Bug 1251185, NSS clang-format: else line-break fixes, r=ttaubert NSS_3_23_BETA7
authorFranziskus Kiefer <franziskuskiefer@gmail.com>
Thu, 25 Feb 2016 15:28:52 +0100
changeset 11940 0e6e8153513e40154dc1907c2aff318b5342e73e
parent 11939 e1aec44f44ccb915b4479611701e86539401d5f2
child 11941 cacd2e6f8a456da53eac9389c75ad1db96d4ad87
push id1020
push userkaie@kuix.de
push dateThu, 25 Feb 2016 14:29:07 +0000
reviewersttaubert
bugs1251185
Bug 1251185, NSS clang-format: else line-break fixes, r=ttaubert
lib/base/arena.c
lib/base/error.c
lib/base/hash.c
lib/base/item.c
lib/base/libc.c
lib/base/list.c
lib/base/utf8.c
lib/certdb/alg1485.c
lib/certdb/certdb.c
lib/certdb/certv3.c
lib/certdb/certxutl.c
lib/certdb/crl.c
lib/certdb/genname.c
lib/certdb/polcyxtn.c
lib/certdb/secname.c
lib/certdb/stanpcertdb.c
lib/certdb/xauthkid.c
lib/certdb/xbsconst.c
lib/certhigh/certhigh.c
lib/certhigh/certvfy.c
lib/certhigh/certvfypkix.c
lib/certhigh/crlv2.c
lib/certhigh/ocsp.c
lib/certhigh/ocspsig.c
lib/ckfw/builtins/anchor.c
lib/ckfw/builtins/bfind.c
lib/ckfw/capi/anchor.c
lib/ckfw/capi/cfind.c
lib/ckfw/capi/cobject.c
lib/ckfw/dbm/anchor.c
lib/ckfw/dbm/db.c
lib/ckfw/dbm/slot.c
lib/ckfw/dbm/token.c
lib/ckfw/find.c
lib/ckfw/hash.c
lib/ckfw/instance.c
lib/ckfw/nssmkey/manchor.c
lib/ckfw/nssmkey/mfind.c
lib/ckfw/nssmkey/mobject.c
lib/ckfw/object.c
lib/ckfw/session.c
lib/ckfw/sessobj.c
lib/ckfw/slot.c
lib/ckfw/token.c
lib/ckfw/wrap.c
lib/crmf/challcli.c
lib/crmf/cmmfchal.c
lib/crmf/cmmfrec.c
lib/crmf/cmmfresp.c
lib/crmf/crmfcont.c
lib/crmf/crmfget.c
lib/crmf/crmfpop.c
lib/crmf/crmfreq.c
lib/crmf/respcmn.c
lib/crmf/servget.c
lib/cryptohi/seckey.c
lib/cryptohi/secsign.c
lib/cryptohi/secvfy.c
lib/dbm/include/hash.h
lib/dbm/src/dirent.c
lib/dbm/src/dirent.h
lib/dbm/src/h_bigkey.c
lib/dbm/src/h_page.c
lib/dbm/src/hash.c
lib/dbm/src/hash_buf.c
lib/dbm/src/memmove.c
lib/dbm/src/mktemp.c
lib/dbm/tests/lots.c
lib/dev/ckhelper.c
lib/dev/ckhelper.h
lib/dev/devtoken.c
lib/dev/devutil.c
lib/ssl/authcert.c
lib/ssl/cmpcert.c
lib/ssl/derive.c
lib/ssl/dtlscon.c
lib/ssl/os2_err.c
lib/ssl/ssl3con.c
lib/ssl/ssl3ecc.c
lib/ssl/ssl3ext.c
lib/ssl/ssl3gthr.c
lib/ssl/sslauth.c
lib/ssl/sslcon.c
lib/ssl/ssldef.c
lib/ssl/sslgathr.c
lib/ssl/sslinfo.c
lib/ssl/sslmutex.h
lib/ssl/sslnonce.c
lib/ssl/sslsecur.c
lib/ssl/sslsnce.c
lib/ssl/sslsock.c
lib/ssl/ssltrace.c
lib/ssl/tls13con.c
lib/ssl/tls13hkdf.c
--- a/lib/base/arena.c
+++ b/lib/base/arena.c
@@ -525,18 +525,17 @@ nssArena_Mark(NSSArena *arena)
     }
     PR_Lock(arena->lock);
 
 #ifdef ARENA_THREADMARK
     if ((PRThread *)NULL == arena->marking_thread) {
         /* Unmarked.  Store our thread ID */
         arena->marking_thread = PR_GetCurrentThread();
         /* This call never fails. */
-    }
-    else {
+    } else {
         /* Marked.  Verify it's the current thread */
         if (PR_GetCurrentThread() != arena->marking_thread) {
             PR_Unlock(arena->lock);
             nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
             return (nssArenaMark *)NULL;
         }
     }
 #endif /* ARENA_THREADMARK */
@@ -551,18 +550,17 @@ nssArena_Mark(NSSArena *arena)
         nss_SetError(NSS_ERROR_NO_MEMORY);
         return (nssArenaMark *)NULL;
     }
 
 #ifdef ARENA_THREADMARK
     if ((nssArenaMark *)NULL == arena->first_mark) {
         arena->first_mark = rv;
         arena->last_mark = rv;
-    }
-    else {
+    } else {
         arena->last_mark->next = rv;
         arena->last_mark = rv;
     }
 #endif /* ARENA_THREADMARK */
 
     rv->mark = p;
     rv->magic = MARK_MAGIC;
 
@@ -840,18 +838,17 @@ nss_ZAlloc(NSSArena *arenaOpt, PRUint32 
             return (void *)NULL;
         }
 
         h->arena = (NSSArena *)NULL;
         h->size = size;
         /* We used calloc: it's already zeroed */
 
         return (void *)((char *)h + sizeof(struct pointer_header));
-    }
-    else {
+    } else {
         void *rv;
 /* Arena allocation */
 #ifdef NSSDEBUG
         if (PR_SUCCESS != nssArena_verifyPointer(arenaOpt)) {
             return (void *)NULL;
         }
 #endif /* NSSDEBUG */
 
@@ -935,18 +932,17 @@ nss_ZFreeIf(void *pointer)
 
     /* Check any magic here */
 
     if ((NSSArena *)NULL == h->arena) {
         /* Heap */
         (void)nsslibc_memset(pointer, 0, h->size);
         PR_Free(h);
         return PR_SUCCESS;
-    }
-    else {
+    } else {
 /* Arena */
 #ifdef NSSDEBUG
         if (PR_SUCCESS != nssArena_verifyPointer(h->arena)) {
             return PR_FAILURE;
         }
 #endif /* NSSDEBUG */
 
         if ((PRLock *)NULL == h->arena->lock) {
@@ -1053,28 +1049,26 @@ nss_ZRealloc(void *pointer, PRUint32 new
         new_h->arena = (NSSArena *)NULL;
         new_h->size = newSize;
         rv = (void *)((char *)new_h + sizeof(struct pointer_header));
 
         if (newSize > h->size) {
             (void)nsslibc_memcpy(rv, pointer, h->size);
             (void)nsslibc_memset(&((char *)rv)[h->size], 0,
                                  (newSize - h->size));
-        }
-        else {
+        } else {
             (void)nsslibc_memcpy(rv, pointer, newSize);
         }
 
         (void)nsslibc_memset(pointer, 0, h->size);
         h->size = 0;
         PR_Free(h);
 
         return rv;
-    }
-    else {
+    } else {
         void *p;
 /* Arena */
 #ifdef NSSDEBUG
         if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
             return (void *)NULL;
         }
 #endif /* NSSDEBUG */
 
