommonName(n);
-    if (!v) {
-	printf("PROBLEM: %s lacks Common Name (CN)\n",
-	       fieldName);
-    }
-    PORT_Free(v);
-}
-
-
-static
-SECStatus
-OurVerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
-	      SECItem *sig, SECAlgorithmID *sigAlgorithm)
-{
-    SECStatus rv;
-    VFYContext *cx;
-    SECOidData *sigAlgOid, *oiddata;
-    SECOidTag hashAlgTag;
-    int showDigestOid=0;
-
-    cx = VFY_CreateContextWithAlgorithmID(key, sig, sigAlgorithm, &hashAlgTag, 
-                                          NULL);
-    if (cx == NULL)
-	return SECFailure;
-
-    sigAlgOid = SECOID_FindOID(&sigAlgorithm->algorithm);
-    if (sigAlgOid == 0)
-	return SECFailure;
-
-    if (showDigestOid) {
-	oiddata = SECOID_FindOIDByTag(hashAlgTag);
-	if ( oiddata ) {
-	    printf("PROBLEM: (cont) Digest OID is %s\n", oiddata->desc);
-	} else {
-	    SECU_PrintAsHex(stdout,
-			    &oiddata->oid, "PROBLEM: UNKNOWN OID", 0);
-	}
-    }
-
-    rv = VFY_Begin(cx);
-    if (rv == SECSuccess) {
-	rv = VFY_Update(cx, buf, len);
-	if (rv == SECSuccess)
-	    rv = VFY_End(cx);
-    }
-
-    VFY_DestroyContext(cx, PR_TRUE);
-    return rv;
-}
-
-
-
-static
-SECStatus
-OurVerifySignedData(CERTSignedData *sd, CERTCertificate *cert)
-{
-    SECItem sig;
-    SECKEYPublicKey *pubKey = 0;
-    SECStatus rv;
-
-    /* check the certificate's validity */
-    rv = CERT_CertTimesValid(cert);
-    if ( rv ) {
-	return(SECFailure);
-    }
-
-    /* get cert's public key */
-    pubKey = CERT_ExtractPublicKey(cert);
-    if ( !pubKey ) {
-	return(SECFailure);
-    }
-
-    /* check the signature */
-    sig = sd->signature;
-    DER_ConvertBitString(&sig);
-    rv = OurVerifyData(sd->data.data, sd->data.len, pubKey, &sig,
-		       &sd->signatureAlgorithm);
-
-    SECKEY_DestroyPublicKey(pubKey);
-
-    if ( rv ) {
-	return(SECFailure);
-    }
-
-    return(SECSuccess);
-}
-
-
-
-
-static
-CERTCertificate *createEmptyCertificate(void)
-{
-    PLArenaPool *arena = 0;
-    CERTCertificate *c = 0;
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if ( !arena ) {
-	return 0;
-    }
-
-
-    c = (CERTCertificate *) PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
-
-    if (c) {
-	c->referenceCount = 1;
-	c->arena = arena;
-    } else {
-	PORT_FreeArena(arena,PR_TRUE);
-    }
-
-    return c;
-}
-
-
-int main(int argc, char **argv)
-{
-    int verbose=0, force=0;
-    int ascii=0, issuerAscii=0;
-    char *progName=0;
-    PRFileDesc *inFile=0, *issuerCertFile=0;
-    SECItem derCert, derIssuerCert;
-    PLArenaPool *arena=0;
-    CERTSignedData *signedData=0;
-    CERTCertificate *cert=0, *issuerCert=0;
-    SECKEYPublicKey *rsapubkey=0;
-    SECAlgorithmID md5WithRSAEncryption, md2WithRSAEncryption;
-    SECAlgorithmID sha1WithRSAEncryption, rsaEncryption;
-    SECItem spk;
-    int selfSigned=0;
-    int invalid=0;
-    char *inFileName = NULL, *issuerCertFileName = NULL;
-    PLOptState *optstate;
-    PLOptStatus status;
-    SECStatus rv;
-
-    PORT_Memset(&md5WithRSAEncryption, 0, sizeof(md5WithRSAEncryption));
-    PORT_Memset(&md2WithRSAEncryption, 0, sizeof(md2WithRSAEncryption));
-    PORT_Memset(&sha1WithRSAEncryption, 0, sizeof(sha1WithRSAEncryption));
-    PORT_Memset(&rsaEncryption, 0, sizeof(rsaEncryption));
-
-    progName = strrchr(argv[0], '/');
-    progName = progName ? progName+1 : argv[0];
-
-    optstate = PL_CreateOptState(argc, argv, "aAvf");
-    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
-	switch (optstate->option) {
-	  case 'v':
-	    verbose = 1;
-	    break;
-
-	  case 'f':
-	    force = 1;
-	    break;
-
-	  case 'a':
-	    ascii = 1;
-	    break;
-
-	  case 'A':
-	    issuerAscii = 1;
-	    break;
-
-	  case '\0':
-	    if (!inFileName)
-		inFileName = PL_strdup(optstate->value);
-	    else if (!issuerCertFileName)
-		issuerCertFileName = PL_strdup(optstate->value);
-	    else
-		Usage(progName);
-	    break;
-	}
-    }
-
-    if (!inFileName || !issuerCertFileName || status == PL_OPT_BAD) {
-	/* insufficient or excess args */
-	Usage(progName);
-    }
-
-    inFile = PR_Open(inFileName, PR_RDONLY, 0);
-    if (!inFile) {
-	fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-	                 progName, inFileName);
-	exit(1);
-    }
-
-    issuerCertFile = PR_Open(issuerCertFileName, PR_RDONLY, 0);
-    if (!issuerCertFile) {
-	fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
-	                 progName, issuerCertFileName);
-	exit(1);
-    }
-
-    if (SECU_ReadDERFromFile(&derCert, inFile, ascii, PR_FALSE) != SECSuccess) {
-	printf("Couldn't read input certificate as DER binary or base64\n");
-	exit(1);
-    }
-
-    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    if (arena == 0) {
-	fprintf(stderr,"%s: can't allocate scratch arena!", progName);
-	exit(1);
-    }
-
-    if (issuerCertFile) {
-	CERTSignedData *issuerCertSD=0;
-	if (SECU_ReadDERFromFile(&derIssuerCert, issuerCertFile, issuerAscii,
-	                         PR_FALSE) != SECSuccess) {
-	    printf("Couldn't read issuer certificate as DER binary or base64.\n");
-	    exit(1);
-	}
-	issuerCertSD = PORT_ArenaZNew(arena, CERTSignedData);
-	if (!issuerCertSD) {
-	    fprintf(stderr,"%s: can't allocate issuer signed data!", progName);
-	    exit(1);
-	}
-	rv = SEC_ASN1DecodeItem(arena, issuerCertSD, 
-	                        SEC_ASN1_GET(CERT_SignedDataTemplate),
-				&derIssuerCert);
-	if (rv) {
-	    fprintf(stderr, "%s: Issuer cert isn't X509 SIGNED Data?\n",
-		    progName);
-	    exit(1);
-	}
-	issuerCert = createEmptyCertificate();
-	if (!issuerCert) {
-	    printf("%s: can't allocate space for issuer cert.", progName);
-	    exit(1);
-	}
-	rv = SEC_ASN1DecodeItem(arena, issuerCert, 
-	                    SEC_ASN1_GET(CERT_CertificateTemplate),
-			    &issuerCertSD->data);
-	if (rv) {
-	    printf("%s: Does not appear to be an X509 Certificate.\n",
-		   progName);
-	    exit(1);
-	}
-    }
-
-    signedData =  PORT_ArenaZNew(arena,CERTSignedData);
-    if (!signedData) {
-	fprintf(stderr,"%s: can't allocate signedData!", progName);
-	exit(1);
-    }
-
-    rv = SEC_ASN1DecodeItem(arena, signedData, 
-                            SEC_ASN1_GET(CERT_SignedDataTemplate), 
-			    &derCert);
-    if (rv) {
-	fprintf(stderr, "%s: Does not appear to be X509 SIGNED Data.\n",
-		progName);
-	exit(1);
-    }
-
-    if (verbose) {
-	printf("Decoded ok as X509 SIGNED data.\n");
-    }
-
-    cert = createEmptyCertificate();
-    if (!cert) {
-	fprintf(stderr, "%s: can't allocate cert", progName);
-	exit(1);
-    }
-
-    rv = SEC_ASN1DecodeItem(arena, cert, 
-                        SEC_ASN1_GET(CERT_CertificateTemplate), 
-			&signedData->data);
-    if (rv) {
-	fprintf(stderr, "%s: Does not appear to be an X509 Certificate.\n",
-		progName);
-	exit(1);
-    }
-
-
-    if (verbose) {
-	printf("Decoded ok as an X509 certificate.\n");
-    }
-
-    SECU_RegisterDynamicOids();
-    rv = SECU_PrintSignedData(stdout, &derCert, "Certificate", 0,
-			      (SECU_PPFunc)SECU_PrintCertificate);
-
-    if (rv) {
-	fprintf(stderr, "%s: Unable to pretty print cert. Error: %d\n",
-		progName, PORT_GetError());
-	if (!force) {
-	    exit(1);
-	}
-    }
-
-
-    /* Do various checks on the cert */
-
-    printf("\n");
-
-    /* Check algorithms */
-    rv = SECOID_SetAlgorithmID(arena, &md5WithRSAEncryption,
-		       SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION, NULL);
-    if (rv) {
-	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION.\n",
-                progName);
-	exit(1);
-    }
-
-    rv = SECOID_SetAlgorithmID(arena, &md2WithRSAEncryption,
-		       SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION, NULL);
-    if (rv) {
-	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION.\n",
-                progName);
-	exit(1);
-    }
-
-    rv = SECOID_SetAlgorithmID(arena, &sha1WithRSAEncryption,
-		       SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, NULL);
-    if (rv) {
-	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION.\n",
-                progName);
-	exit(1);
-    }
-
-    rv = SECOID_SetAlgorithmID(arena, &rsaEncryption,
-		       SEC_OID_PKCS1_RSA_ENCRYPTION, NULL);
-    if (rv) {
-	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_RSA_ENCRYPTION.\n",
-                progName);
-	exit(1);
-    }
-
-    {
-	int isMD5RSA = (SECOID_CompareAlgorithmID(&cert->signature,
-					       &md5WithRSAEncryption) == 0);
-	int isMD2RSA = (SECOID_CompareAlgorithmID(&cert->signature,
-					       &md2WithRSAEncryption) == 0);
-	int isSHA1RSA = (SECOID_CompareAlgorithmID(&cert->signature,
-					       &sha1WithRSAEncryption) == 0);
-
-	if (verbose) {
-	    printf("\nDoing algorithm checks.\n");
-	}
-
-	if (!(isMD5RSA || isMD2RSA || isSHA1RSA)) {
-	    printf("PROBLEM: Signature not PKCS1 MD5, MD2, or SHA1 + RSA.\n");
-	} else if (!isMD5RSA) {
-	    printf("WARNING: Signature not PKCS1 MD5 with RSA Encryption\n");
-	}
-
-	if (SECOID_CompareAlgorithmID(&cert->signature,
-				   &signedData->signatureAlgorithm)) {
-	    printf("PROBLEM: Algorithm in sig and certInfo don't match.\n");
-	}
-    }
-
-    if (SECOID_CompareAlgorithmID(&cert->subjectPublicKeyInfo.algorithm,
-			       &rsaEncryption)) {
-	printf("PROBLEM: Public key algorithm is not PKCS1 RSA Encryption.\n");
-    }
-
-    /* Check further public key properties */
-    spk = cert->subjectPublicKeyInfo.subjectPublicKey;
-    DER_ConvertBitString(&spk);
-
-    if (verbose) {
-	printf("\nsubjectPublicKey DER\n");
-	rv = DER_PrettyPrint(stdout, &spk, PR_FALSE);
-	printf("\n");
-    }
-
-    rsapubkey = (SECKEYPublicKey *) 
-	             PORT_ArenaZAlloc(arena,sizeof(SECKEYPublicKey));
-    if (!rsapubkey) {
-	fprintf(stderr, "%s: rsapubkey allocation failed.\n", progName);
-	exit(1);
-    }
-
-    rv = SEC_ASN1DecodeItem(arena, rsapubkey, 
-                            SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate), &spk);
-    if (rv) {
-	printf("PROBLEM: subjectPublicKey is not a DER PKCS1 RSAPublicKey.\n");
-    } else {
-	int mlen;
-	int pubexp;
-	if (verbose) {
-	    printf("Decoded RSA Public Key ok.  Doing key checks.\n");
-	}
-	PORT_Assert(rsapubkey->keyType == rsaKey); /* XXX RSA */
-	mlen = checkInteger(&rsapubkey->u.rsa.modulus, "Modulus", verbose);
-	printf("INFO: Public Key modulus length in bits: %d\n", mlen);
-	if (mlen > MAX_MODULUS) {
-	    printf("PROBLEM: Modulus length exceeds %d bits.\n",
-		   MAX_MODULUS);
-	}
-	if (mlen < 512) {
-	    printf("WARNING: Short modulus.\n");
-	}
-	if (mlen != (1 << (ffs(mlen)-1))) {
-	    printf("WARNING: Unusual modulus length (not a power of two).\n");
-	}
-	checkInteger(&rsapubkey->u.rsa.publicExponent, "Public Exponent",
-                     verbose);
-	pubexp = DER_GetInteger(&rsapubkey->u.rsa.publicExponent);
-	if (pubexp != 17 && pubexp != 3 && pubexp != 65537) {
-	    printf("WARNING: Public exponent not any of: 3, 17, 65537\n");
-	}
-    }
-
-
-    /* Name checks */
-    checkName(&cert->issuer, "Issuer Name", verbose);
-    checkName(&cert->subject, "Subject Name", verbose);
-
-    if (issuerCert) {
-	SECComparison c =
-	    CERT_CompareName(&cert->issuer, &issuerCert->subject);
-	if (c) {
-         printf("PROBLEM: Issuer Name and Subject in Issuing Cert differ\n");
-        }
-    }
-
-    /* Check if self-signed */
-    selfSigned = (CERT_CompareName(&cert->issuer, &cert->subject) == 0);
-    if (selfSigned) {
-	printf("INFO: Certificate is self signed.\n");
-    } else {
-	printf("INFO: Certificate is NOT self-signed.\n");
-    }
-
-
-    /* Validity time check */
-    if (CERT_CertTimesValid(cert) == SECSuccess) {
-	printf("INFO: Inside validity period of certificate.\n");
-    } else {
-	printf("PROBLEM: Not in validity period of certificate.\n");
-	invalid = 1;
-    }
-
-    /* Signature check if self-signed */
-    if (selfSigned && !invalid) {
-	if (rsapubkey->u.rsa.modulus.len) {
-	    SECStatus ver;
-	    if (verbose) {
-		printf("Checking self signature.\n");
-	    }
-	    ver = OurVerifySignedData(signedData, cert);
-	    if (ver != SECSuccess) {
-		printf("PROBLEM: Verification of self-signature failed!\n");
-	    } else {
-		printf("INFO: Self-signature verifies ok.\n");
-	    }
-	} else {
-	    printf("INFO: Not checking signature due to key problems.\n");
-	}
-    } else if (!selfSigned && !invalid && issuerCert) {
-	SECStatus ver;
-	ver = OurVerifySignedData(signedData, issuerCert);
-	if (ver != SECSuccess) {
-	    printf("PROBLEM: Verification of issuer's signature failed!\n");
-	} else {
-	    printf("INFO: Issuer's signature verifies ok.\n");
-	}
-    } else {
-	printf("INFO: Not checking signature.\n");
-    }
-
-    return 0;    
-}
-
-
-
deleted file mode 100644
--- a/security/nss/cmd/checkcert/manifest.mn
+++ /dev/null
@@ -1,19 +0,0 @@
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-CORE_DEPTH	= ../..
-
-# MODULE public and private header  directories are implicitly REQUIRED.
-MODULE = nss 
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-REQUIRES = seccmd dbm 
-
-DEFINES = -DNSPR20
-
-CSRCS = checkcert.c
-
-PROGRAM	= checkcert
--- a/security/nss/cmd/fipstest/fipstest.c
+++ b/security/nss/cmd/fipstest/fipstest.c
@@ -5339,19 +5339,19 @@ rsa_siggen_test(char *reqfn)
 
             unsigned char msg[128]; /* MAX msg 128 */
             unsigned int rsa_bytes_signed;
             unsigned char rsa_computed_signature[RSA_MAX_TEST_MODULUS_BYTES];
             SECStatus       rv = SECFailure;
             NSSLOWKEYPublicKey  * rsa_public_key;
             NSSLOWKEYPrivateKey * rsa_private_key;
             NSSLOWKEYPrivateKey   low_RSA_private_key = { NULL,
-                                                NSSLOWKEYRSAKey, };
+                                                NSSLOWKEYRSAKey };
             NSSLOWKEYPublicKey    low_RSA_public_key = { NULL,
-                                                NSSLOWKEYRSAKey, };
+                                                NSSLOWKEYRSAKey };
 
             low_RSA_private_key.u.rsa = *rsaBlapiPrivKey;
             low_RSA_public_key.u.rsa = *rsaBlapiPublicKey;
 
             rsa_private_key = &low_RSA_private_key;
             rsa_public_key = &low_RSA_public_key;
 
             memset(sha, 0, sizeof sha);
@@ -5605,17 +5605,17 @@ rsa_sigver_test(char *reqfn)
 
         }
 
         /* S = ... */
         if (buf[0] == 'S') {
             SECStatus rv = SECFailure;
             NSSLOWKEYPublicKey  * rsa_public_key;
             NSSLOWKEYPublicKey    low_RSA_public_key = { NULL,
-                                                  NSSLOWKEYRSAKey, };
+                                                  NSSLOWKEYRSAKey };
 
             /* convert to a low RSA public key */
             low_RSA_public_key.u.rsa = rsaBlapiPublicKey;
             rsa_public_key = &low_RSA_public_key;
 
             memset(signature, 0, sizeof(signature));
             i = 1;
             while (isspace(buf[i]) || buf[i] == '=') {
--- a/security/nss/cmd/lib/derprint.c
+++ b/security/nss/cmd/lib/derprint.c
@@ -25,16 +25,23 @@ getInteger256(const unsigned char *data,
 	break;
       case 2:
 	val = (data[0] << 8) | data[1];
 	break;
       case 3:
 	val = (data[0] << 16) | (data[1] << 8) | data[2];
 	break;
       case 4:
+	/* If the most significant bit of data[0] is 1, val would be negative.
+	 * Treat it as an error.
+	 */
+	if (data[0] & 0x80) {
+	    PORT_SetError(SEC_ERROR_BAD_DER);
+	    return -1;
+	}
 	val = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
 	break;
       default:
 	PORT_SetError(SEC_ERROR_BAD_DER);
 	return -1;
     }
 
     return val;
@@ -227,16 +234,20 @@ prettyPrintObjectID(FILE *out, const uns
     /*
      * First print the Object Id in numeric format
      */
 
     rv = prettyIndent(out, level);
     if (rv < 0)
 	return rv;
 
+    if (len == 0) {
+	PORT_SetError(SEC_ERROR_BAD_DER);
+	return -1;
+    }
     val = data[0];
     i   = val % 40;
     val = val / 40;
     rv = fprintf(out, "%lu %u ", val, i);
     if (rv < 0) {
 	PORT_SetError(SEC_ERROR_IO);
 	return rv;
     }
@@ -277,34 +288,27 @@ prettyPrintObjectID(FILE *out, const uns
 
 	rv = fprintf(out, "(%s)", oiddata->desc);
 	if (rv < 0) {
 	    PORT_SetError(SEC_ERROR_IO);
 	    return rv;
 	}
     }
 
-    /*
-     * Finally, on a new line, print the raw bytes (if requested).
-     */
+    rv = prettyNewline(out);
+    if (rv < 0)
+	return rv;
+
     if (raw) {
-	rv = prettyNewline(out);
-	if (rv < 0) {
-	    PORT_SetError(SEC_ERROR_IO);
+	rv = prettyPrintLeaf(out, data, len, level);
+	if (rv < 0)
 	    return rv;
-	}
-
-	for (i = 0; i < len; i++) {
-	    rv = prettyPrintByte(out, *data++, level);
-	    if (rv < 0)
-		return rv;
-	}
     }
 
-    return prettyNewline(out);
+    return 0;
 }
 
 static char *prettyTagType [32] = {
   "End of Contents",
   "Boolean",
   "Integer",
   "Bit String",
   "Octet String",
@@ -418,16 +422,17 @@ prettyPrintLength(FILE *out, const unsig
     if (rv < 0) {
         PORT_SetError(SEC_ERROR_IO);
 	return rv;
     }
 
     *indefinitep = PR_FALSE;
 
     lbyte = *data++;
+    lenLen = 1;
     if (lbyte >= 0x80) {
 	/* Multibyte length */
 	unsigned nb = (unsigned) (lbyte & 0x7f);
 	if (nb > 4) {
 	    PORT_SetError(SEC_ERROR_BAD_DER);
 	    return -1;
 	}
 	if (nb > 0) {
@@ -439,32 +444,31 @@ prettyPrintLength(FILE *out, const unsig
 	    }
 	    il = getInteger256(data, nb);
 	    if (il < 0) return -1;
 	    *lenp = (unsigned) il;
 	} else {
 	    *lenp = 0;
 	    *indefinitep = PR_TRUE;
 	}
-	lenLen = nb + 1;
+	lenLen += nb;
 	if (raw) {
 	    unsigned int i;
 
 	    rv = prettyPrintByte(out, lbyte, lv);
 	    if (rv < 0)
 		return rv;
 	    for (i = 0; i < nb; i++) {
 		rv = prettyPrintByte(out, data[i], lv);
 		if (rv < 0)
 		    return rv;
 	    }
 	}
     } else {
 	*lenp = lbyte;
-	lenLen = 1;
 	if (raw) {
 	    rv = prettyPrintByte(out, lbyte, lv);
 	    if (rv < 0)
 		return rv;
 	}
     }
     if (*indefinitep)
 	rv = fprintf(out, "(indefinite)\n");
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -415,16 +415,19 @@ SECU_DefaultSSLDir(void)
 {
     char *dir;
     static char sslDir[1000];
 
     dir = PR_GetEnv("SSL_DIR");
     if (!dir)
 	return NULL;
 
+    if (strlen(dir) >= PR_ARRAY_SIZE(sslDir)) {
+	return NULL;
+    }
     sprintf(sslDir, "%s", dir);
 
     if (sslDir[strlen(sslDir)-1] == '/')
 	sslDir[strlen(sslDir)-1] = 0;
 
     return sslDir;
 }
 
@@ -3295,16 +3298,17 @@ SECU_displayVerifyLog(FILE *outfile, CER
 		    break;
 		case KU_KEY_CERT_SIGN:
 		    errstr = "Cert cannot sign other certs.";
 		    break;
 		default:
 		    errstr = "[unknown usage].";
 		    break;
 		}
+		break;
 	    case SEC_ERROR_INADEQUATE_CERT_TYPE:
 		flags = (unsigned int)((char *)node->arg - (char *)NULL);
 		switch (flags) {
 		case NS_CERT_TYPE_SSL_CLIENT:
 		case NS_CERT_TYPE_SSL_SERVER:
 		    errstr = "Cert cannot be used for SSL.";
 		    break;
 		case NS_CERT_TYPE_SSL_CA:
@@ -3321,16 +3325,17 @@ SECU_displayVerifyLog(FILE *outfile, CER
 		    break;
 		case NS_CERT_TYPE_OBJECT_SIGNING_CA:
 		    errstr = "Cert cannot be used as an object signing CA.";
 		    break;
 		default:
 		    errstr = "[unknown usage].";
 		    break;
 		}
+		break;
 	    case SEC_ERROR_UNKNOWN_ISSUER:
 	    case SEC_ERROR_UNTRUSTED_ISSUER:
 	    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
 		errstr = node->cert->issuerName;
 		break;
 	    default:
 		break;
 	    }
--- a/security/nss/cmd/libpkix/pkixutil/pkixutil.c
+++ b/security/nss/cmd/libpkix/pkixutil/pkixutil.c
@@ -149,17 +149,17 @@ testFunctionRef testFnRefTable[] = {
     {"test_hashtable",                 test_hashtable},
     {"test_mem",                       test_mem},
     {"test_monitorlock",               test_monitorlock},
     {"test_mutex",                     test_mutex},
     {"test_mutex2",                    test_mutex2},
     {"test_mutex3",                    test_mutex3},
     {"test_object",                    test_object},
     {"test_oid",                       test_oid},
-/*  {"test_rwlock",                    test_rwlock, }*/
+/*  {"test_rwlock",                    test_rwlock }*/
     {"test_string",                    test_string},
     {"test_string2",                   test_string2},
     {"build_chain",                    build_chain},
     {"dumpcert",                       dumpcert},
     {"dumpcrl",                        dumpcrl},
     {"validate_chain",                 validate_chain},
     {NULL,                             NULL },
 };
--- a/security/nss/cmd/makepqg/makepqg.c
+++ b/security/nss/cmd/makepqg/makepqg.c
@@ -23,17 +23,17 @@
 char  *progName;
 
 
 const SEC_ASN1Template seckey_PQGParamsTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) },
-    { 0, }
+    { 0 }
 };
 
 
 
 void
 Usage(void)
 {
     fprintf(stderr, "Usage:  %s\n", progName);
--- a/security/nss/cmd/manifest.mn
+++ b/security/nss/cmd/manifest.mn
@@ -1,35 +1,53 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 DEPTH	= ..
 # MODULE	= seccmd
 
+SOFTOKEN_SRCDIRS=
+NSS_SRCDIRS=
+LIB_SRCDIRS=
+
+ifdef NSS_BUILD_UTIL_ONLY
+REQUIRES = nspr
+else
 REQUIRES = nss nspr libdbm
+LIB_SRCDIRS = \
+ lib \
+ $(NULL)
+endif
 
-DIRS = lib  \
+ifndef NSS_BUILD_UTIL_ONLY
+SOFTOKEN_SRCDIRS = \
+ $(BLTEST_SRCDIR) \
+ $(FIPSTEST_SRCDIR)  \
+ $(LOWHASHTEST_SRCDIR)  \
+ $(SHLIBSIGN_SRCDIR) \
+ $(NULL)
+endif
+
+ifndef NSS_BUILD_SOFTOKEN_ONLY
+ifndef NSS_BUILD_UTIL_ONLY
+NSS_SRCDIRS = \
  addbuiltin \
  atob  \
- $(BLTEST_SRCDIR) \
  btoa  \
  certcgi \
  certutil  \
- checkcert  \
  chktest  \
  crlutil  \
  crmftest \
  dbtest \
  derdump  \
  digest  \
  httpserv  \
- $(FIPSTEST_SRCDIR)  \
- $(LOWHASHTEST_SRCDIR)  \
  listsuites \
  makepqg  \
  multinit \
  ocspclnt  \
  ocspresp \
  oidcalc  \
  p7content  \
  p7env  \
@@ -42,27 +60,33 @@ DIRS = lib  \
  pkix-errcodes \
  pp  \
  pwdecrypt \
  rsaperf \
  sdrtest \
  selfserv  \
  signtool \
  signver \
- $(SHLIBSIGN_SRCDIR) \
  smimetools  \
  ssltap  \
  strsclnt \
  symkeyutil \
  tests \
  tstclnt  \
  vfychain \
  vfyserv \
  modutil \
  $(NULL)
+endif
+endif
+
+DIRS = \
+ $(LIB_SRCDIRS) \
+ $(SOFTOKEN_SRCDIRS) \
+ $(NSS_SRCDIRS)
 
 TEMPORARILY_DONT_BUILD = \
  $(NULL)
 
 # rsaperf  \
 #
 #       needs to look at what needs to happen to make jar build in
 # the binary release environment.
--- a/security/nss/cmd/modutil/install-ds.c
+++ b/security/nss/cmd/modutil/install-ds.c
@@ -188,31 +188,29 @@ Pk11Install_File_Generate(Pk11Install_Fi
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE)){
 					errStr = PR_smprintf(errString[BOGUS_RELATIVE_DIR], 
                                     _this->jarPath);
 					goto loser;
 				}
 				_this->relativePath = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(subiter);
-				subiter = NULL;
+				Pk11Install_ListIter_delete(&subiter);
 
 				/* Absolute directory */
 			} else if( !PORT_Strcasecmp(subpair->key, ABSOLUTE_DIR_STRING)) {
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE)){
 					errStr = PR_smprintf(errString[BOGUS_ABSOLUTE_DIR], 
                                     _this->jarPath);
 					goto loser;
 				}
 				_this->absolutePath = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(subiter);
-				subiter = NULL;
+				Pk11Install_ListIter_delete(&subiter);
 
 			/* file permissions */
 			} else if( !PORT_Strcasecmp(subpair->key,
                                      FILE_PERMISSIONS_STRING)) {
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE) ||
 				   !subval->string || !subval->string[0]){
@@ -222,18 +220,17 @@ Pk11Install_File_Generate(Pk11Install_Fi
 				}
 				_this->permissions = (int) strtol(subval->string, &endp, 8);
 				if(*endp != '\0') {
 					errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS],
                                     _this->jarPath);
 					goto loser;
 				}
 				gotPerms = PR_TRUE;
-				Pk11Install_ListIter_delete(subiter);
-				subiter = NULL;
+				Pk11Install_ListIter_delete(&subiter);
 			}
 		} else {
 			if(!PORT_Strcasecmp(val->string, EXECUTABLE_STRING)) {
 				_this->executable = PR_TRUE;
 			}
 		}
 	}
 
@@ -255,22 +252,20 @@ Pk11Install_File_Generate(Pk11Install_Fi
 	if(!_this->absolutePath) {
 		errStr = PR_smprintf(errString[NO_ABSOLUTE_DIR], _this->jarPath);
 		goto loser;
 	}
 #endif
 
 loser:
 	if(iter) {
-		Pk11Install_ListIter_delete(iter);
-		PR_Free(iter);
+		Pk11Install_ListIter_delete(&iter);
 	}
 	if(subiter) {
-		Pk11Install_ListIter_delete(subiter);
-		PR_Free(subiter);
+		Pk11Install_ListIter_delete(&subiter);
 	}
 	return errStr;
 }
 
 /*
 //////////////////////////////////////////////////////////////////////////
 // Method:	Print
 // Class:	Pk11Install_File
@@ -631,22 +626,25 @@ Pk11Install_PlatformName_GetVerString(Pk
 /*
 //////////////////////////////////////////////////////////////////////////
 // Method:	Print
 // Class:	Pk11Install_PlatformName
 */
 void
 Pk11Install_PlatformName_Print(Pk11Install_PlatformName* _this, int pad)
 {
+	char *str = NULL;
 	PAD(pad); printf("OS: %s\n", _this->OS ? _this->OS : "<NULL>");
 	PAD(pad); printf("Digits: ");
 	if(_this->numDigits == 0) {
 		printf("None\n");
 	} else {
-		printf("%s\n", Pk11Install_PlatformName_GetVerString(_this));
+		str = Pk11Install_PlatformName_GetVerString(_this);
+		printf("%s\n", str);
+		PR_Free(str);
 	}
 	PAD(pad); printf("arch: %s\n", _this->arch ? _this->arch : "<NULL>");
 }
 
 Pk11Install_Platform*
 Pk11Install_Platform_new()
 {
 	Pk11Install_Platform* new_this;
@@ -765,37 +763,33 @@ Pk11Install_Platform_Generate(Pk11Instal
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE)) {
 					errStr = PR_smprintf(errString[BOGUS_MODULE_FILE],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
 				_this->moduleFile = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter = NULL;
+				Pk11Install_ListIter_delete(&subiter);
 				gotModuleFile = PR_TRUE;
 			} else if(!PORT_Strcasecmp(subpair->key, MODULE_NAME_STRING)){
 				if(gotModuleName) {
 					errStr = PR_smprintf(errString[REPEAT_MODULE_NAME],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE)) {
 					errStr = PR_smprintf(errString[BOGUS_MODULE_NAME],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
 				_this->moduleName = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter = NULL;
+				Pk11Install_ListIter_delete(&subiter);
 				gotModuleName = PR_TRUE;
 			} else if(!PORT_Strcasecmp(subpair->key, MECH_FLAGS_STRING)) {
 				endptr=NULL;
 
 				if(gotMech) {
 					errStr = PR_smprintf(errString[REPEAT_MECH],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
@@ -808,19 +802,17 @@ Pk11Install_Platform_Generate(Pk11Instal
 					goto loser;
 				}
 				_this->mechFlags = strtol(subval->string, &endptr, 0);
 				if(*endptr!='\0' || (endptr==subval->string) ) {
 					errStr = PR_smprintf(errString[BOGUS_MECH_FLAGS],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter=NULL;
+				Pk11Install_ListIter_delete(&subiter);
 				gotMech = PR_TRUE;
 			} else if(!PORT_Strcasecmp(subpair->key,CIPHER_FLAGS_STRING)) {
 				endptr=NULL;
 
 				if(gotCipher) {
 					errStr = PR_smprintf(errString[REPEAT_CIPHER],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
@@ -833,19 +825,17 @@ Pk11Install_Platform_Generate(Pk11Instal
 					goto loser;
 				}
 				_this->cipherFlags = strtol(subval->string, &endptr, 0);
 				if(*endptr!='\0' || (endptr==subval->string) ) {
 					errStr = PR_smprintf(errString[BOGUS_CIPHER_FLAGS],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter=NULL;
+				Pk11Install_ListIter_delete(&subiter);
 				gotCipher = PR_TRUE;
 			} else if(!PORT_Strcasecmp(subpair->key, FILES_STRING)) {
 				if(gotFiles) {
 					errStr = PR_smprintf(errString[REPEAT_FILES],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
 				subiter = Pk11Install_ListIter_new(subpair->list);
@@ -1084,19 +1074,17 @@ Pk11Install_Info_Generate(Pk11Install_In
 					if(subval->type == STRING_VALUE) {
 						errStr = Pk11Install_PlatformName_Generate(
                               &_this->forwardCompatible[i], subval->string);
 						if(errStr) {
 							goto loser;
 						}
 					}
 				}
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter = NULL;
+				Pk11Install_ListIter_delete(&subiter);
 			} else if(!PORT_Strcasecmp(pair->key, PLATFORMS_STRING)) {
 				subiter = Pk11Install_ListIter_new(pair->list);
 				_this->numPlatforms = pair->list->numPairs;
 				_this->platforms = (Pk11Install_Platform*)
                             PR_Malloc(sizeof(Pk11Install_Platform)*
                             _this->numPlatforms);
 				for(i=0; i < _this->numPlatforms; i++, 
                        Pk11Install_ListIter_nextItem(subiter)) {
@@ -1104,19 +1092,17 @@ Pk11Install_Info_Generate(Pk11Install_In
 					subval = subiter->current;
 					if(subval->type == PAIR_VALUE) {
 						errStr = Pk11Install_Platform_Generate(&_this->platforms[i],subval->pair);
 						if(errStr) {
 							goto loser;
 						}
 					}
 				}
-				Pk11Install_ListIter_delete(subiter);
-				PR_Free(subiter);
-				subiter = NULL;
+				Pk11Install_ListIter_delete(&subiter);
 			}
 		}
 	}
 
 	if(_this->numPlatforms == 0) {
 		errStr = PR_smprintf(errString[NO_PLATFORMS]);
 		goto loser;
 	}
@@ -1187,24 +1173,20 @@ Pk11Install_Info_Generate(Pk11Install_In
 				first = first->equiv;
 			}
 			_this->platforms[i].equiv = first;
 		}
 	}
 
 loser:
 	if(iter) {
-		Pk11Install_ListIter_delete(iter);
-		PR_Free(iter);
-		iter = NULL;
+		Pk11Install_ListIter_delete(&iter);
 	}
 	if(subiter) {
-		Pk11Install_ListIter_delete(subiter);
-		PR_Free(subiter);
-		subiter = NULL;
+		Pk11Install_ListIter_delete(&subiter);
 	}
 	return errStr;
 }
 
 /*
 //////////////////////////////////////////////////////////////////////////
 // Method:		GetBestPlatform
 // Class:		Pk11Install_Info
@@ -1343,20 +1325,22 @@ Pk11Install_ListIter_new(const Pk11Insta
                     PR_Malloc(sizeof(Pk11Install_ListIter));
 	new_this->list = _list;
 	new_this->current = _list->head;
 	return new_this;
 }
 
 /****************************************************************************/
 void
-Pk11Install_ListIter_delete(Pk11Install_ListIter* _this)
+Pk11Install_ListIter_delete(Pk11Install_ListIter** _this)
 {
-	_this->list=NULL;
-	_this->current=NULL;
+	(*_this)->list=NULL;
+	(*_this)->current=NULL;
+	PR_Free(*_this);
+	*_this=NULL;
 }
 
 /****************************************************************************/
 void
 Pk11Install_ListIter_reset(Pk11Install_ListIter* _this)
 {
 	if(_this->list) {
 		_this->current = _this->list->head;
--- a/security/nss/cmd/modutil/install-ds.h
+++ b/security/nss/cmd/modutil/install-ds.h
@@ -119,17 +119,17 @@ struct Pk11Install_ListIter_str {
 
 Pk11Install_ListIter* 
 Pk11Install_ListIter_new_default();
 void
 Pk11Install_ListIter_init(Pk11Install_ListIter* _this);
 Pk11Install_ListIter*
 Pk11Install_ListIter_new(const Pk11Install_ValueList* _list);
 void
-Pk11Install_ListIter_delete(Pk11Install_ListIter* _this);
+Pk11Install_ListIter_delete(Pk11Install_ListIter** _this);
 void
 Pk11Install_ListIter_reset(Pk11Install_ListIter* _this);
 Pk11Install_Value*
 Pk11Install_ListIter_nextItem(Pk11Install_ListIter* _this);
 
 /************************************************************************
  *
  * Pk11Install_File
--- a/security/nss/cmd/pk1sign/pk1sign.c
+++ b/security/nss/cmd/pk1sign/pk1sign.c
@@ -39,18 +39,18 @@ SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplat
 SEC_ASN1Template CERTSignatureDataTemplate[] =
 {
     { SEC_ASN1_SEQUENCE,
           0, NULL, sizeof(CERTSignedData) },
     { SEC_ASN1_INLINE,
           offsetof(CERTSignedData,signatureAlgorithm),
           SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
     { SEC_ASN1_BIT_STRING,
-          offsetof(CERTSignedData,signature), },
-    { 0, }
+          offsetof(CERTSignedData,signature) },
+    { 0 }
 };
 
 
 static void
 Usage(char *progName)
 {
     fprintf(stderr,
 	    "Usage:  %s -k keyname [-d keydir] [-i input] [-o output]\n",
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -46,91 +46,140 @@ else
 CRYPTOLIB=$(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 SOFTOKENLIB=
 EXTRA_SHARED_LIBS += \
 	-L$(SOFTOKEN_LIB_DIR) \
 	-lsoftokn3 \
 	$(NULL)
 endif
 
+ifndef NSS_BUILD_SOFTOKEN_ONLY
 PKIXLIB = \
 	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixpki.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX)
+endif
 
-# can't do this in manifest.mn because OS_ARCH isn't defined there.
+NSS_LIBS_1=
+SECTOOL_LIB=
+NSS_LIBS_2=
+NSS_LIBS_3=
+NSS_LIBS_4=
+
+ifneq ($(NSS_BUILD_UTIL_ONLY),1)
+SECTOOL_LIB = \
+	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+	$(NULL)
+else
+SECTOOL_LIB = \
+	$(NULL)
+endif
+
+ifneq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
 ifeq ($(OS_ARCH), WINNT)
-
-EXTRA_LIBS += \
+# breakdown for windows
+NSS_LIBS_1 = \
 	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+	$(NULL)
+NSS_LIBS_2 = \
 	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
-	$(SOFTOKENLIB) \
-	$(CRYPTOLIB) \
+	$(NULL)
+NSS_LIBS_3 = \
 	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
 	$(PKIXLIB) \
 	$(DBMLIB) \
+	$(NULL)
+NSS_LIBS_4 = \
 	$(SQLITE_LIB_DIR)/$(LIB_PREFIX)$(SQLITE_LIB_NAME).$(LIB_SUFFIX) \
 	$(NSSUTIL_LIB_DIR)/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
 	$(NULL)
+else
+# breakdown for others
+NSS_LIBS_1 = \
+	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
+	$(NULL)
+SECTOOL_LIB = \
+	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+	$(NULL)
+NSS_LIBS_2 = \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(NULL)
+NSS_LIBS_3 = \
+	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(NULL)
+NSS_LIBS_4 = \
+	$(DBMLIB) \
+	$(PKIXLIB) \
+	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(NULL)
+endif
+endif
+
+# can't do this in manifest.mn because OS_ARCH isn't defined there.
+ifeq ($(OS_ARCH), WINNT)
+
+EXTRA_LIBS += \
+	$(NSS_LIBS_1) \
+	$(SECTOOL_LIB) \
+	$(NSS_LIBS_2) \
+	$(SOFTOKENLIB) \
+	$(CRYPTOLIB) \
+	$(NSS_LIBS_3) \
+	$(NSS_LIBS_4) \
+	$(NULL)
 