--- a/lib/base/error.c
+++ b/lib/base/error.c
@@ -90,23 +90,21 @@ error_get_my_stack(void)
             return (error_stack *)NULL;
         }
     }
 
     rv = (error_stack *)PR_GetThreadPrivate(error_stack_index);
     if ((error_stack *)NULL == rv) {
         /* Doesn't exist; create one */
         new_size = 16;
-    }
-    else if (rv->header.count == rv->header.space &&
-             rv->header.count < NSS_MAX_ERROR_STACK_COUNT) {
+    } else if (rv->header.count == rv->header.space &&
+               rv->header.count < NSS_MAX_ERROR_STACK_COUNT) {
         /* Too small, expand it */
         new_size = PR_MIN(rv->header.space * 2, NSS_MAX_ERROR_STACK_COUNT);
-    }
-    else {
+    } else {
         /* Okay, return it */
         return rv;
     }
 
     new_bytes = (new_size * sizeof(PRInt32)) + sizeof(error_stack);
     /* Use NSPR's calloc/realloc, not NSS's, to avoid loops! */
     new_stack = PR_Calloc(1, new_bytes);
 
@@ -222,18 +220,17 @@ nss_SetError(PRUint32 error)
     es = error_get_my_stack();
     if ((error_stack *)NULL == es) {
         /* Oh, well. */
         return;
     }
 
     if (es->header.count < es->header.space) {
         es->stack[es->header.count++] = error;
-    }
-    else {
+    } else {
         memmove(es->stack, es->stack + 1,
                 (es->header.space - 1) * (sizeof es->stack[0]));
         es->stack[es->header.space - 1] = error;
     }
     return;
 }
 
 /*
--- a/lib/base/hash.c
+++ b/lib/base/hash.c
@@ -87,18 +87,17 @@ nssHash_Create(NSSArena *arenaOpt, PRUin
         nss_SetError(NSS_ERROR_INVALID_POINTER);
         return (nssHash *)NULL;
     }
 #endif /* NSSDEBUG */
 
     if (arenaOpt) {
         arena = arenaOpt;
         i_alloced = PR_FALSE;
-    }
-    else {
+    } else {
         arena = nssArena_Create();
         i_alloced = PR_TRUE;
     }
 
     rv = nss_ZNEW(arena, nssHash);
     if ((nssHash *)NULL == rv) {
         goto loser;
     }
@@ -165,18 +164,17 @@ nssHash_CreateItem(NSSArena *arenaOpt, P
  */
 NSS_IMPLEMENT void
 nssHash_Destroy(nssHash *hash)
 {
     (void)PZ_DestroyLock(hash->mutex);
     PL_HashTableDestroy(hash->plHashTable);
     if (hash->i_alloced_arena) {
         nssArena_Destroy(hash->arena);
-    }
-    else {
+    } else {
         nss_ZFreeIf(hash);
     }
 }
 
 /*
  * nssHash_Add
  *
  */
@@ -186,21 +184,19 @@ nssHash_Add(nssHash *hash, const void *k
     PRStatus error = PR_FAILURE;
     PLHashEntry *he;
 
     PZ_Lock(hash->mutex);
 
     he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
     if ((PLHashEntry *)NULL == he) {
         nss_SetError(NSS_ERROR_NO_MEMORY);
-    }
-    else if (he->value != value) {
+    } else if (he->value != value) {
         nss_SetError(NSS_ERROR_HASH_COLLISION);
-    }
-    else {
+    } else {
         hash->count++;
         error = PR_SUCCESS;
     }
 
     (void)PZ_Unlock(hash->mutex);
 
     return error;
 }
@@ -255,18 +251,17 @@ nssHash_Exists(nssHash *hash, const void
     PZ_Lock(hash->mutex);
 
     value = PL_HashTableLookup(hash->plHashTable, it);
 
     (void)PZ_Unlock(hash->mutex);
 
     if ((void *)NULL == value) {
         return PR_FALSE;
-    }
-    else {
+    } else {
         return PR_TRUE;
     }
 }
 
 /*
  * nssHash_Lookup
  *
  */
--- a/lib/base/item.c
+++ b/lib/base/item.c
@@ -49,18 +49,17 @@ nssItem_Create(NSSArena *arenaOpt, NSSIt
     }
 #endif /* DEBUG */
 
     if ((NSSItem *)NULL == rvOpt) {
         rv = (NSSItem *)nss_ZNEW(arenaOpt, NSSItem);
         if ((NSSItem *)NULL == rv) {
             goto loser;
         }
-    }
-    else {
+    } else {
         rv = rvOpt;
     }
 
     rv->size = length;
     rv->data = nss_ZAlloc(arenaOpt, length);
     if ((void *)NULL == rv->data) {
         goto loser;
     }
--- a/lib/base/libc.c
+++ b/lib/base/libc.c
@@ -101,18 +101,17 @@ nsslibc_memequal(const void *a, const vo
 #endif /* NSSDEBUG */
 
     if ((PRStatus *)NULL != statusOpt) {
         *statusOpt = PR_SUCCESS;
     }
 
     if (0 == memcmp(a, b, len)) {
         return PR_TRUE;
-    }
-    else {
+    } else {
         return PR_FALSE;
     }
 }
 
 /*
  * nsslibc_memcmp
  */
 
--- a/lib/base/list.c
+++ b/lib/base/list.c
@@ -78,18 +78,17 @@ NSS_IMPLEMENT nssList *
 nssList_Create(NSSArena *arenaOpt, PRBool threadSafe)
 {
     NSSArena *arena;
     nssList *list;
     PRBool i_alloced;
     if (arenaOpt) {
         arena = arenaOpt;
         i_alloced = PR_FALSE;
-    }
-    else {
+    } else {
         arena = nssArena_Create();
         i_alloced = PR_TRUE;
     }
     if (!arena) {
         return (nssList *)NULL;
     }
     list = nss_ZNEW(arena, nssList);
     if (!list) {
@@ -98,18 +97,17 @@ nssList_Create(NSSArena *arenaOpt, PRBoo
         }
         return (nssList *)NULL;
     }
     if (threadSafe) {
         list->lock = PZ_NewLock(nssILockOther);
         if (!list->lock) {
             if (arenaOpt) {
                 nss_ZFreeIf(list);
-            }
-            else {
+            } else {
                 NSSArena_Destroy(arena);
             }
             return (nssList *)NULL;
         }
     }
     list->arena = arena;
     list->i_alloced_arena = i_alloced;
     list->compareFunc = pointer_compare;
@@ -200,23 +198,21 @@ nsslist_add_element(nssList *list, void 
                 }
                 if (link == PR_LIST_TAIL(&list->head->link)) {
                     /* reached end of list, append */
                     PR_INSERT_AFTER(&node->link, link);
                     break;
                 }
                 currNode = (nssListElement *)PR_NEXT_LINK(&currNode->link);
             }
-        }
-        else {
+        } else {
             /* not sorting */
             PR_APPEND_LINK(&node->link, &list->head->link);
         }
-    }
-    else {
+    } else {
         list->head = node;
     }
     ++list->count;
     return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT PRStatus
 nssList_Add(nssList *list, void *data)
--- a/lib/base/utf8.c
+++ b/lib/base/utf8.c
@@ -56,18 +56,17 @@ nssUTF8_CaseIgnoreMatch(const NSSUTF8 *a
 
     /*
      * XXX fgmr
      *
      * This is, like, so wrong!
      */
     if (0 == PL_strcasecmp((const char *)a, (const char *)b)) {
         return PR_TRUE;
-    }
-    else {
+    } else {
         return PR_FALSE;
     }
 }
 
 /*
  * nssUTF8_PrintableMatch
  *
  * Returns true if the two Printable strings pointed to by the
@@ -162,18 +161,17 @@ nssUTF8_PrintableMatch(const NSSUTF8 *a,
 
     while (' ' == *d) {
         d++;
     }
 
     if (*c == *d) {
         /* And both '\0', btw */
         return PR_TRUE;
-    }
-    else {
+    } else {
         return PR_FALSE;
     }
 }
 
 /*
  * nssUTF8_Duplicate
  *
  * This routine duplicates the UTF8-encoded string pointed to by the
@@ -319,33 +317,27 @@ nssUTF8_Length(const NSSUTF8 *s, PRStatu
      * 0020 0000-03FF FFFF   111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
      * 0400 0000-7FFF FFFF   1111110x 10xxxxxx ... 10xxxxxx
      */
 
     while (0 != *c) {
         PRUint32 incr;
         if ((*c & 0x80) == 0) {
             incr = 1;
-        }
-        else if ((*c & 0xE0) == 0xC0) {
+        } else if ((*c & 0xE0) == 0xC0) {
             incr = 2;
-        }
-        else if ((*c & 0xF0) == 0xE0) {
+        } else if ((*c & 0xF0) == 0xE0) {
             incr = 3;
-        }
-        else if ((*c & 0xF8) == 0xF0) {
+        } else if ((*c & 0xF8) == 0xF0) {
             incr = 4;
-        }
-        else if ((*c & 0xFC) == 0xF8) {
+        } else if ((*c & 0xFC) == 0xF8) {
             incr = 5;
-        }
-        else if ((*c & 0xFE) == 0xFC) {
+        } else if ((*c & 0xFE) == 0xFC) {
             incr = 6;
-        }
-        else {
+        } else {
             nss_SetError(NSS_ERROR_INVALID_STRING);
             goto loser;
         }
 
         l += incr;
 
 #ifdef PEDANTIC
         if (l < incr) {
@@ -450,18 +442,17 @@ nssUTF8_Create(NSSArena *arenaOpt, nssSt
             /*
              * PrintableString consists of A-Za-z0-9 ,()+,-./:=?
              * This is a subset of ASCII, which is a subset of UTF8.
              * So we can just duplicate the string over.
              */
 
             if (0 == size) {
                 rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
-            }
-            else {
+            } else {
                 rv = nss_ZAlloc(arenaOpt, size + 1);
                 if ((NSSUTF8 *)NULL == rv) {
                     return (NSSUTF8 *)NULL;
                 }
 
                 (void)nsslibc_memcpy(rv, inputString, size);
             }
 
@@ -472,18 +463,17 @@ nssUTF8_Create(NSSArena *arenaOpt, nssSt
             break;
         case nssStringType_BMPString:
             /* Base Multilingual Plane of Unicode */
             nss_SetError(NSS_ERROR_INTERNAL_ERROR); /* unimplemented */
             break;
         case nssStringType_UTF8String:
             if (0 == size) {
                 rv = nssUTF8_Duplicate((const NSSUTF8 *)inputString, arenaOpt);
-            }
-            else {
+            } else {
                 rv = nss_ZAlloc(arenaOpt, size + 1);
                 if ((NSSUTF8 *)NULL == rv) {
                     return (NSSUTF8 *)NULL;
                 }
 
                 (void)nsslibc_memcpy(rv, inputString, size);
             }
 
@@ -550,18 +540,17 @@ nssUTF8_GetEncoding(NSSArena *arenaOpt, 
             }
 
             if ((NSSItem *)NULL == rvOpt) {
                 rv = nss_ZNEW(arenaOpt, NSSItem);
                 if ((NSSItem *)NULL == rv) {
                     (void)nss_ZFreeIf(dup);
                     return (NSSItem *)NULL;
                 }
-            }
-            else {
+            } else {
                 rv = rvOpt;
             }
 
             rv->data = dup;
             dup = (NSSUTF8 *)NULL;
             rv->size = nssUTF8_Size(rv->data, &status);
             if ((0 == rv->size) && (PR_SUCCESS != status)) {
                 if ((NSSItem *)NULL == rvOpt) {
@@ -635,23 +624,21 @@ nssUTF8_CopyIntoFixedBuffer(NSSUTF8 *str
             return PR_SUCCESS;
         }
 
         /* Too long.  We have to trim the last character */
         for (/*bs*/; bs != 0; bs--) {
             if ((buffer[bs - 1] & 0xC0) != 0x80) {
                 buffer[bs - 1] = pad;
                 break;
-            }
-            else {
+            } else {
                 buffer[bs - 1] = pad;
             }
         }
-    }
-    else {
+    } else {
         (void)nsslibc_memset(buffer, pad, bufferSize);
         (void)nsslibc_memcpy(buffer, string, stringSize);
     }
 
     return PR_SUCCESS;
 }
 
 /*
--- a/lib/certdb/alg1485.c
+++ b/lib/certdb/alg1485.c
@@ -256,18 +256,17 @@ scanVal(const char** pbp, const char* en
 
     bp = *pbp;
 
     /* quoted? */
     if (*bp == C_DOUBLE_QUOTE) {
         isQuoted = PR_TRUE;
         /* skip over it */
         bp++;
-    }
-    else {
+    } else {
         isQuoted = PR_FALSE;
     }
 
     valBufp = valBuf;
     while (bp < endptr) {
         char c = *bp;
         if (c == C_BACKSLASH) {
             /* escape character */
@@ -277,25 +276,22 @@ scanVal(const char** pbp, const char* en
                 *pbp = bp;
                 return 0;
             }
             c = *bp;
             if (IS_HEX(c) && (endptr - bp) >= 2 && IS_HEX(bp[1])) {
                 bp++;
                 c = (char)((x2b[(PRUint8)c] << 4) | x2b[(PRUint8)*bp]);
             }
-        }
-        else if (c == '#' && bp == *pbp) {
+        } else if (c == '#' && bp == *pbp) {
             /* ignore leading #, quotation not required for it. */
-        }
-        else if (!isQuoted && SPECIAL_CHAR(c)) {
+        } else if (!isQuoted && SPECIAL_CHAR(c)) {
             /* unescaped special and not within quoted value */
             break;
-        }
-        else if (c == C_DOUBLE_QUOTE) {
+        } else if (c == C_DOUBLE_QUOTE) {
             /* reached unescaped double quote */
             break;
         }
         /* append character */
         vallen++;
         if (vallen >= valBufSize) {
             *pbp = bp;
             return 0;
@@ -399,18 +395,17 @@ ParseRFC1485AVA(PLArenaPool* arena, cons
     /* if we haven't finished, insist that we've stopped on a separator */
     if (sep && sep != ',' && sep != ';' && sep != '+') {
         goto loser;
     }
 
     /* is this a dotted decimal OID attribute type ? */
     if (!PL_strncasecmp("oid.", tagBuf, 4)) {
         rv = SEC_StringToOID(arena, &derOid, tagBuf, strlen(tagBuf));
-    }
-    else {
+    } else {
         for (n2k = name2kinds; n2k->name; n2k++) {
             SECOidData* oidrec;
             if (PORT_Strcasecmp(n2k->name, tagBuf) == 0) {
                 kind = n2k->kind;
                 vt = n2k->valueType;
                 oidrec = SECOID_FindOIDByTag(kind);
                 if (oidrec == NULL)
                     goto loser;
@@ -424,18 +419,17 @@ ParseRFC1485AVA(PLArenaPool* arena, cons
 