 # $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
 #OS_LIBS += \
 	wsock32.lib \
 	winmm.lib \
 	$(NULL)
 else
 
 EXTRA_LIBS += \
-	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(NSS_LIBS_1) \
+	$(SECTOOL_LIB) \
+	$(NSS_LIBS_2) \
 	$(SOFTOKENLIB) \
-	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(NSS_LIBS_3) \
 	$(CRYPTOLIB) \
-	$(DBMLIB) \
-	$(PKIXLIB) \
-	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(NSS_LIBS_4) \
 	$(NULL)
 
 ifeq ($(OS_ARCH), AIX) 
 EXTRA_SHARED_LIBS += -brtl 
 endif
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -220,16 +220,17 @@ PrintParameterUsage()
 "           good, revoked, unknown, failure, badsig, corrupted\n"
 "   ocsp: fetch from external OCSP server using AIA, or none\n"
 "-A <ca> Nickname of a CA used to sign a stapled cert status\n"
 "-U override default ECDHE ephemeral key reuse, 0: refresh, 1: reuse\n"
 "-H override default DHE server support, 0: disable, 1: enable\n"
 "-W override default DHE server weak parameters support, 0: disable, 1: enable\n"
 "-c Restrict ciphers\n"
 "-Y prints cipher values allowed for parameter -c and exits\n"
+"-G enables the extended master secret extension [RFC7627]\n"
     , stderr);
 }
 
 static void
 Usage(const char *progName)
 {
     PrintUsageHeader(progName);
     PrintParameterUsage();
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -105,16 +105,17 @@ int renegotiationsDone = 0;
 static char *progName;
 
 secuPWData  pwdata          = { PW_NONE, 0 };
 
 void printSecurityInfo(PRFileDesc *fd)
 {
     CERTCertificate * cert;
     const SECItemArray *csa;
+    const SECItem *scts;
     SSL3Statistics * ssl3stats = SSL_GetStatistics();
     SECStatus result;
     SSLChannelInfo    channel;
     SSLCipherSuiteInfo suite;
 
     result = SSL_GetChannelInfo(fd, &channel, sizeof channel);
     if (result == SECSuccess && 
         channel.length == sizeof channel && 
@@ -157,16 +158,21 @@ void printSecurityInfo(PRFileDesc *fd)
     	ssl3stats->hsh_sid_cache_hits, ssl3stats->hsh_sid_cache_misses,
 	ssl3stats->hsh_sid_cache_not_ok, ssl3stats->hsh_sid_stateless_resumes);
 
     csa = SSL_PeerStapledOCSPResponses(fd);
     if (csa) {
         fprintf(stderr, "Received %d Cert Status items (OCSP stapled data)\n",
                 csa->len);
     }
+    scts = SSL_PeerSignedCertTimestamps(fd);
+    if (scts && scts->len) {
+        fprintf(stderr, "Received a Signed Certificate Timestamp of length"
+                " %u\n", scts->len);
+    }
 }
 
 void
 handshakeCallback(PRFileDesc *fd, void *client_data)
 {
     const char *secondHandshakeName = (char *)client_data;
     if (secondHandshakeName) {
         SSL_SetURL(fd, secondHandshakeName);
@@ -179,17 +185,17 @@ handshakeCallback(PRFileDesc *fd, void *
 }
 
 static void PrintUsageHeader(const char *progName)
 {
     fprintf(stderr, 
 "Usage:  %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
                     "[-D | -d certdir] [-C] [-b | -R root-module] \n"
 		    "[-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
-                    "[-V [min-version]:[max-version]] [-K] [-T]\n"
+                    "[-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
                     "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n", 
             progName);
 }
 
 static void PrintParameterUsage(void)
 {
     fprintf(stderr, "%-20s Send different SNI name. 1st_hs_name - at first\n"
                     "%-20s handshake, 2nd_hs_name - at second handshake.\n"
@@ -227,16 +233,17 @@ static void PrintParameterUsage(void)
     fprintf(stderr, "%-20s Use export policy.\n", "-x");
     fprintf(stderr, "%-20s Ping the server and then exit.\n", "-q");
     fprintf(stderr, "%-20s Timeout for server ping (default: no timeout).\n", "-t seconds");
     fprintf(stderr, "%-20s Renegotiate N times (resuming session if N>1).\n", "-r N");
     fprintf(stderr, "%-20s Enable the session ticket extension.\n", "-u");
     fprintf(stderr, "%-20s Enable compression.\n", "-z");
     fprintf(stderr, "%-20s Enable false start.\n", "-g");
     fprintf(stderr, "%-20s Enable the cert_status extension (OCSP stapling).\n", "-T");
+    fprintf(stderr, "%-20s Enable the signed_certificate_timestamp extension.\n", "-U");
     fprintf(stderr, "%-20s Enable the extended master secret extension (session hash).\n", "-G");
     fprintf(stderr, "%-20s Require fresh revocation info from side channel.\n"
                     "%-20s -F once means: require for server cert only\n"
                     "%-20s -F twice means: require for intermediates, too\n"
                     "%-20s (Connect, handshake with server, disable dynamic download\n"
                     "%-20s  of OCSP/CRL, verify cert using CERT_PKIXVerifyCert.)\n"
                     "%-20s Exit code:\n"
                     "%-20s 0: have fresh and valid revocation data, status good\n"
@@ -245,16 +252,17 @@ static void PrintParameterUsage(void)
                     "%-20s 3: have fresh and valid revocation data, status revoked\n",
                     "-F", "", "", "", "", "", "", "", "", "");
     fprintf(stderr, "%-20s Test -F allows 0=any (default), 1=only OCSP, 2=only CRL\n", "-M");
     fprintf(stderr, "%-20s Restrict ciphers\n", "-c ciphers");
     fprintf(stderr, "%-20s Print cipher values allowed for parameter -c and exit\n", "-Y");
     fprintf(stderr, "%-20s Enforce using an IPv4 destination address\n", "-4");
     fprintf(stderr, "%-20s Enforce using an IPv6 destination address\n", "-6");
     fprintf(stderr, "%-20s (Options -4 and -6 cannot be combined.)\n", "");
+    fprintf(stderr, "%-20s Enable the extended master secret extension [RFC7627]\n", "-G");
 }
 
 static void Usage(const char *progName)
 {
     PrintUsageHeader(progName);
     PrintParameterUsage();
     exit(1);
 }
@@ -915,16 +923,17 @@ int main(int argc, char **argv)
     PRBool             enableSSL2 = PR_TRUE;
     int                bypassPKCS11 = 0;
     int                disableLocking = 0;
     int                useExportPolicy = 0;
     int                enableSessionTickets = 0;
     int                enableCompression = 0;
     int                enableFalseStart = 0;
     int                enableCertStatus = 0;
+    int                enableSignedCertTimestamps = 0;
     int                forceFallbackSCSV = 0;
     int                enableExtendedMasterSecret = 0;
     PRSocketOptionData opt;
     PRNetAddr          addr;
     PRPollDesc         pollset[2];
     PRBool             allowIPv4 = PR_TRUE;
     PRBool             allowIPv6 = PR_TRUE;
     PRBool             pingServerFirst = PR_FALSE;
@@ -965,17 +974,17 @@ int main(int argc, char **argv)
        if (sec > 0) {
            maxInterval = PR_SecondsToInterval(sec);
        }
     }
 
     SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
 
     optstate = PL_CreateOptState(argc, argv,
-                                 "46BCDFGKM:OR:STV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:xz");
+                                 "46BCDFGKM:OR:STUV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:xz");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	switch (optstate->option) {
 	  case '?':
 	  default : Usage(progName); 			break;
 
           case '4': allowIPv6 = PR_FALSE; if (!allowIPv4) Usage(progName); break;
           case '6': allowIPv4 = PR_FALSE; if (!allowIPv6) Usage(progName); break;
 
@@ -1018,16 +1027,18 @@ int main(int argc, char **argv)
                     break;
 
           case 'R': rootModule = PORT_Strdup(optstate->value); break;
 
           case 'S': skipProtoHeader = PR_TRUE;                 break;
 
           case 'T': enableCertStatus = 1;               break;
 
+          case 'U': enableSignedCertTimestamps = 1;               break;
+
           case 'V': if (SECU_ParseSSLVersionRangeString(optstate->value,
                             enabledVersions, enableSSL2,
                             &enabledVersions, &enableSSL2) != SECSuccess) {
                         Usage(progName);
                     }
                     break;
 
           case 'Y': PrintCipherUsage(progName); exit(0); break;
@@ -1395,16 +1406,24 @@ int main(int argc, char **argv)
     if  (enableExtendedMasterSecret) {
         rv = SSL_OptionSet(s, SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_TRUE);
 	if (rv != SECSuccess) {
             SECU_PrintError(progName, "error enabling extended master secret");
             return 1;
 	}
     }
 
+    /* enable Signed Certificate Timestamps. */
+    rv = SSL_OptionSet(s, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
+              enableSignedCertTimestamps);
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "error enabling signed cert timestamps");
+        return 1;
+    }
+
     SSL_SetPKCS11PinArg(s, &pwdata);
 
     serverCertAuth.dbHandle = CERT_GetDefaultCertDB();
 
     SSL_AuthCertificateHook(s, ownAuthCertificate, &serverCertAuth);
     if (override) {
 	SSL_BadCertHook(s, ownBadCertHandler, NULL);
     }
--- a/security/nss/coreconf/WIN32.mk
+++ b/security/nss/coreconf/WIN32.mk
@@ -99,17 +99,17 @@ XP_DEFINE   += -DXP_PC
 ifdef NS_USE_GCC
 LIB_SUFFIX   = a
 else
 LIB_SUFFIX   = lib
 endif
 DLL_SUFFIX   = dll
 
 ifdef NS_USE_GCC
-    OS_CFLAGS += -mwindows -mms-bitfields -Werror
+    OS_CFLAGS += -mwindows -mms-bitfields
     _GEN_IMPORT_LIB=-Wl,--out-implib,$(IMPORT_LIBRARY)
     DLLFLAGS  += -mwindows -o $@ -shared -Wl,--export-all-symbols $(if $(IMPORT_LIBRARY),$(_GEN_IMPORT_LIB))
     ifdef BUILD_OPT
 	ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
 		OPTIMIZER += -Os
 	else
 		OPTIMIZER += -O2
 	endif
--- a/security/nss/coreconf/Werror.mk
+++ b/security/nss/coreconf/Werror.mk
@@ -16,17 +16,17 @@ ifndef WARNING_CFLAGS
   disable_warning = $(shell $(CC) -x c -E -Werror -W$(1) /dev/null >/dev/null 2>&1 && echo -Wno-$(1))
 
   WARNING_CFLAGS = -Wall
   ifeq ($(CC_NAME),clang)
     # -Qunused-arguments : clang objects to arguments that it doesn't understand
     #    and fixing this would require rearchitecture
     WARNING_CFLAGS += -Qunused-arguments
     # -Wno-parentheses-equality : because clang warns about macro expansions
-    OS_CFLAGS += $(call disable_warning,parentheses-equality)
+    WARNING_CFLAGS += $(call disable_warning,parentheses-equality)
     ifdef BUILD_OPT
       # clang is unable to handle glib's expansion of strcmp and similar for optimized
       # builds, so ignore the resulting errors.
       # See https://llvm.org/bugs/show_bug.cgi?id=20144
       WARNING_CFLAGS += $(call disable_warning,array-bounds)
       WARNING_CFLAGS += $(call disable_warning,unevaluated-expression)
     endif
   endif # if clang
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/external_tests/README
+++ b/security/nss/external_tests/README
@@ -1,14 +1,14 @@
 GTest-based Unit Tests
 
 This directory contains GTest-based unit tests for NSS libssl.
 
-These aren't built by default, because they require C++.
-To build them, set ``NSS_BUILD_GTESTS=1''
+If your environment doesn't have C++ compiler suitable to build these tests,
+you may disable them using ``NSS_DISABLE_GTESTS=1''
 
 Once built, they are run as part of running ``test/all.sh''
 You can run just the GTests by running ``tests/ssl_gtests/ssl_gtests.sh''
 
 They can be run standalone or under a debugger by invoking the ssl_gtest
 executable with a ``-d'' option pointing to the directory created by either
 of the above options.  You can find that in
 
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/common/gtest.mk
@@ -0,0 +1,27 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+include ../../cmd/platlibs.mk
+include ../../cmd/platrules.mk
+
+MKPROG = $(CCC)
+MKSHLIB	= $(CCC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
+
+ifeq (WINNT,$(OS_ARCH))
+    # -EHsc because gtest has exception handlers
+    OS_CFLAGS += -EHsc -nologo
+    # http://www.suodenjoki.dk/us/archive/2010/min-max.htm
+    OS_CFLAGS += -DNOMINMAX
+
+    # Linking to winsock to get htonl
+    OS_LIBS += Ws2_32.lib
+
+    # On windows, we need to create the parent directory
+    # Needed because we include files from a subdirectory
+    MAKE_OBJDIR = $(INSTALL) -D $(dir $@)
+else
+    CXXFLAGS += -std=c++0x
+endif
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/common/scoped_ptrs.h
@@ -0,0 +1,45 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef scoped_ptrs_h__
+#define scoped_ptrs_h__
+
+#include "keyhi.h"
+
+namespace nss_test {
+
+struct ScopedDelete {
+  void operator()(PK11SlotInfo* slot) { PK11_FreeSlot(slot); }
+  void operator()(SECItem* item) { SECITEM_FreeItem(item, true); }
+  void operator()(PK11SymKey* key) { PK11_FreeSymKey(key); }
+  void operator()(SECKEYPublicKey* key) { SECKEY_DestroyPublicKey(key); }
+  void operator()(SECKEYPrivateKey* key) { SECKEY_DestroyPrivateKey(key); }
+  void operator()(SECAlgorithmID* id) { SECOID_DestroyAlgorithmID(id, true); }
+  void operator()(CERTSubjectPublicKeyInfo* spki) {
+    SECKEY_DestroySubjectPublicKeyInfo(spki);
+  }
+};
+
+template<class T>
+struct ScopedMaybeDelete {
+  void operator()(T* ptr) { if (ptr) { ScopedDelete del; del(ptr); } }
+};
+
+#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDelete<x> > Scoped ## x
+
+SCOPED(PK11SlotInfo);
+SCOPED(SECItem);
+SCOPED(PK11SymKey);
+SCOPED(SECKEYPublicKey);
+SCOPED(SECKEYPrivateKey);
+SCOPED(SECAlgorithmID);
+SCOPED(CERTSubjectPublicKeyInfo);
+
+#undef SCOPED
+
+}  // namespace nss_test
+
+#endif
--- a/security/nss/external_tests/google_test/Makefile
+++ b/security/nss/external_tests/google_test/Makefile
@@ -21,32 +21,24 @@ include $(CORE_DEPTH)/coreconf/config.mk
 #######################################################################
 
 
 
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 
+include ../common/gtest.mk
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
 #######################################################################
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
-
-MKSHLIB	= $(CCC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
-ifeq (WINNT,$(OS_ARCH))
-    # -EHsc because gtest has exception handlers
-    OS_CFLAGS += -EHsc
-    # On windows, we need to create the parent directory
-    # Needed because we include files from a subdirectory
-    MAKE_OBJDIR = $(INSTALL) -D $(dir $@)
-endif
--- a/security/nss/external_tests/manifest.mn
+++ b/security/nss/external_tests/manifest.mn
@@ -2,10 +2,11 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 CORE_DEPTH = ..
 DEPTH      = ..
 
 DIRS = \
 	google_test \
+        pk11_gtest \
         ssl_gtest \
 	$(NULL)
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/pk11_gtest/Makefile
@@ -0,0 +1,44 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../common/gtest.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/pk11_gtest/manifest.mn
@@ -0,0 +1,22 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../..
+DEPTH      = ../..
+MODULE = nss
+
+CPPSRCS = \
+      pk11_pbkdf2_unittest.cc \
+      pk11_prf_unittest.cc \
+      pk11_rsapss_unittest.cc \
+      pk11_gtest.cc \
+      $(NULL)
+
+INCLUDES += -I$(CORE_DEPTH)/external_tests/google_test/gtest/include \
+            -I$(CORE_DEPTH)/external_tests/common
+
+REQUIRES = nspr nss libdbm gtest
+
+PROGRAM = pk11_gtest
+EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX)
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/pk11_gtest/pk11_gtest.cc
@@ -0,0 +1,21 @@
+#include "nspr.h"
+#include "nss.h"
+#include "ssl.h"
+
+#include <cstdlib>
+
+#define GTEST_HAS_RTTI 0
+#include "gtest/gtest.h"
+
+int main(int argc, char **argv) {
+  // Start the tests
+  ::testing::InitGoogleTest(&argc, argv);
+
+  NSS_NoDB_Init(nullptr);
+  NSS_SetDomesticPolicy();
+  int rv = RUN_ALL_TESTS();
+
+  NSS_Shutdown();
+
+  return rv;
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/pk11_gtest/pk11_pbkdf2_unittest.cc
@@ -0,0 +1,100 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nss.h"
+#include "pk11pub.h"
+#include <memory>
+
+#include "gtest/gtest.h"
+#include "scoped_ptrs.h"
+
+namespace nss_test {
+
+static unsigned char* ToUcharPtr(std::string& str) {
+  return const_cast<unsigned char*>(
+    reinterpret_cast<const unsigned char*>(str.c_str()));
+}
+
+class Pkcs11Pbkdf2Test : public ::testing::Test {
+ public:
+  void Derive(std::vector<uint8_t>& derived, SECOidTag hash_alg)
+  {
+    // Shared between test vectors.
+    const unsigned int iterations = 4096;
+    std::string pass("passwordPASSWORDpassword");
+    std::string salt("saltSALTsaltSALTsaltSALTsaltSALTsalt");
+
+    // Derivation must succeed with the right values.
+    EXPECT_TRUE(DeriveBytes(pass, salt, derived, hash_alg, iterations));
+
+    // Derivation must fail when the password is bogus.
+    std::string bogusPass("PasswordPASSWORDpassword");
+    EXPECT_FALSE(DeriveBytes(bogusPass, salt, derived, hash_alg, iterations));
+
+    // Derivation must fail when the salt is bogus.
+    std::string bogusSalt("SaltSALTsaltSALTsaltSALTsaltSALTsalt");
+    EXPECT_FALSE(DeriveBytes(pass, bogusSalt, derived, hash_alg, iterations));
+
+    // Derivation must fail when using the wrong hash function.
+    SECOidTag next_hash_alg = static_cast<SECOidTag>(hash_alg + 1);
+    EXPECT_FALSE(DeriveBytes(pass, salt, derived, next_hash_alg, iterations));
+
+    // Derivation must fail when using the wrong number of iterations.
+    EXPECT_FALSE(DeriveBytes(pass, salt, derived, hash_alg, iterations + 1));
+  }
+
+ private:
+  bool DeriveBytes(std::string& pass, std::string& salt,
+                   std::vector<uint8_t>& derived, SECOidTag hash_alg,
+                   unsigned int iterations)
+  {
+    SECItem passItem = { siBuffer, ToUcharPtr(pass),
+                         static_cast<unsigned int>(pass.length()) };
+    SECItem saltItem = { siBuffer, ToUcharPtr(salt),
+                         static_cast<unsigned int>(salt.length()) };
+
+    // Set up PBKDF2 params.
+    ScopedSECAlgorithmID alg_id(
+      PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, hash_alg, hash_alg,
+                                  derived.size(), iterations, &saltItem));
+
+    // Derive.
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    ScopedPK11SymKey symKey(
+      PK11_PBEKeyGen(slot.get(), alg_id.get(), &passItem, false, nullptr));
+
+    SECStatus rv = PK11_ExtractKeyValue(symKey.get());
+    EXPECT_EQ(rv, SECSuccess);
+
+    SECItem* keyData = PK11_GetKeyData(symKey.get());
+    return !memcmp(&derived[0], keyData->data, keyData->len);
+  }
+};
+
+// RFC 6070 <http://tools.ietf.org/html/rfc6070>
+TEST_F(Pkcs11Pbkdf2Test, DeriveKnown1) {
+  std::vector<uint8_t> derived = {
+    0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b, 0x80, 0xc8, 0xd8, 0x36,
+    0x62, 0xc0, 0xe4, 0x4a, 0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70, 0x38
+  };
+
+  Derive(derived, SEC_OID_HMAC_SHA1);
+}
+
+// https://stackoverflow.com/questions/5130513/pbkdf2-hmac-sha2-test-vectors
+TEST_F(Pkcs11Pbkdf2Test, DeriveKnown2) {
+  std::vector<uint8_t> derived = {
+    0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8,
+    0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
+    0x1c, 0x4e, 0x2a, 0x1f, 0xb8, 0xdd, 0x53, 0xe1, 0xc6, 0x35, 0x51, 0x8c,
+    0x7d, 0xac, 0x47, 0xe9
+  };
+
+  Derive(derived, SEC_OID_HMAC_SHA256);
+}
+
+}  // namespace nss_test
+
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/pk11_gtest/pk11_prf_unittest.cc
@@ -0,0 +1,250 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nss.h"
+#include "pk11pub.h"
+#include <memory>
+
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+const size_t kPmsSize = 48;
+const size_t kMasterSecretSize = 48;
+const size_t kPrfSeedSizeSha256 = 32;
+const size_t kPrfSeedSizeTlsPrf = 36;
+
+// This is not the right size for anything
+const size_t kIncorrectSize = 17;
+
+const uint8_t kPmsData[] = {
+  0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+  0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
+  0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
+  0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
+  0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,
+  0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f
+};
+
+const uint8_t kPrfSeed[] = {
+  0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
+  0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff,
+  0xe0,0xe1,0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,
+  0xe8,0xe9,0xea,0xeb,0xec,0xed,0xee,0xef,
+  0xd0,0xd1,0xd2,0xd3
+};
+
+const uint8_t kExpectedOutputEmsSha256[] = {
+  0x75,0xa7,0xa5,0x98,0xef,0xab,0x90,0xe7,
+  0x7c,0x67,0x80,0xde,0xab,0x3a,0x11,0xf3,
+  0x5d,0xb2,0xf8,0x47,0xff,0x09,0x01,0xec,
+  0xf8,0x93,0x89,0xfc,0x98,0x2e,0x6e,0xf9,
+  0x2c,0xf5,0x9b,0x04,0x04,0x6f,0xd7,0x28,
+  0x6e,0xea,0xe3,0x83,0xc4,0x4a,0xff,0x03
+};
+
+const uint8_t kExpectedOutputEmsTlsPrf[] = {
+  0x06,0xbf,0x29,0x86,0x5d,0xf3,0x3e,0x38,
+  0xfd,0xfa,0x91,0x10,0x2a,0x20,0xff,0xd6,
+  0xb9,0xd5,0x72,0x5a,0x6d,0x42,0x20,0x16,
+  0xde,0xa4,0xa0,0x51,0xe5,0x53,0xc1,0x28,
+  0x04,0x99,0xbc,0xb1,0x2c,0x9d,0xe8,0x0b,
+  0x18,0xa2,0x0e,0x48,0x52,0x8d,0x61,0x13
+};
+
+static unsigned char* toUcharPtr(const uint8_t* v) {
+  return const_cast<unsigned char*>(
+    static_cast<const unsigned char *>(v));
+}
+
+class TlsPrfTest : public ::testing::Test {
+ public:
+  TlsPrfTest()
+    : params_({siBuffer, nullptr, 0})
+    , pms_item_({siBuffer, toUcharPtr(kPmsData), kPmsSize})
+    , key_mech_(0)
+    , slot_(nullptr)
+    , pms_(nullptr)
+    , ms_(nullptr)
+    , pms_version_({0, 0}) {}
+
+  ~TlsPrfTest() {
+    if (slot_) { PK11_FreeSlot(slot_); }
+    ClearTempVars();
+  }
+
+  void ClearTempVars() {
+    if (pms_) { PK11_FreeSymKey(pms_); }
+    if (ms_)  { PK11_FreeSymKey(ms_);  }
+  }
+
+  void Init() {
+    params_.type = siBuffer;
+
+    pms_item_.type = siBuffer;
+    pms_item_.data = const_cast<unsigned char*>(
+                        static_cast<const unsigned char *>(kPmsData));
+
+    slot_ = PK11_GetInternalSlot();
+    ASSERT_NE(nullptr, slot_);
+  }
+
+  void CheckForError(CK_MECHANISM_TYPE hash_mech,
+                     size_t seed_len,
+                     size_t pms_len,
+                     size_t output_len) {
+    // Error tests don't depend on the derivation mechansim
+    Inner(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, hash_mech,
+          seed_len, pms_len, output_len, nullptr, nullptr);
+  }
+
+  void ComputeAndVerifyMs(CK_MECHANISM_TYPE derive_mech,
+                          CK_MECHANISM_TYPE hash_mech,
+                          CK_VERSION* version,
+                          const uint8_t* expected) {
+    // Infer seed length from mechanism
+    int seed_len = 0;
+    switch (hash_mech) {
+      case CKM_TLS_PRF: seed_len = kPrfSeedSizeTlsPrf; break;
+      case CKM_SHA256:  seed_len = kPrfSeedSizeSha256; break;
+      default:          ASSERT_TRUE(false);
+    }
+
+    Inner(derive_mech, hash_mech, seed_len,
+          kPmsSize, 0, version, expected);
+  }
+
+
+  // Set output == nullptr to test when errors occur
+  void Inner(
+      CK_MECHANISM_TYPE derive_mech,
+      CK_MECHANISM_TYPE hash_mech,
+      size_t seed_len,
+      size_t pms_len,
+      size_t output_len,
+      CK_VERSION* version,
+      const uint8_t* expected) {
+    ClearTempVars();
+
+    // Infer the key mechanism from the hash type
+    switch (hash_mech) {
+      case CKM_TLS_PRF: key_mech_ = CKM_TLS_KEY_AND_MAC_DERIVE; break;
+      case CKM_SHA256:  key_mech_ = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; break;
+      default:          ASSERT_TRUE(false);
+    }
+
+    // Import the params
+    CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS master_params = {
+      hash_mech,
+      toUcharPtr(kPrfSeed),
+      static_cast<CK_ULONG>(seed_len),
+      version
+    };
+    params_.data = reinterpret_cast<unsigned char*>(&master_params);
+    params_.len = sizeof(master_params);
+
+    // Import the PMS
+    pms_item_.len = pms_len;
+    pms_ = PK11_ImportSymKey(slot_, derive_mech, PK11_OriginUnwrap,
+                            CKA_DERIVE, &pms_item_, NULL);
+    ASSERT_NE(nullptr, pms_);
+
+
+    // Compute the EMS
+    ms_ = PK11_DeriveWithFlags(pms_, derive_mech, &params_, key_mech_,
+        CKA_DERIVE, output_len, CKF_SIGN | CKF_VERIFY);
+
+    // Verify the EMS has the expected value (null or otherwise)
+    if (!expected) {
+      EXPECT_EQ(nullptr, ms_);
+    } else {
+      ASSERT_NE(nullptr, ms_);
+
+      SECStatus rv = PK11_ExtractKeyValue(ms_);
+      ASSERT_EQ(SECSuccess, rv);
+
+      SECItem *msData = PK11_GetKeyData(ms_);
+      ASSERT_NE(nullptr, msData);
+
+      ASSERT_EQ(kMasterSecretSize, msData->len);
+      EXPECT_EQ(0,
+                memcmp(msData->data, expected, kMasterSecretSize));
+    }
+  }
+
+ protected:
+  SECItem params_;
+  SECItem pms_item_;
+  CK_MECHANISM_TYPE key_mech_;
+  PK11SlotInfo *slot_;
+  PK11SymKey *pms_;
+  PK11SymKey *ms_;
+  CK_VERSION pms_version_;
+};
+
+TEST_F(TlsPrfTest, ExtendedMsParamErr) {
+  Init();
+
+  // This should fail; it's the correct set from which the below are derived
+  // CheckForError(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, 0);
+
+  // Output key size != 0, SSL3_MASTER_SECRET_LENGTH
+  CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, kIncorrectSize);
+
+  // not-DH && pms size != SSL3_PMS_LENGTH
+  CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kIncorrectSize, 0);
+
+  // CKM_TLS_PRF && seed length != MD5_LENGTH + SHA1_LENGTH
+  CheckForError(CKM_TLS_PRF, kIncorrectSize, kPmsSize, 0);
+
+  // !CKM_TLS_PRF && seed length != hash output length
+  CheckForError(CKM_SHA256, kIncorrectSize, kPmsSize, 0);
+}
+
+// Test matrix:
+//
+//            DH  RSA
+//  TLS_PRF   1   2
+//  SHA256    3   4
+TEST_F(TlsPrfTest, ExtendedMsDhTlsPrf) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
+                     CKM_TLS_PRF,
+                     nullptr,
+                     kExpectedOutputEmsTlsPrf);
+}
+
+TEST_F(TlsPrfTest, ExtendedMsRsaTlsPrf) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
+                     CKM_TLS_PRF,
+                     &pms_version_,
+                     kExpectedOutputEmsTlsPrf);
+  EXPECT_EQ(0, pms_version_.major);
+  EXPECT_EQ(1, pms_version_.minor);
+}
+
+
+TEST_F(TlsPrfTest, ExtendedMsDhSha256) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
+                     CKM_SHA256,
+                     nullptr,
+                     kExpectedOutputEmsSha256);
+}
+
+TEST_F(TlsPrfTest, ExtendedMsRsaSha256) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
+                     CKM_SHA256,
+                     &pms_version_,
+                     kExpectedOutputEmsSha256);
+  EXPECT_EQ(0, pms_version_.major);
+  EXPECT_EQ(1, pms_version_.minor);
+}
+
+}  // namespace nss_test
+
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/pk11_gtest/pk11_rsapss_unittest.cc
@@ -0,0 +1,246 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nss.h"
+#include "pk11pub.h"
+#include "sechash.h"
+#include <memory>
+
+#include "gtest/gtest.h"
+#include "scoped_ptrs.h"
+
+namespace nss_test {
+
+// RSA-PSS test vectors, pss-vect.txt, Example 1: A 1024-bit RSA Key Pair
+// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+const uint8_t kTestVector1Spki[] = {
+  0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+  0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02,
+  0x81, 0x81, 0x00, 0xa5, 0x6e, 0x4a, 0x0e, 0x70, 0x10, 0x17, 0x58, 0x9a, 0x51,
+  0x87, 0xdc, 0x7e, 0xa8, 0x41, 0xd1, 0x56, 0xf2, 0xec, 0x0e, 0x36, 0xad, 0x52,
+  0xa4, 0x4d, 0xfe, 0xb1, 0xe6, 0x1f, 0x7a, 0xd9, 0x91, 0xd8, 0xc5, 0x10, 0x56,
+  0xff, 0xed, 0xb1, 0x62, 0xb4, 0xc0, 0xf2, 0x83, 0xa1, 0x2a, 0x88, 0xa3, 0x94,
+  0xdf, 0xf5, 0x26, 0xab, 0x72, 0x91, 0xcb, 0xb3, 0x07, 0xce, 0xab, 0xfc, 0xe0,
+  0xb1, 0xdf, 0xd5, 0xcd, 0x95, 0x08, 0x09, 0x6d, 0x5b, 0x2b, 0x8b, 0x6d, 0xf5,
+  0xd6, 0x71, 0xef, 0x63, 0x77, 0xc0, 0x92, 0x1c, 0xb2, 0x3c, 0x27, 0x0a, 0x70,
+  0xe2, 0x59, 0x8e, 0x6f, 0xf8, 0x9d, 0x19, 0xf1, 0x05, 0xac, 0xc2, 0xd3, 0xf0,
+  0xcb, 0x35, 0xf2, 0x92, 0x80, 0xe1, 0x38, 0x6b, 0x6f, 0x64, 0xc4, 0xef, 0x22,
+  0xe1, 0xe1, 0xf2, 0x0d, 0x0c, 0xe8, 0xcf, 0xfb, 0x22, 0x49, 0xbd, 0x9a, 0x21,
+  0x37, 0x02, 0x03, 0x01, 0x00, 0x01
+};
+// RSA-PSS test vectors, pss-vect.txt, Example 1.1
+const uint8_t kTestVector1Data[] = {
+  0xcd, 0xc8, 0x7d, 0xa2, 0x23, 0xd7, 0x86, 0xdf, 0x3b, 0x45, 0xe0, 0xbb, 0xbc,
+  0x72, 0x13, 0x26, 0xd1, 0xee, 0x2a, 0xf8, 0x06, 0xcc, 0x31, 0x54, 0x75, 0xcc,
+  0x6f, 0x0d, 0x9c, 0x66, 0xe1, 0xb6, 0x23, 0x71, 0xd4, 0x5c, 0xe2, 0x39, 0x2e,
+  0x1a, 0xc9, 0x28, 0x44, 0xc3, 0x10, 0x10, 0x2f, 0x15, 0x6a, 0x0d, 0x8d, 0x52,
+  0xc1, 0xf4, 0xc4, 0x0b, 0xa3, 0xaa, 0x65, 0x09, 0x57, 0x86, 0xcb, 0x76, 0x97,
+  0x57, 0xa6, 0x56, 0x3b, 0xa9, 0x58, 0xfe, 0xd0, 0xbc, 0xc9, 0x84, 0xe8, 0xb5,
+  0x17, 0xa3, 0xd5, 0xf5, 0x15, 0xb2, 0x3b, 0x8a, 0x41, 0xe7, 0x4a, 0xa8, 0x67,
+  0x69, 0x3f, 0x90, 0xdf, 0xb0, 0x61, 0xa6, 0xe8, 0x6d, 0xfa, 0xae, 0xe6, 0x44,
+  0x72, 0xc0, 0x0e, 0x5f, 0x20, 0x94, 0x57, 0x29, 0xcb, 0xeb, 0xe7, 0x7f, 0x06,
+  0xce, 0x78, 0xe0, 0x8f, 0x40, 0x98, 0xfb, 0xa4, 0x1f, 0x9d, 0x61, 0x93, 0xc0,
+  0x31, 0x7e, 0x8b, 0x60, 0xd4, 0xb6, 0x08, 0x4a, 0xcb, 0x42, 0xd2, 0x9e, 0x38,
+  0x08, 0xa3, 0xbc, 0x37, 0x2d, 0x85, 0xe3, 0x31, 0x17, 0x0f, 0xcb, 0xf7, 0xcc,
+  0x72, 0xd0, 0xb7, 0x1c, 0x29, 0x66, 0x48, 0xb3, 0xa4, 0xd1, 0x0f, 0x41, 0x62,
+  0x95, 0xd0, 0x80, 0x7a, 0xa6, 0x25, 0xca, 0xb2, 0x74, 0x4f, 0xd9, 0xea, 0x8f,
+  0xd2, 0x23, 0xc4, 0x25, 0x37, 0x02, 0x98, 0x28, 0xbd, 0x16, 0xbe, 0x02, 0x54,
+  0x6f, 0x13, 0x0f, 0xd2, 0xe3, 0x3b, 0x93, 0x6d, 0x26, 0x76, 0xe0, 0x8a, 0xed,
+  0x1b, 0x73, 0x31, 0x8b, 0x75, 0x0a, 0x01, 0x67, 0xd0
+};
+const uint8_t kTestVector1Sig[] = {
+  0x90, 0x74, 0x30, 0x8f, 0xb5, 0x98, 0xe9, 0x70, 0x1b, 0x22, 0x94, 0x38, 0x8e,
+  0x52, 0xf9, 0x71, 0xfa, 0xac, 0x2b, 0x60, 0xa5, 0x14, 0x5a, 0xf1, 0x85, 0xdf,
+  0x52, 0x87, 0xb5, 0xed, 0x28, 0x87, 0xe5, 0x7c, 0xe7, 0xfd, 0x44, 0xdc, 0x86,
+  0x34, 0xe4, 0x07, 0xc8, 0xe0, 0xe4, 0x36, 0x0b, 0xc2, 0x26, 0xf3, 0xec, 0x22,
+  0x7f, 0x9d, 0x9e, 0x54, 0x63, 0x8e, 0x8d, 0x31, 0xf5, 0x05, 0x12, 0x15, 0xdf,
+  0x6e, 0xbb, 0x9c, 0x2f, 0x95, 0x79, 0xaa, 0x77, 0x59, 0x8a, 0x38, 0xf9, 0x14,
+  0xb5, 0xb9, 0xc1, 0xbd, 0x83, 0xc4, 0xe2, 0xf9, 0xf3, 0x82, 0xa0, 0xd0, 0xaa,
+  0x35, 0x42, 0xff, 0xee, 0x65, 0x98, 0x4a, 0x60, 0x1b, 0xc6, 0x9e, 0xb2, 0x8d,
+  0xeb, 0x27, 0xdc, 0xa1, 0x2c, 0x82, 0xc2, 0xd4, 0xc3, 0xf6, 0x6c, 0xd5, 0x00,
+  0xf1, 0xff, 0x2b, 0x99, 0x4d, 0x8a, 0x4e, 0x30, 0xcb, 0xb3, 0x3c
+};
+
+// RSA-PSS test vectors, pss-vect.txt, Example 10: A 2048-bit RSA Key Pair
+// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+const uint8_t kTestVector2Spki[] = {
+  0x30, 0x82, 0x01, 0x21, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0e, 0x00, 0x30, 0x82,
+  0x01, 0x09, 0x02, 0x82, 0x01, 0x00, 0xa5, 0xdd, 0x86, 0x7a, 0xc4, 0xcb, 0x02,
+  0xf9, 0x0b, 0x94, 0x57, 0xd4, 0x8c, 0x14, 0xa7, 0x70, 0xef, 0x99, 0x1c, 0x56,
+  0xc3, 0x9c, 0x0e, 0xc6, 0x5f, 0xd1, 0x1a, 0xfa, 0x89, 0x37, 0xce, 0xa5, 0x7b,
+  0x9b, 0xe7, 0xac, 0x73, 0xb4, 0x5c, 0x00, 0x17, 0x61, 0x5b, 0x82, 0xd6, 0x22,
+  0xe3, 0x18, 0x75, 0x3b, 0x60, 0x27, 0xc0, 0xfd, 0x15, 0x7b, 0xe1, 0x2f, 0x80,
+  0x90, 0xfe, 0xe2, 0xa7, 0xad, 0xcd, 0x0e, 0xef, 0x75, 0x9f, 0x88, 0xba, 0x49,
+  0x97, 0xc7, 0xa4, 0x2d, 0x58, 0xc9, 0xaa, 0x12, 0xcb, 0x99, 0xae, 0x00, 0x1f,
+  0xe5, 0x21, 0xc1, 0x3b, 0xb5, 0x43, 0x14, 0x45, 0xa8, 0xd5, 0xae, 0x4f, 0x5e,
+  0x4c, 0x7e, 0x94, 0x8a, 0xc2, 0x27, 0xd3, 0x60, 0x40, 0x71, 0xf2, 0x0e, 0x57,
+  0x7e, 0x90, 0x5f, 0xbe, 0xb1, 0x5d, 0xfa, 0xf0, 0x6d, 0x1d, 0xe5, 0xae, 0x62,
+  0x53, 0xd6, 0x3a, 0x6a, 0x21, 0x20, 0xb3, 0x1a, 0x5d, 0xa5, 0xda, 0xbc, 0x95,
+  0x50, 0x60, 0x0e, 0x20, 0xf2, 0x7d, 0x37, 0x39, 0xe2, 0x62, 0x79, 0x25, 0xfe,
+  0xa3, 0xcc, 0x50, 0x9f, 0x21, 0xdf, 0xf0, 0x4e, 0x6e, 0xea, 0x45, 0x49, 0xc5,
+  0x40, 0xd6, 0x80, 0x9f, 0xf9, 0x30, 0x7e, 0xed, 0xe9, 0x1f, 0xff, 0x58, 0x73,
+  0x3d, 0x83, 0x85, 0xa2, 0x37, 0xd6, 0xd3, 0x70, 0x5a, 0x33, 0xe3, 0x91, 0x90,
+  0x09, 0x92, 0x07, 0x0d, 0xf7, 0xad, 0xf1, 0x35, 0x7c, 0xf7, 0xe3, 0x70, 0x0c,
+  0xe3, 0x66, 0x7d, 0xe8, 0x3f, 0x17, 0xb8, 0xdf, 0x17, 0x78, 0xdb, 0x38, 0x1d,
+  0xce, 0x09, 0xcb, 0x4a, 0xd0, 0x58, 0xa5, 0x11, 0x00, 0x1a, 0x73, 0x81, 0x98,
+  0xee, 0x27, 0xcf, 0x55, 0xa1, 0x3b, 0x75, 0x45, 0x39, 0x90, 0x65, 0x82, 0xec,
+  0x8b, 0x17, 0x4b, 0xd5, 0x8d, 0x5d, 0x1f, 0x3d, 0x76, 0x7c, 0x61, 0x37, 0x21,
+  0xae, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01
+};
+// RSA-PSS test vectors, pss-vect.txt, Example 10.1
+const uint8_t kTestVector2Data[] = {
+  0x88, 0x31, 0x77, 0xe5, 0x12, 0x6b, 0x9b, 0xe2, 0xd9, 0xa9, 0x68, 0x03, 0x27,
+  0xd5, 0x37, 0x0c, 0x6f, 0x26, 0x86, 0x1f, 0x58, 0x20, 0xc4, 0x3d, 0xa6, 0x7a,
+  0x3a, 0xd6, 0x09
+};
+const uint8_t kTestVector2Sig[] = {
+  0x82, 0xc2, 0xb1, 0x60, 0x09, 0x3b, 0x8a, 0xa3, 0xc0, 0xf7, 0x52, 0x2b, 0x19,
+  0xf8, 0x73, 0x54, 0x06, 0x6c, 0x77, 0x84, 0x7a, 0xbf, 0x2a, 0x9f, 0xce, 0x54,
+  0x2d, 0x0e, 0x84, 0xe9, 0x20, 0xc5, 0xaf, 0xb4, 0x9f, 0xfd, 0xfd, 0xac, 0xe1,
+  0x65, 0x60, 0xee, 0x94, 0xa1, 0x36, 0x96, 0x01, 0x14, 0x8e, 0xba, 0xd7, 0xa0,
+  0xe1, 0x51, 0xcf, 0x16, 0x33, 0x17, 0x91, 0xa5, 0x72, 0x7d, 0x05, 0xf2, 0x1e,
+  0x74, 0xe7, 0xeb, 0x81, 0x14, 0x40, 0x20, 0x69, 0x35, 0xd7, 0x44, 0x76, 0x5a,
+  0x15, 0xe7, 0x9f, 0x01, 0x5c, 0xb6, 0x6c, 0x53, 0x2c, 0x87, 0xa6, 0xa0, 0x59,
+  0x61, 0xc8, 0xbf, 0xad, 0x74, 0x1a, 0x9a, 0x66, 0x57, 0x02, 0x28, 0x94, 0x39,
+  0x3e, 0x72, 0x23, 0x73, 0x97, 0x96, 0xc0, 0x2a, 0x77, 0x45, 0x5d, 0x0f, 0x55,
+  0x5b, 0x0e, 0xc0, 0x1d, 0xdf, 0x25, 0x9b, 0x62, 0x07, 0xfd, 0x0f, 0xd5, 0x76,
+  0x14, 0xce, 0xf1, 0xa5, 0x57, 0x3b, 0xaa, 0xff, 0x4e, 0xc0, 0x00, 0x69, 0x95,
+  0x16, 0x59, 0xb8, 0x5f, 0x24, 0x30, 0x0a, 0x25, 0x16, 0x0c, 0xa8, 0x52, 0x2d,
+  0xc6, 0xe6, 0x72, 0x7e, 0x57, 0xd0, 0x19, 0xd7, 0xe6, 0x36, 0x29, 0xb8, 0xfe,
+  0x5e, 0x89, 0xe2, 0x5c, 0xc1, 0x5b, 0xeb, 0x3a, 0x64, 0x75, 0x77, 0x55, 0x92,
+  0x99, 0x28, 0x0b, 0x9b, 0x28, 0xf7, 0x9b, 0x04, 0x09, 0x00, 0x0b, 0xe2, 0x5b,
+  0xbd, 0x96, 0x40, 0x8b, 0xa3, 0xb4, 0x3c, 0xc4, 0x86, 0x18, 0x4d, 0xd1, 0xc8,
+  0xe6, 0x25, 0x53, 0xfa, 0x1a, 0xf4, 0x04, 0x0f, 0x60, 0x66, 0x3d, 0xe7, 0xf5,
+  0xe4, 0x9c, 0x04, 0x38, 0x8e, 0x25, 0x7f, 0x1c, 0xe8, 0x9c, 0x95, 0xda, 0xb4,
+  0x8a, 0x31, 0x5d, 0x9b, 0x66, 0xb1, 0xb7, 0x62, 0x82, 0x33, 0x87, 0x6f, 0xf2,
+  0x38, 0x52, 0x30, 0xd0, 0x70, 0xd0, 0x7e, 0x16, 0x66
+};
+
+static unsigned char* toUcharPtr(const uint8_t* v) {
+  return const_cast<unsigned char*>(
+    static_cast<const unsigned char*>(v));
+}
+
+class Pkcs11RsaPssTest : public ::testing::Test {
+};
+
+class Pkcs11RsaPssVectorTest : public Pkcs11RsaPssTest {
+ public:
+  void Verify(const uint8_t* spki, size_t spki_len, const uint8_t* data,
+              size_t data_len, const uint8_t* sig, size_t sig_len) {
+    // Verify data signed with PSS/SHA-1.
+    SECOidTag hashOid = SEC_OID_SHA1;
+    CK_MECHANISM_TYPE hashMech = CKM_SHA_1;
+    CK_RSA_PKCS_MGF_TYPE mgf = CKG_MGF1_SHA1;
+
+    // Set up PSS parameters.
+    unsigned int hLen = HASH_ResultLenByOidTag(hashOid);
+    CK_RSA_PKCS_PSS_PARAMS rsaPssParams = { hashMech, mgf, hLen };
+    SECItem params = { siBuffer,
+                       reinterpret_cast<unsigned char*>(&rsaPssParams),
+                       sizeof(rsaPssParams) };
+
+    // Import public key.
+    SECItem spkiItem = { siBuffer, toUcharPtr(spki),
+                         static_cast<unsigned int>(spki_len) };
+    ScopedCERTSubjectPublicKeyInfo certSpki(
+      SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
+    ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get()));
+
+    // Hash the data.
+    std::vector<uint8_t> hashBuf(hLen);
+    SECItem hash = { siBuffer, &hashBuf[0],
+                     static_cast<unsigned int>(hashBuf.size()) };
+    SECStatus rv = PK11_HashBuf(hashOid, hash.data, toUcharPtr(data),
+                                data_len);
+    EXPECT_EQ(rv, SECSuccess);
+
+    // Verify.
+    CK_MECHANISM_TYPE mech = CKM_RSA_PKCS_PSS;
+    SECItem sigItem = { siBuffer, toUcharPtr(sig),
+                        static_cast<unsigned int>(sig_len) };
+    rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sigItem, &hash,
+                                  nullptr);
+    EXPECT_EQ(rv, SECSuccess);
+  }
+};
+
+#define PSS_TEST_VECTOR_VERIFY(spki, data, sig) \
+  Verify(spki, sizeof(spki), data, sizeof(data), sig, sizeof(sig));
+
+TEST_F(Pkcs11RsaPssTest, GenerateAndSignAndVerify) {
+  // Sign data with a 1024-bit RSA key, using PSS/SHA-256.
+  SECOidTag hashOid = SEC_OID_SHA256;
+  CK_MECHANISM_TYPE hashMech = CKM_SHA256;
+  CK_RSA_PKCS_MGF_TYPE mgf = CKG_MGF1_SHA256;
+  PK11RSAGenParams rsaGenParams = { 1024, 0x10001 };
+
+  // Generate RSA key pair.
+  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+  SECKEYPublicKey* pubKeyRaw = nullptr;
+  ScopedSECKEYPrivateKey privKey(PK11_GenerateKeyPair(slot.get(),
+                                                      CKM_RSA_PKCS_KEY_PAIR_GEN,
+                                                      &rsaGenParams, &pubKeyRaw,
+                                                      false, false, nullptr));
+  ASSERT_TRUE(!!privKey && pubKeyRaw);
+  ScopedSECKEYPublicKey pubKey(pubKeyRaw);
+
+  // Generate random data to sign.
+  uint8_t dataBuf[50];
+  SECItem data = { siBuffer, dataBuf, sizeof(dataBuf) };
+  unsigned int hLen = HASH_ResultLenByOidTag(hashOid);
+  SECStatus rv = PK11_GenerateRandomOnSlot(slot.get(), data.data, data.len);
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Allocate memory for the signature.
+  std::vector<uint8_t> sigBuf(PK11_SignatureLen(privKey.get()));
+  SECItem sig = { siBuffer, &sigBuf[0],
+                  static_cast<unsigned int>(sigBuf.size()) };
+
+  // Set up PSS parameters.
+  CK_RSA_PKCS_PSS_PARAMS rsaPssParams = { hashMech, mgf, hLen };
+  SECItem params = { siBuffer, reinterpret_cast<unsigned char*>(&rsaPssParams),
+                     sizeof(rsaPssParams) };
+
+  // Sign.
+  CK_MECHANISM_TYPE mech = CKM_RSA_PKCS_PSS;
+  rv = PK11_SignWithMechanism(privKey.get(), mech, &params, &sig, &data);
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Verify.
+  rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sig, &data,
+                                nullptr);
+  EXPECT_EQ(rv, SECSuccess);
+
+  // Verification with modified data must fail.
+  data.data[0] ^= 0xff;
+  rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sig, &data,
+                                nullptr);
+  EXPECT_EQ(rv, SECFailure);
+
+  // Verification with original data but the wrong signature must fail.
+  data.data[0] ^= 0xff; // Revert previous changes.
+  sig.data[0] ^= 0xff;
+  rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sig, &data,
+                                nullptr);
+  EXPECT_EQ(rv, SECFailure);
+}
+
+// RSA-PSS test vectors, pss-vect.txt, Example 1.1: A 1024-bit RSA Key Pair
+// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature1) {
+  PSS_TEST_VECTOR_VERIFY(kTestVector1Spki, kTestVector1Data, kTestVector1Sig);
+}
+
+// RSA-PSS test vectors, pss-vect.txt, Example 10.1: A 2048-bit RSA Key Pair
+// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
+TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature2) {
+  PSS_TEST_VECTOR_VERIFY(kTestVector2Spki, kTestVector2Data, kTestVector2Sig);
+}
+
+}  // namespace nss_test
+
--- a/security/nss/external_tests/ssl_gtest/Makefile
+++ b/security/nss/external_tests/ssl_gtest/Makefile
@@ -20,41 +20,26 @@ include $(CORE_DEPTH)/coreconf/config.mk
 # (3) Include "component" configuration information. (OPTIONAL)       #
 #######################################################################
 
 
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 
-include ../../cmd/platlibs.mk
+include ../common/gtest.mk
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
 #######################################################################
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
-MKPROG = $(CCC)
 CFLAGS += -I$(CORE_DEPTH)/lib/ssl
-
-include ../../cmd/platrules.mk
-
-ifeq (WINNT,$(OS_ARCH))
-    # -EHsc because gtest has exception handlers
-    OS_CFLAGS += -EHsc -nologo
-    # http://www.suodenjoki.dk/us/archive/2010/min-max.htm
-    OS_CFLAGS += -DNOMINMAX
-
-    # Linking to winsock to get htonl
-    OS_LIBS += Ws2_32.lib
-else
-    CXXFLAGS += -std=c++0x
-endif
--- a/security/nss/external_tests/ssl_gtest/databuffer.h
+++ b/security/nss/external_tests/ssl_gtest/databuffer.h
@@ -46,19 +46,26 @@ class DataBuffer {
 
   void Truncate(size_t len) {
     len_ = std::min(len_, len);
   }
 
   void Assign(const DataBuffer& other) {
     Assign(other.data(), other.len());
   }
+
   void Assign(const uint8_t* data, size_t len) {
-    Allocate(len);
-    memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len);
+    if (data) {
+      Allocate(len);
+      memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len);
+    } else {
+      assert(len == 0);
+      data_ = nullptr;
+      len_ = 0;
+    }
   }
 
   // Write will do a new allocation and expand the size of the buffer if needed.
   void Write(size_t index, const uint8_t* val, size_t count) {
     if (index + count > len_) {
       size_t newlen = index + count;
       uint8_t* tmp = new uint8_t[newlen]; // Always > 0.
       memcpy(static_cast<void*>(tmp),
@@ -161,11 +168,20 @@ inline std::ostream& operator<<(std::ost
     }
     stream << std::hex << std::setfill('0') << std::setw(2)
            << static_cast<unsigned>(buf.data()[i]);
   }
   stream << std::dec;
   return stream;
 }
 
+inline bool operator==(const DataBuffer& a, const DataBuffer& b) {
+  return (a.empty() && b.empty()) ||
+    (a.len() == b.len() && 0 == memcmp(a.data(), b.data(), a.len()));
+}
+
+inline bool operator!=(const DataBuffer& a, const DataBuffer& b) {
+  return !(a == b);
+}
+
 } // namespace nss_test
 
 #endif
--- a/security/nss/external_tests/ssl_gtest/manifest.mn
+++ b/security/nss/external_tests/ssl_gtest/manifest.mn
@@ -10,17 +10,16 @@ MODULE = nss
 CSRCS = \
       libssl_internals.c \
       $(NULL)
 
 CPPSRCS = \
       ssl_agent_unittest.cc \
       ssl_loopback_unittest.cc \
       ssl_extension_unittest.cc \
-      ssl_prf_unittest.cc \
       ssl_skip_unittest.cc \
       ssl_gtest.cc \
       test_io.cc \
       tls_agent.cc \
       tls_connect.cc \
       tls_filter.cc \
       tls_parser.cc \
       $(NULL)
--- a/security/nss/external_tests/ssl_gtest/ssl_extension_unittest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_extension_unittest.cc
@@ -604,16 +604,120 @@ TEST_P(TlsExtensionTest12Plus, Signature
     uint32_t v;
     EXPECT_TRUE(ext.Read(cursor++, 1, &v));
     EXPECT_EQ(algorithms[i].hashAlg, static_cast<SSLHashType>(v));
     EXPECT_TRUE(ext.Read(cursor++, 1, &v));
     EXPECT_EQ(algorithms[i].sigAlg, static_cast<SSLSignType>(v));
   }
 }
 
+/*
+ * Tests for Certificate Transparency (RFC 6962)
+ */
+
+// Helper class - stores signed certificate timestamps as provided
+// by the relevant callbacks on the client.
+class SignedCertificateTimestampsExtractor {
+ public:
+  SignedCertificateTimestampsExtractor(TlsAgent& client) {
+    client.SetAuthCertificateCallback(
+      [&](TlsAgent& agent, PRBool checksig, PRBool isServer) {
+        const SECItem *scts = SSL_PeerSignedCertTimestamps(agent.ssl_fd());
+        ASSERT_TRUE(scts);
+        auth_timestamps_.reset(new DataBuffer(scts->data, scts->len));
+      }
+    );
+    client.SetHandshakeCallback(
+      [&](TlsAgent& agent) {
+        const SECItem *scts = SSL_PeerSignedCertTimestamps(agent.ssl_fd());
+        ASSERT_TRUE(scts);
+        handshake_timestamps_.reset(new DataBuffer(scts->data, scts->len));
+      }
+    );
+  }
+
+  void assertTimestamps(const DataBuffer& timestamps) {
+    ASSERT_TRUE(auth_timestamps_);
+    ASSERT_EQ(timestamps, *auth_timestamps_);
+
+    ASSERT_TRUE(handshake_timestamps_);
+    ASSERT_EQ(timestamps, *handshake_timestamps_);
+  }
+
+ private:
+  std::unique_ptr<DataBuffer> auth_timestamps_;
+  std::unique_ptr<DataBuffer> handshake_timestamps_;
+};
+
+// Test timestamps extraction during a successful handshake.
+TEST_P(TlsExtensionTestGeneric, SignedCertificateTimestampsHandshake) {
+  uint8_t val[] = { 0x01, 0x23, 0x45, 0x67, 0x89 };
+  const SECItem si_timestamps = { siBuffer, val, sizeof(val) };
+  const DataBuffer timestamps(val, sizeof(val));
+
+  server_->StartConnect();
+  ASSERT_EQ(SECSuccess,
+    SSL_SetSignedCertTimestamps(server_->ssl_fd(),
+      &si_timestamps, server_->kea()));
+
+  client_->StartConnect();
+  ASSERT_EQ(SECSuccess,
+    SSL_OptionSet(client_->ssl_fd(),
+      SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, PR_TRUE));
+
+  SignedCertificateTimestampsExtractor timestamps_extractor(*client_);
+  Handshake();
+  CheckConnected();
+  timestamps_extractor.assertTimestamps(timestamps);
+}
+
+// Test SSL_PeerSignedCertTimestamps returning zero-length SECItem
+// when the client / the server / both have not enabled the feature.
+TEST_P(TlsExtensionTestGeneric, SignedCertificateTimestampsInactiveClient) {
+  uint8_t val[] = { 0x01, 0x23, 0x45, 0x67, 0x89 };
+  const SECItem si_timestamps = { siBuffer, val, sizeof(val) };
+
+  server_->StartConnect();
+  ASSERT_EQ(SECSuccess,
+    SSL_SetSignedCertTimestamps(server_->ssl_fd(),
+      &si_timestamps, server_->kea()));
+
+  client_->StartConnect();
+
+  SignedCertificateTimestampsExtractor timestamps_extractor(*client_);
+  Handshake();
+  CheckConnected();
+  timestamps_extractor.assertTimestamps(DataBuffer());
+}
+
+TEST_P(TlsExtensionTestGeneric, SignedCertificateTimestampsInactiveServer) {
+  server_->StartConnect();
+
+  client_->StartConnect();
+  ASSERT_EQ(SECSuccess,
+    SSL_OptionSet(client_->ssl_fd(),
+      SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, PR_TRUE));
+
+  SignedCertificateTimestampsExtractor timestamps_extractor(*client_);
+  Handshake();
+  CheckConnected();
+  timestamps_extractor.assertTimestamps(DataBuffer());
+}
+
+TEST_P(TlsExtensionTestGeneric, SignedCertificateTimestampsInactiveBoth) {
+  server_->StartConnect();
+  client_->StartConnect();
+
+  SignedCertificateTimestampsExtractor timestamps_extractor(*client_);
+  Handshake();
+  CheckConnected();
+  timestamps_extractor.assertTimestamps(DataBuffer());
+}
+
+
 INSTANTIATE_TEST_CASE_P(ExtensionTls10, TlsExtensionTestGeneric,
                         ::testing::Combine(
                           TlsConnectTestBase::kTlsModesStream,
                           TlsConnectTestBase::kTlsV10));
 INSTANTIATE_TEST_CASE_P(ExtensionVariants, TlsExtensionTestGeneric,
                         ::testing::Combine(
                           TlsConnectTestBase::kTlsModesAll,
                           TlsConnectTestBase::kTlsV11V12));
deleted file mode 100644
--- a/security/nss/external_tests/ssl_gtest/ssl_prf_unittest.cc
+++ /dev/null
@@ -1,253 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nss.h"
-#include "pk11pub.h"
-#include <memory>
-
-#include "gtest_utils.h"
-
-namespace nss_test {
-
-#define CONST_UINT8_TO_UCHAR(a) const_cast<unsigned char*>( \
-    static_cast<const unsigned char *>(a))
-
-const size_t kPmsSize = 48;
-const size_t kMasterSecretSize = 48;
-const size_t kPrfSeedSizeSha256 = 32;
-const size_t kPrfSeedSizeTlsPrf = 36;
-
-// This is not the right size for anything
-const size_t kIncorrectSize = 17;
-
-const uint8_t kPmsData[] = {
-  0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-  0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
-  0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
-  0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
-  0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,
-  0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f
-};
-
-const uint8_t kPrfSeed[] = {
-  0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
-  0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff,
-  0xe0,0xe1,0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,
-  0xe8,0xe9,0xea,0xeb,0xec,0xed,0xee,0xef,
-  0xd0,0xd1,0xd2,0xd3
-};
-
-const uint8_t kExpectedOutputEmsSha256[] = {
-  0x75,0xa7,0xa5,0x98,0xef,0xab,0x90,0xe7,
-  0x7c,0x67,0x80,0xde,0xab,0x3a,0x11,0xf3,
-  0x5d,0xb2,0xf8,0x47,0xff,0x09,0x01,0xec,
-  0xf8,0x93,0x89,0xfc,0x98,0x2e,0x6e,0xf9,
-  0x2c,0xf5,0x9b,0x04,0x04,0x6f,0xd7,0x28,
-  0x6e,0xea,0xe3,0x83,0xc4,0x4a,0xff,0x03
-};
-
-const uint8_t kExpectedOutputEmsTlsPrf[] = {
-  0x06,0xbf,0x29,0x86,0x5d,0xf3,0x3e,0x38,
-  0xfd,0xfa,0x91,0x10,0x2a,0x20,0xff,0xd6,
-  0xb9,0xd5,0x72,0x5a,0x6d,0x42,0x20,0x16,
-  0xde,0xa4,0xa0,0x51,0xe5,0x53,0xc1,0x28,
-  0x04,0x99,0xbc,0xb1,0x2c,0x9d,0xe8,0x0b,
-  0x18,0xa2,0x0e,0x48,0x52,0x8d,0x61,0x13
-};
-
-static unsigned char* toUcharPtr(const uint8_t* v) {
-  return const_cast<unsigned char*>(
-    static_cast<const unsigned char *>(v));
-}
-
-class TlsPrfTest : public ::testing::Test {
- public:
-  TlsPrfTest()
-    : params_({siBuffer, nullptr, 0})
-    , pms_item_({siBuffer, toUcharPtr(kPmsData), kPmsSize})
-    , key_mech_(0)
-    , slot_(nullptr)
-    , pms_(nullptr)
-    , ms_(nullptr)
-    , pms_version_({0, 0}) {}
-
-  ~TlsPrfTest() {
-    if (slot_) { PK11_FreeSlot(slot_); }
-    ClearTempVars();
-  }
-
-  void ClearTempVars() {
-    if (pms_) { PK11_FreeSymKey(pms_); }
-    if (ms_)  { PK11_FreeSymKey(ms_);  }
-  }
-
-  void Init() {
-    params_.type = siBuffer;
-
-    pms_item_.type = siBuffer;
-    pms_item_.data = const_cast<unsigned char*>(
-                        static_cast<const unsigned char *>(kPmsData));
-
-    slot_ = PK11_GetInternalSlot();
-    ASSERT_NE(nullptr, slot_);
-  }
-
-  void CheckForError(CK_MECHANISM_TYPE hash_mech,
-                     size_t seed_len,
-                     size_t pms_len,
-                     size_t output_len) {
-    // Error tests don't depend on the derivation mechansim
-    Inner(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, hash_mech,
-          seed_len, pms_len, output_len, nullptr, nullptr);
-  }
-
-  void ComputeAndVerifyMs(CK_MECHANISM_TYPE derive_mech,
-                          CK_MECHANISM_TYPE hash_mech,
-                          CK_VERSION* version,
-                          const uint8_t* expected) {
-    // Infer seed length from mechanism
-    int seed_len = 0;
-    switch (hash_mech) {
-      case CKM_TLS_PRF: seed_len = kPrfSeedSizeTlsPrf; break;
-      case CKM_SHA256:  seed_len = kPrfSeedSizeSha256; break;
-      default:          ASSERT_TRUE(false);
-    }
-
-    Inner(derive_mech, hash_mech, seed_len,
-          kPmsSize, 0, version, expected);
-  }
-
-
-  // Set output == nullptr to test when errors occur
-  void Inner(
-      CK_MECHANISM_TYPE derive_mech,
-      CK_MECHANISM_TYPE hash_mech,
-      size_t seed_len,
-      size_t pms_len,
-      size_t output_len,
-      CK_VERSION* version,
-      const uint8_t* expected) {
-    ClearTempVars();
-
-    // Infer the key mechanism from the hash type
-    switch (hash_mech) {
-      case CKM_TLS_PRF: key_mech_ = CKM_TLS_KEY_AND_MAC_DERIVE; break;
-      case CKM_SHA256:  key_mech_ = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; break;
-      default:          ASSERT_TRUE(false);
-    }
-
-    // Import the params
-    CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS master_params = {
-      hash_mech,
-      toUcharPtr(kPrfSeed),
-      seed_len,
-      version
-    };
-    params_.data = reinterpret_cast<unsigned char*>(&master_params);
-    params_.len = sizeof(master_params);
-
-    // Import the PMS
-    pms_item_.len = pms_len;
-    pms_ = PK11_ImportSymKey(slot_, derive_mech, PK11_OriginUnwrap,
-                            CKA_DERIVE, &pms_item_, NULL);
-    ASSERT_NE(nullptr, pms_);
-
-
-    // Compute the EMS
-    ms_ = PK11_DeriveWithFlags(pms_, derive_mech, &params_, key_mech_,
-        CKA_DERIVE, output_len, CKF_SIGN | CKF_VERIFY);
-
-    // Verify the EMS has the expected value (null or otherwise)
-    if (!expected) {
-      EXPECT_EQ(nullptr, ms_);
-    } else {
-      ASSERT_NE(nullptr, ms_);
-
-      SECStatus rv = PK11_ExtractKeyValue(ms_);
-      ASSERT_EQ(SECSuccess, rv);
-
-      SECItem *msData = PK11_GetKeyData(ms_);
-      ASSERT_NE(nullptr, msData);
-
-      ASSERT_EQ(kMasterSecretSize, msData->len);
-      EXPECT_EQ(0,
-                memcmp(msData->data, expected, kMasterSecretSize));
-    }
-  }
-
- protected:
-  SECItem params_;
-  SECItem pms_item_;
-  CK_MECHANISM_TYPE key_mech_;
-  PK11SlotInfo *slot_;
-  PK11SymKey *pms_;
-  PK11SymKey *ms_;
-  CK_VERSION pms_version_;
-};
-
-TEST_F(TlsPrfTest, ExtendedMsParamErr) {
-  Init();
-
-  // This should fail; it's the correct set from which the below are derived
-  // CheckForError(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, 0);
-
-  // Output key size != 0, SSL3_MASTER_SECRET_LENGTH
-  CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, kIncorrectSize);
-
-  // not-DH && pms size != SSL3_PMS_LENGTH
-  CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kIncorrectSize, 0);
-
-  // CKM_TLS_PRF && seed length != MD5_LENGTH + SHA1_LENGTH
-  CheckForError(CKM_TLS_PRF, kIncorrectSize, kPmsSize, 0);
-
-  // !CKM_TLS_PRF && seed length != hash output length
-  CheckForError(CKM_SHA256, kIncorrectSize, kPmsSize, 0);
-}
-
-// Test matrix:
-//
-//            DH  RSA
-//  TLS_PRF   1   2
-//  SHA256    3   4
-TEST_F(TlsPrfTest, ExtendedMsDhTlsPrf) {
-  Init();
-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
-                     CKM_TLS_PRF,
-                     nullptr,
-                     kExpectedOutputEmsTlsPrf);
-}
-
-TEST_F(TlsPrfTest, ExtendedMsRsaTlsPrf) {
-  Init();
-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
-                     CKM_TLS_PRF,
-                     &pms_version_,
-                     kExpectedOutputEmsTlsPrf);
-  EXPECT_EQ(0, pms_version_.major);
-  EXPECT_EQ(1, pms_version_.minor);
-}
-
-
-TEST_F(TlsPrfTest, ExtendedMsDhSha256) {
-  Init();
-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
-                     CKM_SHA256,
-                     nullptr,
-                     kExpectedOutputEmsSha256);
-}
-
-TEST_F(TlsPrfTest, ExtendedMsRsaSha256) {
-  Init();
-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
-                     CKM_SHA256,
-                     &pms_version_,
-                     kExpectedOutputEmsSha256);
-  EXPECT_EQ(0, pms_version_.major);
-  EXPECT_EQ(1, pms_version_.minor);
-}
-
-}  // namespace nss_test
-
--- a/security/nss/external_tests/ssl_gtest/tls_agent.cc
+++ b/security/nss/external_tests/ssl_gtest/tls_agent.cc
@@ -35,17 +35,19 @@ TlsAgent::TlsAgent(const std::string& na
     expect_resumption_(false),
     can_falsestart_hook_called_(false),
     sni_hook_called_(false),
     auth_certificate_hook_called_(false),
     handshake_callback_called_(false),
     error_code_(0),
     send_ctr_(0),
     recv_ctr_(0),
-    expected_read_error_(false) {
+    expected_read_error_(false),
+    handshake_callback_(),
+    auth_certificate_callback_() {
 
   memset(&info_, 0, sizeof(info_));
   memset(&csinfo_, 0, sizeof(csinfo_));
   SECStatus rv = SSL_VersionRangeGetDefault(mode_ == STREAM ?
                                             ssl_variant_stream : ssl_variant_datagram,
                                             &vrange_);
   EXPECT_EQ(SECSuccess, rv);
 }
--- a/security/nss/external_tests/ssl_gtest/tls_agent.h
+++ b/security/nss/external_tests/ssl_gtest/tls_agent.h
@@ -6,16 +6,17 @@
 
 #ifndef tls_agent_h_
 #define tls_agent_h_
 
 #include "prio.h"
 #include "ssl.h"
 
 #include <iostream>
+#include <functional>
 
 #include "test_io.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 
 namespace nss_test {
 
@@ -23,16 +24,26 @@ namespace nss_test {
 
 enum SessionResumptionMode {
   RESUME_NONE = 0,
   RESUME_SESSIONID = 1,
   RESUME_TICKET = 2,
   RESUME_BOTH = RESUME_SESSIONID | RESUME_TICKET
 };
 
+class TlsAgent;
+
+typedef
+  std::function<void(TlsAgent& agent, PRBool checksig, PRBool isServer)>
+  AuthCertificateCallbackFunction;
+
+typedef
+  std::function<void(TlsAgent& agent)>
+  HandshakeCallbackFunction;
+
 class TlsAgent : public PollTarget {
  public:
   enum Role { CLIENT, SERVER };
   enum State { STATE_INIT, STATE_CONNECTING, STATE_CONNECTED, STATE_ERROR };
 
   TlsAgent(const std::string& name, Role role, Mode mode, SSLKEAType kea);
   virtual ~TlsAgent();
 
@@ -89,18 +100,22 @@ class TlsAgent : public PollTarget {
   void CheckErrorCode(int32_t expected) const;
   void SendData(size_t bytes, size_t blocksize = 1024);
   void ReadBytes();
   void ResetSentBytes(); // Hack to test drops.
   void EnableExtendedMasterSecret();
   void CheckExtendedMasterSecret(bool expected);
   void DisableRollbackDetection();
 
+  Role role() const { return role_; }
+
   State state() const { return state_; }
 
+  SSLKEAType kea() const { return kea_; }
+
   const char* state_str() const { return state_str(state()); }
 
   const char* state_str(State state) const { return states[state]; }
 
   PRFileDesc* ssl_fd() { return ssl_fd_; }
   DummyPrSocket* adapter() { return adapter_; }
 
   uint16_t min_version() const { return vrange_.min; }
@@ -126,16 +141,25 @@ class TlsAgent : public PollTarget {
   std::vector<uint8_t> session_id() const {
     return std::vector<uint8_t>(info_.sessionID,
                                 info_.sessionID + info_.sessionIDLength);
   }
 
   size_t received_bytes() const { return recv_ctr_; }
   int32_t error_code() const { return error_code_; }
 
+  void SetHandshakeCallback(HandshakeCallbackFunction handshake_callback) {
+    handshake_callback_ = handshake_callback;
+  }
+
+  void SetAuthCertificateCallback(
+      AuthCertificateCallbackFunction auth_certificate_callback) {
+    auth_certificate_callback_ = auth_certificate_callback;
+  }
+
  private:
   const static char* states[];
 
   void SetState(State state) {
     if (state_ == state) return;
 
     LOG("Changing state from " << state_str(state_) << " to "
                                << state_str(state));
@@ -143,25 +167,31 @@ class TlsAgent : public PollTarget {
   }
 
   // Dummy auth certificate hook.
   static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd,
                                        PRBool checksig, PRBool isServer) {
     TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
     agent->CheckPreliminaryInfo();
     agent->auth_certificate_hook_called_ = true;
+    if (agent->auth_certificate_callback_) {
+      agent->auth_certificate_callback_(*agent, checksig, isServer);
+    }
     return SECSuccess;
   }
 
   // Client auth certificate hook.
   static SECStatus ClientAuthenticated(void* arg, PRFileDesc* fd,
                                        PRBool checksig, PRBool isServer) {
     TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
     EXPECT_TRUE(agent->expect_client_auth_);
     EXPECT_TRUE(isServer);
+    if (agent->auth_certificate_callback_) {
+      agent->auth_certificate_callback_(*agent, checksig, isServer);
+    }
     return SECSuccess;
   }
 
   static SECStatus GetClientAuthDataHook(void* self, PRFileDesc* fd,
                                          CERTDistNames* caNames,
                                          CERTCertificate** cert,
                                          SECKEYPrivateKey** privKey);
 
@@ -203,16 +233,19 @@ class TlsAgent : public PollTarget {
     *canFalseStart = true;
     return SECSuccess;
   }
 
   static void HandshakeCallback(PRFileDesc *fd, void *arg) {
     TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
     agent->CheckPreliminaryInfo();
     agent->handshake_callback_called_ = true;
+    if (agent->handshake_callback_) {
+      agent->handshake_callback_(*agent);
+    }
   }
 
   void CheckCallbacks() const;
   void Connected();
 
   const std::string name_;
   Mode mode_;
   SSLKEAType kea_;
@@ -232,16 +265,18 @@ class TlsAgent : public PollTarget {
   bool handshake_callback_called_;
   SSLChannelInfo info_;
   SSLCipherSuiteInfo csinfo_;
   SSLVersionRange vrange_;
   int32_t error_code_;
   size_t send_ctr_;
   size_t recv_ctr_;
   bool expected_read_error_;
+  HandshakeCallbackFunction handshake_callback_;
+  AuthCertificateCallbackFunction auth_certificate_callback_;
 };
 
 class TlsAgentTestBase : public ::testing::Test {
  public:
   static ::testing::internal::ParamGenerator<std::string> kTlsRolesAll;
 
   TlsAgentTestBase(TlsAgent::Role role,
                    Mode mode) : agent_(nullptr),
--- a/security/nss/lib/Makefile
+++ b/security/nss/lib/Makefile
@@ -41,35 +41,53 @@ ifeq ($(OS_ARCH),Linux)
 SYSINIT_SRCDIR = sysinit  # Add the sysinit directory to DIRS.
 endif
 endif
 
 ifndef NSS_DISABLE_DBM
 DBM_SRCDIR = dbm  # Add the dbm directory to DIRS.
 endif
 
+ifeq ($(NSS_BUILD_UTIL_ONLY),1)
+SYSINIT_SRCDIR=
+endif
+
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
 #######################################################################
 
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
-ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
-# Not included when building nss without softoken
-UTIL_SRCDIR =
-FREEBL_SRCDIR =
-SOFTOKEN_SRCDIR =
+ifeq ($(NSS_BUILD_UTIL_ONLY),1)
+  UTIL_SRCDIR = util
+  FREEBL_SRCDIR =
+  SOFTOKEN_SRCDIR =
 else
-# default is to include all
-UTIL_SRCDIR = util
-FREEBL_SRCDIR = freebl
-SOFTOKEN_SRCDIR = softoken
+  ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
+      UTIL_SRCDIR =
+      FREEBL_SRCDIR = freebl
+      SOFTOKEN_SRCDIR = softoken
+  else
+    ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+      # Not included when building nss without softoken
+      # This build type uses the build results of the prior
+      # NSS_BUILD_UTIL_ONLY and NSS_BUILD_SOFTOKEN_ONLY builds
+      UTIL_SRCDIR =
+      FREEBL_SRCDIR =
+      SOFTOKEN_SRCDIR =
+    else
+      # default is to include all
+      UTIL_SRCDIR = util
+      FREEBL_SRCDIR = freebl
+      SOFTOKEN_SRCDIR = softoken
+    endif
+  endif
 endif
--- a/security/nss/lib/base/arena.c
+++ b/security/nss/lib/base/arena.c
@@ -36,110 +36,104 @@
  *
  * The nonpublic methods relating to this type are:
  *
  *  nssArena_Create  -- constructor
  *  nssArena_Destroy
  *  nssArena_Mark
  *  nssArena_Release
  *  nssArena_Unmark
- * 
+ *
  *  nss_ZAlloc
  *  nss_ZFreeIf
  *  nss_ZRealloc
  *
  * In debug builds, the following calls are available:
  *
  *  nssArena_verifyPointer
  *  nssArena_registerDestructor
  *  nssArena_deregisterDestructor
  */
 
 struct NSSArenaStr {
-  PLArenaPool pool;
-  PRLock *lock;
+    PLArenaPool pool;
+    PRLock *lock;
 #ifdef ARENA_THREADMARK
-  PRThread *marking_thread;
-  nssArenaMark *first_mark;
-  nssArenaMark *last_mark;
+    PRThread *marking_thread;
+    nssArenaMark *first_mark;
+    nssArenaMark *last_mark;
 #endif /* ARENA_THREADMARK */
 #ifdef ARENA_DESTRUCTOR_LIST
-  struct arena_destructor_node *first_destructor;
-  struct arena_destructor_node *last_destructor;
+    struct arena_destructor_node *first_destructor;
+    struct arena_destructor_node *last_destructor;
 #endif /* ARENA_DESTRUCTOR_LIST */
 };
 
 /*
  * nssArenaMark
  *
  * This type is used to mark the current state of an NSSArena.
  */
 
 struct nssArenaMarkStr {
-  PRUint32 magic;
-  void *mark;
+    PRUint32 magic;
+    void *mark;
 #ifdef ARENA_THREADMARK
-  nssArenaMark *next;
+    nssArenaMark *next;
 #endif /* ARENA_THREADMARK */
 #ifdef ARENA_DESTRUCTOR_LIST
-  struct arena_destructor_node *next_destructor;
-  struct arena_destructor_node *prev_destructor;
+    struct arena_destructor_node *next_destructor;
+    struct arena_destructor_node *prev_destructor;
 #endif /* ARENA_DESTRUCTOR_LIST */
 };
 
 #define MARK_MAGIC 0x4d41524b /* "MARK" how original */
 
 /*
  * But first, the pointer-tracking code
  */
 #ifdef DEBUG
 extern const NSSError NSS_ERROR_INTERNAL_ERROR;
 
 static nssPointerTracker arena_pointer_tracker;
 
 static PRStatus
-arena_add_pointer
-(
-  const NSSArena *arena
-)
+arena_add_pointer(const NSSArena *arena)
 {
-  PRStatus rv;
+    PRStatus rv;
+
+    rv = nssPointerTracker_initialize(&arena_pointer_tracker);
+    if (PR_SUCCESS != rv) {
+        return rv;
+    }
 
-  rv = nssPointerTracker_initialize(&arena_pointer_tracker);
-  if( PR_SUCCESS != rv ) {
-    return rv;
-  }
+    rv = nssPointerTracker_add(&arena_pointer_tracker, arena);
+    if (PR_SUCCESS != rv) {
+        NSSError e = NSS_GetError();
+        if (NSS_ERROR_NO_MEMORY != e) {
+            nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+        }
+
+        return rv;
+    }
 
-  rv = nssPointerTracker_add(&arena_pointer_tracker, arena);
-  if( PR_SUCCESS != rv ) {
-    NSSError e = NSS_GetError();
-    if( NSS_ERROR_NO_MEMORY != e ) {
-      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+    return PR_SUCCESS;
+}
+
+static PRStatus
+arena_remove_pointer(const NSSArena *arena)
+{
+    PRStatus rv;
+
+    rv = nssPointerTracker_remove(&arena_pointer_tracker, arena);
+    if (PR_SUCCESS != rv) {
+        nss_SetError(NSS_ERROR_INTERNAL_ERROR);
     }
 
     return rv;
-  }
-
-  return PR_SUCCESS;
-}
-
-static PRStatus
-arena_remove_pointer
-(
-  const NSSArena *arena
-)
-{
-  PRStatus rv;
-
-  rv = nssPointerTracker_remove(&arena_pointer_tracker, arena);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-  }
-
-  return rv;
 }
 
 /*
  * nssArena_verifyPointer
  *
  * This method is only present in debug builds.
  *
  * If the specified pointer is a valid pointer to an NSSArena object,
@@ -150,186 +144,172 @@ arena_remove_pointer
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS if the pointer is valid
  *  PR_FAILURE if it isn't
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_verifyPointer
-(
-  const NSSArena *arena
-)
+nssArena_verifyPointer(const NSSArena *arena)
 {
-  PRStatus rv;
+    PRStatus rv;
 
-  rv = nssPointerTracker_initialize(&arena_pointer_tracker);
-  if( PR_SUCCESS != rv ) {
-    /*
-     * This is a little disingenious.  We have to initialize the
-     * tracker, because someone could "legitimately" try to verify
-     * an arena pointer before one is ever created.  And this step
-     * might fail, due to lack of memory.  But the only way that
-     * this step can fail is if it's doing the call_once stuff,
-     * (later calls just no-op).  And if it didn't no-op, there
-     * aren't any valid arenas.. so the argument certainly isn't one.
-     */
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return PR_FAILURE;
-  }
+    rv = nssPointerTracker_initialize(&arena_pointer_tracker);
+    if (PR_SUCCESS != rv) {
+        /*
+         * This is a little disingenious.  We have to initialize the
+         * tracker, because someone could "legitimately" try to verify
+         * an arena pointer before one is ever created.  And this step
+         * might fail, due to lack of memory.  But the only way that
+         * this step can fail is if it's doing the call_once stuff,
+         * (later calls just no-op).  And if it didn't no-op, there
+         * aren't any valid arenas.. so the argument certainly isn't one.
+         */
+        nss_SetError(NSS_ERROR_INVALID_ARENA);
+        return PR_FAILURE;
+    }
 
-  rv = nssPointerTracker_verify(&arena_pointer_tracker, arena);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return PR_FAILURE;
-  }
+    rv = nssPointerTracker_verify(&arena_pointer_tracker, arena);
+    if (PR_SUCCESS != rv) {
+        nss_SetError(NSS_ERROR_INVALID_ARENA);
+        return PR_FAILURE;
+    }
 
-  return PR_SUCCESS;
+    return PR_SUCCESS;
 }
 #endif /* DEBUG */
 
 #ifdef ARENA_DESTRUCTOR_LIST
 
 struct arena_destructor_node {
-  struct arena_destructor_node *next;
-  struct arena_destructor_node *prev;
-  void (*destructor)(void *argument);
-  void *arg;
+    struct arena_destructor_node *next;
+    struct arena_destructor_node *prev;
+    void (*destructor)(void *argument);
+    void *arg;
 };
 
 /*
  * nssArena_registerDestructor
  *
  * This routine stores a pointer to a callback and an arbitrary
  * pointer-sized argument in the arena, at the current point in
  * the mark stack.  If the arena is destroyed, or an "earlier"
  * mark is released, then this destructor will be called at that
  * time.  Note that the destructor will be called with the arena
  * locked, which means the destructor may free memory in that
  * arena, but it may not allocate or cause to be allocated any
  * memory.  This callback facility was included to support our
  * debug-version pointer-tracker feature; overuse runs counter to
- * the the original intent of arenas.  This routine returns a 
- * PRStatus value; if successful, it will return PR_SUCCESS.  If 
- * unsuccessful, it will set an error on the error stack and 
+ * the the original intent of arenas.  This routine returns a
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If
+ * unsuccessful, it will set an error on the error stack and
  * return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_registerDestructor
-(
-  NSSArena *arena,
-  void (*destructor)(void *argument),
-  void *arg
-)
+nssArena_registerDestructor(NSSArena *arena, void (*destructor)(void *argument),
+                            void *arg)
 {
-  struct arena_destructor_node *it;
+    struct arena_destructor_node *it;
 
 #ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
+    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+        return PR_FAILURE;
+    }
 #endif /* NSSDEBUG */
-  
-  it = nss_ZNEW(arena, struct arena_destructor_node);
-  if( (struct arena_destructor_node *)NULL == it ) {
-    return PR_FAILURE;
-  }
+
+    it = nss_ZNEW(arena, struct arena_destructor_node);
+    if ((struct arena_destructor_node *)NULL == it) {
+        return PR_FAILURE;
+    }
 