     /* Is this a hex encoding of a DER attribute value ? */
     if ('#' == valBuf[0]) {
         /* convert attribute value from hex to binary */
         rv = hexToBin(arena, &derVal, valBuf + 1, valLen - 1);
         if (rv)
             goto loser;
         a = CERT_CreateAVAFromRaw(arena, &derOid, &derVal);
-    }
-    else {
+    } else {
         if (kind == SEC_OID_UNKNOWN)
             goto loser;
         if (kind == SEC_OID_AVA_COUNTRY_NAME && valLen != 2)
             goto loser;
         if (vt == SEC_ASN1_PRINTABLE_STRING &&
             !IsPrintable((unsigned char*)valBuf, valLen))
             goto loser;
         if (vt == SEC_ASN1_DS) {
@@ -478,18 +472,17 @@ ParseRFC1485Name(const char* buf, int le
         ava = ParseRFC1485AVA(name->arena, &bp, e);
         if (ava == 0)
             goto loser;
         if (!rdn) {
             rdn = CERT_CreateRDN(name->arena, ava, (CERTAVA*)0);
             if (rdn == 0)
                 goto loser;
             rv = CERT_AddRDN(name, rdn);
-        }
-        else {
+        } else {
             rv = CERT_AddAVA(name->arena, rdn, ava);
         }
         if (rv)
             goto loser;
         if (bp[-1] != '+')
             rdn = NULL; /* done with this RDN */
         skipSpace(&bp, e);
     }
@@ -560,18 +553,17 @@ AppendStr(stringBuf* bufp, char* str)
     bufLen = bufp->offset;
     len = PORT_Strlen(str);
     bufSize = bufLen + len;
     if (!buf) {
         bufSize++;
         size = PR_MAX(DEFAULT_BUFFER_SIZE, bufSize * 2);
         buf = (char*)PORT_Alloc(size);
         bufp->size = size;
-    }
-    else if (bufp->size < bufSize) {
+    } else if (bufp->size < bufSize) {
         size = bufSize * 2;
         buf = (char*)PORT_Realloc(buf, size);
         bufp->size = size;
     }
     if (!buf) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         return SECFailure;
     }
@@ -610,27 +602,24 @@ cert_RFC1485_GetRequiredLen(const char* 
     char lastC = 0;
 
     /* need to make an initial pass to determine if quoting is needed */
     for (i = 0; i < srclen; i++) {
         char c = src[i];
         reqLen++;
         if (NEEDS_HEX_ESCAPE(c)) { /* c -> \xx  */
             reqLen += 2;
-        }
-        else if (NEEDS_ESCAPE(c)) { /* c -> \c   */
+        } else if (NEEDS_ESCAPE(c)) { /* c -> \c   */
             reqLen++;
-        }
-        else if (SPECIAL_CHAR(c)) {
+        } else if (SPECIAL_CHAR(c)) {
             if (mode == minimalEscapeAndQuote) /* quoting is allowed */
                 needsQuoting = PR_TRUE;        /* entirety will need quoting */
             else if (mode == fullEscape)
                 reqLen++; /* MAY escape this character */
-        }
-        else if (OPTIONAL_SPACE(c) && OPTIONAL_SPACE(lastC)) {
+        } else if (OPTIONAL_SPACE(c) && OPTIONAL_SPACE(lastC)) {
             if (mode == minimalEscapeAndQuote) /* quoting is allowed */
                 needsQuoting = PR_TRUE;        /* entirety will need quoting */
         }
         lastC = c;
     }
     /* if it begins or ends in optional space it needs quoting */
     if (!needsQuoting && srclen > 0 && mode == minimalEscapeAndQuote &&
         (OPTIONAL_SPACE(src[srclen - 1]) || OPTIONAL_SPACE(src[0]))) {
@@ -662,18 +651,17 @@ escapeAndQuote(char* dst, int dstlen, ch
     if (mode == minimalEscapeAndQuote)
         *dst++ = C_DOUBLE_QUOTE;
     for (i = 0; i < srclen; i++) {
         char c = src[i];
         if (NEEDS_HEX_ESCAPE(c)) {
             *dst++ = C_BACKSLASH;
             *dst++ = hexChars[(c >> 4) & 0x0f];
             *dst++ = hexChars[c & 0x0f];
-        }
-        else {
+        } else {
             if (NEEDS_ESCAPE(c) || (SPECIAL_CHAR(c) && mode == fullEscape)) {
                 *dst++ = C_BACKSLASH;
             }
             *dst++ = c;
         }
     }
     if (mode == minimalEscapeAndQuote)
         *dst++ = C_DOUBLE_QUOTE;
@@ -761,23 +749,21 @@ CERT_GetOidString(const SECItem* oid)
                 goto unsupported;
 
             if (!rvString) {
                 /* This is the first number.. decompose it */
                 PRUint32 one = PR_MIN(n / 40, 2); /* never > 2 */
                 PRUint32 two = n - (one * 40);
 
                 rvString = PR_smprintf("OID.%lu.%lu", one, two);
-            }
-            else {
+            } else {
                 prefix = rvString;
                 rvString = PR_smprintf("%s.%lu", prefix, n);
             }
-        }
-        else if (bytesBeforeLast <= 9U) { /* 29-64 bit number */
+        } else if (bytesBeforeLast <= 9U) { /* 29-64 bit number */
             PRUint64 n = 0;
             PRUint64 c;
 
             switch (bytesBeforeLast) {
                 CASE(9, 0x01);
                 CASE(8, 0x7f);
                 CASE(7, 0x7f);
                 CASE(6, 0x7f);
@@ -793,23 +779,21 @@ CERT_GetOidString(const SECItem* oid)
                 goto unsupported;
 
             if (!rvString) {
                 /* This is the first number.. decompose it */
                 PRUint64 one = PR_MIN(n / 40, 2); /* never > 2 */
                 PRUint64 two = n - (one * 40);
 
                 rvString = PR_smprintf("OID.%llu.%llu", one, two);
-            }
-            else {
+            } else {
                 prefix = rvString;
                 rvString = PR_smprintf("%s.%llu", prefix, n);
             }
-        }
-        else {
+        } else {
         /* More than a 64-bit number, or not minimal encoding. */
         unsupported:
             if (!rvString)
                 rvString = PR_smprintf("OID.UNSUPPORTED");
             else {
                 prefix = rvString;
                 rvString = PR_smprintf("%s.UNSUPPORTED", prefix);
             }
@@ -940,18 +924,17 @@ AppendAVA(stringBuf* bufp, CERTAVA* ava,
                                             : SEC_OID_AVA_POSTAL_ADDRESS;
     tag = CERT_GetAVATag(ava);
     while (pn2k->kind != tag && pn2k->kind != endKind) {
         ++pn2k;
     }
 
     if (pn2k->kind != endKind) {
         n2k = *pn2k;
-    }
-    else if (strict != CERT_N2A_READABLE) {
+    } else if (strict != CERT_N2A_READABLE) {
         useHex = PR_TRUE;
     }
     /* For invertable form, force Directory Strings to use hex form. */
     if (strict == CERT_N2A_INVERTIBLE && vt == SEC_ASN1_DS) {
         tagName = NULL;   /* must use OID.N form */
         useHex = PR_TRUE; /* must use hex string */
     }
     if (!useHex) {
@@ -986,40 +969,36 @@ AppendAVA(stringBuf* bufp, CERTAVA* ava,
         (useHex ? avaValue->len : cert_RFC1485_GetRequiredLen(
                                       (char*)avaValue->data, avaValue->len, &mode));
     len = nameLen + valueLen + 2; /* Add 2 for '=' and trailing NUL */
 
     maxName = nameLen;
     maxValue = valueLen;
     if (len <= sizeof(tmpBuf)) {
         encodedAVA = tmpBuf;
-    }
-    else if (strict != CERT_N2A_READABLE) {
+    } else if (strict != CERT_N2A_READABLE) {
         encodedAVA = PORT_Alloc(len);
         if (!encodedAVA) {
             SECITEM_FreeItem(avaValue, PR_TRUE);
             if (unknownTag)
                 PR_smprintf_free(unknownTag);
             return SECFailure;
         }
-    }
-    else {
+    } else {
         /* Must make output fit in tmpbuf */
         unsigned int fair = (sizeof tmpBuf) / 2 - 1; /* for = and \0 */
 