-  it->prev = arena->last_destructor;
-  arena->last_destructor->next = it;
-  arena->last_destructor = it;
-  it->destructor = destructor;
-  it->arg = arg;
+    it->prev = arena->last_destructor;
+    arena->last_destructor->next = it;
+    arena->last_destructor = it;
+    it->destructor = destructor;
+    it->arg = arg;
 
-  if( (nssArenaMark *)NULL != arena->last_mark ) {
-    arena->last_mark->prev_destructor = it->prev;
-    arena->last_mark->next_destructor = it->next;
-  }
+    if ((nssArenaMark *)NULL != arena->last_mark) {
+        arena->last_mark->prev_destructor = it->prev;
+        arena->last_mark->next_destructor = it->next;
+    }
 
-  return PR_SUCCESS;
+    return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT PRStatus
-nssArena_deregisterDestructor
-(
-  NSSArena *arena,
-  void (*destructor)(void *argument),
-  void *arg
-)
+nssArena_deregisterDestructor(NSSArena *arena,
+                              void (*destructor)(void *argument), void *arg)
 {
-  struct arena_destructor_node *it;
+    struct arena_destructor_node *it;
 
 #ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
+    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+        return PR_FAILURE;
+    }
 #endif /* NSSDEBUG */
 
-  for( it = arena->first_destructor; it; it = it->next ) {
-    if( (it->destructor == destructor) && (it->arg == arg) ) {
-      break;
+    for (it = arena->first_destructor; it; it = it->next) {
+        if ((it->destructor == destructor) && (it->arg == arg)) {
+            break;
+        }
     }
-  }
 
-  if( (struct arena_destructor_node *)NULL == it ) {
-    nss_SetError(NSS_ERROR_NOT_FOUND);
-    return PR_FAILURE;
-  }
+    if ((struct arena_destructor_node *)NULL == it) {
+        nss_SetError(NSS_ERROR_NOT_FOUND);
+        return PR_FAILURE;
+    }
 
-  if( it == arena->first_destructor ) {
-    arena->first_destructor = it->next;
-  }
+    if (it == arena->first_destructor) {
+        arena->first_destructor = it->next;
+    }
 
-  if( it == arena->last_destructor ) {
-    arena->last_destructor = it->prev;
-  }
+    if (it == arena->last_destructor) {
+        arena->last_destructor = it->prev;
+    }
 
-  if( (struct arena_destructor_node *)NULL != it->prev ) {
-    it->prev->next = it->next;
-  }
+    if ((struct arena_destructor_node *)NULL != it->prev) {
+        it->prev->next = it->next;
+    }
 
-  if( (struct arena_destructor_node *)NULL != it->next ) {
-    it->next->prev = it->prev;
-  }
+    if ((struct arena_destructor_node *)NULL != it->next) {
+        it->next->prev = it->prev;
+    }
 
-  {
-    nssArenaMark *m;
-    for( m = arena->first_mark; m; m = m->next ) {
-      if( m->next_destructor == it ) {
-        m->next_destructor = it->next;
-      }
-      if( m->prev_destructor == it ) {
-        m->prev_destructor = it->prev;
-      }
+    {
+        nssArenaMark *m;
+        for (m = arena->first_mark; m; m = m->next) {
+            if (m->next_destructor == it) {
+                m->next_destructor = it->next;
+            }
+            if (m->prev_destructor == it) {
+                m->prev_destructor = it->prev;
+            }
+        }
     }
-  }
 
-  nss_ZFreeIf(it);
-  return PR_SUCCESS;
+    nss_ZFreeIf(it);
+    return PR_SUCCESS;
 }
 
 static void
-nss_arena_call_destructor_chain
-(
-  struct arena_destructor_node *it
-)
+nss_arena_call_destructor_chain(struct arena_destructor_node *it)
 {
-  for( ; it ; it = it->next ) {
-    (*(it->destructor))(it->arg);
-  }
+    for (; it; it = it->next) {
+        (*(it->destructor))(it->arg);
+    }
 }
 
 #endif /* ARENA_DESTRUCTOR_LIST */
 
 /*
  * NSSArena_Create
  *
  * This routine creates a new memory arena.  This routine may return
@@ -339,382 +319,367 @@ nss_arena_call_destructor_chain
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to an NSSArena upon success
  */
 
 NSS_IMPLEMENT NSSArena *
-NSSArena_Create
-(
-  void
-)
+NSSArena_Create(void)
 {
-  nss_ClearErrorStack();
-  return nssArena_Create();
+    nss_ClearErrorStack();
+    return nssArena_Create();
 }
 
 /*
  * nssArena_Create
  *
  * This routine creates a new memory arena.  This routine may return
- * NULL upon error, in which case it will have set an error on the 
+ * NULL upon error, in which case it will have set an error on the
  * error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to an NSSArena upon success
  */
 
 NSS_IMPLEMENT NSSArena *
-nssArena_Create
-(
-  void
-)
+nssArena_Create(void)
 {
-  NSSArena *rv = (NSSArena *)NULL;
+    NSSArena *rv = (NSSArena *)NULL;
 
-  rv = nss_ZNEW((NSSArena *)NULL, NSSArena);
-  if( (NSSArena *)NULL == rv ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (NSSArena *)NULL;
-  }
+    rv = nss_ZNEW((NSSArena *)NULL, NSSArena);
+    if ((NSSArena *)NULL == rv) {
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+        return (NSSArena *)NULL;
+    }
+
+    rv->lock = PR_NewLock();
+    if ((PRLock *)NULL == rv->lock) {
+        (void)nss_ZFreeIf(rv);
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+        return (NSSArena *)NULL;
+    }
 
-  rv->lock = PR_NewLock();
-  if( (PRLock *)NULL == rv->lock ) {
-    (void)nss_ZFreeIf(rv);
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (NSSArena *)NULL;
-  }
+    /*
+     * Arena sizes.  The current security code has 229 occurrences of
+     * PORT_NewArena.  The default chunksizes specified break down as
+     *
+     *  Size    Mult.   Specified as
+     *   512       1    512
+     *  1024       7    1024
+     *  2048       5    2048
+     *  2048       5    CRMF_DEFAULT_ARENA_SIZE
+     *  2048     190    DER_DEFAULT_CHUNKSIZE
+     *  2048      20    SEC_ASN1_DEFAULT_ARENA_SIZE
+     *  4096       1    4096
+     *
+     * Obviously this "default chunksize" flexibility isn't very
+     * useful to us, so I'll just pick 2048.
+     */
 
-  /*
-   * Arena sizes.  The current security code has 229 occurrences of
-   * PORT_NewArena.  The default chunksizes specified break down as
-   *
-   *  Size    Mult.   Specified as
-   *   512       1    512
-   *  1024       7    1024
-   *  2048       5    2048
-   *  2048       5    CRMF_DEFAULT_ARENA_SIZE
-   *  2048     190    DER_DEFAULT_CHUNKSIZE
-   *  2048      20    SEC_ASN1_DEFAULT_ARENA_SIZE
-   *  4096       1    4096
-   *
-   * Obviously this "default chunksize" flexibility isn't very 
-   * useful to us, so I'll just pick 2048.
-   */
-
-  PL_InitArenaPool(&rv->pool, "NSS", 2048, sizeof(double));
+    PL_InitArenaPool(&rv->pool, "NSS", 2048, sizeof(double));
 
 #ifdef DEBUG
-  {
-    PRStatus st;
-    st = arena_add_pointer(rv);
-    if( PR_SUCCESS != st ) {
-      PL_FinishArenaPool(&rv->pool);
-      PR_DestroyLock(rv->lock);
-      (void)nss_ZFreeIf(rv);
-      return (NSSArena *)NULL;
+    {
+        PRStatus st;
+        st = arena_add_pointer(rv);
+        if (PR_SUCCESS != st) {
+            PL_FinishArenaPool(&rv->pool);
+            PR_DestroyLock(rv->lock);
+            (void)nss_ZFreeIf(rv);
+            return (NSSArena *)NULL;
+        }
     }
-  }
 #endif /* DEBUG */
 
-  return rv;
+    return rv;
 }
 
 /*
  * NSSArena_Destroy
  *
  * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if 
+ * allocated from it.  This routine returns a PRStatus value; if
  * successful, it will return PR_SUCCESS.  If unsuccessful, it will
  * create an error stack and return PR_FAILURE.
  *
  * The top-level error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS upon success
  *  PR_FAILURE upon failure
  */
 
 NSS_IMPLEMENT PRStatus
-NSSArena_Destroy
-(
-  NSSArena *arena
-)
+NSSArena_Destroy(NSSArena *arena)
 {
-  nss_ClearErrorStack();
+    nss_ClearErrorStack();
 
 #ifdef DEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
+    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+        return PR_FAILURE;
+    }
 #endif /* DEBUG */
 
-  return nssArena_Destroy(arena);
+    return nssArena_Destroy(arena);
 }
 
 /*
  * nssArena_Destroy
  *
  * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if 
+ * allocated from it.  This routine returns a PRStatus value; if
  * successful, it will return PR_SUCCESS.  If unsuccessful, it will
  * set an error on the error stack and return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_Destroy
-(
-  NSSArena *arena
-)
+nssArena_Destroy(NSSArena *arena)
 {
-  PRLock *lock;
+    PRLock *lock;
 
 #ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
+    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+        return PR_FAILURE;
+    }
 #endif /* NSSDEBUG */
 
-  if( (PRLock *)NULL == arena->lock ) {
-    /* Just got destroyed */
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return PR_FAILURE;
-  }
-  PR_Lock(arena->lock);
-  
+    if ((PRLock *)NULL == arena->lock) {
+        /* Just got destroyed */
+        nss_SetError(NSS_ERROR_INVALID_ARENA);
+        return PR_FAILURE;
+    }
+    PR_Lock(arena->lock);
+
 #ifdef DEBUG
-  if( PR_SUCCESS != arena_remove_pointer(arena) ) {
-    PR_Unlock(arena->lock);
-    return PR_FAILURE;
-  }
+    if (PR_SUCCESS != arena_remove_pointer(arena)) {
+        PR_Unlock(arena->lock);
+        return PR_FAILURE;
+    }
 #endif /* DEBUG */
 
 #ifdef ARENA_DESTRUCTOR_LIST
-  /* Note that the arena is locked at this time */
-  nss_arena_call_destructor_chain(arena->first_destructor);
+    /* Note that the arena is locked at this time */
+    nss_arena_call_destructor_chain(arena->first_destructor);
 #endif /* ARENA_DESTRUCTOR_LIST */
 
-  PL_FinishArenaPool(&arena->pool);
-  lock = arena->lock;
-  arena->lock = (PRLock *)NULL;
-  PR_Unlock(lock);
-  PR_DestroyLock(lock);
-  (void)nss_ZFreeIf(arena);
-  return PR_SUCCESS;
+    PL_FinishArenaPool(&arena->pool);
+    lock = arena->lock;
+    arena->lock = (PRLock *)NULL;
+    PR_Unlock(lock);
+    PR_DestroyLock(lock);
+    (void)nss_ZFreeIf(arena);
+    return PR_SUCCESS;
 }
 
 static void *nss_zalloc_arena_locked(NSSArena *arena, PRUint32 size);
 
 /*
  * nssArena_Mark
  *
  * This routine "marks" the current state of an arena.  Space
  * allocated after the arena has been marked can be freed by
  * releasing the arena back to the mark with nssArena_Release,
- * or committed by calling nssArena_Unmark.  When successful, 
- * this routine returns a valid nssArenaMark pointer.  This 
- * routine may return NULL upon error, in which case it will 
+ * or committed by calling nssArena_Unmark.  When successful,
+ * this routine returns a valid nssArenaMark pointer.  This
+ * routine may return NULL upon error, in which case it will
  * have set an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon failure
  *  An nssArenaMark pointer upon success
  */
 
 NSS_IMPLEMENT nssArenaMark *
-nssArena_Mark
-(
-  NSSArena *arena
-)
+nssArena_Mark(NSSArena *arena)
 {
-  nssArenaMark *rv;
-  void *p;
+    nssArenaMark *rv;
+    void *p;
 
 #ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return (nssArenaMark *)NULL;
-  }
+    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+        return (nssArenaMark *)NULL;
+    }
 #endif /* NSSDEBUG */
 
-  if( (PRLock *)NULL == arena->lock ) {
-    /* Just got destroyed */
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return (nssArenaMark *)NULL;
-  }
-  PR_Lock(arena->lock);
+    if ((PRLock *)NULL == arena->lock) {
+        /* Just got destroyed */
+        nss_SetError(NSS_ERROR_INVALID_ARENA);
+        return (nssArenaMark *)NULL;
+    }
+    PR_Lock(arena->lock);
 
 #ifdef ARENA_THREADMARK
-  if( (PRThread *)NULL == arena->marking_thread ) {
-    /* Unmarked.  Store our thread ID */
-    arena->marking_thread = PR_GetCurrentThread();
-    /* This call never fails. */
-  } else {
-    /* Marked.  Verify it's the current thread */
-    if( PR_GetCurrentThread() != arena->marking_thread ) {
-      PR_Unlock(arena->lock);
-      nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-      return (nssArenaMark *)NULL;
+    if ((PRThread *)NULL == arena->marking_thread) {
+        /* Unmarked.  Store our thread ID */
+        arena->marking_thread = PR_GetCurrentThread();
+        /* This call never fails. */
     }
-  }
+    else {
+        /* Marked.  Verify it's the current thread */
+        if (PR_GetCurrentThread() != arena->marking_thread) {
+            PR_Unlock(arena->lock);
+            nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+            return (nssArenaMark *)NULL;
+        }
+    }
 #endif /* ARENA_THREADMARK */
 
-  p = PL_ARENA_MARK(&arena->pool);
-  /* No error possible */
+    p = PL_ARENA_MARK(&arena->pool);
+    /* No error possible */
 
-  /* Do this after the mark */
-  rv = (nssArenaMark *)nss_zalloc_arena_locked(arena, sizeof(nssArenaMark));
-  if( (nssArenaMark *)NULL == rv ) {
-    PR_Unlock(arena->lock);
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (nssArenaMark *)NULL;
-  }
+    /* Do this after the mark */
+    rv = (nssArenaMark *)nss_zalloc_arena_locked(arena, sizeof(nssArenaMark));
+    if ((nssArenaMark *)NULL == rv) {
+        PR_Unlock(arena->lock);
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+        return (nssArenaMark *)NULL;
+    }
 
 #ifdef ARENA_THREADMARK
-  if ( (nssArenaMark *)NULL == arena->first_mark) {
-    arena->first_mark = rv;
-    arena->last_mark = rv;
-  } else {
-    arena->last_mark->next = rv;
-    arena->last_mark = rv;
-  }
+    if ((nssArenaMark *)NULL == arena->first_mark) {
+        arena->first_mark = rv;
+        arena->last_mark = rv;
+    }
+    else {
+        arena->last_mark->next = rv;
+        arena->last_mark = rv;
+    }
 #endif /* ARENA_THREADMARK */
 
-  rv->mark = p;
-  rv->magic = MARK_MAGIC;
+    rv->mark = p;
+    rv->magic = MARK_MAGIC;
 
 #ifdef ARENA_DESTRUCTOR_LIST
-  rv->prev_destructor = arena->last_destructor;
+    rv->prev_destructor = arena->last_destructor;
 #endif /* ARENA_DESTRUCTOR_LIST */
 
-  PR_Unlock(arena->lock);
+    PR_Unlock(arena->lock);
 
-  return rv;
+    return rv;
 }
 
 /*
  * nss_arena_unmark_release
  *
  * This static routine implements the routines nssArena_Release
  * ans nssArena_Unmark, which are almost identical.
  */
 
 static PRStatus
-nss_arena_unmark_release
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark,
-  PRBool release
-)
+nss_arena_unmark_release(NSSArena *arena, nssArenaMark *arenaMark,
+                         PRBool release)
 {
-  void *inner_mark;
+    void *inner_mark;
 
 #ifdef NSSDEBUG
-  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-    return PR_FAILURE;
-  }
+    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+        return PR_FAILURE;
+    }
 #endif /* NSSDEBUG */
 
-  if( MARK_MAGIC != arenaMark->magic ) {
-    nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
-    return PR_FAILURE;
-  }
+    if (MARK_MAGIC != arenaMark->magic) {
+        nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
+        return PR_FAILURE;
+    }
 
-  if( (PRLock *)NULL == arena->lock ) {
-    /* Just got destroyed */
-    nss_SetError(NSS_ERROR_INVALID_ARENA);
-    return PR_FAILURE;
-  }
-  PR_Lock(arena->lock);
+    if ((PRLock *)NULL == arena->lock) {
+        /* Just got destroyed */
+        nss_SetError(NSS_ERROR_INVALID_ARENA);
+        return PR_FAILURE;
+    }
+    PR_Lock(arena->lock);
 
 #ifdef ARENA_THREADMARK
-  if( (PRThread *)NULL != arena->marking_thread ) {
-    if( PR_GetCurrentThread() != arena->marking_thread ) {
-      PR_Unlock(arena->lock);
-      nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-      return PR_FAILURE;
+    if ((PRThread *)NULL != arena->marking_thread) {
+        if (PR_GetCurrentThread() != arena->marking_thread) {
+            PR_Unlock(arena->lock);
+            nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+            return PR_FAILURE;
+        }
     }
-  }
 #endif /* ARENA_THREADMARK */
 
-  if( MARK_MAGIC != arenaMark->magic ) {
-    /* Just got released */
-    PR_Unlock(arena->lock);
-    nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
-    return PR_FAILURE;
-  }
-
-  arenaMark->magic = 0;
-  inner_mark = arenaMark->mark;
-
-#ifdef ARENA_THREADMARK
-  {
-    nssArenaMark **pMark = &arena->first_mark;
-    nssArenaMark *rest;
-    nssArenaMark *last = (nssArenaMark *)NULL;
-
-    /* Find this mark */
-    while( *pMark != arenaMark ) {
-      last = *pMark;
-      pMark = &(*pMark)->next;
+    if (MARK_MAGIC != arenaMark->magic) {
+        /* Just got released */
+        PR_Unlock(arena->lock);
+        nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
+        return PR_FAILURE;
     }
 
-    /* Remember the pointer, then zero it */
-    rest = (*pMark)->next;
-    *pMark = (nssArenaMark *)NULL;
+    arenaMark->magic = 0;
+    inner_mark = arenaMark->mark;
 
-    arena->last_mark = last;
+#ifdef ARENA_THREADMARK
+    {
+        nssArenaMark **pMark = &arena->first_mark;
+        nssArenaMark *rest;
+        nssArenaMark *last = (nssArenaMark *)NULL;
+
+        /* Find this mark */
+        while (*pMark != arenaMark) {
+            last = *pMark;
+            pMark = &(*pMark)->next;
+        }
 
-    /* Invalidate any later marks being implicitly released */
-    for( ; (nssArenaMark *)NULL != rest; rest = rest->next ) {
-      rest->magic = 0;
-    }
+        /* Remember the pointer, then zero it */
+        rest = (*pMark)->next;
+        *pMark = (nssArenaMark *)NULL;
+
+        arena->last_mark = last;
 
-    /* If we just got rid of the first mark, clear the thread ID */
-    if( (nssArenaMark *)NULL == arena->first_mark ) {
-      arena->marking_thread = (PRThread *)NULL;
+        /* Invalidate any later marks being implicitly released */
+        for (; (nssArenaMark *)NULL != rest; rest = rest->next) {
+            rest->magic = 0;
+        }
+
+        /* If we just got rid of the first mark, clear the thread ID */
+        if ((nssArenaMark *)NULL == arena->first_mark) {
+            arena->marking_thread = (PRThread *)NULL;
+        }
     }
-  }
 #endif /* ARENA_THREADMARK */
 
-  if( release ) {
+    if (release) {
 #ifdef ARENA_DESTRUCTOR_LIST
-    if( (struct arena_destructor_node *)NULL != arenaMark->prev_destructor ) {
-      arenaMark->prev_destructor->next = (struct arena_destructor_node *)NULL;
-    }
-    arena->last_destructor = arenaMark->prev_destructor;
+        if ((struct arena_destructor_node *)NULL !=
+            arenaMark->prev_destructor) {
+            arenaMark->prev_destructor->next =
+                (struct arena_destructor_node *)NULL;
+        }
+        arena->last_destructor = arenaMark->prev_destructor;
 
-    /* Note that the arena is locked at this time */
-    nss_arena_call_destructor_chain(arenaMark->next_destructor);
+        /* Note that the arena is locked at this time */
+        nss_arena_call_destructor_chain(arenaMark->next_destructor);
 #endif /* ARENA_DESTRUCTOR_LIST */
 
-    PL_ARENA_RELEASE(&arena->pool, inner_mark);
-    /* No error return */
-  }
+        PL_ARENA_RELEASE(&arena->pool, inner_mark);
+        /* No error return */
+    }
 
-  PR_Unlock(arena->lock);
-  return PR_SUCCESS;
+    PR_Unlock(arena->lock);
+    return PR_SUCCESS;
 }
 
 /*
  * nssArena_Release
  *
  * This routine invalidates and releases all memory allocated from
  * the specified arena after the point at which the specified mark
  * was obtained.  This routine returns a PRStatus value; if successful,
@@ -727,23 +692,19 @@ nss_arena_unmark_release
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_Release
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark
-)
+nssArena_Release(NSSArena *arena, nssArenaMark *arenaMark)
 {
-  return nss_arena_unmark_release(arena, arenaMark, PR_TRUE);
+    return nss_arena_unmark_release(arena, arenaMark, PR_TRUE);
 }
 
 /*
  * nssArena_Unmark
  *
  * This routine "commits" the indicated mark and any marks after
  * it, making them unreleasable.  Note that any earlier marks can
  * still be released, and such a release will invalidate these
@@ -759,456 +720,430 @@ nssArena_Release
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_Unmark
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark
-)
+nssArena_Unmark(NSSArena *arena, nssArenaMark *arenaMark)
 {
-  return nss_arena_unmark_release(arena, arenaMark, PR_FALSE);
+    return nss_arena_unmark_release(arena, arenaMark, PR_FALSE);
 }
 
 /*
  * We prefix this header to all allocated blocks.  It is a multiple
  * of the alignment size.  Note that this usage of a header may make
  * purify spew bogus warnings about "potentially leaked blocks" of
  * memory; if that gets too annoying we can add in a pointer to the
  * header in the header itself.  There's not a lot of safety here;
  * maybe we should add a magic value?
  */
 struct pointer_header {
-  NSSArena *arena;
-  PRUint32 size;
+    NSSArena *arena;
+    PRUint32 size;
 };
 
 static void *
-nss_zalloc_arena_locked
-(
-  NSSArena *arena,
-  PRUint32 size
-)
+nss_zalloc_arena_locked(NSSArena *arena, PRUint32 size)
 {
-  void *p;
-  void *rv;
-  struct pointer_header *h;
-  PRUint32 my_size = size + sizeof(struct pointer_header);
-  PL_ARENA_ALLOCATE(p, &arena->pool, my_size);
-  if( (void *)NULL == p ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (void *)NULL;
-  }
-  /* 
-   * Do this before we unlock.  This way if the user is using
-   * an arena in one thread while destroying it in another, he'll
-   * fault/FMR in his code, not ours.
-   */
-  h = (struct pointer_header *)p;
-  h->arena = arena;
-  h->size = size;
-  rv = (void *)((char *)h + sizeof(struct pointer_header));
-  (void)nsslibc_memset(rv, 0, size);
-  return rv;
+    void *p;
+    void *rv;
+    struct pointer_header *h;
+    PRUint32 my_size = size + sizeof(struct pointer_header);
+    PL_ARENA_ALLOCATE(p, &arena->pool, my_size);
+    if ((void *)NULL == p) {
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+        return (void *)NULL;
+    }
+    /*
+     * Do this before we unlock.  This way if the user is using
+     * an arena in one thread while destroying it in another, he'll
+     * fault/FMR in his code, not ours.
+     */
+    h = (struct pointer_header *)p;
+    h->arena = arena;
+    h->size = size;
+    rv = (void *)((char *)h + sizeof(struct pointer_header));
+    (void)nsslibc_memset(rv, 0, size);
+    return rv;
 }
 
 /*
  * NSS_ZAlloc
  *
- * This routine allocates and zeroes a section of memory of the 
+ * This routine allocates and zeroes a section of memory of the
  * size, and returns to the caller a pointer to that memory.  If
  * the optional arena argument is non-null, the memory will be
  * obtained from that arena; otherwise, the memory will be obtained
  * from the heap.  This routine may return NULL upon error, in
  * which case it will have set an error upon the error stack.  The
- * value specified for size may be zero; in which case a valid 
+ * value specified for size may be zero; in which case a valid
  * zero-length block of memory will be allocated.  This block may
  * be expanded by calling NSS_ZRealloc.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
 NSS_IMPLEMENT void *
-NSS_ZAlloc
-(
-  NSSArena *arenaOpt,
-  PRUint32 size
-)
+NSS_ZAlloc(NSSArena *arenaOpt, PRUint32 size)
 {
-  return nss_ZAlloc(arenaOpt, size);
+    return nss_ZAlloc(arenaOpt, size);
 }
 
 /*
  * nss_ZAlloc
  *
- * This routine allocates and zeroes a section of memory of the 
+ * This routine allocates and zeroes a section of memory of the
  * size, and returns to the caller a pointer to that memory.  If
  * the optional arena argument is non-null, the memory will be
  * obtained from that arena; otherwise, the memory will be obtained
  * from the heap.  This routine may return NULL upon error, in
  * which case it will have set an error upon the error stack.  The
- * value specified for size may be zero; in which case a valid 
+ * value specified for size may be zero; in which case a valid
  * zero-length block of memory will be allocated.  This block may
  * be expanded by calling nss_ZRealloc.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
 NSS_IMPLEMENT void *
-nss_ZAlloc
-(
-  NSSArena *arenaOpt,
-  PRUint32 size
-)
+nss_ZAlloc(NSSArena *arenaOpt, PRUint32 size)
 {
-  struct pointer_header *h;
-  PRUint32 my_size = size + sizeof(struct pointer_header);
+    struct pointer_header *h;
+    PRUint32 my_size = size + sizeof(struct pointer_header);
 
-  if( my_size < sizeof(struct pointer_header) ) {
-    /* Wrapped */
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (void *)NULL;
-  }
-
-  if( (NSSArena *)NULL == arenaOpt ) {
-    /* Heap allocation, no locking required. */
-    h = (struct pointer_header *)PR_Calloc(1, my_size);
-    if( (struct pointer_header *)NULL == h ) {
-      nss_SetError(NSS_ERROR_NO_MEMORY);
-      return (void *)NULL;
+    if (my_size < sizeof(struct pointer_header)) {
+        /* Wrapped */
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+        return (void *)NULL;
     }
 
-    h->arena = (NSSArena *)NULL;
-    h->size = size;
-    /* We used calloc: it's already zeroed */
+    if ((NSSArena *)NULL == arenaOpt) {
+        /* Heap allocation, no locking required. */
+        h = (struct pointer_header *)PR_Calloc(1, my_size);
+        if ((struct pointer_header *)NULL == h) {
+            nss_SetError(NSS_ERROR_NO_MEMORY);
+            return (void *)NULL;
+        }
 
-    return (void *)((char *)h + sizeof(struct pointer_header));
-  } else {
-    void *rv;
-    /* Arena allocation */
+        h->arena = (NSSArena *)NULL;
+        h->size = size;
+        /* We used calloc: it's already zeroed */
+
+        return (void *)((char *)h + sizeof(struct pointer_header));
+    }
+    else {
+        void *rv;
+/* Arena allocation */
 #ifdef NSSDEBUG
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (void *)NULL;
-    }
+        if (PR_SUCCESS != nssArena_verifyPointer(arenaOpt)) {
+            return (void *)NULL;
+        }
 #endif /* NSSDEBUG */
 
-    if( (PRLock *)NULL == arenaOpt->lock ) {
-      /* Just got destroyed */
-      nss_SetError(NSS_ERROR_INVALID_ARENA);
-      return (void *)NULL;
-    }
-    PR_Lock(arenaOpt->lock);
+        if ((PRLock *)NULL == arenaOpt->lock) {
+            /* Just got destroyed */
+            nss_SetError(NSS_ERROR_INVALID_ARENA);
+            return (void *)NULL;
+        }
+        PR_Lock(arenaOpt->lock);
 
 #ifdef ARENA_THREADMARK
-    if( (PRThread *)NULL != arenaOpt->marking_thread ) {
-      if( PR_GetCurrentThread() != arenaOpt->marking_thread ) {
-        nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-        PR_Unlock(arenaOpt->lock);
-        return (void *)NULL;
-      }
-    }
+        if ((PRThread *)NULL != arenaOpt->marking_thread) {
+            if (PR_GetCurrentThread() != arenaOpt->marking_thread) {
+                nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+                PR_Unlock(arenaOpt->lock);
+                return (void *)NULL;
+            }
+        }
 #endif /* ARENA_THREADMARK */
 
-    rv = nss_zalloc_arena_locked(arenaOpt, size);
+        rv = nss_zalloc_arena_locked(arenaOpt, size);
 
-    PR_Unlock(arenaOpt->lock);
-    return rv;
-  }
-  /*NOTREACHED*/
+        PR_Unlock(arenaOpt->lock);
+        return rv;
+    }
+    /*NOTREACHED*/
 }
 
 /*
  * NSS_ZFreeIf
  *
- * If the specified pointer is non-null, then the region of memory 
- * to which it points -- which must have been allocated with 
- * NSS_ZAlloc -- will be zeroed and released.  This routine 
+ * If the specified pointer is non-null, then the region of memory
+ * to which it points -- which must have been allocated with
+ * NSS_ZAlloc -- will be zeroed and released.  This routine
  * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return 
+ * If unsuccessful, it will set an error on the error stack and return
  * PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 NSS_IMPLEMENT PRStatus
-NSS_ZFreeIf
-(
-  void *pointer
-)
+NSS_ZFreeIf(void *pointer)
 {
-   return nss_ZFreeIf(pointer);
+    return nss_ZFreeIf(pointer);
 }
 
 /*
  * nss_ZFreeIf
  *
- * If the specified pointer is non-null, then the region of memory 
- * to which it points -- which must have been allocated with 
- * nss_ZAlloc -- will be zeroed and released.  This routine 
+ * If the specified pointer is non-null, then the region of memory
+ * to which it points -- which must have been allocated with
+ * nss_ZAlloc -- will be zeroed and released.  This routine
  * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return 
+ * If unsuccessful, it will set an error on the error stack and return
  * PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nss_ZFreeIf
-(
-  void *pointer
-)
+nss_ZFreeIf(void *pointer)
 {
-  struct pointer_header *h;
+    struct pointer_header *h;
 
-  if( (void *)NULL == pointer ) {
-    return PR_SUCCESS;
-  }
+    if ((void *)NULL == pointer) {
+        return PR_SUCCESS;
+    }
 
-  h = (struct pointer_header *)((char *)pointer
-    - sizeof(struct pointer_header));
+    h = (struct pointer_header *)((char *)pointer -
+                                  sizeof(struct pointer_header));
+
+    /* Check any magic here */
 
-  /* Check any magic here */
-
-  if( (NSSArena *)NULL == h->arena ) {
-    /* Heap */
-    (void)nsslibc_memset(pointer, 0, h->size);
-    PR_Free(h);
-    return PR_SUCCESS;
-  } else {
-    /* Arena */
+    if ((NSSArena *)NULL == h->arena) {
+        /* Heap */
+        (void)nsslibc_memset(pointer, 0, h->size);
+        PR_Free(h);
+        return PR_SUCCESS;
+    }
+    else {
+/* Arena */
 #ifdef NSSDEBUG
-    if( PR_SUCCESS != nssArena_verifyPointer(h->arena) ) {
-      return PR_FAILURE;
-    }
+        if (PR_SUCCESS != nssArena_verifyPointer(h->arena)) {
+            return PR_FAILURE;
+        }
 #endif /* NSSDEBUG */
 
-    if( (PRLock *)NULL == h->arena->lock ) {
-      /* Just got destroyed.. so this pointer is invalid */
-      nss_SetError(NSS_ERROR_INVALID_POINTER);
-      return PR_FAILURE;
-    }
-    PR_Lock(h->arena->lock);
+        if ((PRLock *)NULL == h->arena->lock) {
+            /* Just got destroyed.. so this pointer is invalid */
+            nss_SetError(NSS_ERROR_INVALID_POINTER);
+            return PR_FAILURE;
+        }
+        PR_Lock(h->arena->lock);
 
-    (void)nsslibc_memset(pointer, 0, h->size);
+        (void)nsslibc_memset(pointer, 0, h->size);
 
-    /* No way to "free" it within an NSPR arena. */
+        /* No way to "free" it within an NSPR arena. */
 
-    PR_Unlock(h->arena->lock);
-    return PR_SUCCESS;
-  }
-  /*NOTREACHED*/
+        PR_Unlock(h->arena->lock);
+        return PR_SUCCESS;
+    }
+    /*NOTREACHED*/
 }
 
 /*
  * NSS_ZRealloc
  *
  * This routine reallocates a block of memory obtained by calling
- * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
+ * nss_ZAlloc or nss_ZRealloc.  The portion of memory
  * between the new and old sizes -- which is either being newly
- * obtained or released -- is in either case zeroed.  This routine 
- * may return NULL upon failure, in which case it will have placed 
+ * obtained or released -- is in either case zeroed.  This routine
+ * may return NULL upon failure, in which case it will have placed
  * an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the replacement segment of memory
  */
 
 NSS_EXTERN void *
-NSS_ZRealloc
-(
-  void *pointer,
-  PRUint32 newSize
-)
+NSS_ZRealloc(void *pointer, PRUint32 newSize)
 {
     return nss_ZRealloc(pointer, newSize);
 }
 
 /*
  * nss_ZRealloc
  *
  * This routine reallocates a block of memory obtained by calling
- * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
+ * nss_ZAlloc or nss_ZRealloc.  The portion of memory
  * between the new and old sizes -- which is either being newly
- * obtained or released -- is in either case zeroed.  This routine 
- * may return NULL upon failure, in which case it will have placed 
+ * obtained or released -- is in either case zeroed.  This routine
+ * may return NULL upon failure, in which case it will have placed
  * an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the replacement segment of memory
  */
 
 NSS_EXTERN void *
-nss_ZRealloc
-(
-  void *pointer,
-  PRUint32 newSize
-)
+nss_ZRealloc(void *pointer, PRUint32 newSize)
 {
-  NSSArena *arena;
-  struct pointer_header *h, *new_h;
-  PRUint32 my_newSize = newSize + sizeof(struct pointer_header);
-  void *rv;
+    NSSArena *arena;
+    struct pointer_header *h, *new_h;
+    PRUint32 my_newSize = newSize + sizeof(struct pointer_header);
+    void *rv;
 
-  if( my_newSize < sizeof(struct pointer_header) ) {
-    /* Wrapped */
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (void *)NULL;
-  }
+    if (my_newSize < sizeof(struct pointer_header)) {
+        /* Wrapped */
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+        return (void *)NULL;
+    }
 
-  if( (void *)NULL == pointer ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (void *)NULL;
-  }
-
-  h = (struct pointer_header *)((char *)pointer
-    - sizeof(struct pointer_header));
-
-  /* Check any magic here */
+    if ((void *)NULL == pointer) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return (void *)NULL;
+    }
 
-  if( newSize == h->size ) {
-    /* saves thrashing */
-    return pointer;
-  }
+    h = (struct pointer_header *)((char *)pointer -
+                                  sizeof(struct pointer_header));
 
-  arena = h->arena;
-  if (!arena) {
-    /* Heap */
-    new_h = (struct pointer_header *)PR_Calloc(1, my_newSize);
-    if( (struct pointer_header *)NULL == new_h ) {
-      nss_SetError(NSS_ERROR_NO_MEMORY);
-      return (void *)NULL;
+    /* Check any magic here */
+
+    if (newSize == h->size) {
+        /* saves thrashing */
+        return pointer;
     }
 
-    new_h->arena = (NSSArena *)NULL;
-    new_h->size = newSize;
-    rv = (void *)((char *)new_h + sizeof(struct pointer_header));
+    arena = h->arena;
+    if (!arena) {
+        /* Heap */
+        new_h = (struct pointer_header *)PR_Calloc(1, my_newSize);
+        if ((struct pointer_header *)NULL == new_h) {
+            nss_SetError(NSS_ERROR_NO_MEMORY);
+            return (void *)NULL;
+        }
 
-    if( newSize > h->size ) {
-      (void)nsslibc_memcpy(rv, pointer, h->size);
-      (void)nsslibc_memset(&((char *)rv)[ h->size ], 
-                           0, (newSize - h->size));
-    } else {
-      (void)nsslibc_memcpy(rv, pointer, newSize);
-    }
+        new_h->arena = (NSSArena *)NULL;
+        new_h->size = newSize;
+        rv = (void *)((char *)new_h + sizeof(struct pointer_header));
 
-    (void)nsslibc_memset(pointer, 0, h->size);
-    h->size = 0;
-    PR_Free(h);
+        if (newSize > h->size) {
+            (void)nsslibc_memcpy(rv, pointer, h->size);
+            (void)nsslibc_memset(&((char *)rv)[h->size], 0,
+                                 (newSize - h->size));
+        }
+        else {
+            (void)nsslibc_memcpy(rv, pointer, newSize);
+        }
 
-    return rv;
-  } else {
-    void *p;
-    /* Arena */
+        (void)nsslibc_memset(pointer, 0, h->size);
+        h->size = 0;
+        PR_Free(h);
+
+        return rv;
+    }
+    else {
+        void *p;
+/* Arena */
 #ifdef NSSDEBUG
-    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
-      return (void *)NULL;
-    }
+        if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+            return (void *)NULL;
+        }
 #endif /* NSSDEBUG */
 
-    if (!arena->lock) {
-      /* Just got destroyed.. so this pointer is invalid */
-      nss_SetError(NSS_ERROR_INVALID_POINTER);
-      return (void *)NULL;
-    }
-    PR_Lock(arena->lock);
+        if (!arena->lock) {
+            /* Just got destroyed.. so this pointer is invalid */
+            nss_SetError(NSS_ERROR_INVALID_POINTER);
+            return (void *)NULL;
+        }
+        PR_Lock(arena->lock);
 
 #ifdef ARENA_THREADMARK
-    if (arena->marking_thread) {
-      if (PR_GetCurrentThread() != arena->marking_thread) {
-        PR_Unlock(arena->lock);
-        nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-        return (void *)NULL;
-      }
-    }
+        if (arena->marking_thread) {
+            if (PR_GetCurrentThread() != arena->marking_thread) {
+                PR_Unlock(arena->lock);
+                nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+                return (void *)NULL;
+            }
+        }
 #endif /* ARENA_THREADMARK */
 
-    if( newSize < h->size ) {
-      /*
-       * We have no general way of returning memory to the arena
-       * (mark/release doesn't work because things may have been
-       * allocated after this object), so the memory is gone
-       * anyway.  We might as well just return the same pointer to
-       * the user, saying "yeah, uh-hunh, you can only use less of
-       * it now."  We'll zero the leftover part, of course.  And
-       * in fact we might as well *not* adjust h->size-- this way,
-       * if the user reallocs back up to something not greater than
-       * the original size, then voila, there's the memory!  This
-       * way a thrash big/small/big/small doesn't burn up the arena.
-       */
-      char *extra = &((char *)pointer)[ newSize ];
-      (void)nsslibc_memset(extra, 0, (h->size - newSize));
-      PR_Unlock(arena->lock);
-      return pointer;
-    }
+        if (newSize < h->size) {
+            /*
+             * We have no general way of returning memory to the arena
+             * (mark/release doesn't work because things may have been
+             * allocated after this object), so the memory is gone
+             * anyway.  We might as well just return the same pointer to
+             * the user, saying "yeah, uh-hunh, you can only use less of
+             * it now."  We'll zero the leftover part, of course.  And
+             * in fact we might as well *not* adjust h->size-- this way,
+             * if the user reallocs back up to something not greater than
+             * the original size, then voila, there's the memory!  This
+             * way a thrash big/small/big/small doesn't burn up the arena.
+             */
+            char *extra = &((char *)pointer)[newSize];
+            (void)nsslibc_memset(extra, 0, (h->size - newSize));
+            PR_Unlock(arena->lock);
+            return pointer;
+        }
 
-    PL_ARENA_ALLOCATE(p, &arena->pool, my_newSize);
-    if( (void *)NULL == p ) {
-      PR_Unlock(arena->lock);
-      nss_SetError(NSS_ERROR_NO_MEMORY);
-      return (void *)NULL;
-    }
+        PL_ARENA_ALLOCATE(p, &arena->pool, my_newSize);
+        if ((void *)NULL == p) {
+            PR_Unlock(arena->lock);
+            nss_SetError(NSS_ERROR_NO_MEMORY);
+            return (void *)NULL;
+        }
 
-    new_h = (struct pointer_header *)p;
-    new_h->arena = arena;
-    new_h->size = newSize;
-    rv = (void *)((char *)new_h + sizeof(struct pointer_header));
-    if (rv != pointer) {
-	(void)nsslibc_memcpy(rv, pointer, h->size);
-	(void)nsslibc_memset(pointer, 0, h->size);
+        new_h = (struct pointer_header *)p;
+        new_h->arena = arena;
+        new_h->size = newSize;
+        rv = (void *)((char *)new_h + sizeof(struct pointer_header));
+        if (rv != pointer) {
+            (void)nsslibc_memcpy(rv, pointer, h->size);
+            (void)nsslibc_memset(pointer, 0, h->size);
+        }
+        (void)nsslibc_memset(&((char *)rv)[h->size], 0, (newSize - h->size));
+        h->arena = (NSSArena *)NULL;
+        h->size = 0;
+        PR_Unlock(arena->lock);
+        return rv;
     }
-    (void)nsslibc_memset(&((char *)rv)[ h->size ], 0, (newSize - h->size));
-    h->arena = (NSSArena *)NULL;
-    h->size = 0;
-    PR_Unlock(arena->lock);
-    return rv;
-  }
-  /*NOTREACHED*/
+    /*NOTREACHED*/
 }
 
-PRStatus 
+PRStatus
 nssArena_Shutdown(void)
 {
-  PRStatus rv = PR_SUCCESS;
+    PRStatus rv = PR_SUCCESS;
 #ifdef DEBUG
-  rv = nssPointerTracker_finalize(&arena_pointer_tracker);
+    rv = nssPointerTracker_finalize(&arena_pointer_tracker);
 #endif
-  return rv;
+    return rv;
 }
--- a/security/nss/lib/base/base.h
+++ b/security/nss/lib/base/base.h
@@ -3,17 +3,17 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef BASE_H
 #define BASE_H
 
 /*
  * base.h
  *
- * This header file contains basic prototypes and preprocessor 
+ * This header file contains basic prototypes and preprocessor
  * definitions used throughout nss but not available publicly.
  */
 
 #ifndef BASET_H
 #include "baset.h"
 #endif /* BASET_H */
 
 #ifndef NSSBASE_H
@@ -59,17 +59,17 @@ PR_BEGIN_EXTERN_C
  *
  *  nssArenaHashAllocOps
  */
 
 /*
  * nssArena_Create
  *
  * This routine creates a new memory arena.  This routine may return
- * NULL upon error, in which case it will have set an error on the 
+ * NULL upon error, in which case it will have set an error on the
  * error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to an NSSArena upon success
@@ -78,74 +78,62 @@ PR_BEGIN_EXTERN_C
 /*
  * XXX fgmr
  * Arenas can be named upon creation; this is mostly of use when
  * debugging.  Should we expose that here, allowing an optional
  * "const char *name" argument?  Should the public version of this
  * call (NSSArena_Create) have it too?
  */
 
-NSS_EXTERN NSSArena *
-nssArena_Create
-(
-  void
-);
+NSS_EXTERN NSSArena *nssArena_Create(void);
 
 extern const NSSError NSS_ERROR_NO_MEMORY;
 
 /*
  * nssArena_Destroy
  *
  * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if 
+ * allocated from it.  This routine returns a PRStatus value; if
  * successful, it will return PR_SUCCESS.  If unsuccessful, it will
  * set an error on the error stack and return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus
-nssArena_Destroy
-(
-  NSSArena *arena
-);
+NSS_EXTERN PRStatus nssArena_Destroy(NSSArena *arena);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 
 /*
  * nssArena_Mark
  *
  * This routine "marks" the current state of an arena.  Space
  * allocated after the arena has been marked can be freed by
  * releasing the arena back to the mark with nssArena_Release,
- * or committed by calling nssArena_Unmark.  When successful, 
- * this routine returns a valid nssArenaMark pointer.  This 
- * routine may return NULL upon error, in which case it will 
+ * or committed by calling nssArena_Unmark.  When successful,
+ * this routine returns a valid nssArenaMark pointer.  This
+ * routine may return NULL upon error, in which case it will
  * have set an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon failure
  *  An nssArenaMark pointer upon success
  */
 
-NSS_EXTERN nssArenaMark *
-nssArena_Mark
-(
-  NSSArena *arena
-);
+NSS_EXTERN nssArenaMark *nssArena_Mark(NSSArena *arena);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
 
 /*
  * nssArena_Release
  *
@@ -160,22 +148,17 @@ extern const NSSError NSS_ERROR_ARENA_MA
  *  NSS_ERROR_INVALID_ARENA_MARK
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus
-nssArena_Release
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark
-);
+NSS_EXTERN PRStatus nssArena_Release(NSSArena *arena, nssArenaMark *arenaMark);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
 
 /*
  * nssArena_Unmark
  *
  * This routine "commits" the indicated mark and any marks after
@@ -192,22 +175,17 @@ extern const NSSError NSS_ERROR_INVALID_
  *  NSS_ERROR_INVALID_ARENA_MARK
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus
-nssArena_Unmark
-(
-  NSSArena *arena,
-  nssArenaMark *arenaMark
-);
+NSS_EXTERN PRStatus nssArena_Unmark(NSSArena *arena, nssArenaMark *arenaMark);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
 extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
 
 #ifdef ARENA_DESTRUCTOR_LIST
 
 /*
@@ -217,229 +195,205 @@ extern const NSSError NSS_ERROR_ARENA_MA
  * pointer-sized argument in the arena, at the current point in
  * the mark stack.  If the arena is destroyed, or an "earlier"
  * mark is released, then this destructor will be called at that
  * time.  Note that the destructor will be called with the arena
  * locked, which means the destructor may free memory in that
  * arena, but it may not allocate or cause to be allocated any
  * memory.  This callback facility was included to support our
  * debug-version pointer-tracker feature; overuse runs counter to
- * the the original intent of arenas.  This routine returns a 
- * PRStatus value; if successful, it will return PR_SUCCESS.  If 
- * unsuccessful, it will set an error on the error stack and 
+ * the the original intent of arenas.  This routine returns a
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If
+ * unsuccessful, it will set an error on the error stack and
  * return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus
-nssArena_registerDestructor
-(
-  NSSArena *arena,
-  void (*destructor)(void *argument),
-  void *arg
-);
+NSS_EXTERN PRStatus nssArena_registerDestructor(
+    NSSArena *arena, void (*destructor)(void *argument), void *arg);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 
 /*
  * nssArena_deregisterDestructor
  *
  * This routine will remove the first destructor in the specified
  * arena which has the specified destructor and argument values.
  * The destructor will not be called.  This routine returns a
- * PRStatus value; if successful, it will return PR_SUCCESS.  If 
- * unsuccessful, it will set an error on the error stack and 
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If
+ * unsuccessful, it will set an error on the error stack and
  * return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NOT_FOUND
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus
-nssArena_deregisterDestructor
-(
-  NSSArena *arena,
-  void (*destructor)(void *argument),
-  void *arg
-);
+NSS_EXTERN PRStatus nssArena_deregisterDestructor(
+    NSSArena *arena, void (*destructor)(void *argument), void *arg);
 
 extern const NSSError NSS_ERROR_INVALID_ITEM;
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_NOT_FOUND;
 
 #endif /* ARENA_DESTRUCTOR_LIST */
 
 /*
  * nss_ZAlloc
  *
- * This routine allocates and zeroes a section of memory of the 
+ * This routine allocates and zeroes a section of memory of the
  * size, and returns to the caller a pointer to that memory.  If
  * the optional arena argument is non-null, the memory will be
  * obtained from that arena; otherwise, the memory will be obtained
  * from the heap.  This routine may return NULL upon error, in
  * which case it will have set an error upon the error stack.  The
- * value specified for size may be zero; in which case a valid 
+ * value specified for size may be zero; in which case a valid
  * zero-length block of memory will be allocated.  This block may
  * be expanded by calling nss_ZRealloc.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
-NSS_EXTERN void *
-nss_ZAlloc
-(
-  NSSArena *arenaOpt,
-  PRUint32 size
-);
+NSS_EXTERN void *nss_ZAlloc(NSSArena *arenaOpt, PRUint32 size);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
 
 /*
  * nss_ZFreeIf
  *
- * If the specified pointer is non-null, then the region of memory 
- * to which it points -- which must have been allocated with 
- * nss_ZAlloc -- will be zeroed and released.  This routine 
+ * If the specified pointer is non-null, then the region of memory
+ * to which it points -- which must have been allocated with
+ * nss_ZAlloc -- will be zeroed and released.  This routine
  * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return 
+ * If unsuccessful, it will set an error on the error stack and return
  * PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus
-nss_ZFreeIf
-(
-  void *pointer
-);
+NSS_EXTERN PRStatus nss_ZFreeIf(void *pointer);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 
 /*
  * nss_ZRealloc
  *
  * This routine reallocates a block of memory obtained by calling
- * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
+ * nss_ZAlloc or nss_ZRealloc.  The portion of memory
  * between the new and old sizes -- which is either being newly
- * obtained or released -- is in either case zeroed.  This routine 
- * may return NULL upon failure, in which case it will have placed 
+ * obtained or released -- is in either case zeroed.  This routine
+ * may return NULL upon failure, in which case it will have placed
  * an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the replacement segment of memory
  */
 
-NSS_EXTERN void *
-nss_ZRealloc
-(
-  void *pointer,
-  PRUint32 newSize
-);
+NSS_EXTERN void *nss_ZRealloc(void *pointer, PRUint32 newSize);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
 
 /*
  * nss_ZNEW
  *
  * This preprocessor macro will allocate memory for a new object
  * of the specified type with nss_ZAlloc, and will cast the
- * return value appropriately.  If the optional arena argument is 
- * non-null, the memory will be obtained from that arena; otherwise, 
- * the memory will be obtained from the heap.  This routine may 
- * return NULL upon error, in which case it will have set an error 
+ * return value appropriately.  If the optional arena argument is
+ * non-null, the memory will be obtained from that arena; otherwise,
+ * the memory will be obtained from the heap.  This routine may
+ * return NULL upon error, in which case it will have set an error
  * upon the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
-/* The following line exceeds 72 characters, but emacs screws up if I split it. */
 #define nss_ZNEW(arenaOpt, type) ((type *)nss_ZAlloc((arenaOpt), sizeof(type)))
 
 /*
  * nss_ZNEWARRAY
  *
  * This preprocessor macro will allocate memory for an array of
  * new objects, and will cast the return value appropriately.
- * If the optional arena argument is non-null, the memory will 
- * be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon 
- * error, in which case it will have set an error upon the error 
+ * If the optional arena argument is non-null, the memory will
+ * be obtained from that arena; otherwise, the memory will be
+ * obtained from the heap.  This routine may return NULL upon
+ * error, in which case it will have set an error upon the error
  * stack.  The array size may be specified as zero.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
-/* The following line exceeds 72 characters, but emacs screws up if I split it. */
-#define nss_ZNEWARRAY(arenaOpt, type, quantity) ((type *)nss_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
+#define nss_ZNEWARRAY(arenaOpt, type, quantity)                                \
+    ((type *)nss_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
 
 /*
  * nss_ZREALLOCARRAY
  *
  * This preprocessor macro will reallocate memory for an array of
  * new objects, and will cast the return value appropriately.
- * This routine may return NULL upon error, in which case it will 
+ * This routine may return NULL upon error, in which case it will
  *  have set an error upon the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the replacement segment of memory
  */
-#define nss_ZREALLOCARRAY(p, type, quantity) ((type *)nss_ZRealloc((p), sizeof(type) * (quantity)))
+#define nss_ZREALLOCARRAY(p, type, quantity)                                   \
+    ((type *)nss_ZRealloc((p), sizeof(type) * (quantity)))
 
 /*
  * nssArena_verifyPointer
  *
  * This method is only present in debug builds.
  *
  * If the specified pointer is a valid pointer to an NSSArena object,
  * this routine will return PR_SUCCESS.  Otherwise, it will put an
@@ -449,21 +403,17 @@ extern const NSSError NSS_ERROR_ARENA_MA
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS if the pointer is valid
  *  PR_FAILURE if it isn't
  */
 
 #ifdef DEBUG
-NSS_EXTERN PRStatus
-nssArena_verifyPointer
-(
-  const NSSArena *arena
-);
+NSS_EXTERN PRStatus nssArena_verifyPointer(const NSSArena *arena);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 #endif /* DEBUG */
 
 /*
  * nssArena_VERIFYPOINTER
  *
  * This macro is always available.  In debug builds it will call
@@ -474,35 +424,35 @@ extern const NSSError NSS_ERROR_INVALID_
  * Return value:
  *  PR_SUCCESS if the pointer is valid
  *  PR_FAILURE if it isn't
  */
 
 #ifdef DEBUG
 #define nssArena_VERIFYPOINTER(p) nssArena_verifyPointer(p)
 #else /* DEBUG */
-/* The following line exceeds 72 characters, but emacs screws up if I split it. */
-#define nssArena_VERIFYPOINTER(p) (((NSSArena *)NULL == (p))?PR_FAILURE:PR_SUCCESS)
+
+#define nssArena_VERIFYPOINTER(p)                                              \
+    (((NSSArena *)NULL == (p)) ? PR_FAILURE : PR_SUCCESS)
 #endif /* DEBUG */
 
 /*
- * Private function to be called by NSS_Shutdown to cleanup nssArena 
+ * Private function to be called by NSS_Shutdown to cleanup nssArena
  * bookkeeping.
  */
-extern PRStatus
-nssArena_Shutdown(void);
+extern PRStatus nssArena_Shutdown(void);
 
 /*
  * nssArenaHashAllocOps
  *
  * This constant structure contains allocation callbacks designed for
  * use with the NSPL routine PL_NewHashTable.  For example:
  *
  *  NSSArena *hashTableArena = nssArena_Create();
- *  PLHashTable *t = PL_NewHashTable(n, hasher, key_compare, 
+ *  PLHashTable *t = PL_NewHashTable(n, hasher, key_compare,
  *    value_compare, nssArenaHashAllocOps, hashTableArena);
  */
 
 NSS_EXTERN_DATA PLHashAllocOps nssArenaHashAllocOps;
 
 /*
  * The error stack
  *
@@ -510,176 +460,129 @@ NSS_EXTERN_DATA PLHashAllocOps nssArenaH
  *
  *  nss_SetError
  *  nss_ClearErrorStack
  */
 
 /*
  * nss_SetError
  *
- * This routine places a new error code on the top of the calling 
+ * This routine places a new error code on the top of the calling
  * thread's error stack.  Calling this routine wiht an error code
  * of zero will clear the error stack.
  */
 
-NSS_EXTERN void
-nss_SetError
-(
-  PRUint32 error
-);
+NSS_EXTERN void nss_SetError(PRUint32 error);
 
 /*
  * nss_ClearErrorStack
  *
  * This routine clears the calling thread's error stack.
  */
 
-NSS_EXTERN void
-nss_ClearErrorStack
-(
-  void
-);
+NSS_EXTERN void nss_ClearErrorStack(void);
 
 /*
  * nss_DestroyErrorStack
  *
  * This routine frees the calling thread's error stack.
  */
 
-NSS_EXTERN void
-nss_DestroyErrorStack
-(
-  void
-);
+NSS_EXTERN void nss_DestroyErrorStack(void);
 
 /*
  * NSSItem
  *
  * nssItem_Create
  * nssItem_Duplicate
  * nssItem_Equal
  */
 
-NSS_EXTERN NSSItem *
-nssItem_Create
-(
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt,
-  PRUint32 length,
-  const void *data
-);
+NSS_EXTERN NSSItem *nssItem_Create(NSSArena *arenaOpt, NSSItem *rvOpt,
+                                   PRUint32 length, const void *data);
 
-NSS_EXTERN void
-nssItem_Destroy
-(
-  NSSItem *item
-);
+NSS_EXTERN void nssItem_Destroy(NSSItem *item);
 
-NSS_EXTERN NSSItem *
-nssItem_Duplicate
-(
-  NSSItem *obj,
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt
-);
+NSS_EXTERN NSSItem *nssItem_Duplicate(NSSItem *obj, NSSArena *arenaOpt,
+                                      NSSItem *rvOpt);
 
-NSS_EXTERN PRBool
-nssItem_Equal
-(
-  const NSSItem *one,
-  const NSSItem *two,
-  PRStatus *statusOpt
-);
+NSS_EXTERN PRBool nssItem_Equal(const NSSItem *one, const NSSItem *two,
+                                PRStatus *statusOpt);
 
 /*
  * NSSUTF8
  *
  *  nssUTF8_CaseIgnoreMatch
  *  nssUTF8_Duplicate
  *  nssUTF8_Size
  *  nssUTF8_Length
  *  nssUTF8_CopyIntoFixedBuffer
  */
 
 /*
  * nssUTF8_CaseIgnoreMatch
- * 
- * Returns true if the two UTF8-encoded strings pointed to by the 
+ *
+ * Returns true if the two UTF8-encoded strings pointed to by the
  * two specified NSSUTF8 pointers differ only in typcase.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_TRUE if the strings match, ignoring case
  *  PR_FALSE if they don't
  *  PR_FALSE upon error
  */
 
-NSS_EXTERN PRBool
-nssUTF8_CaseIgnoreMatch
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-);
+NSS_EXTERN PRBool nssUTF8_CaseIgnoreMatch(const NSSUTF8 *a, const NSSUTF8 *b,
+                                          PRStatus *statusOpt);
 
 /*
  * nssUTF8_Duplicate
  *
  * This routine duplicates the UTF8-encoded string pointed to by the
  * specified NSSUTF8 pointer.  If the optional arenaOpt argument is
  * not null, the memory required will be obtained from that arena;
  * otherwise, the memory required will be obtained from the heap.
  * A pointer to the new string will be returned.  In case of error,
- * an error will be placed on the error stack and NULL will be 
+ * an error will be placed on the error stack and NULL will be
  * returned.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  */
 
-NSS_EXTERN NSSUTF8 *
-nssUTF8_Duplicate
-(
-  const NSSUTF8 *s,
-  NSSArena *arenaOpt
-);
+NSS_EXTERN NSSUTF8 *nssUTF8_Duplicate(const NSSUTF8 *s, NSSArena *arenaOpt);
 
 /*
  * nssUTF8_PrintableMatch
  *
- * Returns true if the two Printable strings pointed to by the 
- * two specified NSSUTF8 pointers match when compared with the 
- * rules for Printable String (leading and trailing spaces are 
- * disregarded, extents of whitespace match irregardless of length, 
+ * Returns true if the two Printable strings pointed to by the
+ * two specified NSSUTF8 pointers match when compared with the
+ * rules for Printable String (leading and trailing spaces are
+ * disregarded, extents of whitespace match irregardless of length,
  * and case is not significant), then PR_TRUE will be returned.
  * Otherwise, PR_FALSE will be returned.  Upon failure, PR_FALSE
  * will be returned.  If the optional statusOpt argument is not
  * NULL, then PR_SUCCESS or PR_FAILURE will be stored in that
  * location.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_TRUE if the strings match, ignoring case
  *  PR_FALSE if they don't
  *  PR_FALSE upon error
  */
 
-NSS_EXTERN PRBool
-nssUTF8_PrintableMatch
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-);
+NSS_EXTERN PRBool nssUTF8_PrintableMatch(const NSSUTF8 *a, const NSSUTF8 *b,
+                                         PRStatus *statusOpt);
 
 /*
  * nssUTF8_Size
  *
  * This routine returns the length in bytes (including the terminating
  * null) of the UTF8-encoded string pointed to by the specified
  * NSSUTF8 pointer.  Zero is returned on error.
  *
@@ -687,22 +590,17 @@ nssUTF8_PrintableMatch
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_VALUE_TOO_LARGE
  *
  * Return value:
  *  nonzero size of the string
  *  0 on error
  */
 
-NSS_EXTERN PRUint32
-nssUTF8_Size
-(
-  const NSSUTF8 *s,
-  PRStatus *statusOpt
-);
+NSS_EXTERN PRUint32 nssUTF8_Size(const NSSUTF8 *s, PRStatus *statusOpt);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
 
 /*
  * nssUTF8_Length
  *
  * This routine returns the length in characters (not including the
@@ -714,22 +612,17 @@ extern const NSSError NSS_ERROR_VALUE_TO
  *  NSS_ERROR_VALUE_TOO_LARGE
  *  NSS_ERROR_INVALID_STRING
  *
  * Return value:
  *  length of the string (which may be zero)
  *  0 on error
  */
 
-NSS_EXTERN PRUint32
-nssUTF8_Length
-(
-  const NSSUTF8 *s,
-  PRStatus *statusOpt
-);
+NSS_EXTERN PRUint32 nssUTF8_Length(const NSSUTF8 *s, PRStatus *statusOpt);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
 extern const NSSError NSS_ERROR_INVALID_STRING;
 
 /*
  * nssUTF8_Create
  *
@@ -748,265 +641,174 @@ extern const NSSError NSS_ERROR_INVALID_
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_UNSUPPORTED_TYPE
  *
  * Return value:
  *  NULL upon error
  *  A non-null pointer to a new UTF8 string otherwise
  */
 
-NSS_EXTERN NSSUTF8 *
-nssUTF8_Create
-(
-  NSSArena *arenaOpt,
-  nssStringType type,
-  const void *inputString,
-  PRUint32 size /* in bytes, not characters */
-);
+NSS_EXTERN NSSUTF8 *nssUTF8_Create(NSSArena *arenaOpt, nssStringType type,
+                                   const void *inputString,
+                                   PRUint32 size /* in bytes, not characters */
+                                   );
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 extern const NSSError NSS_ERROR_UNSUPPORTED_TYPE;
 
-NSS_EXTERN NSSItem *
-nssUTF8_GetEncoding
-(
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt,
-  nssStringType type,
-  NSSUTF8 *string
-);
+NSS_EXTERN NSSItem *nssUTF8_GetEncoding(NSSArena *arenaOpt, NSSItem *rvOpt,
+                                        nssStringType type, NSSUTF8 *string);
 
 /*
  * nssUTF8_CopyIntoFixedBuffer
  *
- * This will copy a UTF8 string into a fixed-length buffer, making 
+ * This will copy a UTF8 string into a fixed-length buffer, making
  * sure that the all characters are valid.  Any remaining space will
- * be padded with the specified ASCII character, typically either 
+ * be padded with the specified ASCII character, typically either
  * null or space.
  *
  * Blah, blah, blah.
  */
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
 
-NSS_EXTERN PRStatus
-nssUTF8_CopyIntoFixedBuffer
-(
-  NSSUTF8 *string,
-  char *buffer,
-  PRUint32 bufferSize,
-  char pad
-);
+NSS_EXTERN PRStatus nssUTF8_CopyIntoFixedBuffer(NSSUTF8 *string, char *buffer,
+                                                PRUint32 bufferSize, char pad);
 
 /*
  * nssUTF8_Equal
  *
  */
 
-NSS_EXTERN PRBool
-nssUTF8_Equal
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-);
+NSS_EXTERN PRBool nssUTF8_Equal(const NSSUTF8 *a, const NSSUTF8 *b,
+                                PRStatus *statusOpt);
 
 /*
  * nssList
  *
  * The goal is to provide a simple, optionally threadsafe, linked list
  * class.  Since NSS did not seem to use the circularity of PRCList
  * much before, this provides a list that appears to be a linear,
  * NULL-terminated list.
  */
 
 /*
  * nssList_Create
  *
  * If threadsafe is true, the list will be locked during modifications
  * and traversals.
  */
-NSS_EXTERN nssList *
-nssList_Create
-(
-  NSSArena *arenaOpt,
-  PRBool threadSafe
-);
+NSS_EXTERN nssList *nssList_Create(NSSArena *arenaOpt, PRBool threadSafe);
 
 /*
  * nssList_Destroy
  */
-NSS_EXTERN PRStatus
-nssList_Destroy
-(
-  nssList *list
-);
+NSS_EXTERN PRStatus nssList_Destroy(nssList *list);
 
-NSS_EXTERN void
-nssList_Clear
-(
-  nssList *list, 
-  nssListElementDestructorFunc destructor
-);
+NSS_EXTERN void nssList_Clear(nssList *list,
+                              nssListElementDestructorFunc destructor);
 
 /*
  * nssList_SetCompareFunction
  *
  * By default, two list elements will be compared by comparing their
  * data pointers.  By setting this function, the user can control
  * how elements are compared.
  */
-NSS_EXTERN void
-nssList_SetCompareFunction
-(
-  nssList *list, 
-  nssListCompareFunc compareFunc
-);
+NSS_EXTERN void nssList_SetCompareFunction(nssList *list,
+                                           nssListCompareFunc compareFunc);
 
 /*
  * nssList_SetSortFunction
  *
  * Sort function to use for an ordered list.
  */
-NSS_EXTERN void
-nssList_SetSortFunction
-(
-  nssList *list, 
-  nssListSortFunc sortFunc
-);
+NSS_EXTERN void nssList_SetSortFunction(nssList *list,
+                                        nssListSortFunc sortFunc);
 
 /*
  * nssList_Add
  */
-NSS_EXTERN PRStatus
-nssList_Add
-(
-  nssList *list, 
-  void *data
-);
+NSS_EXTERN PRStatus nssList_Add(nssList *list, void *data);
 
 /*
  * nssList_AddUnique
  *
  * This will use the compare function to see if the element is already
  * in the list.
  */
-NSS_EXTERN PRStatus
-nssList_AddUnique
-(
-  nssList *list, 
-  void *data
-);
+NSS_EXTERN PRStatus nssList_AddUnique(nssList *list, void *data);
 
 /*
  * nssList_Remove
  *
  * Uses the compare function to locate the element and remove it.
  */
-NSS_EXTERN PRStatus
-nssList_Remove(nssList *list, void *data);
+NSS_EXTERN PRStatus nssList_Remove(nssList *list, void *data);
 
 /*
  * nssList_Get
  *
  * Uses the compare function to locate an element.  Also serves as
  * nssList_Exists.
  */
-NSS_EXTERN void *
-nssList_Get
-(
-  nssList *list, 
-  void *data
-);
+NSS_EXTERN void *nssList_Get(nssList *list, void *data);
 
 /*
  * nssList_Count
  */
-NSS_EXTERN PRUint32
-nssList_Count
-(
-  nssList *list
-);
+NSS_EXTERN PRUint32 nssList_Count(nssList *list);
 
 /*
  * nssList_GetArray
  *
  * Fill rvArray, up to maxElements, with elements in the list.  The
  * array is NULL-terminated, so its allocated size must be maxElements + 1.
  */
-NSS_EXTERN PRStatus
-nssList_GetArray
-(
-  nssList *list, 
-  void **rvArray, 
-  PRUint32 maxElements
-);
+NSS_EXTERN PRStatus nssList_GetArray(nssList *list, void **rvArray,
+                                     PRUint32 maxElements);
 
 /*
  * nssList_CreateIterator
  *
  * Create an iterator for list traversal.
  */
-NSS_EXTERN nssListIterator *
-nssList_CreateIterator
-(
-  nssList *list
-);
+NSS_EXTERN nssListIterator *nssList_CreateIterator(nssList *list);
 
-NSS_EXTERN nssList *
-nssList_Clone
-(
-  nssList *list
-);
+NSS_EXTERN nssList *nssList_Clone(nssList *list);
 
 /*
  * nssListIterator_Destroy
  */
-NSS_EXTERN void
-nssListIterator_Destroy
-(
-  nssListIterator *iter
-);
+NSS_EXTERN void nssListIterator_Destroy(nssListIterator *iter);
 
 /*
  * nssListIterator_Start
  *
  * Begin a list iteration.  After this call, if the list is threadSafe,
  * the list is *locked*.
  */
-NSS_EXTERN void *
-nssListIterator_Start
-(
-  nssListIterator *iter
-);
+NSS_EXTERN void *nssListIterator_Start(nssListIterator *iter);
 
 /*
  * nssListIterator_Next
  *
  * Continue a list iteration.
  */
-NSS_EXTERN void *
-nssListIterator_Next
-(
-  nssListIterator *iter
-);
+NSS_EXTERN void *nssListIterator_Next(nssListIterator *iter);
 
 /*
  * nssListIterator_Finish
  *
  * Complete a list iteration.  This *must* be called in order for the
  * lock to be released.
  */
-NSS_EXTERN PRStatus
-nssListIterator_Finish
-(
-  nssListIterator *iter
-);
+NSS_EXTERN PRStatus nssListIterator_Finish(nssListIterator *iter);
 
 /*
  * nssHash
  *
  *  nssHash_Create
  *  nssHash_Destroy
  *  nssHash_Add
  *  nssHash_Remove
@@ -1016,178 +818,122 @@ nssListIterator_Finish
  *  nssHash_Iterate
  */
 
 /*
  * nssHash_Create
  *
  */
 
-NSS_EXTERN nssHash *
-nssHash_Create
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets,
-  PLHashFunction keyHash,
-  PLHashComparator keyCompare,
-  PLHashComparator valueCompare
-);
+NSS_EXTERN nssHash *nssHash_Create(NSSArena *arenaOpt, PRUint32 numBuckets,
+                                   PLHashFunction keyHash,
+                                   PLHashComparator keyCompare,
+                                   PLHashComparator valueCompare);
 
-NSS_EXTERN nssHash *
-nssHash_CreatePointer
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-);
+NSS_EXTERN nssHash *nssHash_CreatePointer(NSSArena *arenaOpt,
+                                          PRUint32 numBuckets);
 
-NSS_EXTERN nssHash *
-nssHash_CreateString
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-);
+NSS_EXTERN nssHash *nssHash_CreateString(NSSArena *arenaOpt,
+                                         PRUint32 numBuckets);
 
-NSS_EXTERN nssHash *
-nssHash_CreateItem
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-);
+NSS_EXTERN nssHash *nssHash_CreateItem(NSSArena *arenaOpt, PRUint32 numBuckets);
 
 /*
  * nssHash_Destroy
  *
  */
-NSS_EXTERN void
-nssHash_Destroy
-(
-  nssHash *hash
-);
+NSS_EXTERN void nssHash_Destroy(nssHash *hash);
 
 /*
  * nssHash_Add
  *
  */
 
 extern const NSSError NSS_ERROR_HASH_COLLISION;
 
-NSS_EXTERN PRStatus
-nssHash_Add
-(
-  nssHash *hash,
-  const void *key,
-  const void *value
-);
+NSS_EXTERN PRStatus nssHash_Add(nssHash *hash, const void *key,
+                                const void *value);
 
 /*
  * nssHash_Remove
  *
  */
-NSS_EXTERN void
-nssHash_Remove
-(
-  nssHash *hash,
-  const void *it
-);
+NSS_EXTERN void nssHash_Remove(nssHash *hash, const void *it);
 
 /*
  * nssHash_Count
  *
  */
-NSS_EXTERN PRUint32
-nssHash_Count
-(
-  nssHash *hash
-);
+NSS_EXTERN PRUint32 nssHash_Count(nssHash *hash);
 
 /*
  * nssHash_Exists
  *
  */
-NSS_EXTERN PRBool
-nssHash_Exists
-(
-  nssHash *hash,
-  const void *it
-);
+NSS_EXTERN PRBool nssHash_Exists(nssHash *hash, const void *it);
 
 /*
  * nssHash_Lookup
  *
  */
-NSS_EXTERN void *
-nssHash_Lookup
-(
-  nssHash *hash,
-  const void *it
-);
+NSS_EXTERN void *nssHash_Lookup(nssHash *hash, const void *it);
 
 /*
  * nssHash_Iterate
  *
  */
-NSS_EXTERN void
-nssHash_Iterate
-(
-  nssHash *hash,
-  nssHashIterator fcn,
-  void *closure
-);
-
+NSS_EXTERN void nssHash_Iterate(nssHash *hash, nssHashIterator fcn,
+                                void *closure);
 
 /*
  * nssPointerTracker
  *
  * This type and these methods are only present in debug builds.
- * 
+ *
  * The nonpublic methods relating to this type are:
  *
  *  nssPointerTracker_initialize
  *  nssPointerTracker_finalize
  *  nssPointerTracker_add
  *  nssPointerTracker_remove
  *  nssPointerTracker_verify
  */
 
 /*
  * nssPointerTracker_initialize
  *
  * This method is only present in debug builds.
- * 
+ *
  * This routine initializes an nssPointerTracker object.  Note that
  * the object must have been declared *static* to guarantee that it
  * is in a zeroed state initially.  This routine is idempotent, and
- * may even be safely called by multiple threads simultaneously with 
- * the same argument.  This routine returns a PRStatus value; if 
- * successful, it will return PR_SUCCESS.  On failure it will set an 
+ * may even be safely called by multiple threads simultaneously with
+ * the same argument.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  On failure it will set an
  * error on the error stack and return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 #ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_initialize
-(
-  nssPointerTracker *tracker
-);
+NSS_EXTERN PRStatus nssPointerTracker_initialize(nssPointerTracker *tracker);
 
 extern const NSSError NSS_ERROR_NO_MEMORY;
 #endif /* DEBUG */
 
 /*
  * nssPointerTracker_finalize
  *
  * This method is only present in debug builds.
- * 
+ *
  * This routine returns the nssPointerTracker object to the pre-
  * initialized state, releasing all resources used by the object.
  * It will *NOT* destroy the objects being tracked by the pointer
  * (should any remain), and therefore cannot be used to "sweep up"
  * remaining objects.  This routine returns a PRStatus value; if
  * successful, it will return PR_SUCCES.  On failure it will set an
  * error on the error stack and return PR_FAILURE.  If any objects
  * remain in the tracker when it is finalized, that will be treated
@@ -1197,21 +943,17 @@ extern const NSSError NSS_ERROR_NO_MEMOR
  *  NSS_ERROR_TRACKER_NOT_EMPTY
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 #ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_finalize
-(
-  nssPointerTracker *tracker
-);
+NSS_EXTERN PRStatus nssPointerTracker_finalize(nssPointerTracker *tracker);
 
 extern const NSSError NSS_ERROR_TRACKER_NOT_EMPTY;
 #endif /* DEBUG */
 
 /*
  * nssPointerTracker_add
  *
  * This method is only present in debug builds.
@@ -1229,92 +971,80 @@ extern const NSSError NSS_ERROR_TRACKER_
  *  NSS_ERROR_DUPLICATE_POINTER
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 #ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_add
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-);
+NSS_EXTERN PRStatus nssPointerTracker_add(nssPointerTracker *tracker,
+                                          const void *pointer);
 
 extern const NSSError NSS_ERROR_NO_MEMORY;
 extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
 extern const NSSError NSS_ERROR_DUPLICATE_POINTER;
 #endif /* DEBUG */
 
 /*
  * nssPointerTracker_remove
  *
  * This method is only present in debug builds.
  *
- * This routine removes the specified pointer from the 
+ * This routine removes the specified pointer from the
  * nssPointerTracker object.  It does not call any destructor for the
  * object; rather, this should be called from the object's destructor.
- * The nssPointerTracker is threadsafe, but this call is not 
- * idempotent.  This routine returns a PRStatus value; if successful 
- * it will return PR_SUCCESS.  On failure it will set an error on the 
+ * The nssPointerTracker is threadsafe, but this call is not
+ * idempotent.  This routine returns a PRStatus value; if successful
+ * it will return PR_SUCCESS.  On failure it will set an error on the
  * error stack and return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_TRACKER_NOT_INITIALIZED
  *  NSS_ERROR_POINTER_NOT_REGISTERED
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 #ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_remove
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-);
+NSS_EXTERN PRStatus nssPointerTracker_remove(nssPointerTracker *tracker,
+                                             const void *pointer);
 
 extern const NSSError NSS_ERROR_TRACKER_NOT_INITIALIZED;
 extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
 #endif /* DEBUG */
 
 /*
  * nssPointerTracker_verify
  *
  * This method is only present in debug builds.
  *
  * This routine verifies that the specified pointer has been registered
  * with the nssPointerTracker object.  The nssPointerTracker object is
  * threadsafe, and this call may be safely called from multiple threads
  * simultaneously with the same arguments.  This routine returns a
- * PRStatus value; if the pointer is registered this will return 
- * PR_SUCCESS.  Otherwise it will set an error on the error stack and 
- * return PR_FAILURE.  Although the error is suitable for leaving on 
- * the stack, callers may wish to augment the information available by 
+ * PRStatus value; if the pointer is registered this will return
+ * PR_SUCCESS.  Otherwise it will set an error on the error stack and
+ * return PR_FAILURE.  Although the error is suitable for leaving on
+ * the stack, callers may wish to augment the information available by
  * placing a more type-specific error on the stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_POINTER_NOT_REGISTERED
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILRUE
  */
 
 #ifdef DEBUG
-NSS_EXTERN PRStatus
-nssPointerTracker_verify
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-);
+NSS_EXTERN PRStatus nssPointerTracker_verify(nssPointerTracker *tracker,
+                                             const void *pointer);
 
 extern const NSSError NSS_ERROR_POINTER_NOT_REGISTERED;
 #endif /* DEBUG */
 
 /*
  * libc
  *
  * nsslibc_memcpy
@@ -1328,67 +1058,49 @@ extern const NSSError NSS_ERROR_POINTER_
  * Errors:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  NULL on error
  *  The destination pointer on success
  */
 
-NSS_EXTERN void *
-nsslibc_memcpy
-(
-  void *dest,
-  const void *source,
-  PRUint32 n
-);
+NSS_EXTERN void *nsslibc_memcpy(void *dest, const void *source, PRUint32 n);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 
 /*
  * nsslibc_memset
  *
  * Errors:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  NULL on error
  *  The destination pointer on success
  */
 
-NSS_EXTERN void *
-nsslibc_memset
-(
-  void *dest,
-  PRUint8 byte,
-  PRUint32 n
-);
+NSS_EXTERN void *nsslibc_memset(void *dest, PRUint8 byte, PRUint32 n);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 
 /*
  * nsslibc_memequal
  *
  * Errors:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_TRUE if they match
  *  PR_FALSE if they don't
  *  PR_FALSE upon error
  */
 
-NSS_EXTERN PRBool
-nsslibc_memequal
-(
-  const void *a,
-  const void *b,
-  PRUint32 len,
-  PRStatus *statusOpt
-);
+NSS_EXTERN PRBool nsslibc_memequal(const void *a, const void *b, PRUint32 len,
+                                   PRStatus *statusOpt);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 
 #define nsslibc_offsetof(str, memb) ((PRPtrdiff)(&(((str *)0)->memb)))
 
 PR_END_EXTERN_C
 
 #endif /* BASE_H */
--- a/security/nss/lib/base/baset.h
+++ b/security/nss/lib/base/baset.h
@@ -27,17 +27,17 @@ PR_BEGIN_EXTERN_C
  */
 
 struct nssArenaMarkStr;
 typedef struct nssArenaMarkStr nssArenaMark;
 
 #ifdef DEBUG
 /*
  * ARENA_THREADMARK
- * 
+ *
  * Optionally, this arena implementation can be compiled with some
  * runtime checking enabled, which will catch the situation where
  * one thread "marks" the arena, another thread allocates memory,
  * and then the mark is released.  Usually this is a surprise to
  * the second thread, and this leads to weird runtime errors.
  * Define ARENA_THREADMARK to catch these cases; we define it for all
  * (internal and external) debug builds.
  */
@@ -63,63 +63,62 @@ typedef struct nssArenaMarkStr nssArenaM
 #ifdef ARENA_THREADMARK
 #define ARENA_DESTRUCTOR_LIST
 #endif /* ARENA_THREADMARK */
 
 #endif /* DEBUG */
 
 typedef struct nssListStr nssList;
 typedef struct nssListIteratorStr nssListIterator;
-typedef PRBool (* nssListCompareFunc)(void *a, void *b);
-typedef PRIntn (* nssListSortFunc)(void *a, void *b);
-typedef void (* nssListElementDestructorFunc)(void *el);
+typedef PRBool (*nssListCompareFunc)(void *a, void *b);
+typedef PRIntn (*nssListSortFunc)(void *a, void *b);
+typedef void (*nssListElementDestructorFunc)(void *el);
 
 typedef struct nssHashStr nssHash;
-typedef void (PR_CALLBACK *nssHashIterator)(const void *key, 
-                                            void *value, 
-                                            void *arg);
+typedef void(PR_CALLBACK *nssHashIterator)(const void *key, void *value,
+                                           void *arg);
 
 /*
  * nssPointerTracker
  *
  * This type is used in debug builds (both external and internal) to
  * track our object pointers.  Objects of this type must be statically
  * allocated, which means the structure size must be available to the
  * compiler.  Therefore we must expose the contents of this structure.
  * But please don't access elements directly; use the accessors.
  */
 
 #ifdef DEBUG
 struct nssPointerTrackerStr {
-  PRCallOnceType once;
-  PZLock *lock;
-  PLHashTable *table;
+    PRCallOnceType once;
+    PZLock *lock;
+    PLHashTable *table;
 };
 typedef struct nssPointerTrackerStr nssPointerTracker;
 #endif /* DEBUG */
 
 /*
  * nssStringType
  *
  * There are several types of strings in the real world.  We try to
  * use only UTF8 and avoid the rest, but that's not always possible.
  * So we have a couple converter routines to go to and from the other
  * string types.  We have to be able to specify those string types,
  * so we have this enumeration.
  */
 
 enum nssStringTypeEnum {
-  nssStringType_DirectoryString,
-  nssStringType_TeletexString, /* Not "teletext" with trailing 't' */
-  nssStringType_PrintableString,
-  nssStringType_UniversalString,
-  nssStringType_BMPString,
-  nssStringType_UTF8String,
-  nssStringType_PHGString,
-  nssStringType_GeneralString,
+    nssStringType_DirectoryString,
+    nssStringType_TeletexString, /* Not "teletext" with trailing 't' */
+    nssStringType_PrintableString,
+    nssStringType_UniversalString,
+    nssStringType_BMPString,
+    nssStringType_UTF8String,
+    nssStringType_PHGString,
+    nssStringType_GeneralString,
 
-  nssStringType_Unknown = -1
+    nssStringType_Unknown = -1
 };
 typedef enum nssStringTypeEnum nssStringType;
 
 PR_END_EXTERN_C
 
 #endif /* BASET_H */
--- a/security/nss/lib/base/error.c
+++ b/security/nss/lib/base/error.c
@@ -1,42 +1,42 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * error.c
  *
- * This file contains the code implementing the per-thread error 
+ * This file contains the code implementing the per-thread error
  * stacks upon which most NSS routines report their errors.
  */
 
 #ifndef BASE_H
 #include "base.h"
-#endif /* BASE_H */
+#endif              /* BASE_H */
 #include <limits.h> /* for UINT_MAX */
 #include <string.h> /* for memmove */
 