         if (nameLen < fair) {
             /* just truncate the value */
             maxValue = (sizeof tmpBuf) - (nameLen + 6); /* for "=...\0",
                                                      and possibly '"' */
-        }
-        else if (valueLen < fair) {
+        } else if (valueLen < fair) {
             /* just truncate the name */
             maxName = (sizeof tmpBuf) - (valueLen + 5); /* for "=...\0" */
-        }
-        else {
+        } else {
             /* truncate both */
             maxName = maxValue = fair - 3; /* for "..." */
         }
         if (nameLen > maxName) {
             PORT_Assert(unknownTag && unknownTag == tagName);
             truncateName = PR_TRUE;
             nameLen = maxName;
         }
@@ -1051,22 +1030,20 @@ AppendAVA(stringBuf* bufp, CERTAVA* ava,
         memcpy(encodedAVA + nameLen, (char*)avaValue->data, valueLen);
         end[0] = '\0';
         if (truncateValue) {
             end[-1] = '.';
             end[-2] = '.';
             end[-3] = '.';
         }
         rv = SECSuccess;
-    }
-    else if (!truncateValue) {
+    } else if (!truncateValue) {
         rv = escapeAndQuote(encodedAVA + nameLen, len - nameLen,
                             (char*)avaValue->data, avaValue->len, &mode);
-    }
-    else {
+    } else {
         /* must truncate the escaped and quoted value */
         char bigTmpBuf[TMPBUF_LEN * 3 + 3];
         PORT_Assert(valueLen < sizeof tmpBuf);
         rv = escapeAndQuote(bigTmpBuf, sizeof bigTmpBuf, (char*)avaValue->data,
                             PR_MIN(avaValue->len, valueLen), &mode);
 
         bigTmpBuf[valueLen--] = '\0'; /* hard stop here */
         /* See if we're in the middle of a multi-byte UTF8 character */
@@ -1131,18 +1108,17 @@ CERT_NameToAsciiInvertible(CERTName* nam
         while (avas && (ava = *avas++) != NULL) {
             SECStatus rv;
             /* Put in comma or plus separator */
             if (!first) {
                 /* Use of spaces is deprecated in RFC 2253. */
                 rv = AppendStr(&strBuf, newRDN ? "," : "+");
                 if (rv)
                     goto loser;
-            }
-            else {
+            } else {
                 first = PR_FALSE;
             }
 
             /* Add in tag type plus value into strBuf */
             rv = AppendAVA(&strBuf, ava, strict);
             if (rv)
                 goto loser;
             newRDN = PR_FALSE;
@@ -1206,18 +1182,17 @@ avaToString(PLArenaPool* arena, CERTAVA*
     avaValue = CERT_DecodeAVAValue(&ava->value);
     if (!avaValue) {
         return buf;
     }
     valueLen =
         cert_RFC1485_GetRequiredLen((char*)avaValue->data, avaValue->len, NULL) + 1;
     if (arena) {
         buf = (char*)PORT_ArenaZAlloc(arena, valueLen);
-    }
-    else {
+    } else {
         buf = (char*)PORT_ZAlloc(valueLen);
     }
     if (buf) {
         SECStatus rv =
             escapeAndQuote(buf, valueLen, (char*)avaValue->data, avaValue->len, NULL);
         if (rv != SECSuccess) {
             if (!arena)
                 PORT_Free(buf);
@@ -1316,18 +1291,17 @@ CERT_GetCertificateEmailAddress(CERTCert
                         CERT_GetNameElement(cert->arena, &(current->name.directoryName),
                                             SEC_OID_PKCS9_EMAIL_ADDRESS);
                     if (rawEmailAddr ==
                         NULL) {
                         rawEmailAddr =
                             CERT_GetNameElement(cert->arena, &(current->name.directoryName),
                                                 SEC_OID_RFC1274_MAIL);
                     }
-                }
-                else if (current->type == certRFC822Name) {
+                } else if (current->type == certRFC822Name) {
                     rawEmailAddr =
                         (char*)PORT_ArenaZAlloc(cert->arena, current->name.other.len +
                                                                  1);
                     if (!rawEmailAddr) {
                         goto finish;
                     }
                     PORT_Memcpy(rawEmailAddr, current->name.other.data,
                                 current->name.other.len);
@@ -1397,18 +1371,17 @@ appendItemToBuf(char* dest, SECItem* src
                 PRUint8 c = src->data[i];
                 if (NEEDS_HEX_ESCAPE(c)) {
                     *dest++ =
                         C_BACKSLASH;
                     *dest++ =
                         hexChars[(c >> 4) & 0x0f];
                     *dest++ =
                         hexChars[c & 0x0f];
-                }
-                else {
+                } else {
                     *dest++ =
                         tolower(c);
                 }
             }
             *dest++ = '\0';
             *pRemaining -= reqLen;
         }
     }
@@ -1466,18 +1439,17 @@ cert_GetCertificateEmailAddresses(CERTCe
                     pBuf =
                         appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
 
                     rawEmailAddr =
                         CERT_GetNameElement(
                             tmpArena, &current->name.directoryName, SEC_OID_RFC1274_MAIL);
                     pBuf =
                         appendStringToBuf(pBuf, rawEmailAddr, &maxLen);
-                }
-                else if (current->type == certRFC822Name) {
+                } else if (current->type == certRFC822Name) {
                     pBuf =
                         appendItemToBuf(pBuf, &current->name.other, &maxLen);
                 }
                 current = CERT_GetNextGeneralName(current);
             } while (current != nameList);
         }
         SECITEM_FreeItem(&subAltName, PR_FALSE);
         /* Don't free nameList, it's part of the tmpArena. */
--- a/lib/certdb/certdb.c
+++ b/lib/certdb/certdb.c
@@ -395,18 +395,17 @@ GetKeyUsage(CERTCertificate *cert)
     if (rv == SECSuccess) {
         /* remember the actual value of the extension */
         cert->rawKeyUsage = tmpitem.data[0];
         cert->keyUsagePresent = PR_TRUE;
         cert->keyUsage = tmpitem.data[0];
 
         PORT_Free(tmpitem.data);
         tmpitem.data = NULL;
-    }
-    else {
+    } else {
         /* if the extension is not present, then we allow all uses */
         cert->keyUsage = KU_ALL;
         cert->rawKeyUsage = KU_ALL;
         cert->keyUsagePresent = PR_FALSE;
     }
 
     if (CERT_GovtApprovedBitSet(cert)) {
         cert->keyUsage |= KU_NS_GOVT_APPROVED;
@@ -478,18 +477,17 @@ cert_ComputeCertType(CERTCertificate *ce
     }
     rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
     if (rv == SECSuccess) {
         basicConstraintPresent = PR_TRUE;
     }
     if (tmpitem.data != NULL || extKeyUsage != NULL) {
         if (tmpitem.data == NULL) {
             nsCertType = 0;
-        }
-        else {
+        } else {
             nsCertType = tmpitem.data[0];
         }
 
         /* free tmpitem data pointer to avoid memory leak */
         PORT_Free(tmpitem.data);
         tmpitem.data = NULL;
 
         /*
@@ -512,72 +510,66 @@ cert_ComputeCertType(CERTCertificate *ce
          * to be used for email or as an email CA, if basic constraints
          * indicates that it is a CA.
          */
         if (findOIDinOIDSeqByTagNum(extKeyUsage,
                                     SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) ==
             SECSuccess) {
             if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
                 nsCertType |= NS_CERT_TYPE_EMAIL_CA;
-            }
-            else {
+            } else {
                 nsCertType |= NS_CERT_TYPE_EMAIL;
             }
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) == SECSuccess) {
             if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
                 nsCertType |= NS_CERT_TYPE_SSL_CA;
-            }
-            else {
+            } else {
                 nsCertType |= NS_CERT_TYPE_SSL_SERVER;
             }
         }
         /*
          * Treat certs with step-up OID as also having SSL server type.
          * COMODO needs this behaviour until June 2020.  See Bug 737802.
          */
         if (findOIDinOIDSeqByTagNum(extKeyUsage,
                                     SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) ==
             SECSuccess) {
             if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
                 nsCertType |= NS_CERT_TYPE_SSL_CA;
-            }
-            else {
+            } else {
                 nsCertType |= NS_CERT_TYPE_SSL_SERVER;
             }
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) == SECSuccess) {
             if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
                 nsCertType |= NS_CERT_TYPE_SSL_CA;
-            }
-            else {
+            } else {
                 nsCertType |= NS_CERT_TYPE_SSL_CLIENT;
             }
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_CODE_SIGN) == SECSuccess) {
             if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
                 nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
-            }
-            else {
+            } else {
                 nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING;
             }
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_TIME_STAMP) == SECSuccess) {
             nsCertType |= EXT_KEY_USAGE_TIME_STAMP;
         }
         if (findOIDinOIDSeqByTagNum(extKeyUsage, SEC_OID_OCSP_RESPONDER) ==
             SECSuccess) {
             nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
         }
-    }
-    else {
+    } else {
         /* If no NS Cert Type extension and no EKU extension, then */
         nsCertType = 0;
         if (CERT_IsCACert(cert, &nsCertType))
             nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
         /* if the basic constraint extension says the cert is a CA, then
            allow SSL CA and EMAIL CA and Status Responder */
         if (basicConstraintPresent && basicConstraint.isCA) {
             nsCertType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
@@ -669,18 +661,17 @@ cert_IsRootCert(CERTCertificate *cert)
             if (rv == SECSuccess) {
                 PRBool match;
                 /* also present, they MUST match for it to be a root */
                 match =
                     SECITEM_ItemsAreEqual(&cert->authKeyID->keyID, &tmpitem);
                 PORT_Free(tmpitem.data);
                 if (!match)
                     return PR_FALSE; /* else fall through */
-            }
-            else {
+            } else {
                 /* the subject key ID is required when AKI is present */
                 return PR_FALSE;
             }
         }
         if (cert->authKeyID->authCertIssuer) {
             SECItem *caName;
             caName = (SECItem *)CERT_GetGeneralNameByType(
                 cert->authKeyID->authCertIssuer, certDirectoryName, PR_TRUE);
@@ -738,18 +729,17 @@ CERT_DecodeDERCertificate(SECItem *derSi
         /* copy the DER data for the cert into this arena */
         data = (void *)PORT_ArenaAlloc(arena, derSignedCert->len);
         if (!data) {
             goto loser;
         }
         cert->derCert.data = (unsigned char *)data;
         cert->derCert.len = derSignedCert->len;
         PORT_Memcpy(data, derSignedCert->data, derSignedCert->len);
-    }
-    else {
+    } else {
         /* point to passed in DER data */
         cert->derCert = *derSignedCert;
     }
 
     /* decode the certificate info */
     rv = SEC_QuickDERDecodeItem(arena, cert, SEC_SignedCertificateTemplate,
                                 &cert->derCert);
 
@@ -766,18 +756,17 @@ CERT_DecodeDERCertificate(SECItem *derSi
                                  &cert->certKey);
     if (rv) {
         goto loser;
     }
 
     /* set the nickname */
     if (nickname == NULL) {
         cert->nickname = NULL;
-    }
-    else {
+    } else {
         /* copy and install the nickname */
         len = PORT_Strlen(nickname) + 1;
         cert->nickname = (char *)PORT_ArenaAlloc(arena, len);
         if (cert->nickname == NULL) {
             goto loser;
         }
 
         PORT_Memcpy(cert->nickname, nickname, len);
@@ -1002,18 +991,17 @@ SEC_GetCrlTimes(CERTCrl *date, PRTime *n
     }
 
     /* convert DER not-after time */
     if (date->nextUpdate.data) {
         rv = DER_DecodeTimeChoice(notAfter, &date->nextUpdate);
         if (rv) {
             return (SECFailure);
         }
-    }
-    else {
+    } else {
         LL_I2L(*notAfter, 0L);
     }
     return (SECSuccess);
 }
 
 /* These routines should probably be combined with the cert
  * routines using an common extraction routine.
  */
@@ -1127,18 +1115,17 @@ CERT_KeyUsageAndTypeForCertUsage(SECCert
                 requiredKeyUsage = KU_KEY_CERT_SIGN;
                 requiredCertType = NS_CERT_TYPE_OBJECT_SIGNING_CA |
                                    NS_CERT_TYPE_EMAIL_CA | NS_CERT_TYPE_SSL_CA;
                 break;
             default:
                 PORT_Assert(0);
                 goto loser;
         }
-    }
-    else {
+    } else {
         switch (usage) {
             case certUsageSSLClient:
                 /*
                  * RFC 5280 lists digitalSignature and keyAgreement for
                  * id-kp-clientAuth.  NSS does not support the *_fixed_dh and
                  * *_fixed_ecdh client certificate types.
                  */
                 requiredKeyUsage = KU_DIGITAL_SIGNATURE;
@@ -1351,42 +1338,39 @@ cert_TestHostName(char *cn, const char *
         int regvalid = PORT_RegExpValid(cn);
         if (regvalid != NON_SXP) {
             SECStatus rv;
             /* cn is a regular expression, try to match the shexp */
             int match = PORT_RegExpCaseSearch(hn, cn);
 
             if (match == 0) {
                 rv = SECSuccess;
-            }
-            else {
+            } else {
                 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
                 rv = SECFailure;
             }
             return rv;
         }
-    }
-    else {
+    } else {
         /* New approach conforms to RFC 6125. */
         char *wildcard = PORT_Strchr(cn, '*');
         char *firstcndot = PORT_Strchr(cn, '.');
         char *secondcndot =
             firstcndot ? PORT_Strchr(firstcndot + 1, '.') : NULL;
         char *firsthndot = PORT_Strchr(hn, '.');
 