 #define NSS_MAX_ERROR_STACK_COUNT 16 /* error codes */
 
 /*
  * The stack itself has a header, and a sequence of integers.
  * The header records the amount of space (as measured in stack
  * slots) already allocated for the stack, and the count of the
  * number of records currently being used.
  */
 
 struct stack_header_str {
-  PRUint16 space;
-  PRUint16 count;
+    PRUint16 space;
+    PRUint16 count;
 };
 
 struct error_stack_str {
-  struct stack_header_str header;
-  PRInt32 stack[1];
+    struct stack_header_str header;
+    PRInt32 stack[1];
 };
 typedef struct error_stack_str error_stack;
 
 /*
  * error_stack_index
  *
  * Thread-private data must be indexed.  This is that index.
  * See PR_NewThreadPrivateIndex for more information.
@@ -57,72 +57,74 @@ static PRUintn error_stack_index = INVAL
 static PRCallOnceType error_call_once;
 
 /*
  * error_once_function
  *
  * This is the once-called callback.
  */
 static PRStatus
-error_once_function ( void)
+error_once_function(void)
 {
-  return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free);
+    return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free);
 }
 
 /*
  * error_get_my_stack
  *
  * This routine returns the calling thread's error stack, creating
  * it if necessary.  It may return NULL upon error, which implicitly
  * means that it ran out of memory.
  */
 
 static error_stack *
-error_get_my_stack ( void)
+error_get_my_stack(void)
 {
-  PRStatus st;
-  error_stack *rv;
-  PRUintn new_size;
-  PRUint32 new_bytes;
-  error_stack *new_stack;
+    PRStatus st;
+    error_stack *rv;
+    PRUintn new_size;
+    PRUint32 new_bytes;
+    error_stack *new_stack;
 
-  if( INVALID_TPD_INDEX == error_stack_index ) {
-    st = PR_CallOnce(&error_call_once, error_once_function);
-    if( PR_SUCCESS != st ) {
-      return (error_stack *)NULL;
+    if (INVALID_TPD_INDEX == error_stack_index) {
+        st = PR_CallOnce(&error_call_once, error_once_function);
+        if (PR_SUCCESS != st) {
+            return (error_stack *)NULL;
+        }
     }
-  }
 
-  rv = (error_stack *)PR_GetThreadPrivate(error_stack_index);
-  if( (error_stack *)NULL == rv ) {
-    /* Doesn't exist; create one */
-    new_size = 16;
-  } else if( rv->header.count == rv->header.space  &&
-             rv->header.count  < NSS_MAX_ERROR_STACK_COUNT ) {
-    /* Too small, expand it */
-    new_size = PR_MIN( rv->header.space * 2, NSS_MAX_ERROR_STACK_COUNT);
-  } else {
-    /* Okay, return it */
-    return rv;
-  }
+    rv = (error_stack *)PR_GetThreadPrivate(error_stack_index);
+    if ((error_stack *)NULL == rv) {
+        /* Doesn't exist; create one */
+        new_size = 16;
+    }
+    else if (rv->header.count == rv->header.space &&
+             rv->header.count < NSS_MAX_ERROR_STACK_COUNT) {
+        /* Too small, expand it */
+        new_size = PR_MIN(rv->header.space * 2, NSS_MAX_ERROR_STACK_COUNT);
+    }
+    else {
+        /* Okay, return it */
+        return rv;
+    }
 
-  new_bytes = (new_size * sizeof(PRInt32)) + sizeof(error_stack);
-  /* Use NSPR's calloc/realloc, not NSS's, to avoid loops! */
-  new_stack = PR_Calloc(1, new_bytes);
-  
-  if( (error_stack *)NULL != new_stack ) {
-    if( (error_stack *)NULL != rv ) {
-	(void)nsslibc_memcpy(new_stack,rv,rv->header.space);
+    new_bytes = (new_size * sizeof(PRInt32)) + sizeof(error_stack);
+    /* Use NSPR's calloc/realloc, not NSS's, to avoid loops! */
+    new_stack = PR_Calloc(1, new_bytes);
+
+    if ((error_stack *)NULL != new_stack) {
+        if ((error_stack *)NULL != rv) {
+            (void)nsslibc_memcpy(new_stack, rv, rv->header.space);
+        }
+        new_stack->header.space = new_size;
     }
-    new_stack->header.space = new_size;
-  }
 
-  /* Set the value, whether or not the allocation worked */
-  PR_SetThreadPrivate(error_stack_index, new_stack);
-  return new_stack;
+    /* Set the value, whether or not the allocation worked */
+    PR_SetThreadPrivate(error_stack_index, new_stack);
+    return new_stack;
 }
 
 /*
  * The error stack
  *
  * The public methods relating to the error stack are:
  *
  *  NSS_GetError
@@ -146,124 +148,125 @@ error_get_my_stack ( void)
  * indicates that the previous NSS library call did not set an error.
  *
  * Return value:
  *  0 if no error has been set
  *  A nonzero error number
  */
 
 NSS_IMPLEMENT PRInt32
-NSS_GetError ( void)
+NSS_GetError(void)
 {
-  error_stack *es = error_get_my_stack();
+    error_stack *es = error_get_my_stack();
 
-  if( (error_stack *)NULL == es ) {
-    return NSS_ERROR_NO_MEMORY; /* Good guess! */
-  }
+    if ((error_stack *)NULL == es) {
+        return NSS_ERROR_NO_MEMORY; /* Good guess! */
+    }
 
-  if( 0 == es->header.count ) {
-    return 0;
-  }
+    if (0 == es->header.count) {
+        return 0;
+    }
 
-  return es->stack[ es->header.count-1 ];
+    return es->stack[es->header.count - 1];
 }
 
 /*
  * NSS_GetErrorStack
  *
  * This routine returns a pointer to an array of integers, containing
  * the entire sequence or "stack" of errors set by the most recent NSS
  * library routine called by the same thread calling this routine.
  * NOTE: the caller DOES NOT OWN the memory pointed to by the return
  * value.  The pointer will remain valid until the calling thread
- * calls another NSS routine.  The lowest-level (most specific) error 
+ * calls another NSS routine.  The lowest-level (most specific) error
  * is first in the array, and the highest-level is last.  The array is
  * zero-terminated.  This routine may return NULL upon error; this
  * indicates a low-memory situation.
  *
  * Return value:
  *  NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
  *  A NON-caller-owned pointer to an array of integers
  */
 
 NSS_IMPLEMENT PRInt32 *
-NSS_GetErrorStack ( void)
+NSS_GetErrorStack(void)
 {
-  error_stack *es = error_get_my_stack();
+    error_stack *es = error_get_my_stack();
 
-  if( (error_stack *)NULL == es ) {
-    return (PRInt32 *)NULL;
-  }
+    if ((error_stack *)NULL == es) {
+        return (PRInt32 *)NULL;
+    }
 
-  /* Make sure it's terminated */
-  es->stack[ es->header.count ] = 0;
+    /* Make sure it's terminated */
+    es->stack[es->header.count] = 0;
 
-  return es->stack;
+    return es->stack;
 }
 
 /*
  * nss_SetError
  *
- * This routine places a new error code on the top of the calling 
+ * This routine places a new error code on the top of the calling
  * thread's error stack.  Calling this routine wiht an error code
  * of zero will clear the error stack.
  */
 
 NSS_IMPLEMENT void
-nss_SetError ( PRUint32 error)
+nss_SetError(PRUint32 error)
 {
-  error_stack *es;
+    error_stack *es;
 
-  if( 0 == error ) {
-    nss_ClearErrorStack();
-    return;
-  }
+    if (0 == error) {
+        nss_ClearErrorStack();
+        return;
+    }
 
-  es = error_get_my_stack();
-  if( (error_stack *)NULL == es ) {
-    /* Oh, well. */
-    return;
-  }
+    es = error_get_my_stack();
+    if ((error_stack *)NULL == es) {
+        /* Oh, well. */
+        return;
+    }
 
-  if (es->header.count < es->header.space) {
-    es->stack[ es->header.count++ ] = error;
-  } else {
-    memmove(es->stack, es->stack + 1, 
-		(es->header.space - 1) * (sizeof es->stack[0]));
-    es->stack[ es->header.space - 1 ] = error;
-  }
-  return;
+    if (es->header.count < es->header.space) {
+        es->stack[es->header.count++] = error;
+    }
+    else {
+        memmove(es->stack, es->stack + 1,
+                (es->header.space - 1) * (sizeof es->stack[0]));
+        es->stack[es->header.space - 1] = error;
+    }
+    return;
 }
 
 /*
  * nss_ClearErrorStack
  *
  * This routine clears the calling thread's error stack.
  */
 
 NSS_IMPLEMENT void
-nss_ClearErrorStack ( void)
+nss_ClearErrorStack(void)
 {
-  error_stack *es = error_get_my_stack();
-  if( (error_stack *)NULL == es ) {
-    /* Oh, well. */
+    error_stack *es = error_get_my_stack();
+    if ((error_stack *)NULL == es) {
+        /* Oh, well. */
+        return;
+    }
+
+    es->header.count = 0;
+    es->stack[0] = 0;
     return;
-  }
-
-  es->header.count = 0;
-  es->stack[0] = 0;
-  return;
 }
 
 /*
  * nss_DestroyErrorStack
  *
  * This routine frees the calling thread's error stack.
  */
 
 NSS_IMPLEMENT void
-nss_DestroyErrorStack ( void)
+nss_DestroyErrorStack(void)
 {
-  if( INVALID_TPD_INDEX != error_stack_index ) {
-    PR_SetThreadPrivate(error_stack_index, NULL);
-  }
-  return;
+    if (INVALID_TPD_INDEX != error_stack_index) {
+        PR_SetThreadPrivate(error_stack_index, NULL);
+    }
+    return;
 }
--- a/security/nss/lib/base/errorval.c
+++ b/security/nss/lib/base/errorval.c
@@ -7,16 +7,18 @@
  *
  * This file contains the actual error constants used in NSS.
  */
 
 #ifndef NSSBASET_H
 #include "nssbaset.h"
 #endif /* NSSBASET_H */
 
+/* clang-format off */
+
 const NSSError NSS_ERROR_NO_ERROR                       =  0;
 const NSSError NSS_ERROR_INTERNAL_ERROR                 =  1;
 const NSSError NSS_ERROR_NO_MEMORY                      =  2;
 const NSSError NSS_ERROR_INVALID_POINTER                =  3;
 const NSSError NSS_ERROR_INVALID_ARENA                  =  4;
 const NSSError NSS_ERROR_INVALID_ARENA_MARK             =  5;
 const NSSError NSS_ERROR_DUPLICATE_POINTER              =  6;
 const NSSError NSS_ERROR_POINTER_NOT_REGISTERED         =  7;
@@ -55,8 +57,9 @@ const NSSError NSS_ERROR_CERTIFICATE_IN_
 const NSSError NSS_ERROR_HASH_COLLISION                 = 33;
 const NSSError NSS_ERROR_DEVICE_ERROR                   = 34;
 const NSSError NSS_ERROR_INVALID_CERTIFICATE            = 35;
 const NSSError NSS_ERROR_BUSY                           = 36;
 const NSSError NSS_ERROR_ALREADY_INITIALIZED            = 37;
 
 const NSSError NSS_ERROR_PKCS11                         = 38;
 
+/* clang-format on */
\ No newline at end of file
--- a/security/nss/lib/base/hash.c
+++ b/security/nss/lib/base/hash.c
@@ -27,345 +27,293 @@
  *  nssHash_Remove
  *  nssHash_Count
  *  nssHash_Exists
  *  nssHash_Lookup
  *  nssHash_Iterate
  */
 
 struct nssHashStr {
-  NSSArena *arena;
-  PRBool i_alloced_arena;
-  PRLock *mutex;
+    NSSArena *arena;
+    PRBool i_alloced_arena;
+    PRLock *mutex;
 
-  /*
-   * The invariant that mutex protects is:
-   *   The count accurately reflects the hashtable state.
-   */
+    /*
+     * The invariant that mutex protects is:
+     *   The count accurately reflects the hashtable state.
+     */
 
-  PLHashTable *plHashTable;
-  PRUint32 count;
+    PLHashTable *plHashTable;
+    PRUint32 count;
 };
 
 static PLHashNumber
-nss_identity_hash
-(
-  const void *key
-)
+nss_identity_hash(const void *key)
 {
-  return (PLHashNumber)((char *)key - (char *)NULL);
+    return (PLHashNumber)((char *)key - (char *)NULL);
 }
 
 static PLHashNumber
-nss_item_hash
-(
-  const void *key
-)
+nss_item_hash(const void *key)
 {
-  unsigned int i;
-  PLHashNumber h;
-  NSSItem *it = (NSSItem *)key;
-  h = 0;
-  for (i=0; i<it->size; i++)
-    h = PR_ROTATE_LEFT32(h, 4) ^ ((unsigned char *)it->data)[i];
-  return h;
+    unsigned int i;
+    PLHashNumber h;
+    NSSItem *it = (NSSItem *)key;
+    h = 0;
+    for (i = 0; i < it->size; i++)
+        h = PR_ROTATE_LEFT32(h, 4) ^ ((unsigned char *)it->data)[i];
+    return h;
 }
 
 static int
 nss_compare_items(const void *v1, const void *v2)
 {
-  PRStatus ignore;
-  return (int)nssItem_Equal((NSSItem *)v1, (NSSItem *)v2, &ignore);
+    PRStatus ignore;
+    return (int)nssItem_Equal((NSSItem *)v1, (NSSItem *)v2, &ignore);
 }
 
 /*
  * nssHash_create
  *
  */
 NSS_IMPLEMENT nssHash *
-nssHash_Create
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets,
-  PLHashFunction keyHash,
-  PLHashComparator keyCompare,
-  PLHashComparator valueCompare
-)
+nssHash_Create(NSSArena *arenaOpt, PRUint32 numBuckets, PLHashFunction keyHash,
+               PLHashComparator keyCompare, PLHashComparator valueCompare)
 {
-  nssHash *rv;
-  NSSArena *arena;
-  PRBool i_alloced;
+    nssHash *rv;
+    NSSArena *arena;
+    PRBool i_alloced;
 
 #ifdef NSSDEBUG
-  if( arenaOpt && PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (nssHash *)NULL;
-  }
+    if (arenaOpt && PR_SUCCESS != nssArena_verifyPointer(arenaOpt)) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return (nssHash *)NULL;
+    }
 #endif /* NSSDEBUG */
 
-  if (arenaOpt) {
-    arena = arenaOpt;
-    i_alloced = PR_FALSE;
-  } else {
-    arena = nssArena_Create();
-    i_alloced = PR_TRUE;
-  }
+    if (arenaOpt) {
+        arena = arenaOpt;
+        i_alloced = PR_FALSE;
+    }
+    else {
+        arena = nssArena_Create();
+        i_alloced = PR_TRUE;
+    }
 
-  rv = nss_ZNEW(arena, nssHash);
-  if( (nssHash *)NULL == rv ) {
-    goto loser;
-  }
+    rv = nss_ZNEW(arena, nssHash);
+    if ((nssHash *)NULL == rv) {
+        goto loser;
+    }
 
-  rv->mutex = PZ_NewLock(nssILockOther);
-  if( (PZLock *)NULL == rv->mutex ) {
-    goto loser;
-  }
+    rv->mutex = PZ_NewLock(nssILockOther);
+    if ((PZLock *)NULL == rv->mutex) {
+        goto loser;
+    }
 
-  rv->plHashTable = PL_NewHashTable(numBuckets, 
-                                    keyHash, keyCompare, valueCompare,
-                                    &nssArenaHashAllocOps, arena);
-  if( (PLHashTable *)NULL == rv->plHashTable ) {
-    (void)PZ_DestroyLock(rv->mutex);
-    goto loser;
-  }
+    rv->plHashTable =
+        PL_NewHashTable(numBuckets, keyHash, keyCompare, valueCompare,
+                        &nssArenaHashAllocOps, arena);
+    if ((PLHashTable *)NULL == rv->plHashTable) {
+        (void)PZ_DestroyLock(rv->mutex);
+        goto loser;
+    }
 
-  rv->count = 0;
-  rv->arena = arena;
-  rv->i_alloced_arena = i_alloced;
+    rv->count = 0;
+    rv->arena = arena;
+    rv->i_alloced_arena = i_alloced;
 
-  return rv;
+    return rv;
 loser:
-  (void)nss_ZFreeIf(rv);
-  return (nssHash *)NULL;
+    (void)nss_ZFreeIf(rv);
+    return (nssHash *)NULL;
 }
 
 /*
  * nssHash_CreatePointer
  *
  */
 NSS_IMPLEMENT nssHash *
-nssHash_CreatePointer
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-)
+nssHash_CreatePointer(NSSArena *arenaOpt, PRUint32 numBuckets)
 {
-  return nssHash_Create(arenaOpt, numBuckets, 
-                        nss_identity_hash, PL_CompareValues, PL_CompareValues);
+    return nssHash_Create(arenaOpt, numBuckets, nss_identity_hash,
+                          PL_CompareValues, PL_CompareValues);
 }
 
 /*
  * nssHash_CreateString
  *
  */
 NSS_IMPLEMENT nssHash *
-nssHash_CreateString
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-)
+nssHash_CreateString(NSSArena *arenaOpt, PRUint32 numBuckets)
 {
-  return nssHash_Create(arenaOpt, numBuckets, 
-                        PL_HashString, PL_CompareStrings, PL_CompareStrings);
+    return nssHash_Create(arenaOpt, numBuckets, PL_HashString,
+                          PL_CompareStrings, PL_CompareStrings);
 }
 
 /*
  * nssHash_CreateItem
  *
  */
 NSS_IMPLEMENT nssHash *
-nssHash_CreateItem
-(
-  NSSArena *arenaOpt,
-  PRUint32 numBuckets
-)
+nssHash_CreateItem(NSSArena *arenaOpt, PRUint32 numBuckets)
 {
-  return nssHash_Create(arenaOpt, numBuckets, 
-                        nss_item_hash, nss_compare_items, PL_CompareValues);
+    return nssHash_Create(arenaOpt, numBuckets, nss_item_hash,
+                          nss_compare_items, PL_CompareValues);
 }
 
 /*
  * nssHash_Destroy
  *
  */
 NSS_IMPLEMENT void
-nssHash_Destroy
-(
-  nssHash *hash
-)
+nssHash_Destroy(nssHash *hash)
 {
-  (void)PZ_DestroyLock(hash->mutex);
-  PL_HashTableDestroy(hash->plHashTable);
-  if (hash->i_alloced_arena) {
-    nssArena_Destroy(hash->arena);
-  } else {
-    nss_ZFreeIf(hash);
-  }
+    (void)PZ_DestroyLock(hash->mutex);
+    PL_HashTableDestroy(hash->plHashTable);
+    if (hash->i_alloced_arena) {
+        nssArena_Destroy(hash->arena);
+    }
+    else {
+        nss_ZFreeIf(hash);
+    }
 }
 
 /*
  * nssHash_Add
  *
  */
 NSS_IMPLEMENT PRStatus
-nssHash_Add
-(
-  nssHash *hash,
-  const void *key,
-  const void *value
-)
+nssHash_Add(nssHash *hash, const void *key, const void *value)
 {
-  PRStatus error = PR_FAILURE;
-  PLHashEntry *he;
+    PRStatus error = PR_FAILURE;
+    PLHashEntry *he;
+
+    PZ_Lock(hash->mutex);
 
-  PZ_Lock(hash->mutex);
-  
-  he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
-  if( (PLHashEntry *)NULL == he ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-  } else if (he->value != value) {
-    nss_SetError(NSS_ERROR_HASH_COLLISION);
-  } else {
-    hash->count++;
-    error = PR_SUCCESS;
-  }
+    he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
+    if ((PLHashEntry *)NULL == he) {
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+    }
+    else if (he->value != value) {
+        nss_SetError(NSS_ERROR_HASH_COLLISION);
+    }
+    else {
+        hash->count++;
+        error = PR_SUCCESS;
+    }
 
-  (void)PZ_Unlock(hash->mutex);
+    (void)PZ_Unlock(hash->mutex);
 
-  return error;
+    return error;
 }
 
 /*
  * nssHash_Remove
  *
  */
 NSS_IMPLEMENT void
-nssHash_Remove
-(
-  nssHash *hash,
-  const void *it
-)
+nssHash_Remove(nssHash *hash, const void *it)
 {
-  PRBool found;
+    PRBool found;
+
+    PZ_Lock(hash->mutex);
 
-  PZ_Lock(hash->mutex);
+    found = PL_HashTableRemove(hash->plHashTable, it);
+    if (found) {
+        hash->count--;
+    }
 
-  found = PL_HashTableRemove(hash->plHashTable, it);
-  if( found ) {
-    hash->count--;
-  }
-
-  (void)PZ_Unlock(hash->mutex);
-  return;
+    (void)PZ_Unlock(hash->mutex);
+    return;
 }
 
 /*
  * nssHash_Count
  *
  */
 NSS_IMPLEMENT PRUint32
-nssHash_Count
-(
-  nssHash *hash
-)
+nssHash_Count(nssHash *hash)
 {
-  PRUint32 count;
+    PRUint32 count;
+
+    PZ_Lock(hash->mutex);
 
-  PZ_Lock(hash->mutex);
-
-  count = hash->count;
+    count = hash->count;
 
-  (void)PZ_Unlock(hash->mutex);
+    (void)PZ_Unlock(hash->mutex);
 
-  return count;
+    return count;
 }
 
 /*
  * nssHash_Exists
  *
  */
 NSS_IMPLEMENT PRBool
-nssHash_Exists
-(
-  nssHash *hash,
-  const void *it
-)
+nssHash_Exists(nssHash *hash, const void *it)
 {
-  void *value;
+    void *value;
 
-  PZ_Lock(hash->mutex);
+    PZ_Lock(hash->mutex);
+
+    value = PL_HashTableLookup(hash->plHashTable, it);
 
-  value = PL_HashTableLookup(hash->plHashTable, it);
-
-  (void)PZ_Unlock(hash->mutex);
+    (void)PZ_Unlock(hash->mutex);
 
-  if( (void *)NULL == value ) {
-    return PR_FALSE;
-  } else {
-    return PR_TRUE;
-  }
+    if ((void *)NULL == value) {
+        return PR_FALSE;
+    }
+    else {
+        return PR_TRUE;
+    }
 }
 
 /*
  * nssHash_Lookup
  *
  */
 NSS_IMPLEMENT void *
-nssHash_Lookup
-(
-  nssHash *hash,
-  const void *it
-)
+nssHash_Lookup(nssHash *hash, const void *it)
 {
-  void *rv;
+    void *rv;
+
+    PZ_Lock(hash->mutex);
 
-  PZ_Lock(hash->mutex);
-
-  rv = PL_HashTableLookup(hash->plHashTable, it);
+    rv = PL_HashTableLookup(hash->plHashTable, it);
 
-  (void)PZ_Unlock(hash->mutex);
+    (void)PZ_Unlock(hash->mutex);
 
-  return rv;
+    return rv;
 }
 
 struct arg_str {
-  nssHashIterator fcn;
-  void *closure;
+    nssHashIterator fcn;
+    void *closure;
 };
 
 static PRIntn
-nss_hash_enumerator
-(
-  PLHashEntry *he,
-  PRIntn index,
-  void *arg
-)
+nss_hash_enumerator(PLHashEntry *he, PRIntn index, void *arg)
 {
-  struct arg_str *as = (struct arg_str *)arg;
-  as->fcn(he->key, he->value, as->closure);
-  return HT_ENUMERATE_NEXT;
+    struct arg_str *as = (struct arg_str *)arg;
+    as->fcn(he->key, he->value, as->closure);
+    return HT_ENUMERATE_NEXT;
 }
 
 /*
  * nssHash_Iterate
  *
  * NOTE that the iteration function will be called with the hashtable locked.
  */
 NSS_IMPLEMENT void
-nssHash_Iterate
-(
-  nssHash *hash,
-  nssHashIterator fcn,
-  void *closure
-)
+nssHash_Iterate(nssHash *hash, nssHashIterator fcn, void *closure)
 {
-  struct arg_str as;
-  as.fcn = fcn;
-  as.closure = closure;
+    struct arg_str as;
+    as.fcn = fcn;
+    as.closure = closure;
 
-  PZ_Lock(hash->mutex);
+    PZ_Lock(hash->mutex);
 
-  PL_HashTableEnumerateEntries(hash->plHashTable, nss_hash_enumerator, &as);
+    PL_HashTableEnumerateEntries(hash->plHashTable, nss_hash_enumerator, &as);
 
-  (void)PZ_Unlock(hash->mutex);
+    (void)PZ_Unlock(hash->mutex);
 
-  return;
+    return;
 }
--- a/security/nss/lib/base/hashops.c
+++ b/security/nss/lib/base/hashops.c
@@ -7,78 +7,58 @@
  *
  * This file includes a set of PLHashAllocOps that use NSSArenas.
  */
 
 #ifndef BASE_H
 #include "base.h"
 #endif /* BASE_H */
 
-static void * PR_CALLBACK
-nss_arena_hash_alloc_table
-(
-  void *pool,
-  PRSize size
-)
+static void *PR_CALLBACK
+nss_arena_hash_alloc_table(void *pool, PRSize size)
 {
-  NSSArena *arena = (NSSArena *)NULL;
+    NSSArena *arena = (NSSArena *)NULL;
 
 #ifdef NSSDEBUG
-  if( (void *)NULL != arena ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-      return (void *)NULL;
+    if ((void *)NULL != arena) {
+        if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+            return (void *)NULL;
+        }
     }
-  }
 #endif /* NSSDEBUG */
 
-  return nss_ZAlloc(arena, size);
+    return nss_ZAlloc(arena, size);
 }
 
 static void PR_CALLBACK
-nss_arena_hash_free_table
-(
-  void *pool, 
-  void *item
-)
+nss_arena_hash_free_table(void *pool, void *item)
 {
-  (void)nss_ZFreeIf(item);
+    (void)nss_ZFreeIf(item);
 }
 
-static PLHashEntry * PR_CALLBACK
-nss_arena_hash_alloc_entry
-(
-  void *pool,
-  const void *key
-)
+static PLHashEntry *PR_CALLBACK
+nss_arena_hash_alloc_entry(void *pool, const void *key)
 {
-  NSSArena *arena = NULL;
+    NSSArena *arena = NULL;
 
 #ifdef NSSDEBUG
-  if( (void *)NULL != arena ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
-      return (void *)NULL;
+    if ((void *)NULL != arena) {
+        if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+            return (void *)NULL;
+        }
     }
-  }
 #endif /* NSSDEBUG */
 
-  return nss_ZNEW(arena, PLHashEntry);
+    return nss_ZNEW(arena, PLHashEntry);
 }
 
 static void PR_CALLBACK
-nss_arena_hash_free_entry
-(
-  void *pool,
-  PLHashEntry *he,
-  PRUintn flag
-)
+nss_arena_hash_free_entry(void *pool, PLHashEntry *he, PRUintn flag)
 {
-  if( HT_FREE_ENTRY == flag ) {
-    (void)nss_ZFreeIf(he);
-  }
+    if (HT_FREE_ENTRY == flag) {
+        (void)nss_ZFreeIf(he);
+    }
 }
 
-NSS_IMPLEMENT_DATA PLHashAllocOps 
-nssArenaHashAllocOps = {
-  nss_arena_hash_alloc_table,
-  nss_arena_hash_free_table,
-  nss_arena_hash_alloc_entry,
-  nss_arena_hash_free_entry
+NSS_IMPLEMENT_DATA PLHashAllocOps nssArenaHashAllocOps = {
+    nss_arena_hash_alloc_table, nss_arena_hash_free_table,
+    nss_arena_hash_alloc_entry, nss_arena_hash_free_entry
 };
--- a/security/nss/lib/base/item.c
+++ b/security/nss/lib/base/item.c
@@ -17,128 +17,115 @@
  *
  * -- fgmr comments --
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *  NSS_ERROR_INVALID_POINTER
- *  
+ *
  * Return value:
  *  A pointer to an NSSItem upon success
  *  NULL upon failure
  */
 
 NSS_IMPLEMENT NSSItem *
-nssItem_Create
-(
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt,
-  PRUint32 length,
-  const void *data
-)
+nssItem_Create(NSSArena *arenaOpt, NSSItem *rvOpt, PRUint32 length,
+               const void *data)
 {
-  NSSItem *rv = (NSSItem *)NULL;
+    NSSItem *rv = (NSSItem *)NULL;
 
 #ifdef DEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSItem *)NULL;
+    if ((NSSArena *)NULL != arenaOpt) {
+        if (PR_SUCCESS != nssArena_verifyPointer(arenaOpt)) {
+            return (NSSItem *)NULL;
+        }
     }
-  }
 
-  if( (const void *)NULL == data ) {
-    if( length > 0 ) {
-      nss_SetError(NSS_ERROR_INVALID_POINTER);
-      return (NSSItem *)NULL;
+    if ((const void *)NULL == data) {
+        if (length > 0) {
+            nss_SetError(NSS_ERROR_INVALID_POINTER);
+            return (NSSItem *)NULL;
+        }
     }
-  }
 #endif /* DEBUG */
 
-  if( (NSSItem *)NULL == rvOpt ) {
-    rv = (NSSItem *)nss_ZNEW(arenaOpt, NSSItem);
-    if( (NSSItem *)NULL == rv ) {
-      goto loser;
+    if ((NSSItem *)NULL == rvOpt) {
+        rv = (NSSItem *)nss_ZNEW(arenaOpt, NSSItem);
+        if ((NSSItem *)NULL == rv) {
+            goto loser;
+        }
     }
-  } else {
-    rv = rvOpt;
-  }
+    else {
+        rv = rvOpt;
+    }
 
-  rv->size = length;
-  rv->data = nss_ZAlloc(arenaOpt, length);
-  if( (void *)NULL == rv->data ) {
-    goto loser;
-  }
+    rv->size = length;
+    rv->data = nss_ZAlloc(arenaOpt, length);
+    if ((void *)NULL == rv->data) {
+        goto loser;
+    }
 
-  if( length > 0 ) {
-    (void)nsslibc_memcpy(rv->data, data, length);
-  }
+    if (length > 0) {
+        (void)nsslibc_memcpy(rv->data, data, length);
+    }
 
-  return rv;
+    return rv;
 
- loser:
-  if( rv != rvOpt ) {
-    nss_ZFreeIf(rv);
-  }
+loser:
+    if (rv != rvOpt) {
+        nss_ZFreeIf(rv);
+    }
 
-  return (NSSItem *)NULL;
+    return (NSSItem *)NULL;
 }
 
 NSS_IMPLEMENT void
-nssItem_Destroy
-(
-  NSSItem *item
-)
+nssItem_Destroy(NSSItem *item)
 {
-  nss_ClearErrorStack();
+    nss_ClearErrorStack();
 
-  nss_ZFreeIf(item->data);
-  nss_ZFreeIf(item);
-
+    nss_ZFreeIf(item->data);
+    nss_ZFreeIf(item);
 }
 
 /*
  * nssItem_Duplicate
  *
  * -- fgmr comments --
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *  NSS_ERROR_INVALID_ITEM
- *  
+ *
  * Return value:
  *  A pointer to an NSSItem upon success
  *  NULL upon failure
  */
 
 NSS_IMPLEMENT NSSItem *
-nssItem_Duplicate
-(
-  NSSItem *obj,
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt
-)
+nssItem_Duplicate(NSSItem *obj, NSSArena *arenaOpt, NSSItem *rvOpt)
 {
 #ifdef DEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSItem *)NULL;
+    if ((NSSArena *)NULL != arenaOpt) {
+        if (PR_SUCCESS != nssArena_verifyPointer(arenaOpt)) {
+            return (NSSItem *)NULL;
+        }
     }
-  }
 
-  if( (NSSItem *)NULL == obj ) {
-    nss_SetError(NSS_ERROR_INVALID_ITEM);
-    return (NSSItem *)NULL;
-  }
+    if ((NSSItem *)NULL == obj) {
+        nss_SetError(NSS_ERROR_INVALID_ITEM);
+        return (NSSItem *)NULL;
+    }
 #endif /* DEBUG */
 
-  return nssItem_Create(arenaOpt, rvOpt, obj->size, obj->data);
+    return nssItem_Create(arenaOpt, rvOpt, obj->size, obj->data);
 }
 
 #ifdef DEBUG
 /*
  * nssItem_verifyPointer
  *
  * -- fgmr comments --
  *
@@ -146,28 +133,25 @@ nssItem_Duplicate
  *  NSS_ERROR_INVALID_ITEM
  *
  * Return value:
  *  PR_SUCCESS upon success
  *  PR_FAILURE upon failure
  */
 
 NSS_IMPLEMENT PRStatus
-nssItem_verifyPointer
-(
-  const NSSItem *item
-)
+nssItem_verifyPointer(const NSSItem *item)
 {
-  if( ((const NSSItem *)NULL == item) ||
-      (((void *)NULL == item->data) && (item->size > 0)) ) {
-    nss_SetError(NSS_ERROR_INVALID_ITEM);
-    return PR_FAILURE;
-  }
+    if (((const NSSItem *)NULL == item) ||
+        (((void *)NULL == item->data) && (item->size > 0))) {
+        nss_SetError(NSS_ERROR_INVALID_ITEM);
+        return PR_FAILURE;
+    }
 
-  return PR_SUCCESS;
+    return PR_SUCCESS;
 }
 #endif /* DEBUG */
 
 /*
  * nssItem_Equal
  *
  * -- fgmr comments --
  *
@@ -176,33 +160,28 @@ nssItem_verifyPointer
  *
  * Return value:
  *  PR_TRUE if the items are identical
  *  PR_FALSE if they aren't
  *  PR_FALSE upon error
  */
 
 NSS_IMPLEMENT PRBool
-nssItem_Equal
-(
-  const NSSItem *one,
-  const NSSItem *two,
-  PRStatus *statusOpt
-)
+nssItem_Equal(const NSSItem *one, const NSSItem *two, PRStatus *statusOpt)
 {
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
+    if ((PRStatus *)NULL != statusOpt) {
+        *statusOpt = PR_SUCCESS;
+    }
+
+    if (((const NSSItem *)NULL == one) && ((const NSSItem *)NULL == two)) {
+        return PR_TRUE;
+    }
 
-  if( ((const NSSItem *)NULL == one) && ((const NSSItem *)NULL == two) ) {
-    return PR_TRUE;
-  }
+    if (((const NSSItem *)NULL == one) || ((const NSSItem *)NULL == two)) {
+        return PR_FALSE;
+    }
 
-  if( ((const NSSItem *)NULL == one) || ((const NSSItem *)NULL == two) ) {
-    return PR_FALSE;
-  }
+    if (one->size != two->size) {
+        return PR_FALSE;
+    }
 
-  if( one->size != two->size ) {
-    return PR_FALSE;
-  }
-
-  return nsslibc_memequal(one->data, two->data, one->size, statusOpt);
+    return nsslibc_memequal(one->data, two->data, one->size, statusOpt);
 }
--- a/security/nss/lib/base/libc.c
+++ b/security/nss/lib/base/libc.c
@@ -1,19 +1,19 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * libc.c
  *
- * This file contains our wrappers/reimplementations for "standard" 
- * libc functions.  Things like "memcpy."  We add to this as we need 
- * it.  Oh, and let's keep it in alphabetical order, should it ever 
- * get large.  Most string/character stuff should be in utf8.c, not 
+ * This file contains our wrappers/reimplementations for "standard"
+ * libc functions.  Things like "memcpy."  We add to this as we need
+ * it.  Oh, and let's keep it in alphabetical order, should it ever
+ * get large.  Most string/character stuff should be in utf8.c, not
  * here.  This file (and maybe utf8.c) should be the only ones in
  * NSS to include files with angle brackets.
  */
 
 #ifndef BASE_H
 #include "base.h"
 #endif /* BASE_H */
 
@@ -33,132 +33,112 @@
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  NULL on error
  *  The destination pointer on success
  */
 
 NSS_IMPLEMENT void *
-nsslibc_memcpy
-(
-  void *dest,
-  const void *source,
-  PRUint32 n
-)
+nsslibc_memcpy(void *dest, const void *source, PRUint32 n)
 {
 #ifdef NSSDEBUG
-  if( ((void *)NULL == dest) || ((const void *)NULL == source) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (void *)NULL;
-  }
+    if (((void *)NULL == dest) || ((const void *)NULL == source)) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return (void *)NULL;
+    }
 #endif /* NSSDEBUG */
 
-  return memcpy(dest, source, (size_t)n);
+    return memcpy(dest, source, (size_t)n);
 }
 
 /*
  * nsslibc_memset
  *
  * Errors:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  NULL on error
  *  The destination pointer on success
  */
 
 NSS_IMPLEMENT void *
-nsslibc_memset
-(
-  void *dest,
-  PRUint8 byte,
-  PRUint32 n
-)
+nsslibc_memset(void *dest, PRUint8 byte, PRUint32 n)
 {
 #ifdef NSSDEBUG
-  if( ((void *)NULL == dest) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (void *)NULL;
-  }
+    if (((void *)NULL == dest)) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return (void *)NULL;
+    }
 #endif /* NSSDEBUG */
 
-  return memset(dest, (int)byte, (size_t)n);
+    return memset(dest, (int)byte, (size_t)n);
 }
 
 /*
  * nsslibc_memequal
  *
  * Errors:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_TRUE if they match
  *  PR_FALSE if they don't
  *  PR_FALSE upon error
  */
 
 NSS_IMPLEMENT PRBool
-nsslibc_memequal
-(
-  const void *a,
-  const void *b,
-  PRUint32 len,
-  PRStatus *statusOpt
-)
+nsslibc_memequal(const void *a, const void *b, PRUint32 len,
+                 PRStatus *statusOpt)
 {
 #ifdef NSSDEBUG
-  if( (((void *)NULL == a) || ((void *)NULL == b)) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
+    if ((((void *)NULL == a) || ((void *)NULL == b))) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        if ((PRStatus *)NULL != statusOpt) {
+            *statusOpt = PR_FAILURE;
+        }
+        return PR_FALSE;
     }
-    return PR_FALSE;
-  }
 #endif /* NSSDEBUG */
 
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
+    if ((PRStatus *)NULL != statusOpt) {
+        *statusOpt = PR_SUCCESS;
+    }
 
-  if( 0 == memcmp(a, b, len) ) {
-    return PR_TRUE;
-  } else {
-    return PR_FALSE;
-  }
+    if (0 == memcmp(a, b, len)) {
+        return PR_TRUE;
+    }
+    else {
+        return PR_FALSE;
+    }
 }
 
 /*
  * nsslibc_memcmp
  */
 
 NSS_IMPLEMENT PRInt32
-nsslibc_memcmp
-(
-  const void *a,
-  const void *b,
-  PRUint32 len,
-  PRStatus *statusOpt
-)
+nsslibc_memcmp(const void *a, const void *b, PRUint32 len, PRStatus *statusOpt)
 {
-  int v;
+    int v;
 
 #ifdef NSSDEBUG
-  if( (((void *)NULL == a) || ((void *)NULL == b)) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
+    if ((((void *)NULL == a) || ((void *)NULL == b))) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        if ((PRStatus *)NULL != statusOpt) {
+            *statusOpt = PR_FAILURE;
+        }
+        return -2;
     }
-    return -2;
-  }
 #endif /* NSSDEBUG */
 
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
+    if ((PRStatus *)NULL != statusOpt) {
+        *statusOpt = PR_SUCCESS;
+    }
 
-  v = memcmp(a, b, len);
-  return (PRInt32)v;
+    v = memcmp(a, b, len);
+    return (PRInt32)v;
 }
 
 /*
  * offsetof is a preprocessor definition
  */
--- a/security/nss/lib/base/list.c
+++ b/security/nss/lib/base/list.c
@@ -8,131 +8,131 @@
  * This contains the implementation of NSS's thread-safe linked list.
  */
 
 #ifndef BASE_H
 #include "base.h"
 #endif /* BASE_H */
 
 struct nssListElementStr {
-    PRCList  link;
-    void    *data;
+    PRCList link;
+    void *data;
 };
 
 typedef struct nssListElementStr nssListElement;
 
 struct nssListStr {
-    NSSArena       *arena;
-    PZLock         *lock;
+    NSSArena *arena;
+    PZLock *lock;
     nssListElement *head;
-    PRUint32        count;
+    PRUint32 count;
     nssListCompareFunc compareFunc;
-    nssListSortFunc    sortFunc;
+    nssListSortFunc sortFunc;
     PRBool i_alloced_arena;
 };
 
 struct nssListIteratorStr {
     PZLock *lock;
     nssList *list;
     nssListElement *current;
 };
 
-#define NSSLIST_LOCK_IF(list) \
-    if ((list)->lock) PZ_Lock((list)->lock)
+#define NSSLIST_LOCK_IF(list)                                                  \
+    if ((list)->lock)                                                          \
+    PZ_Lock((list)->lock)
 
-#define NSSLIST_UNLOCK_IF(list) \
-    if ((list)->lock) PZ_Unlock((list)->lock)
+#define NSSLIST_UNLOCK_IF(list)                                                \
+    if ((list)->lock)                                                          \
+    PZ_Unlock((list)->lock)
 
 static PRBool
 pointer_compare(void *a, void *b)
 {
     return (PRBool)(a == b);
 }
 
 static nssListElement *
 nsslist_get_matching_element(nssList *list, void *data)
 {
     PRCList *link;
     nssListElement *node;
     node = list->head;
     if (!node) {
-	return NULL;
+        return NULL;
     }
     link = &node->link;
     while (node) {
-	/* using a callback slows things down when it's just compare ... */
-	if (list->compareFunc(node->data, data)) {
-	    break;
-	}
-	link = &node->link;
-	if (link == PR_LIST_TAIL(&list->head->link)) {
-	    node = NULL;
-	    break;
-	}
-	node = (nssListElement *)PR_NEXT_LINK(&node->link);
+        /* using a callback slows things down when it's just compare ... */
+        if (list->compareFunc(node->data, data)) {
+            break;
+        }
+        link = &node->link;
+        if (link == PR_LIST_TAIL(&list->head->link)) {
+            node = NULL;
+            break;
+        }
+        node = (nssListElement *)PR_NEXT_LINK(&node->link);
     }
     return node;
 }
 