         /* For a cn pattern to be considered valid, the wildcard character...
          * - may occur only in a DNS name with at least 3 components, and
          * - may occur only as last character in the first component, and
          * - may be preceded by additional characters, and
          * - must not be preceded by an IDNA ACE prefix (xn--)
          */
         if (wildcard && secondcndot && secondcndot[1] && firsthndot &&
-            firstcndot - wildcard ==
-                1 /* wildcard is last char in first component */
-            && secondcndot - firstcndot > 1 /* second component is non-empty */
+            firstcndot - wildcard == 1           /* wildcard is last char in first component */
+            && secondcndot - firstcndot > 1      /* second component is non-empty */
             && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
             && !PORT_Strncasecmp(cn, hn, wildcard - cn) &&
             !PORT_Strcasecmp(firstcndot, firsthndot)
             /* If hn starts with xn--, then cn must start with wildcard */
             && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
             /* valid wildcard pattern match */
             return SECSuccess;
         }
@@ -1468,33 +1452,30 @@ cert_VerifySubjectAltName(const CERTCert
             case certIPAddress:
                 if (isIPaddr) {
                     int match = 0;
                     PRIPv6Addr v6Addr;
                     if (current->name.other.len == 4 && /* IP v4 address */
                         netAddr.inet.family == PR_AF_INET) {
                         match = !memcmp(&netAddr.inet.ip,
                                         current->name.other.data, 4);
-                    }
-                    else if (current->name.other.len ==
-                                 16 && /* IP v6 address */
-                             netAddr.ipv6.family == PR_AF_INET6) {
+                    } else if (current->name.other.len ==
+                                   16 && /* IP v6 address */
+                               netAddr.ipv6.family == PR_AF_INET6) {
                         match = !memcmp(&netAddr.ipv6.ip,
                                         current->name.other.data, 16);
-                    }
-                    else if (current->name.other.len ==
-                                 16 && /* IP v6 address */
-                             netAddr.inet.family == PR_AF_INET) {
+                    } else if (current->name.other.len ==
+                                   16 && /* IP v6 address */
+                               netAddr.inet.family == PR_AF_INET) {
                         /* convert netAddr to ipv6, then compare. */
                         /* ipv4 must be in Network Byte Order on input. */
                         PR_ConvertIPv4AddrToIPv6(netAddr.inet.ip, &v6Addr);
                         match = !memcmp(&v6Addr, current->name.other.data, 16);
-                    }
-                    else if (current->name.other.len == 4 && /* IP v4 address */
-                             netAddr.inet.family == PR_AF_INET6) {
+                    } else if (current->name.other.len == 4 && /* IP v4 address */
+                               netAddr.inet.family == PR_AF_INET6) {
                         /* convert netAddr to ipv6, then compare. */
                         PRUint32 ipv4 = (current->name.other.data[0] << 24) |
                                         (current->name.other.data[1] << 16) |
                                         (current->name.other.data[2] << 8) |
                                         current->name.other.data[3];
                         /* ipv4 must be in Network Byte Order on input. */
                         PR_ConvertIPv4AddrToIPv6(PR_htonl(ipv4), &v6Addr);
                         match = !memcmp(&netAddr.ipv6.ip, &v6Addr, 16);
@@ -1512,18 +1493,17 @@ cert_VerifySubjectAltName(const CERTCert
         current = CERT_GetNextGeneralName(current);
     } while (current != nameList);
 
 fail:
 
     if (!(isIPaddr ? IPextCount : DNSextCount)) {
         /* no relevant value in the extension was found. */
         PORT_SetError(SEC_ERROR_EXTENSION_NOT_FOUND);
-    }
-    else {
+    } else {
         PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
     }
     rv = SECFailure;
 
 finish:
 
     /* Don't free nameList, it's part of the arena. */
     if (arena) {
@@ -1643,18 +1623,17 @@ cert_GetDNSPatternsFromGeneralNames(CERT
                             currentInput->name.other.len);
                 cn[currentInput->name.other.len] = 0;
                 break;
             case certIPAddress:
                 if (currentInput->name.other.len == 4) {
                     addr.inet.family = PR_AF_INET;
                     memcpy(&addr.inet.ip, currentInput->name.other.data,
                            currentInput->name.other.len);
-                }
-                else if (currentInput->name.other.len == 16) {
+                } else if (currentInput->name.other.len == 16) {
                     addr.ipv6.family = PR_AF_INET6;
                     memcpy(&addr.ipv6.ip, currentInput->name.other.data,
                            currentInput->name.other.len);
                 }
                 if (PR_NetAddrToString(&addr, ipbuf, sizeof(ipbuf)) ==
                     PR_FAILURE)
                     return SECFailure;
                 cn = PORT_ArenaStrdup(nickNames->arena, ipbuf);
@@ -1782,42 +1761,38 @@ CERT_VerifyCertName(const CERTCertificat
         return rv;
 
     cn = CERT_GetCommonName(&cert->subject);
     if (cn) {
         PRBool isIPaddr = cert_IsIPAddr(hn);
         if (isIPaddr) {
             if (PORT_Strcasecmp(hn, cn) == 0) {
                 rv = SECSuccess;
-            }
-            else {
+            } else {
                 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
                 rv = SECFailure;
             }
-        }
-        else {
+        } else {
             rv = cert_TestHostName(cn, hn);
         }
         PORT_Free(cn);
-    }
-    else
+    } else
         PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
     return rv;
 }
 
 PRBool
 CERT_CompareCerts(const CERTCertificate *c1, const CERTCertificate *c2)
 {
     SECComparison comp;
 
     comp = SECITEM_CompareItem(&c1->derCert, &c2->derCert);
     if (comp == SECEqual) { /* certs are the same */
         return (PR_TRUE);
-    }
-    else {
+    } else {
         return (PR_FALSE);
     }
 }
 
 static SECStatus
 StringsEqual(char *s1, char *s2)
 {
     if ((s1 == NULL) || (s2 == NULL)) {
@@ -1961,18 +1936,17 @@ CERT_MakeCANickname(CERTCertificate *cer
 
     org = CERT_GetOrgName(&cert->issuer);
     if (org == NULL) {
         org = CERT_GetDomainComponentName(&cert->issuer);
         if (org == NULL) {
             if (firstname) {
                 org = firstname;
                 firstname = NULL;
-            }
-            else {
+            } else {
                 org = PORT_Strdup("Unknown CA");
             }
         }
     }
 
     /* can only fail if PORT_Strdup fails, in which case
      * we're having memory problems. */
     if (org == NULL) {
@@ -1980,26 +1954,23 @@ CERT_MakeCANickname(CERTCertificate *cer
     }
 
     count = 1;
     while (1) {
 
         if (firstname) {
             if (count == 1) {
                 nickname = PR_smprintf("%s - %s", firstname, org);
-            }
-            else {
+            } else {
                 nickname = PR_smprintf("%s - %s #%d", firstname, org, count);
             }
-        }
-        else {
+        } else {
             if (count == 1) {
                 nickname = PR_smprintf("%s", org);
-            }
-            else {
+            } else {
                 nickname = PR_smprintf("%s #%d", org, count);
             }
         }
         if (nickname == NULL) {
             goto done;
         }
 
         /* look up the nickname to make sure it isn't in use already */
@@ -2099,18 +2070,17 @@ PRBool
 CERT_IsCACert(CERTCertificate *cert, unsigned int *rettype)
 {
     unsigned int cType = cert->nsCertType;
     PRBool ret = PR_FALSE;
 
     if (cType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
                  NS_CERT_TYPE_OBJECT_SIGNING_CA)) {
         ret = PR_TRUE;
-    }
-    else {
+    } else {
         SECStatus rv;
         CERTBasicConstraints constraints;
 
         rv = CERT_FindBasicConstraintExten(cert, &constraints);
         if (rv == SECSuccess && constraints.isCA) {
             ret = PR_TRUE;
             cType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA);
         }
@@ -2249,18 +2219,17 @@ CERT_IsNewer(CERTCertificate *certa, CER
 
     if (newerbefore) {
         /* cert A was issued after cert B, but expires sooner */
         /* if A is expired, then pick B */
         if (LL_CMP(notAfterA, <, now)) {
             return (PR_FALSE);
         }
         return (PR_TRUE);
-    }
-    else {
+    } else {
         /* cert B was issued after cert A, but expires sooner */
         /* if B is expired, then pick A */
         if (LL_CMP(notAfterB, <, now)) {
             return (PR_TRUE);
         }
         return (PR_FALSE);
     }
 }
@@ -2366,18 +2335,17 @@ CERT_DecodeTrustString(CERTCertTrust *tr
                 break;
             case 'g':
                 *pflags = *pflags | CERTDB_GOVT_APPROVED_CA;
                 break;
 
             case ',':
                 if (pflags == &trust->sslFlags) {
                     pflags = &trust->emailFlags;
-                }
-                else {
+                } else {
                     pflags = &trust->objectSigningFlags;
                 }
                 break;
             default:
                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
                 return SECFailure;
         }
     }
@@ -2484,32 +2452,30 @@ CERT_ImportCerts(CERTCertDBHandle *certd
                     /* if we are importing only a single cert and specifying
                      * a nickname, we want to use that nickname if it a CA,
                      * otherwise if there are more than one cert, we don't
                      * know which cert it belongs to. But we still may try
                      * the individual canickname from the cert itself.
                      */
                     /* Bug 1192442 - propagate errors from these calls. */
                     (void)CERT_AddTempCertToPerm(certs[i], canickname, NULL);
-                }
-                else {
+                } else {
                     (void)CERT_AddTempCertToPerm(
                         certs[i], nickname ? nickname : canickname, NULL);
                 }
 