 NSS_IMPLEMENT nssList *
-nssList_Create
-(
-  NSSArena *arenaOpt,
-  PRBool threadSafe
-)
+nssList_Create(NSSArena *arenaOpt, PRBool threadSafe)
 {
     NSSArena *arena;
     nssList *list;
     PRBool i_alloced;
     if (arenaOpt) {
-	arena = arenaOpt;
-	i_alloced = PR_FALSE;
-    } else {
-	arena = nssArena_Create();
-	i_alloced = PR_TRUE;
+        arena = arenaOpt;
+        i_alloced = PR_FALSE;
+    }
+    else {
+        arena = nssArena_Create();
+        i_alloced = PR_TRUE;
     }
     if (!arena) {
-	return (nssList *)NULL;
+        return (nssList *)NULL;
     }
     list = nss_ZNEW(arena, nssList);
     if (!list) {
-	if (!arenaOpt) {
-	    NSSArena_Destroy(arena);
-	}
-	return (nssList *)NULL;
+        if (!arenaOpt) {
+            NSSArena_Destroy(arena);
+        }
+        return (nssList *)NULL;
     }
     if (threadSafe) {
-	list->lock = PZ_NewLock(nssILockOther);
-	if (!list->lock) {
-	    if (arenaOpt) {
-		nss_ZFreeIf(list);
-	    } else {
-		NSSArena_Destroy(arena);
-	    }
-	    return (nssList *)NULL;
-	}
+        list->lock = PZ_NewLock(nssILockOther);
+        if (!list->lock) {
+            if (arenaOpt) {
+                nss_ZFreeIf(list);
+            }
+            else {
+                NSSArena_Destroy(arena);
+            }
+            return (nssList *)NULL;
+        }
     }
     list->arena = arena;
     list->i_alloced_arena = i_alloced;
     list->compareFunc = pointer_compare;
     return list;
 }
 
 NSS_IMPLEMENT PRStatus
 nssList_Destroy(nssList *list)
 {
     if (!list->i_alloced_arena) {
-	nssList_Clear(list, NULL);
+        nssList_Clear(list, NULL);
     }
     if (list->lock) {
-	(void)PZ_DestroyLock(list->lock);
+        (void)PZ_DestroyLock(list->lock);
     }
     if (list->i_alloced_arena) {
-	NSSArena_Destroy(list->arena);
-	list = NULL;
+        NSSArena_Destroy(list->arena);
+        list = NULL;
     }
     nss_ZFreeIf(list);
     return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT void
 nssList_SetCompareFunction(nssList *list, nssListCompareFunc compareFunc)
 {
@@ -156,64 +156,68 @@ NSS_IMPLEMENT void
 nssList_Clear(nssList *list, nssListElementDestructorFunc destructor)
 {
     PRCList *link;
     nssListElement *node, *tmp;
     NSSLIST_LOCK_IF(list);
     node = list->head;
     list->head = NULL;
     while (node && list->count > 0) {
-	if (destructor) (*destructor)(node->data);
-	link = &node->link;
-	tmp = (nssListElement *)PR_NEXT_LINK(link);
-	PR_REMOVE_LINK(link);
-	nss_ZFreeIf(node);
-	node = tmp;
-	--list->count;
+        if (destructor)
+            (*destructor)(node->data);
+        link = &node->link;
+        tmp = (nssListElement *)PR_NEXT_LINK(link);
+        PR_REMOVE_LINK(link);
+        nss_ZFreeIf(node);
+        node = tmp;
+        --list->count;
     }
     NSSLIST_UNLOCK_IF(list);
 }
 
 static PRStatus
 nsslist_add_element(nssList *list, void *data)
 {
     nssListElement *node = nss_ZNEW(list->arena, nssListElement);
     if (!node) {
-	return PR_FAILURE;
+        return PR_FAILURE;
     }
     PR_INIT_CLIST(&node->link);
     node->data = data;
     if (list->head) {
-	if (list->sortFunc) {
-	    PRCList *link;
-	    nssListElement *currNode;
-	    currNode = list->head;
-	    /* insert in ordered list */
-	    while (currNode) {
-		link = &currNode->link;
-		if (list->sortFunc(data, currNode->data) <= 0) {
-		    /* new element goes before current node */
-		    PR_INSERT_BEFORE(&node->link, link);
-		    /* reset head if this is first */
-		    if (currNode == list->head) list->head = node;
-		    break;
-		}
-		if (link == PR_LIST_TAIL(&list->head->link)) {
-		    /* reached end of list, append */
-		    PR_INSERT_AFTER(&node->link, link);
-		    break;
-		}
-		currNode = (nssListElement *)PR_NEXT_LINK(&currNode->link);
-	    }
-	} else {
-	    /* not sorting */
-	    PR_APPEND_LINK(&node->link, &list->head->link);
-	}
-    } else {
-	list->head = node;
+        if (list->sortFunc) {
+            PRCList *link;
+            nssListElement *currNode;
+            currNode = list->head;
+            /* insert in ordered list */
+            while (currNode) {
+                link = &currNode->link;
+                if (list->sortFunc(data, currNode->data) <= 0) {
+                    /* new element goes before current node */
+                    PR_INSERT_BEFORE(&node->link, link);
+                    /* reset head if this is first */
+                    if (currNode == list->head)
+                        list->head = node;
+                    break;
+                }
+                if (link == PR_LIST_TAIL(&list->head->link)) {
+                    /* reached end of list, append */
+                    PR_INSERT_AFTER(&node->link, link);
+                    break;
+                }
+                currNode = (nssListElement *)PR_NEXT_LINK(&currNode->link);
+            }
+        }
+        else {
+            /* not sorting */
+            PR_APPEND_LINK(&node->link, &list->head->link);
+        }
+    }
+    else {
+        list->head = node;
     }
     ++list->count;
     return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT PRStatus
 nssList_Add(nssList *list, void *data)
 {
@@ -226,40 +230,40 @@ nssList_Add(nssList *list, void *data)
 NSS_IMPLEMENT PRStatus
 nssList_AddUnique(nssList *list, void *data)
 {
     PRStatus nssrv;
     nssListElement *node;
     NSSLIST_LOCK_IF(list);
     node = nsslist_get_matching_element(list, data);
     if (node) {
-	/* already in, finish */
-	NSSLIST_UNLOCK_IF(list);
-	return PR_SUCCESS;
+        /* already in, finish */
+        NSSLIST_UNLOCK_IF(list);
+        return PR_SUCCESS;
     }
     nssrv = nsslist_add_element(list, data);
     NSSLIST_UNLOCK_IF(list);
     return nssrv;
 }
 
 NSS_IMPLEMENT PRStatus
 nssList_Remove(nssList *list, void *data)
 {
     nssListElement *node;
     NSSLIST_LOCK_IF(list);
     node = nsslist_get_matching_element(list, data);
     if (node) {
-	if (node == list->head) {
-	    list->head = (nssListElement *)PR_NEXT_LINK(&node->link);
-	}
-	PR_REMOVE_LINK(&node->link);
-	nss_ZFreeIf(node);
-	if (--list->count == 0) {
-	    list->head = NULL;
-	}
+        if (node == list->head) {
+            list->head = (nssListElement *)PR_NEXT_LINK(&node->link);
+        }
+        PR_REMOVE_LINK(&node->link);
+        nss_ZFreeIf(node);
+        if (--list->count == 0) {
+            list->head = NULL;
+        }
     }
     NSSLIST_UNLOCK_IF(list);
     return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT void *
 nssList_Get(nssList *list, void *data)
 {
@@ -279,122 +283,122 @@ nssList_Count(nssList *list)
 NSS_IMPLEMENT PRStatus
 nssList_GetArray(nssList *list, void **rvArray, PRUint32 maxElements)
 {
     nssListElement *node;
     PRUint32 i = 0;
     PR_ASSERT(maxElements > 0);
     node = list->head;
     if (!node) {
-	return PR_SUCCESS;
+        return PR_SUCCESS;
     }
     NSSLIST_LOCK_IF(list);
     while (node) {
-	rvArray[i++] = node->data;
-	if (i == maxElements) break;
-	node = (nssListElement *)PR_NEXT_LINK(&node->link);
-	if (node == list->head) {
-	    break;
-	}
+        rvArray[i++] = node->data;
+        if (i == maxElements)
+            break;
+        node = (nssListElement *)PR_NEXT_LINK(&node->link);
+        if (node == list->head) {
+            break;
+        }
     }
     NSSLIST_UNLOCK_IF(list);
     return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT nssList *
 nssList_Clone(nssList *list)
 {
     nssList *rvList;
     nssListElement *node;
     rvList = nssList_Create(NULL, (list->lock != NULL));
     if (!rvList) {
-	return NULL;
+        return NULL;
     }
     NSSLIST_LOCK_IF(list);
     if (list->count > 0) {
-	node = list->head;
-	while (PR_TRUE) {
-	    nssList_Add(rvList, node->data);
-	    node = (nssListElement *)PR_NEXT_LINK(&node->link);
-	    if (node == list->head) {
-		break;
-	    }
-	}
+        node = list->head;
+        while (PR_TRUE) {
+            nssList_Add(rvList, node->data);
+            node = (nssListElement *)PR_NEXT_LINK(&node->link);
+            if (node == list->head) {
+                break;
+            }
+        }
     }
     NSSLIST_UNLOCK_IF(list);
     return rvList;
 }
 
 NSS_IMPLEMENT nssListIterator *
 nssList_CreateIterator(nssList *list)
 {
     nssListIterator *rvIterator;
     rvIterator = nss_ZNEW(NULL, nssListIterator);
     if (!rvIterator) {
-	return NULL;
+        return NULL;
     }
     rvIterator->list = nssList_Clone(list);
     if (!rvIterator->list) {
-	nss_ZFreeIf(rvIterator);
-	return NULL;
+        nss_ZFreeIf(rvIterator);
+        return NULL;
     }
     rvIterator->current = rvIterator->list->head;
     if (list->lock) {
-	rvIterator->lock = PZ_NewLock(nssILockOther);
-	if (!rvIterator->lock) {
-	    nssList_Destroy(rvIterator->list);
-	    nss_ZFreeIf(rvIterator);
-	    rvIterator = NULL;
-	}
+        rvIterator->lock = PZ_NewLock(nssILockOther);
+        if (!rvIterator->lock) {
+            nssList_Destroy(rvIterator->list);
+            nss_ZFreeIf(rvIterator);
+            rvIterator = NULL;
+        }
     }
     return rvIterator;
 }
 
 NSS_IMPLEMENT void
 nssListIterator_Destroy(nssListIterator *iter)
 {
     if (iter->lock) {
-	(void)PZ_DestroyLock(iter->lock);
+        (void)PZ_DestroyLock(iter->lock);
     }
     nssList_Destroy(iter->list);
     nss_ZFreeIf(iter);
 }
 
 NSS_IMPLEMENT void *
 nssListIterator_Start(nssListIterator *iter)
 {
     NSSLIST_LOCK_IF(iter);
     if (iter->list->count == 0) {
-	return NULL;
+        return NULL;
     }
     iter->current = iter->list->head;
     return iter->current->data;
 }
 
 NSS_IMPLEMENT void *
 nssListIterator_Next(nssListIterator *iter)
 {
     nssListElement *node;
     PRCList *link;
     if (iter->list->count == 1 || iter->current == NULL) {
-	/* Reached the end of the list.  Don't change the state, force to
-	 * user to call nssList_Finish to clean up.
-	 */
-	return NULL;
+        /* Reached the end of the list.  Don't change the state, force to
+         * user to call nssList_Finish to clean up.
+         */
+        return NULL;
     }
     node = (nssListElement *)PR_NEXT_LINK(&iter->current->link);
     link = &node->link;
     if (link == PR_LIST_TAIL(&iter->list->head->link)) {
-	/* Signal the end of the list. */
-	iter->current = NULL;
-	return node->data;
+        /* Signal the end of the list. */
+        iter->current = NULL;
+        return node->data;
     }
     iter->current = node;
     return node->data;
 }
 
 NSS_IMPLEMENT PRStatus
 nssListIterator_Finish(nssListIterator *iter)
 {
     iter->current = iter->list->head;
     return (iter->lock) ? PZ_Unlock(iter->lock) : PR_SUCCESS;
 }
-
--- a/security/nss/lib/base/nssbase.h
+++ b/security/nss/lib/base/nssbase.h
@@ -39,45 +39,37 @@ PR_BEGIN_EXTERN_C
  * The top-level error may be one of the following values:
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to an NSSArena upon success
  */
 
-NSS_EXTERN NSSArena *
-NSSArena_Create
-(
-  void
-);
+NSS_EXTERN NSSArena *NSSArena_Create(void);
 
 extern const NSSError NSS_ERROR_NO_MEMORY;
 
 /*
  * NSSArena_Destroy
  *
  * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if 
+ * allocated from it.  This routine returns a PRStatus value; if
  * successful, it will return PR_SUCCESS.  If unsuccessful, it will
  * create an error stack and return PR_FAILURE.
  *
  * The top-level error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS upon success
  *  PR_FAILURE upon failure
  */
 
-NSS_EXTERN PRStatus
-NSSArena_Destroy
-(
-  NSSArena *arena
-);
+NSS_EXTERN PRStatus NSSArena_Destroy(NSSArena *arena);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 
 /*
  * The error stack
  *
  * The public methods relating to the error stack are:
  *
@@ -95,152 +87,131 @@ extern const NSSError NSS_ERROR_INVALID_
  * This routine cannot fail.  It may return NSS_ERROR_NO_ERROR, which
  * indicates that the previous NSS library call did not set an error.
  *
  * Return value:
  *  0 if no error has been set
  *  A nonzero error number
  */
 
-NSS_EXTERN NSSError
-NSS_GetError
-(
-  void
-);
+NSS_EXTERN NSSError NSS_GetError(void);
 
 extern const NSSError NSS_ERROR_NO_ERROR;
 
 /*
  * NSS_GetErrorStack
  *
- * This routine returns a pointer to an array of NSSError values, 
- * containingthe entire sequence or "stack" of errors set by the most 
- * recent NSS library routine called by the same thread calling this 
- * routine.  NOTE: the caller DOES NOT OWN the memory pointed to by 
- * the return value.  The pointer will remain valid until the calling 
- * thread calls another NSS routine.  The lowest-level (most specific) 
- * error is first in the array, and the highest-level is last.  The 
- * array is zero-terminated.  This routine may return NULL upon error; 
+ * This routine returns a pointer to an array of NSSError values,
+ * containingthe entire sequence or "stack" of errors set by the most
+ * recent NSS library routine called by the same thread calling this
+ * routine.  NOTE: the caller DOES NOT OWN the memory pointed to by
+ * the return value.  The pointer will remain valid until the calling
+ * thread calls another NSS routine.  The lowest-level (most specific)
+ * error is first in the array, and the highest-level is last.  The
+ * array is zero-terminated.  This routine may return NULL upon error;
  * this indicates a low-memory situation.
  *
  * Return value:
  *  NULL upon error, which is an implied NSS_ERROR_NO_MEMORY
  *  A NON-caller-owned pointer to an array of NSSError values
  */
 
-NSS_EXTERN NSSError *
-NSS_GetErrorStack
-(
-  void
-);
+NSS_EXTERN NSSError *NSS_GetErrorStack(void);
 
 /*
  * NSS_ZNEW
  *
  * This preprocessor macro will allocate memory for a new object
  * of the specified type with nss_ZAlloc, and will cast the
- * return value appropriately.  If the optional arena argument is 
- * non-null, the memory will be obtained from that arena; otherwise, 
- * the memory will be obtained from the heap.  This routine may 
- * return NULL upon error, in which case it will have set an error 
+ * return value appropriately.  If the optional arena argument is
+ * non-null, the memory will be obtained from that arena; otherwise,
+ * the memory will be obtained from the heap.  This routine may
+ * return NULL upon error, in which case it will have set an error
  * upon the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
-/* The following line exceeds 72 characters, but emacs barfs if we split it. */
 #define NSS_ZNEW(arenaOpt, type) ((type *)NSS_ZAlloc((arenaOpt), sizeof(type)))
 
 /*
  * NSS_ZNEWARRAY
  *
  * This preprocessor macro will allocate memory for an array of
  * new objects, and will cast the return value appropriately.
- * If the optional arena argument is non-null, the memory will 
- * be obtained from that arena; otherwise, the memory will be 
- * obtained from the heap.  This routine may return NULL upon 
- * error, in which case it will have set an error upon the error 
+ * If the optional arena argument is non-null, the memory will
+ * be obtained from that arena; otherwise, the memory will be
+ * obtained from the heap.  This routine may return NULL upon
+ * error, in which case it will have set an error upon the error
  * stack.  The array size may be specified as zero.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
-/* The following line exceeds 72 characters, but emacs barfs if we split it. */
-#define NSS_ZNEWARRAY(arenaOpt, type, quantity) ((type *)NSS_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
-
+#define NSS_ZNEWARRAY(arenaOpt, type, quantity)                                \
+    ((type *)NSS_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
 
 /*
  * NSS_ZAlloc
  *
- * This routine allocates and zeroes a section of memory of the 
+ * This routine allocates and zeroes a section of memory of the
  * size, and returns to the caller a pointer to that memory.  If
  * the optional arena argument is non-null, the memory will be
  * obtained from that arena; otherwise, the memory will be obtained
  * from the heap.  This routine may return NULL upon error, in
  * which case it will have set an error upon the error stack.  The
- * value specified for size may be zero; in which case a valid 
+ * value specified for size may be zero; in which case a valid
  * zero-length block of memory will be allocated.  This block may
  * be expanded by calling NSS_ZRealloc.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
-NSS_EXTERN void *
-NSS_ZAlloc
-(
-  NSSArena *arenaOpt,
-  PRUint32 size
-);
+NSS_EXTERN void *NSS_ZAlloc(NSSArena *arenaOpt, PRUint32 size);
 
 /*
  * NSS_ZRealloc
  *
  * This routine reallocates a block of memory obtained by calling
- * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
+ * nss_ZAlloc or nss_ZRealloc.  The portion of memory
  * between the new and old sizes -- which is either being newly
- * obtained or released -- is in either case zeroed.  This routine 
- * may return NULL upon failure, in which case it will have placed 
+ * obtained or released -- is in either case zeroed.  This routine
+ * may return NULL upon failure, in which case it will have placed
  * an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the replacement segment of memory
  */
 
-NSS_EXTERN void *
-NSS_ZRealloc
-(
-  void *pointer,
-  PRUint32 newSize
-);
-
+NSS_EXTERN void *NSS_ZRealloc(void *pointer, PRUint32 newSize);
 
 /*
  * NSS_ZFreeIf
  *
  * If the specified pointer is non-null, then the region of memory
  * to which it points -- which must have been allocated with
  * nss_ZAlloc -- will be zeroed and released.  This routine
  * returns a PRStatus value; if successful, it will return PR_SUCCESS.
@@ -250,17 +221,13 @@ NSS_ZRealloc
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus
-NSS_ZFreeIf
-(
-  void *pointer
-);
+NSS_EXTERN PRStatus NSS_ZFreeIf(void *pointer);
 
 PR_END_EXTERN_C
 
 #endif /* NSSBASE_H */
--- a/security/nss/lib/base/nssbaset.h
+++ b/security/nss/lib/base/nssbaset.h
@@ -13,68 +13,67 @@
 
 #include "nspr.h"
 #include "nssilock.h"
 
 /*
  * NSS_EXTERN, NSS_IMPLEMENT, NSS_EXTERN_DATA, NSS_IMPLEMENT_DATA
  *
  * NSS has its own versions of these NSPR macros, in a form which
- * does not confuse ctags and other related utilities.  NSPR 
+ * does not confuse ctags and other related utilities.  NSPR
  * defines these macros to take the type as an argument, because
  * of certain OS requirements on platforms not supported by NSS.
  */
 
-#define DUMMY	/* dummy */
-#define NSS_EXTERN         extern
-#define NSS_EXTERN_DATA    extern
-#define NSS_IMPLEMENT      
-#define NSS_IMPLEMENT_DATA 
+#define DUMMY /* dummy */
+#define NSS_EXTERN extern
+#define NSS_EXTERN_DATA extern
+#define NSS_IMPLEMENT
+#define NSS_IMPLEMENT_DATA
 
 PR_BEGIN_EXTERN_C
 
 /*
  * NSSError
  *
  * Calls to NSS routines may result in one or more errors being placed
  * on the calling thread's "error stack."  Every possible error that
- * may be returned from a function is declared where the function is 
+ * may be returned from a function is declared where the function is
  * prototyped.  All errors are of the following type.
  */
 
 typedef PRInt32 NSSError;
 
 /*
  * NSSArena
  *
  * Arenas are logical sets of heap memory, from which memory may be
  * allocated.  When an arena is destroyed, all memory allocated within
- * that arena is implicitly freed.  These arenas are thread-safe: 
+ * that arena is implicitly freed.  These arenas are thread-safe:
  * an arena pointer may be used by multiple threads simultaneously.
  * However, as they are not backed by shared memory, they may only be
  * used within one process.
  */
 
 struct NSSArenaStr;
 typedef struct NSSArenaStr NSSArena;
 
 /*
  * NSSItem
  *
  * This is the basic type used to refer to an unconstrained datum of
  * arbitrary size.
  */
 
 struct NSSItemStr {
-  void *data;
-  PRUint32 size;
+    void *data;
+    PRUint32 size;
 };
 typedef struct NSSItemStr NSSItem;
 
-
 /*
  * NSSBER
  *
  * Data packed according to the Basic Encoding Rules of ASN.1.
  */
 
 typedef NSSItem NSSBER;
 
--- a/security/nss/lib/base/tracker.c
+++ b/security/nss/lib/base/tracker.c
@@ -1,15 +1,15 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * tracker.c
- * 
+ *
  * This file contains the code used by the pointer-tracking calls used
  * in the debug builds to catch bad pointers.  The entire contents are
  * only available in debug builds (both internal and external builds).
  */
 
 #ifndef BASE_H
 #include "base.h"
 #endif /* BASE_H */
@@ -19,131 +19,114 @@
  * identity_hash
  *
  * This static callback is a PLHashFunction as defined in plhash.h
  * It merely returns the value of the object pointer as its hash.
  * There are no possible errors.
  */
 
 static PLHashNumber PR_CALLBACK
-identity_hash
-(
-  const void *key
-)
+identity_hash(const void *key)
 {
-  return (PLHashNumber)((char *)key - (char *)NULL);
+    return (PLHashNumber)((char *)key - (char *)NULL);
 }
 
 /*
  * trackerOnceFunc
  *
  * This function is called once, using the nssCallOnce function above.
  * It creates a new pointer tracker object; initialising its hash
  * table and protective lock.
  */
 
 static PRStatus
-trackerOnceFunc
-(
-  void *arg
-)
+trackerOnceFunc(void *arg)
 {
-  nssPointerTracker *tracker = (nssPointerTracker *)arg;
+    nssPointerTracker *tracker = (nssPointerTracker *)arg;
 
-  tracker->lock = PZ_NewLock(nssILockOther);
-  if( (PZLock *)NULL == tracker->lock ) {
-    return PR_FAILURE;
-  }
+    tracker->lock = PZ_NewLock(nssILockOther);
+    if ((PZLock *)NULL == tracker->lock) {
+        return PR_FAILURE;
+    }
 
-  tracker->table = PL_NewHashTable(0, 
-                                   identity_hash, 
-                                   PL_CompareValues,
-                                   PL_CompareValues,
-                                   (PLHashAllocOps *)NULL, 
-                                   (void *)NULL);
-  if( (PLHashTable *)NULL == tracker->table ) {
-    PZ_DestroyLock(tracker->lock);
-    tracker->lock = (PZLock *)NULL;
-    return PR_FAILURE;
-  }
+    tracker->table =
+        PL_NewHashTable(0, identity_hash, PL_CompareValues, PL_CompareValues,
+                        (PLHashAllocOps *)NULL, (void *)NULL);
+    if ((PLHashTable *)NULL == tracker->table) {
+        PZ_DestroyLock(tracker->lock);
+        tracker->lock = (PZLock *)NULL;
+        return PR_FAILURE;
+    }
 
-  return PR_SUCCESS;
+    return PR_SUCCESS;
 }
 
 /*
  * nssPointerTracker_initialize
  *
  * This method is only present in debug builds.
- * 
+ *
  * This routine initializes an nssPointerTracker object.  Note that
  * the object must have been declared *static* to guarantee that it
  * is in a zeroed state initially.  This routine is idempotent, and
- * may even be safely called by multiple threads simultaneously with 
- * the same argument.  This routine returns a PRStatus value; if 
- * successful, it will return PR_SUCCESS.  On failure it will set an 
+ * may even be safely called by multiple threads simultaneously with
+ * the same argument.  This routine returns a PRStatus value; if
+ * successful, it will return PR_SUCCESS.  On failure it will set an
  * error on the error stack and return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssPointerTracker_initialize
-(
-  nssPointerTracker *tracker
-)
+nssPointerTracker_initialize(nssPointerTracker *tracker)
 {
-  PRStatus rv = PR_CallOnceWithArg(&tracker->once, trackerOnceFunc, tracker);
-  if( PR_SUCCESS != rv ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-  }
+    PRStatus rv = PR_CallOnceWithArg(&tracker->once, trackerOnceFunc, tracker);
+    if (PR_SUCCESS != rv) {
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+    }
 
-  return rv;
+    return rv;
 }
 
 #ifdef DONT_DESTROY_EMPTY_TABLES
 /* See same #ifdef below */
 /*
  * count_entries
  *
  * This static routine is a PLHashEnumerator, as defined in plhash.h.
  * It merely causes the enumeration function to count the number of
  * entries.
  */
 
 static PRIntn PR_CALLBACK
-count_entries
-(
-  PLHashEntry *he,
-  PRIntn index,
-  void *arg
-)
+count_entries(PLHashEntry *he, PRIntn index, void *arg)
 {
-  return HT_ENUMERATE_NEXT;
+    return HT_ENUMERATE_NEXT;
 }
 #endif /* DONT_DESTROY_EMPTY_TABLES */
 
 /*
  * zero_once
  *
  * This is a guaranteed zeroed once block.  It's used to help clear
  * the tracker.
  */
 
 static const PRCallOnceType zero_once;
 
 /*
  * nssPointerTracker_finalize
  *
  * This method is only present in debug builds.
- * 
+ *
  * This routine returns the nssPointerTracker object to the pre-
  * initialized state, releasing all resources used by the object.
  * It will *NOT* destroy the objects being tracked by the pointer
  * (should any remain), and therefore cannot be used to "sweep up"
  * remaining objects.  This routine returns a PRStatus value; if
  * successful, it will return PR_SUCCES.  On failure it will set an
  * error on the error stack and return PR_FAILURE.  If any objects
  * remain in the tracker when it is finalized, that will be treated
@@ -155,68 +138,64 @@ static const PRCallOnceType zero_once;
  *  NSS_ERROR_TRACKER_NOT_EMPTY
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssPointerTracker_finalize
-(
-  nssPointerTracker *tracker
-)
+nssPointerTracker_finalize(nssPointerTracker *tracker)
 {
-  PZLock *lock;
+    PZLock *lock;
 
-  if( (nssPointerTracker *)NULL == tracker ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return PR_FAILURE;
-  }
+    if ((nssPointerTracker *)NULL == tracker) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return PR_FAILURE;
+    }
 
-  if( (PZLock *)NULL == tracker->lock ) {
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
+    if ((PZLock *)NULL == tracker->lock) {
+        nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+        return PR_FAILURE;
+    }
 
-  lock = tracker->lock;
-  PZ_Lock(lock);
+    lock = tracker->lock;
+    PZ_Lock(lock);
 
-  if( (PLHashTable *)NULL == tracker->table ) {
-    PZ_Unlock(lock);
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
+    if ((PLHashTable *)NULL == tracker->table) {
+        PZ_Unlock(lock);
+        nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+        return PR_FAILURE;
+    }
 
 #ifdef DONT_DESTROY_EMPTY_TABLES
-  /*
-   * I changed my mind; I think we don't want this after all.
-   * Comments?
-   */
-  count = PL_HashTableEnumerateEntries(tracker->table, 
-                                       count_entries,
-                                       (void *)NULL);
+    /*
+     * I changed my mind; I think we don't want this after all.
+     * Comments?
+     */
+    count = PL_HashTableEnumerateEntries(tracker->table, count_entries,
+                                         (void *)NULL);
 
-  if( 0 != count ) {
-    PZ_Unlock(lock);
-    nss_SetError(NSS_ERROR_TRACKER_NOT_EMPTY);
-    return PR_FAILURE;
-  }
+    if (0 != count) {
+        PZ_Unlock(lock);
+        nss_SetError(NSS_ERROR_TRACKER_NOT_EMPTY);
+        return PR_FAILURE;
+    }
 #endif /* DONT_DESTROY_EMPTY_TABLES */
 
-  PL_HashTableDestroy(tracker->table);
-  /* memset(tracker, 0, sizeof(nssPointerTracker)); */
-  tracker->once = zero_once;
-  tracker->lock = (PZLock *)NULL;
-  tracker->table = (PLHashTable *)NULL;
+    PL_HashTableDestroy(tracker->table);
+    /* memset(tracker, 0, sizeof(nssPointerTracker)); */
+    tracker->once = zero_once;
+    tracker->lock = (PZLock *)NULL;
+    tracker->table = (PLHashTable *)NULL;
 
-  PZ_Unlock(lock);
-  PZ_DestroyLock(lock);
+    PZ_Unlock(lock);
+    PZ_DestroyLock(lock);
 
-  return PR_SUCCESS;
+    return PR_SUCCESS;
 }
 
 /*
  * nssPointerTracker_add
  *
  * This method is only present in debug builds.
  *
  * This routine adds the specified pointer to the nssPointerTracker
@@ -233,179 +212,167 @@ nssPointerTracker_finalize
  *  NSS_ERROR_DUPLICATE_POINTER
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssPointerTracker_add
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-)
+nssPointerTracker_add(nssPointerTracker *tracker, const void *pointer)
 {
-  void *check;
-  PLHashEntry *entry;
+    void *check;
+    PLHashEntry *entry;
+
+    if ((nssPointerTracker *)NULL == tracker) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return PR_FAILURE;
+    }
+
+    if ((PZLock *)NULL == tracker->lock) {
+        nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+        return PR_FAILURE;
+    }
 
-  if( (nssPointerTracker *)NULL == tracker ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return PR_FAILURE;
-  }
+    PZ_Lock(tracker->lock);
+
+    if ((PLHashTable *)NULL == tracker->table) {
+        PZ_Unlock(tracker->lock);
+        nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+        return PR_FAILURE;
+    }
 
-  if( (PZLock *)NULL == tracker->lock ) {
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
+    check = PL_HashTableLookup(tracker->table, pointer);
+    if ((void *)NULL != check) {
+        PZ_Unlock(tracker->lock);
+        nss_SetError(NSS_ERROR_DUPLICATE_POINTER);
+        return PR_FAILURE;
+    }
 
-  PZ_Lock(tracker->lock);
+    entry = PL_HashTableAdd(tracker->table, pointer, (void *)pointer);
 
-  if( (PLHashTable *)NULL == tracker->table ) {
     PZ_Unlock(tracker->lock);
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
-
-  check = PL_HashTableLookup(tracker->table, pointer);
-  if( (void *)NULL != check ) {
-    PZ_Unlock(tracker->lock);
-    nss_SetError(NSS_ERROR_DUPLICATE_POINTER);
-    return PR_FAILURE;
-  }
 
-  entry = PL_HashTableAdd(tracker->table, pointer, (void *)pointer);
-
-  PZ_Unlock(tracker->lock);
+    if ((PLHashEntry *)NULL == entry) {
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+        return PR_FAILURE;
+    }
 
-  if( (PLHashEntry *)NULL == entry ) {
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return PR_FAILURE;
-  }
+    return PR_SUCCESS;
+}
 
-  return PR_SUCCESS;
-}
-  
 /*
  * nssPointerTracker_remove
  *
  * This method is only present in debug builds.
  *
- * This routine removes the specified pointer from the 
+ * This routine removes the specified pointer from the
  * nssPointerTracker object.  It does not call any destructor for the
  * object; rather, this should be called from the object's destructor.
- * The nssPointerTracker is threadsafe, but this call is not 
- * idempotent.  This routine returns a PRStatus value; if successful 
- * it will return PR_SUCCESS.  On failure it will set an error on the 
+ * The nssPointerTracker is threadsafe, but this call is not
+ * idempotent.  This routine returns a PRStatus value; if successful
+ * it will return PR_SUCCESS.  On failure it will set an error on the
  * error stack and return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_TRACKER_NOT_INITIALIZED
  *  NSS_ERROR_POINTER_NOT_REGISTERED
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssPointerTracker_remove
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-)
+nssPointerTracker_remove(nssPointerTracker *tracker, const void *pointer)
 {
-  PRBool registered;
+    PRBool registered;
 
-  if( (nssPointerTracker *)NULL == tracker ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return PR_FAILURE;
-  }
+    if ((nssPointerTracker *)NULL == tracker) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return PR_FAILURE;
+    }
 
-  if( (PZLock *)NULL == tracker->lock ) {
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
+    if ((PZLock *)NULL == tracker->lock) {
+        nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+        return PR_FAILURE;
+    }
+
+    PZ_Lock(tracker->lock);
 
-  PZ_Lock(tracker->lock);
-
-  if( (PLHashTable *)NULL == tracker->table ) {
-    PZ_Unlock(tracker->lock);
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
+    if ((PLHashTable *)NULL == tracker->table) {
+        PZ_Unlock(tracker->lock);
+        nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+        return PR_FAILURE;
+    }
 
-  registered = PL_HashTableRemove(tracker->table, pointer);
-  PZ_Unlock(tracker->lock);
+    registered = PL_HashTableRemove(tracker->table, pointer);
+    PZ_Unlock(tracker->lock);
 
-  if( !registered ) {
-    nss_SetError(NSS_ERROR_POINTER_NOT_REGISTERED);
-    return PR_FAILURE;
-  }
+    if (!registered) {
+        nss_SetError(NSS_ERROR_POINTER_NOT_REGISTERED);
+        return PR_FAILURE;
+    }
 
-  return PR_SUCCESS;
+    return PR_SUCCESS;
 }
 
 /*
  * nssPointerTracker_verify
  *
  * This method is only present in debug builds.
  *
  * This routine verifies that the specified pointer has been registered
  * with the nssPointerTracker object.  The nssPointerTracker object is
  * threadsafe, and this call may be safely called from multiple threads
  * simultaneously with the same arguments.  This routine returns a
- * PRStatus value; if the pointer is registered this will return 
- * PR_SUCCESS.  Otherwise it will set an error on the error stack and 
- * return PR_FAILURE.  Although the error is suitable for leaving on 
- * the stack, callers may wish to augment the information available by 
+ * PRStatus value; if the pointer is registered this will return
+ * PR_SUCCESS.  Otherwise it will set an error on the error stack and
+ * return PR_FAILURE.  Although the error is suitable for leaving on
+ * the stack, callers may wish to augment the information available by
  * placing a more type-specific error on the stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_TRACKER_NOT_INITIALIZED
  *  NSS_ERROR_POINTER_NOT_REGISTERED
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILRUE
  */
 
 NSS_IMPLEMENT PRStatus
-nssPointerTracker_verify
-(
-  nssPointerTracker *tracker,
-  const void *pointer
-)
+nssPointerTracker_verify(nssPointerTracker *tracker, const void *pointer)
 {
-  void *check;
+    void *check;
 
-  if( (nssPointerTracker *)NULL == tracker ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return PR_FAILURE;
-  }
+    if ((nssPointerTracker *)NULL == tracker) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return PR_FAILURE;
+    }
 
-  if( (PZLock *)NULL == tracker->lock ) {
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
+    if ((PZLock *)NULL == tracker->lock) {
+        nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+        return PR_FAILURE;
+    }
+
+    PZ_Lock(tracker->lock);
 
-  PZ_Lock(tracker->lock);
-
-  if( (PLHashTable *)NULL == tracker->table ) {
-    PZ_Unlock(tracker->lock);
-    nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
-    return PR_FAILURE;
-  }
+    if ((PLHashTable *)NULL == tracker->table) {
+        PZ_Unlock(tracker->lock);
+        nss_SetError(NSS_ERROR_TRACKER_NOT_INITIALIZED);
+        return PR_FAILURE;
+    }
 
-  check = PL_HashTableLookup(tracker->table, pointer);
-  PZ_Unlock(tracker->lock);
+    check = PL_HashTableLookup(tracker->table, pointer);
+    PZ_Unlock(tracker->lock);
 
-  if( (void *)NULL == check ) {
-    nss_SetError(NSS_ERROR_POINTER_NOT_REGISTERED);
-    return PR_FAILURE;
-  }
+    if ((void *)NULL == check) {
+        nss_SetError(NSS_ERROR_POINTER_NOT_REGISTERED);
+        return PR_FAILURE;
+    }
 
-  return PR_SUCCESS;
+    return PR_SUCCESS;
 }
 
 #endif /* DEBUG */
--- a/security/nss/lib/base/utf8.c
+++ b/security/nss/lib/base/utf8.c
@@ -19,232 +19,218 @@
  * NOTES:
  *
  * There's an "is hex string" function in pki1/atav.c.  If we need
  * it in more places, pull that one out.
  */
 
 /*
  * nssUTF8_CaseIgnoreMatch
- * 
- * Returns true if the two UTF8-encoded strings pointed to by the 
+ *
+ * Returns true if the two UTF8-encoded strings pointed to by the
  * two specified NSSUTF8 pointers differ only in typcase.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_TRUE if the strings match, ignoring case
  *  PR_FALSE if they don't
  *  PR_FALSE upon error
  */
 
 NSS_IMPLEMENT PRBool
-nssUTF8_CaseIgnoreMatch
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-)
+nssUTF8_CaseIgnoreMatch(const NSSUTF8 *a, const NSSUTF8 *b, PRStatus *statusOpt)
 {
 #ifdef NSSDEBUG
-  if( ((const NSSUTF8 *)NULL == a) ||
-      ((const NSSUTF8 *)NULL == b) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
+    if (((const NSSUTF8 *)NULL == a) || ((const NSSUTF8 *)NULL == b)) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        if ((PRStatus *)NULL != statusOpt) {
+            *statusOpt = PR_FAILURE;
+        }
+        return PR_FALSE;
     }
-    return PR_FALSE;
-  }
 #endif /* NSSDEBUG */
 
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
+    if ((PRStatus *)NULL != statusOpt) {
+        *statusOpt = PR_SUCCESS;
+    }
 
-  /*
-   * XXX fgmr
-   *
-   * This is, like, so wrong!
-   */
-  if( 0 == PL_strcasecmp((const char *)a, (const char *)b) ) {
-    return PR_TRUE;
-  } else {
-    return PR_FALSE;
-  }
+    /*
+     * XXX fgmr
+     *
+     * This is, like, so wrong!
+     */
+    if (0 == PL_strcasecmp((const char *)a, (const char *)b)) {
+        return PR_TRUE;
+    }
+    else {
+        return PR_FALSE;
+    }
 }
 
 /*
  * nssUTF8_PrintableMatch
  *
- * Returns true if the two Printable strings pointed to by the 
- * two specified NSSUTF8 pointers match when compared with the 
- * rules for Printable String (leading and trailing spaces are 
- * disregarded, extents of whitespace match irregardless of length, 
+ * Returns true if the two Printable strings pointed to by the
+ * two specified NSSUTF8 pointers match when compared with the
+ * rules for Printable String (leading and trailing spaces are
+ * disregarded, extents of whitespace match irregardless of length,
  * and case is not significant), then PR_TRUE will be returned.
  * Otherwise, PR_FALSE will be returned.  Upon failure, PR_FALSE
  * will be returned.  If the optional statusOpt argument is not
  * NULL, then PR_SUCCESS or PR_FAILURE will be stored in that
  * location.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_TRUE if the strings match, ignoring case
  *  PR_FALSE if they don't
  *  PR_FALSE upon error
  */
 
 NSS_IMPLEMENT PRBool
-nssUTF8_PrintableMatch
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-)
+nssUTF8_PrintableMatch(const NSSUTF8 *a, const NSSUTF8 *b, PRStatus *statusOpt)
 {
-  PRUint8 *c;
-  PRUint8 *d;
+    PRUint8 *c;
+    PRUint8 *d;
 
 #ifdef NSSDEBUG
-  if( ((const NSSUTF8 *)NULL == a) ||
-      ((const NSSUTF8 *)NULL == b) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
+    if (((const NSSUTF8 *)NULL == a) || ((const NSSUTF8 *)NULL == b)) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        if ((PRStatus *)NULL != statusOpt) {
+            *statusOpt = PR_FAILURE;
+        }
+        return PR_FALSE;
     }
-    return PR_FALSE;
-  }
 #endif /* NSSDEBUG */
 
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
-
-  c = (PRUint8 *)a;
-  d = (PRUint8 *)b;
-
-  while( ' ' == *c ) {
-    c++;
-  }
-
-  while( ' ' == *d ) {
-    d++;
-  }
-
-  while( ('\0' != *c) && ('\0' != *d) ) {
-    PRUint8 e, f;
-
-    e = *c;
-    f = *d;
-    
-    if( ('a' <= e) && (e <= 'z') ) {
-      e -= ('a' - 'A');
+    if ((PRStatus *)NULL != statusOpt) {
+        *statusOpt = PR_SUCCESS;
     }
 
-    if( ('a' <= f) && (f <= 'z') ) {
-      f -= ('a' - 'A');
+    c = (PRUint8 *)a;
+    d = (PRUint8 *)b;
+
+    while (' ' == *c) {
+        c++;
     }
 
-    if( e != f ) {
-      return PR_FALSE;
+    while (' ' == *d) {
+        d++;
     }
 
-    c++;
-    d++;
+    while (('\0' != *c) && ('\0' != *d)) {
+        PRUint8 e, f;
+
+        e = *c;
+        f = *d;
+
+        if (('a' <= e) && (e <= 'z')) {
+            e -= ('a' - 'A');
+        }
+
+        if (('a' <= f) && (f <= 'z')) {
+            f -= ('a' - 'A');
+        }
 
-    if( ' ' == *c ) {
-      while( ' ' == *c ) {
+        if (e != f) {
+            return PR_FALSE;
+        }
+
         c++;
-      }
-      c--;
+        d++;
+
+        if (' ' == *c) {
+            while (' ' == *c) {
+                c++;
+            }
+            c--;
+        }
+
+        if (' ' == *d) {
+            while (' ' == *d) {
+                d++;
+            }
+            d--;
+        }
     }
 
-    if( ' ' == *d ) {
-      while( ' ' == *d ) {
+    while (' ' == *c) {
+        c++;
+    }
+
+    while (' ' == *d) {
         d++;
-      }
-      d--;
     }
-  }
 
-  while( ' ' == *c ) {
-    c++;
-  }
-
-  while( ' ' == *d ) {
-    d++;
-  }
-
-  if( *c == *d ) {
-    /* And both '\0', btw */
-    return PR_TRUE;
-  } else {
-    return PR_FALSE;
-  }
+    if (*c == *d) {
+        /* And both '\0', btw */
+        return PR_TRUE;
+    }
+    else {
+        return PR_FALSE;
+    }
 }
 
 /*
  * nssUTF8_Duplicate
  *
  * This routine duplicates the UTF8-encoded string pointed to by the
  * specified NSSUTF8 pointer.  If the optional arenaOpt argument is
  * not null, the memory required will be obtained from that arena;
  * otherwise, the memory required will be obtained from the heap.
  * A pointer to the new string will be returned.  In case of error,
- * an error will be placed on the error stack and NULL will be 
+ * an error will be placed on the error stack and NULL will be
  * returned.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  */
 
 NSS_IMPLEMENT NSSUTF8 *
-nssUTF8_Duplicate
-(
-  const NSSUTF8 *s,
-  NSSArena *arenaOpt
-)
+nssUTF8_Duplicate(const NSSUTF8 *s, NSSArena *arenaOpt)
 {
-  NSSUTF8 *rv;
-  PRUint32 len;
+    NSSUTF8 *rv;
+    PRUint32 len;
 
 #ifdef NSSDEBUG
-  if( (const NSSUTF8 *)NULL == s ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (NSSUTF8 *)NULL;
-  }
+    if ((const NSSUTF8 *)NULL == s) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return (NSSUTF8 *)NULL;
+    }
 
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSUTF8 *)NULL;
+    if ((NSSArena *)NULL != arenaOpt) {
+        if (PR_SUCCESS != nssArena_verifyPointer(arenaOpt)) {
+            return (NSSUTF8 *)NULL;
+        }
     }
-  }
 #endif /* NSSDEBUG */
 
-  len = PL_strlen((const char *)s);
+    len = PL_strlen((const char *)s);
 #ifdef PEDANTIC
-  if( '\0' != ((const char *)s)[ len ] ) {
-    /* must have wrapped, e.g., too big for PRUint32 */
-    nss_SetError(NSS_ERROR_NO_MEMORY);
-    return (NSSUTF8 *)NULL;
-  }
-#endif /* PEDANTIC */
-  len++; /* zero termination */
+    if ('\0' != ((const char *)s)[len]) {
+        /* must have wrapped, e.g., too big for PRUint32 */
+        nss_SetError(NSS_ERROR_NO_MEMORY);
+        return (NSSUTF8 *)NULL;
+    }
+#endif     /* PEDANTIC */
+    len++; /* zero termination */
 
-  rv = nss_ZAlloc(arenaOpt, len);
-  if( (void *)NULL == rv ) {
-    return (NSSUTF8 *)NULL;
-  }
+    rv = nss_ZAlloc(arenaOpt, len);
+    if ((void *)NULL == rv) {
+        return (NSSUTF8 *)NULL;
+    }
 
-  (void)nsslibc_memcpy(rv, s, len);
-  return rv;
+    (void)nsslibc_memcpy(rv, s, len);
+    return rv;
 }
 
 /*
  * nssUTF8_Size
  *
  * This routine returns the length in bytes (including the terminating
  * null) of the UTF8-encoded string pointed to by the specified
  * NSSUTF8 pointer.  Zero is returned on error.
@@ -254,51 +240,47 @@ nssUTF8_Duplicate
  *  NSS_ERROR_VALUE_TOO_LARGE
  *
  * Return value:
  *  0 on error
  *  nonzero length of the string.
  */
 
 NSS_IMPLEMENT PRUint32
-nssUTF8_Size
-(
-  const NSSUTF8 *s,
-  PRStatus *statusOpt
-)
+nssUTF8_Size(const NSSUTF8 *s, PRStatus *statusOpt)
 {
-  PRUint32 sv;
+    PRUint32 sv;
 
 #ifdef NSSDEBUG
-  if( (const NSSUTF8 *)NULL == s ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
+    if ((const NSSUTF8 *)NULL == s) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        if ((PRStatus *)NULL != statusOpt) {
+            *statusOpt = PR_FAILURE;
+        }
+        return 0;
     }
-    return 0;
-  }
 #endif /* NSSDEBUG */
 
-  sv = PL_strlen((const char *)s) + 1;
+    sv = PL_strlen((const char *)s) + 1;
 #ifdef PEDANTIC
-  if( '\0' != ((const char *)s)[ sv-1 ] ) {
-    /* wrapped */
-    nss_SetError(NSS_ERROR_VALUE_TOO_LARGE);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
+    if ('\0' != ((const char *)s)[sv - 1]) {
+        /* wrapped */
+        nss_SetError(NSS_ERROR_VALUE_TOO_LARGE);
+        if ((PRStatus *)NULL != statusOpt) {
+            *statusOpt = PR_FAILURE;
+        }
+        return 0;
     }
-    return 0;
-  }
 #endif /* PEDANTIC */
 
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
+    if ((PRStatus *)NULL != statusOpt) {
+        *statusOpt = PR_SUCCESS;
+    }
 
-  return sv;
+    return sv;
 }
 
 /*
  * nssUTF8_Length
  *
  * This routine returns the length in characters (not including the
  * terminating null) of the UTF8-encoded string pointed to by the
  * specified NSSUTF8 pointer.
@@ -309,101 +291,102 @@ nssUTF8_Size
  *  NSS_ERROR_INVALID_STRING
  *
  * Return value:
  *  length of the string (which may be zero)
  *  0 on error
  */
 
 NSS_IMPLEMENT PRUint32
-nssUTF8_Length
-(
-  const NSSUTF8 *s,
-  PRStatus *statusOpt
-)
+nssUTF8_Length(const NSSUTF8 *s, PRStatus *statusOpt)
 {
-  PRUint32 l = 0;
-  const PRUint8 *c = (const PRUint8 *)s;
+    PRUint32 l = 0;
+    const PRUint8 *c = (const PRUint8 *)s;
 
 #ifdef NSSDEBUG
-  if( (const NSSUTF8 *)NULL == s ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    goto loser;
-  }
+    if ((const NSSUTF8 *)NULL == s) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        goto loser;
+    }
 #endif /* NSSDEBUG */
 
-  /*
-   * From RFC 2044:
-   *
-   * UCS-4 range (hex.)           UTF-8 octet sequence (binary)
-   * 0000 0000-0000 007F   0xxxxxxx
-   * 0000 0080-0000 07FF   110xxxxx 10xxxxxx
-   * 0000 0800-0000 FFFF   1110xxxx 10xxxxxx 10xxxxxx
-   * 0001 0000-001F FFFF   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
-   * 0020 0000-03FF FFFF   111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
-   * 0400 0000-7FFF FFFF   1111110x 10xxxxxx ... 10xxxxxx
-   */  
+    /*
+     * From RFC 2044:
+     *
+     * UCS-4 range (hex.)           UTF-8 octet sequence (binary)
+     * 0000 0000-0000 007F   0xxxxxxx
+     * 0000 0080-0000 07FF   110xxxxx 10xxxxxx
+     * 0000 0800-0000 FFFF   1110xxxx 10xxxxxx 10xxxxxx
+     * 0001 0000-001F FFFF   11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
+     * 0020 0000-03FF FFFF   111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
+     * 0400 0000-7FFF FFFF   1111110x 10xxxxxx ... 10xxxxxx
+     */
 
-  while( 0 != *c ) {
-    PRUint32 incr;
-    if( (*c & 0x80) == 0 ) {
-      incr = 1;
-    } else if( (*c & 0xE0) == 0xC0 ) {
-      incr = 2;
-    } else if( (*c & 0xF0) == 0xE0 ) {
-      incr = 3;
-    } else if( (*c & 0xF8) == 0xF0 ) {
-      incr = 4;
-    } else if( (*c & 0xFC) == 0xF8 ) {
-      incr = 5;
-    } else if( (*c & 0xFE) == 0xFC ) {
-      incr = 6;
-    } else {
-      nss_SetError(NSS_ERROR_INVALID_STRING);
-      goto loser;
-    }
+    while (0 != *c) {
+        PRUint32 incr;
+        if ((*c & 0x80) == 0) {
+            incr = 1;
+        }
+        else if ((*c & 0xE0) == 0xC0) {
+            incr = 2;
+        }
+        else if ((*c & 0xF0) == 0xE0) {
+            incr = 3;
+        }
+        else if ((*c & 0xF8) == 0xF0) {
+            incr = 4;
+        }
+        else if ((*c & 0xFC) == 0xF8) {
+            incr = 5;
+        }
+        else if ((*c & 0xFE) == 0xFC) {
+            incr = 6;
+        }
+        else {
+            nss_SetError(NSS_ERROR_INVALID_STRING);
+            goto loser;
+        }
 
-    l += incr;
+        l += incr;
 
 #ifdef PEDANTIC
-    if( l < incr ) {
-      /* Wrapped-- too big */
-      nss_SetError(NSS_ERROR_VALUE_TOO_LARGE);
-      goto loser;
-    }
+        if (l < incr) {
+            /* Wrapped-- too big */
+            nss_SetError(NSS_ERROR_VALUE_TOO_LARGE);
+            goto loser;
+        }
 
-    {
-      PRUint8 *d;
-      for( d = &c[1]; d < &c[incr]; d++ ) {
-        if( (*d & 0xC0) != 0xF0 ) {
-          nss_SetError(NSS_ERROR_INVALID_STRING);
-          goto loser;
+        {
+            PRUint8 *d;
+            for (d = &c[1]; d < &c[incr]; d++) {
+                if ((*d & 0xC0) != 0xF0) {
+                    nss_SetError(NSS_ERROR_INVALID_STRING);
+                    goto loser;
+                }
+            }
         }
-      }
-    }
 #endif /* PEDANTIC */
 
-    c += incr;
-  }
+        c += incr;
+    }
 
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_SUCCESS;
-  }
-
-  return l;
+    if ((PRStatus *)NULL != statusOpt) {
+        *statusOpt = PR_SUCCESS;
+    }
 
- loser:
-  if( (PRStatus *)NULL != statusOpt ) {
-    *statusOpt = PR_FAILURE;
-  }
+    return l;
 
-  return 0;
+loser:
+    if ((PRStatus *)NULL != statusOpt) {
+        *statusOpt = PR_FAILURE;
+    }
+
+    return 0;
 }
 
-
 /*
  * nssUTF8_Create
  *
  * This routine creates a UTF8 string from a string in some other
  * format.  Some types of string may include embedded null characters,
  * so for them the length parameter must be used.  For string types
  * that are null-terminated, the length parameter is optional; if it
  * is zero, it will be ignored.  If the optional arena argument is
@@ -420,307 +403,290 @@ nssUTF8_Length
  * Return value:
  *  NULL upon error
  *  A non-null pointer to a new UTF8 string otherwise
  */
 
 extern const NSSError NSS_ERROR_INTERNAL_ERROR; /* XXX fgmr */
 
 NSS_IMPLEMENT NSSUTF8 *
-nssUTF8_Create
-(
-  NSSArena *arenaOpt,
-  nssStringType type,
-  const void *inputString,
-  PRUint32 size /* in bytes, not characters */
-)
+nssUTF8_Create(NSSArena *arenaOpt, nssStringType type, const void *inputString,
+               PRUint32 size /* in bytes, not characters */
+               )
 {
-  NSSUTF8 *rv = NULL;
+    NSSUTF8 *rv = NULL;
 
 #ifdef NSSDEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSUTF8 *)NULL;
+    if ((NSSArena *)NULL != arenaOpt) {
+        if (PR_SUCCESS != nssArena_verifyPointer(arenaOpt)) {
+            return (NSSUTF8 *)NULL;
+        }
     }
-  }
 
-  if( (const void *)NULL == inputString ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (NSSUTF8 *)NULL;
-  }
+    if ((const void *)NULL == inputString) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return (NSSUTF8 *)NULL;
+    }
 #endif /* NSSDEBUG */
 
-  switch( type ) {
-  case nssStringType_DirectoryString:
-    /* This is a composite type requiring BER */
-    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
-    break;
-  case nssStringType_TeletexString:
-    /*
-     * draft-ietf-pkix-ipki-part1-11 says in part:
-     *
-     * In addition, many legacy implementations support names encoded 
-     * in the ISO 8859-1 character set (Latin1String) but tag them as 
-     * TeletexString.  The Latin1String includes characters used in 
-     * Western European countries which are not part of the 
-     * TeletexString charcter set.  Implementations that process 
-     * TeletexString SHOULD be prepared to handle the entire ISO 
-     * 8859-1 character set.[ISO 8859-1].
-     */
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_PrintableString:
-    /*
-     * PrintableString consists of A-Za-z0-9 ,()+,-./:=?
-     * This is a subset of ASCII, which is a subset of UTF8.
-     * So we can just duplicate the string over.
-     */
+    switch (type) {
+        case nssStringType_DirectoryString:
+            /* This is a composite type requiring BER */
+            nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
+            break;
+        case nssStringType_TeletexString:
+            /*
+             * draft-ietf-pkix-ipki-part1-11 says in part:
+             *
+             * In addition, many legacy implementations support names encoded
+             * in the ISO 8859-1 character set (Latin1String) but tag them as
+             * TeletexString.  The Latin1String includes characters used in
+             * Western European countries which are not part of the
+             * TeletexString charcter set.  Implementations that process
+             * TeletexString SHOULD be prepared to handle the entire ISO
+             * 8859-1 character set.[ISO 8859-1].
+             */
+            nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+            break;
+        case nssStringType_PrintableString:
+            /*
+             * PrintableString consists of A-Za-z0-9 ,()+,-./:=?
+             * This is a subset of ASCII, which is a subset of UTF8.
+             * So we can just duplicate the string over.
+             */
+
+            if (0 == size) {
+                rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
+            }
+            else {
+                rv = nss_ZAlloc(arenaOpt, size + 1);
+                if ((NSSUTF8 *)NULL == rv) {
+                    return (NSSUTF8 *)NULL;
+                }
+
+                (void)nsslibc_memcpy(rv, inputString, size);
+            }
 
-    if( 0 == size ) {
-      rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
-    } else {
-      rv = nss_ZAlloc(arenaOpt, size+1);
-      if( (NSSUTF8 *)NULL == rv ) {
-        return (NSSUTF8 *)NULL;
-      }
+            break;
+        case nssStringType_UniversalString:
+            /* 4-byte unicode */
+            nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+            break;
+        case nssStringType_BMPString:
+            /* Base Multilingual Plane of Unicode */
+            nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+            break;
+        case nssStringType_UTF8String:
+            if (0 == size) {
+                rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
+            }
+            else {
+                rv = nss_ZAlloc(arenaOpt, size + 1);
+                if ((NSSUTF8 *)NULL == rv) {
+                    return (NSSUTF8 *)NULL;
+                }
 
-      (void)nsslibc_memcpy(rv, inputString, size);
+                (void)nsslibc_memcpy(rv, inputString, size);
+            }
+
+            break;
+        case nssStringType_PHGString:
+            /*
+             * PHGString is an IA5String (with case-insensitive comparisons).
+             * IA5 is ~almost~ ascii; ascii has dollar-sign where IA5 has
+             * currency symbol.
+             */
+            nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+            break;
+        case nssStringType_GeneralString:
+            nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+            break;
+        default:
+            nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
+            break;
     }
 
-    break;
-  case nssStringType_UniversalString:
-    /* 4-byte unicode */
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_BMPString:
-    /* Base Multilingual Plane of Unicode */
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_UTF8String:
-    if( 0 == size ) {
-      rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
-    } else {
-      rv = nss_ZAlloc(arenaOpt, size+1);
-      if( (NSSUTF8 *)NULL == rv ) {
-        return (NSSUTF8 *)NULL;
-      }
-
-      (void)nsslibc_memcpy(rv, inputString, size);
-    }
-
-    break;
-  case nssStringType_PHGString:
-    /* 
-     * PHGString is an IA5String (with case-insensitive comparisons).
-     * IA5 is ~almost~ ascii; ascii has dollar-sign where IA5 has
-     * currency symbol.
-     */
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_GeneralString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  default:
-    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
-    break;
-  }
-
-  return rv;
+    return rv;
 }
 
 NSS_IMPLEMENT NSSItem *
-nssUTF8_GetEncoding
-(
-  NSSArena *arenaOpt,
-  NSSItem *rvOpt,
-  nssStringType type,
-  NSSUTF8 *string
-)
+nssUTF8_GetEncoding(NSSArena *arenaOpt, NSSItem *rvOpt, nssStringType type,
+                    NSSUTF8 *string)
 {
-  NSSItem *rv = (NSSItem *)NULL;
-  PRStatus status = PR_SUCCESS;
+    NSSItem *rv = (NSSItem *)NULL;
+    PRStatus status = PR_SUCCESS;
 
 #ifdef NSSDEBUG
-  if( (NSSArena *)NULL != arenaOpt ) {
-    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
-      return (NSSItem *)NULL;
+    if ((NSSArena *)NULL != arenaOpt) {
+        if (PR_SUCCESS != nssArena_verifyPointer(arenaOpt)) {
+            return (NSSItem *)NULL;
+        }
     }
-  }
 
-  if( (NSSUTF8 *)NULL == string ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return (NSSItem *)NULL;
-  }
+    if ((NSSUTF8 *)NULL == string) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return (NSSItem *)NULL;
+    }
 #endif /* NSSDEBUG */
 
-  switch( type ) {
-  case nssStringType_DirectoryString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_TeletexString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_PrintableString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_UniversalString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_BMPString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  case nssStringType_UTF8String:
-    {
-      NSSUTF8 *dup = nssUTF8_Duplicate(string, arenaOpt);
-      if( (NSSUTF8 *)NULL == dup ) {
-        return (NSSItem *)NULL;
-      }
+    switch (type) {
+        case nssStringType_DirectoryString:
+            nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+            break;
+        case nssStringType_TeletexString:
+            nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+            break;
+        case nssStringType_PrintableString:
+            nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+            break;
+        case nssStringType_UniversalString:
+            nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+            break;
+        case nssStringType_BMPString:
+            nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+            break;
+        case nssStringType_UTF8String: {
+            NSSUTF8 *dup = nssUTF8_Duplicate(string, arenaOpt);
+            if ((NSSUTF8 *)NULL == dup) {
+                return (NSSItem *)NULL;
+            }
 
-      if( (NSSItem *)NULL == rvOpt ) {
-        rv = nss_ZNEW(arenaOpt, NSSItem);
-        if( (NSSItem *)NULL == rv ) {
-          (void)nss_ZFreeIf(dup);
-          return (NSSItem *)NULL;
-        }
-      } else {
-        rv = rvOpt;
-      }
+            if ((NSSItem *)NULL == rvOpt) {
+                rv = nss_ZNEW(arenaOpt, NSSItem);
+                if ((NSSItem *)NULL == rv) {
+                    (void)nss_ZFreeIf(dup);
+                    return (NSSItem *)NULL;
+                }
+            }
+            else {
+                rv = rvOpt;
+            }
 
-      rv->data = dup;
-      dup = (NSSUTF8 *)NULL;
-      rv->size = nssUTF8_Size(rv->data, &status);
-      if( (0 == rv->size) && (PR_SUCCESS != status) ) {
-        if( (NSSItem *)NULL == rvOpt ) {
-          (void)nss_ZFreeIf(rv);
-        }
-        return (NSSItem *)NULL;
-      }
+            rv->data = dup;
+            dup = (NSSUTF8 *)NULL;
+            rv->size = nssUTF8_Size(rv->data, &status);
+            if ((0 == rv->size) && (PR_SUCCESS != status)) {
+                if ((NSSItem *)NULL == rvOpt) {
+                    (void)nss_ZFreeIf(rv);
+                }
+                return (NSSItem *)NULL;
+            }
+        } break;
+        case nssStringType_PHGString:
+            nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
+            break;
+        default:
+            nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
+            break;
     }
-    break;
-  case nssStringType_PHGString:
-    nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
-    break;
-  default:
-    nss_SetError(NSS_ERROR_UNSUPPORTED_TYPE);
-    break;
-  }
 
-  return rv;
+    return rv;
 }
 
 /*
  * nssUTF8_CopyIntoFixedBuffer
  *
- * This will copy a UTF8 string into a fixed-length buffer, making 
+ * This will copy a UTF8 string into a fixed-length buffer, making
  * sure that the all characters are valid.  Any remaining space will
- * be padded with the specified ASCII character, typically either 
+ * be padded with the specified ASCII character, typically either
  * null or space.
  *
  * Blah, blah, blah.
  */
 
 NSS_IMPLEMENT PRStatus
-nssUTF8_CopyIntoFixedBuffer
-(
-  NSSUTF8 *string,
-  char *buffer,
-  PRUint32 bufferSize,
-  char pad
-)
+nssUTF8_CopyIntoFixedBuffer(NSSUTF8 *string, char *buffer, PRUint32 bufferSize,
+                            char pad)
 {
-  PRUint32 stringSize = 0;
+    PRUint32 stringSize = 0;
 
 #ifdef NSSDEBUG
-  if( (char *)NULL == buffer ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    return PR_FALSE;
-  }
+    if ((char *)NULL == buffer) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        return PR_FALSE;
+    }
 
-  if( 0 == bufferSize ) {
-    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
-    return PR_FALSE;
-  }
+    if (0 == bufferSize) {
+        nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+        return PR_FALSE;
+    }
 
-  if( (pad & 0x80) != 0x00 ) {
-    nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
-    return PR_FALSE;
-  }
+    if ((pad & 0x80) != 0x00) {
+        nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
+        return PR_FALSE;
+    }
 #endif /* NSSDEBUG */
 
-  if( (NSSUTF8 *)NULL == string ) {
-    string = (NSSUTF8 *) "";
-  }
-
-  stringSize = nssUTF8_Size(string, (PRStatus *)NULL);
-  stringSize--; /* don't count the trailing null */
-  if( stringSize > bufferSize ) {
-    PRUint32 bs = bufferSize;
-    (void)nsslibc_memcpy(buffer, string, bufferSize);
-    
-    if( (            ((buffer[ bs-1 ] & 0x80) == 0x00)) ||
-        ((bs > 1) && ((buffer[ bs-2 ] & 0xE0) == 0xC0)) ||
-        ((bs > 2) && ((buffer[ bs-3 ] & 0xF0) == 0xE0)) ||
-        ((bs > 3) && ((buffer[ bs-4 ] & 0xF8) == 0xF0)) ||
-        ((bs > 4) && ((buffer[ bs-5 ] & 0xFC) == 0xF8)) ||
-        ((bs > 5) && ((buffer[ bs-6 ] & 0xFE) == 0xFC)) ) {
-      /* It fit exactly */
-      return PR_SUCCESS;
+    if ((NSSUTF8 *)NULL == string) {
+        string = (NSSUTF8 *)"";
     }
 
-    /* Too long.  We have to trim the last character */
-    for( /*bs*/; bs != 0; bs-- ) {
-      if( (buffer[bs-1] & 0xC0) != 0x80 ) {
-        buffer[bs-1] = pad;
-        break;
-      } else {
-        buffer[bs-1] = pad;
-      }
-    }      
-  } else {
-    (void)nsslibc_memset(buffer, pad, bufferSize);
-    (void)nsslibc_memcpy(buffer, string, stringSize);
-  }
+    stringSize = nssUTF8_Size(string, (PRStatus *)NULL);
+    stringSize--; /* don't count the trailing null */
+    if (stringSize > bufferSize) {
+        PRUint32 bs = bufferSize;
+        (void)nsslibc_memcpy(buffer, string, bufferSize);
+
+        if ((            ((buffer[bs - 1] & 0x80) == 0x00)) ||
+            ((bs > 1) && ((buffer[bs - 2] & 0xE0) == 0xC0)) ||
+            ((bs > 2) && ((buffer[bs - 3] & 0xF0) == 0xE0)) ||
+            ((bs > 3) && ((buffer[bs - 4] & 0xF8) == 0xF0)) ||
+            ((bs > 4) && ((buffer[bs - 5] & 0xFC) == 0xF8)) ||
+            ((bs > 5) && ((buffer[bs - 6] & 0xFE) == 0xFC))) {
+            /* It fit exactly */
+            return PR_SUCCESS;
+        }
 
-  return PR_SUCCESS;
+        /* Too long.  We have to trim the last character */
+        for (/*bs*/; bs != 0; bs--) {
+            if ((buffer[bs - 1] & 0xC0) != 0x80) {
+                buffer[bs - 1] = pad;
+                break;
+            }
+            else {
+                buffer[bs - 1] = pad;
+            }
+        }
+    }
+    else {
+        (void)nsslibc_memset(buffer, pad, bufferSize);
+        (void)nsslibc_memcpy(buffer, string, stringSize);
+    }
+
+    return PR_SUCCESS;
 }
 
 /*
  * nssUTF8_Equal
  *
  */
 
 NSS_IMPLEMENT PRBool
-nssUTF8_Equal
-(
-  const NSSUTF8 *a,
-  const NSSUTF8 *b,
-  PRStatus *statusOpt
-)
+nssUTF8_Equal(const NSSUTF8 *a, const NSSUTF8 *b, PRStatus *statusOpt)
 {
-  PRUint32 la, lb;
+    PRUint32 la, lb;
 
 #ifdef NSSDEBUG
-  if( ((const NSSUTF8 *)NULL == a) ||
-      ((const NSSUTF8 *)NULL == b) ) {
-    nss_SetError(NSS_ERROR_INVALID_POINTER);
-    if( (PRStatus *)NULL != statusOpt ) {
-      *statusOpt = PR_FAILURE;
+    if (((const NSSUTF8 *)NULL == a) || ((const NSSUTF8 *)NULL == b)) {
+        nss_SetError(NSS_ERROR_INVALID_POINTER);
+        if ((PRStatus *)NULL != statusOpt) {
+            *statusOpt = PR_FAILURE;
+        }
+        return PR_FALSE;
     }
-    return PR_FALSE;
-  }
 #endif /* NSSDEBUG */
 
-  la = nssUTF8_Size(a, statusOpt);
-  if( 0 == la ) {
-    return PR_FALSE;
-  }
+    la = nssUTF8_Size(a, statusOpt);
+    if (0 == la) {
+        return PR_FALSE;
+    }
 
-  lb = nssUTF8_Size(b, statusOpt);
-  if( 0 == lb ) {
-    return PR_FALSE;
-  }
+    lb = nssUTF8_Size(b, statusOpt);
+    if (0 == lb) {
+        return PR_FALSE;
+    }
 
-  if( la != lb ) {
-    return PR_FALSE;
-  }
+    if (la != lb) {
+        return PR_FALSE;
+    }
 
-  return nsslibc_memequal(a, b, la, statusOpt);
+    return nsslibc_memequal(a, b, la, statusOpt);
 }
--- a/security/nss/lib/certdb/alg1485.c
+++ b/security/nss/lib/certdb/alg1485.c
@@ -8,36 +8,38 @@
 #include "cert.h"
 #include "certi.h"
 #include "xconst.h"
 #include "genname.h"
 #include "secitem.h"
 #include "secerr.h"
 
 typedef struct NameToKindStr {
-    const char * name;
+    const char* name;
     unsigned int maxLen; /* max bytes in UTF8 encoded string value */
-    SECOidTag    kind;
-    int		 valueType;
+    SECOidTag kind;
+    int valueType;
 } NameToKind;
 
 /* local type for directory string--could be printable_string or utf8 */
 #define SEC_ASN1_DS SEC_ASN1_HIGH_TAG_NUMBER
 
+/* clang-format off */
+
 /* Add new entries to this table, and maybe to function ParseRFC1485AVA */
 static const NameToKind name2kinds[] = {
 /* IANA registered type names
- * (See: http://www.iana.org/assignments/ldap-parameters) 
+ * (See: http://www.iana.org/assignments/ldap-parameters)
  */
 /* RFC 3280, 4630 MUST SUPPORT */
     { "CN",            640, SEC_OID_AVA_COMMON_NAME,    SEC_ASN1_DS},
     { "ST",            128, SEC_OID_AVA_STATE_OR_PROVINCE,
-							SEC_ASN1_DS},
+                                                        SEC_ASN1_DS},
     { "O",             128, SEC_OID_AVA_ORGANIZATION_NAME,
-							SEC_ASN1_DS},
+                                                        SEC_ASN1_DS},
     { "OU",            128, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
                                                         SEC_ASN1_DS},
     { "dnQualifier", 32767, SEC_OID_AVA_DN_QUALIFIER, SEC_ASN1_PRINTABLE_STRING},
     { "C",               2, SEC_OID_AVA_COUNTRY_NAME, SEC_ASN1_PRINTABLE_STRING},
     { "serialNumber",   64, SEC_OID_AVA_SERIAL_NUMBER,SEC_ASN1_PRINTABLE_STRING},
 
 /* RFC 3280, 4630 SHOULD SUPPORT */
     { "L",             128, SEC_OID_AVA_LOCALITY,       SEC_ASN1_DS},
@@ -53,17 +55,17 @@ static const NameToKind name2kinds[] = {
     { "MAIL",          256, SEC_OID_RFC1274_MAIL,       SEC_ASN1_IA5_STRING},
     { "UID",           256, SEC_OID_RFC1274_UID,        SEC_ASN1_DS},
 
 /* ------------------ "strict" boundary ---------------------------------
  * In strict mode, cert_NameToAscii does not encode any of the attributes
  * below this line. The first SECOidTag below this line must be used to
  * conditionally define the "endKind" in function AppendAVA() below.
  * Most new attribute names should be added below this line.
- * Maybe this line should be up higher?  Say, after the 3280 MUSTs and 
+ * Maybe this line should be up higher?  Say, after the 3280 MUSTs and
  * before the 3280 SHOULDs?
  */
 
 /* values from draft-ietf-ldapbis-user-schema-05 (not in RFC 3280) */
     { "postalAddress", 128, SEC_OID_AVA_POSTAL_ADDRESS, SEC_ASN1_DS},
     { "postalCode",     40, SEC_OID_AVA_POSTAL_CODE,    SEC_ASN1_DS},
     { "postOfficeBox",  40, SEC_OID_AVA_POST_OFFICE_BOX,SEC_ASN1_DS},
     { "houseIdentifier",64, SEC_OID_AVA_HOUSE_IDENTIFIER,SEC_ASN1_DS},
@@ -71,1490 +73,1532 @@ static const NameToKind name2kinds[] = {
 
 /* legacy keywords */
     { "E",             128, SEC_OID_PKCS9_EMAIL_ADDRESS,SEC_ASN1_IA5_STRING},
     { "STREET",        128, SEC_OID_AVA_STREET_ADDRESS, SEC_ASN1_DS},
     { "pseudonym",      64, SEC_OID_AVA_PSEUDONYM,      SEC_ASN1_DS},
 
 /* values defined by the CAB Forum for EV */
     { "incorporationLocality", 128, SEC_OID_EV_INCORPORATION_LOCALITY,
-                                                        SEC_ASN1_DS},
+                                    SEC_ASN1_DS},
     { "incorporationState",    128, SEC_OID_EV_INCORPORATION_STATE,
-                                                        SEC_ASN1_DS},
+                                    SEC_ASN1_DS},
     { "incorporationCountry",    2, SEC_OID_EV_INCORPORATION_COUNTRY,
-                                                    SEC_ASN1_PRINTABLE_STRING},
+                                    SEC_ASN1_PRINTABLE_STRING},
     { "businessCategory",       64, SEC_OID_BUSINESS_CATEGORY, SEC_ASN1_DS},
 
 /* values defined in X.520 */
     { "name",           64, SEC_OID_AVA_NAME,           SEC_ASN1_DS},
 
     { 0,               256, SEC_OID_UNKNOWN,            0},
 };
 
 /* Table facilitates conversion of ASCII hex to binary. */
 static const PRInt16 x2b[256] = {
-/* #0x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
-/* #1x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
-/* #2x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
-/* #3x */  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, -1, -1, -1, -1, -1, -1, 
-/* #4x */ -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
-/* #5x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
-/* #6x */ -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
-/* #7x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
-/* #8x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
-/* #9x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
-/* #ax */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
-/* #bx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
-/* #cx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
-/* #dx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
-/* #ex */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 
+/* #0x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+/* #1x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+/* #2x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+/* #3x */  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, -1, -1, -1, -1, -1, -1,
+/* #4x */ -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+/* #5x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+/* #6x */ -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+/* #7x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+/* #8x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+/* #9x */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+/* #ax */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+/* #bx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+/* #cx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+/* #dx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+/* #ex */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
 /* #fx */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1
 };
 
 #define IS_HEX(c) (x2b[(PRUint8)(c)] >= 0)
 
 #define C_DOUBLE_QUOTE '\042'
 
 #define C_BACKSLASH '\134'
 
 #define C_EQUAL '='
 
-#define OPTIONAL_SPACE(c) \
+#define OPTIONAL_SPACE(c)                                                      \
     (((c) == ' ') || ((c) == '\r') || ((c) == '\n'))
 
-#define SPECIAL_CHAR(c)						\
-    (((c) == ',') || ((c) == '=') || ((c) == C_DOUBLE_QUOTE) ||	\
-     ((c) == '\r') || ((c) == '\n') || ((c) == '+') ||		\
-     ((c) == '<') || ((c) == '>') || ((c) == '#') ||		\
+#define SPECIAL_CHAR(c)                                                        \
+    (((c) == ',') || ((c) == '=') || ((c) == C_DOUBLE_QUOTE) ||                \
+     ((c) == '\r') || ((c) == '\n') || ((c) == '+') ||                         \
+     ((c) == '<') || ((c) == '>') || ((c) == '#') ||                           \
      ((c) == ';') || ((c) == C_BACKSLASH))
 
 
-#define IS_PRINTABLE(c)						\
-    ((((c) >= 'a') && ((c) <= 'z')) ||				\
-     (((c) >= 'A') && ((c) <= 'Z')) ||				\
-     (((c) >= '0') && ((c) <= '9')) ||				\
-     ((c) == ' ') ||						\
-     ((c) == '\'') ||						\
-     ((c) == '\050') ||				/* ( */		\
-     ((c) == '\051') ||				/* ) */		\
-     (((c) >= '+') && ((c) <= '/')) ||		/* + , - . / */	\
-     ((c) == ':') ||						\
-     ((c) == '=') ||						\
+#define IS_PRINTABLE(c)                                                        \
+    ((((c) >= 'a') && ((c) <= 'z')) ||                                         \
+     (((c) >= 'A') && ((c) <= 'Z')) ||                                         \
+     (((c) >= '0') && ((c) <= '9')) ||                                         \
+     ((c) == ' ') ||                                                           \
+     ((c) == '\'') ||                                                          \
+     ((c) == '\050') ||                     /* ( */                            \
+     ((c) == '\051') ||                     /* ) */                            \
+     (((c) >= '+') && ((c) <= '/')) ||      /* + , - . / */                    \
+     ((c) == ':') ||                                                           \
+     ((c) == '=') ||                                                           \
      ((c) == '?'))
 
+/* clang-format on */
+
 /* RFC 2253 says we must escape ",+\"\\<>;=" EXCEPT inside a quoted string.
  * Inside a quoted string, we only need to escape " and \
  * We choose to quote strings containing any of those special characters,
  * so we only need to escape " and \
  */
-#define NEEDS_ESCAPE(c) \
-    (c == C_DOUBLE_QUOTE || c == C_BACKSLASH)
+#define NEEDS_ESCAPE(c) (c == C_DOUBLE_QUOTE || c == C_BACKSLASH)
 
-#define NEEDS_HEX_ESCAPE(c) \
-    ((PRUint8)c < 0x20 || c == 0x7f)
+#define NEEDS_HEX_ESCAPE(c) ((PRUint8)c < 0x20 || c == 0x7f)
 
 int
 cert_AVAOidTagToMaxLen(SECOidTag tag)
 {
-    const NameToKind *n2k = name2kinds;
+    const NameToKind* n2k = name2kinds;
 
     while (n2k->kind != tag && n2k->kind != SEC_OID_UNKNOWN) {
-	++n2k;
+        ++n2k;
     }
     return (n2k->kind != SEC_OID_UNKNOWN) ? n2k->maxLen : -1;
 }
 
 static PRBool
-IsPrintable(unsigned char *data, unsigned len)
+IsPrintable(unsigned char* data, unsigned len)
 {
     unsigned char ch, *end;
 
     end = data + len;
     while (data < end) {
-	ch = *data++;
-	if (!IS_PRINTABLE(ch)) {
-	    return PR_FALSE;
-	}
+        ch = *data++;
+        if (!IS_PRINTABLE(ch)) {
+            return PR_FALSE;
+        }
     }
     return PR_TRUE;
 }
 
 static void
-skipSpace(const char **pbp, const char *endptr)
+skipSpace(const char** pbp, const char* endptr)
 {
-    const char *bp = *pbp;
+    const char* bp = *pbp;
     while (bp < endptr && OPTIONAL_SPACE(*bp)) {
-	bp++;
+        bp++;
     }
     *pbp = bp;
 }
 
 static SECStatus
-scanTag(const char **pbp, const char *endptr, char *tagBuf, int tagBufSize)
+scanTag(const char** pbp, const char* endptr, char* tagBuf, int tagBufSize)
 {
-    const char *bp;
-    char *tagBufp;
+    const char* bp;
+    char* tagBufp;
     int taglen;
 
     PORT_Assert(tagBufSize > 0);
-    
+
     /* skip optional leading space */
     skipSpace(pbp, endptr);
     if (*pbp == endptr) {
-	/* nothing left */
-	return SECFailure;
+        /* nothing left */
+        return SECFailure;
     }
-    
+
     /* fill tagBuf */
     taglen = 0;
     bp = *pbp;
     tagBufp = tagBuf;
     while (bp < endptr && !OPTIONAL_SPACE(*bp) && (*bp != C_EQUAL)) {
-	if (++taglen >= tagBufSize) {
-	    *pbp = bp;
-	    return SECFailure;
-	}
-	*tagBufp++ = *bp++;
+        if (++taglen >= tagBufSize) {
+            *pbp = bp;
+            return SECFailure;
+        }
+        *tagBufp++ = *bp++;
     }
     /* null-terminate tagBuf -- guaranteed at least one space left */
     *tagBufp++ = 0;
     *pbp = bp;
-    
+
     /* skip trailing spaces till we hit something - should be an equal sign */
     skipSpace(pbp, endptr);
     if (*pbp == endptr) {
-	/* nothing left */
-	return SECFailure;
+        /* nothing left */
+        return SECFailure;
     }
     if (**pbp != C_EQUAL) {
-	/* should be an equal sign */
-	return SECFailure;
+        /* should be an equal sign */
+        return SECFailure;
     }
     /* skip over the equal sign */
     (*pbp)++;
-    
+
     return SECSuccess;
 }
 
 /* Returns the number of bytes in the value. 0 means failure. */
 static int
-scanVal(const char **pbp, const char *endptr, char *valBuf, int valBufSize)  
+scanVal(const char** pbp, const char* endptr, char* valBuf, int valBufSize)
 {
-    const char *bp;
-    char *valBufp;
+    const char* bp;
+    char* valBufp;
     int vallen = 0;
     PRBool isQuoted;
-    
+
     PORT_Assert(valBufSize > 0);
-    
+
     /* skip optional leading space */
     skipSpace(pbp, endptr);
-    if(*pbp == endptr) {
-	/* nothing left */
-	return 0;
+    if (*pbp == endptr) {
+        /* nothing left */
+        return 0;
     }
-    
+
     bp = *pbp;
-    
+
     /* quoted? */
     if (*bp == C_DOUBLE_QUOTE) {
-	isQuoted = PR_TRUE;
-	/* skip over it */
-	bp++;
-    } else {
-	isQuoted = PR_FALSE;
+        isQuoted = PR_TRUE;
+        /* skip over it */
+        bp++;
     }
-    
+    else {
+        isQuoted = PR_FALSE;
+    }
+
     valBufp = valBuf;
     while (bp < endptr) {
-	char c = *bp;
-	if (c == C_BACKSLASH) {
-	    /* escape character */
-	    bp++;
-	    if (bp >= endptr) {
-		/* escape charater must appear with paired char */
-		*pbp = bp;
-		return 0;
-	    }
-	    c = *bp;
-	    if (IS_HEX(c) && (endptr - bp) >= 2 && IS_HEX(bp[1])) {
-		bp++;
-		c = (char)((x2b[(PRUint8)c] << 4) | x2b[(PRUint8)*bp]); 
-	    }
-	} else if (c == '#' && bp == *pbp) {
-	    /* ignore leading #, quotation not required for it. */
-	} else if (!isQuoted && SPECIAL_CHAR(c)) {
-	    /* unescaped special and not within quoted value */
-	    break;
-	} else if (c == C_DOUBLE_QUOTE) {
-	    /* reached unescaped double quote */
-	    break;
-	}
-	/* append character */
+        char c = *bp;
+        if (c == C_BACKSLASH) {
+            /* escape character */
+            bp++;
+            if (bp >= endptr) {
+                /* escape charater must appear with paired char */
+                *pbp = bp;
+                return 0;
<