                 PORT_Free(canickname);
                 /* don't care if it fails - keep going */
             }
         }
     }
 
     if (retCerts) {
         *retCerts = certs;
-    }
-    else {
+    } else {
         if (certs) {
             CERT_DestroyCertArray(certs, fcerts);
         }
     }
 
     return (fcerts || !ncerts) ? SECSuccess : SECFailure;
 }
 
@@ -2695,18 +2661,17 @@ CERT_SortCBValidity(CERTCertificate *cer
 
     if ((!newerbefore) && (!newerafter)) {
         return (PR_FALSE);
     }
 
     if (newerbefore) {
         /* cert A was issued after cert B, but expires sooner */
         return (PR_TRUE);
-    }
-    else {
+    } else {
         /* cert B was issued after cert A, but expires sooner */
         return (PR_FALSE);
     }
 }
 
 SECStatus
 CERT_AddCertToListSorted(CERTCertList *certs, CERTCertificate *cert,
                          CERTSortCallback f, void *arg)
@@ -2795,32 +2760,30 @@ CERT_FilterCertListByUsage(CERTCertList 
         if (!bad) {
             unsigned int certType = 0;
             if (ca) {
                 /* This function returns a more comprehensive cert type that
                  * takes trust flags into consideration.  Should probably
                  * fix the cert decoding code to do this.
                  */
                 (void)CERT_IsCACert(node->cert, &certType);
-            }
-            else {
+            } else {
                 certType = node->cert->nsCertType;
             }
             if (!(certType & requiredCertType)) {
                 bad = PR_TRUE;
             }
         }
 
         if (bad) {
             /* remove the node if it is bad */
             savenode = CERT_LIST_NEXT(node);
             CERT_RemoveCertListNode(node);
             node = savenode;
-        }
-        else {
+        } else {
             node = CERT_LIST_NEXT(node);
         }
     }
     return (SECSuccess);
 
 loser:
     return (SECFailure);
 }
@@ -2831,18 +2794,17 @@ CERT_IsUserCert(CERTCertificate *cert)
     CERTCertTrust trust;
     SECStatus rv = SECFailure;
 
     rv = CERT_GetCertTrust(cert, &trust);
     if (rv == SECSuccess &&
         ((trust.sslFlags & CERTDB_USER) || (trust.emailFlags & CERTDB_USER) ||
          (trust.objectSigningFlags & CERTDB_USER))) {
         return PR_TRUE;
-    }
-    else {
+    } else {
         return PR_FALSE;
     }
 }
 
 SECStatus
 CERT_FilterCertListForUserCerts(CERTCertList *certList)
 {
     CERTCertListNode *node, *freenode;
@@ -2856,18 +2818,17 @@ CERT_FilterCertListForUserCerts(CERTCert
 
     while (!CERT_LIST_END(node, certList)) {
         cert = node->cert;
         if (PR_TRUE != CERT_IsUserCert(cert)) {
             /* Not a User Cert, so remove this cert from the list */
             freenode = node;
             node = CERT_LIST_NEXT(node);
             CERT_RemoveCertListNode(freenode);
-        }
-        else {
+        } else {
             /* Is a User cert, so leave it in the list */
             node = CERT_LIST_NEXT(node);
         }
     }
 
     return (SECSuccess);
 }
 
@@ -2949,27 +2910,25 @@ SECStatus
 cert_DestroyLocks(void)
 {
     SECStatus rv = SECSuccess;
 
     PORT_Assert(certRefCountLock != NULL);
     if (certRefCountLock) {
         PZ_DestroyLock(certRefCountLock);
         certRefCountLock = NULL;
-    }
-    else {
+    } else {
         rv = SECFailure;
     }
 
     PORT_Assert(certTrustLock != NULL);
     if (certTrustLock) {
         PZ_DestroyLock(certTrustLock);
         certTrustLock = NULL;
-    }
-    else {
+    } else {
         rv = SECFailure;
     }
     return rv;
 }
 
 /*
  * Free the cert trust lock
  */
--- a/lib/certdb/certv3.c
+++ b/lib/certdb/certv3.c
@@ -133,18 +133,17 @@ CERT_FindSubjectKeyIDExtension(CERTCerti
         if (tmpArena) {
             rv = SEC_QuickDERDecodeItem(tmpArena, &decodedValue,
                                         SEC_ASN1_GET(SEC_OctetStringTemplate),
                                         &encodedValue);
             if (rv == SECSuccess) {
                 rv = SECITEM_CopyItem(NULL, retItem, &decodedValue);
             }
             PORT_FreeArena(tmpArena, PR_FALSE);
-        }
-        else {
+        } else {
             rv = SECFailure;
         }
     }
     SECITEM_FreeItem(&encodedValue, PR_FALSE);
     return rv;
 }
 
 SECStatus
@@ -212,16 +211,15 @@ CERT_CheckCertUsage(CERTCertificate *cer
     /* This code formerly ignored the Key Usage extension if it was
     ** marked non-critical.  That was wrong.  Since we do understand it,
     ** we are obligated to honor it, whether or not it is critical.
     */
     rv = CERT_FindKeyUsageExtension(cert, &keyUsage);
     if (rv == SECFailure) {
         rv = (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) ? SECSuccess
                                                                 : SECFailure;
-    }
-    else if (!(keyUsage.data[0] & usage)) {
+    } else if (!(keyUsage.data[0] & usage)) {
         PORT_SetError(SEC_ERROR_CERT_USAGES_INVALID);
         rv = SECFailure;
     }
     PORT_Free(keyUsage.data);
     return (rv);
 }
--- a/lib/certdb/certxutl.c
+++ b/lib/certdb/certxutl.c
@@ -197,18 +197,17 @@ CERT_AddExtensionByOID(void *exthandle, 
     }
 
     /* set the value */
     if (copyData) {
         rv = SECITEM_CopyItem(handle->ownerArena, &ext->value, value);
         if (rv) {
             return (SECFailure);
         }
-    }
-    else {
+    } else {
         ext->value = *value;
     }
 
     handle->count++;
 
     return (SECSuccess);
 }
 
@@ -357,18 +356,17 @@ CERT_MergeExtensions(void *exthandle, CE
         return SECFailure;
     }
     while ((ext = *extensions++) != NULL) {
         tag = SECOID_FindOIDTag(&ext->id);
         for (node = handle->head; node != NULL; node = node->next) {
             if (tag == 0) {
                 if (SECITEM_ItemsAreEqual(&ext->id, &node->ext->id))
                     break;
-            }
-            else {
+            } else {
                 if (SECOID_FindOIDTag(&node->ext->id) == tag) {
                     break;
                 }
             }
         }
         if (node == NULL) {
             PRBool critical = (ext->critical.len != 0 &&
                                ext->critical.data[ext->critical.len - 1] != 0);
--- a/lib/certdb/crl.c
+++ b/lib/certdb/crl.c
@@ -269,18 +269,17 @@ CERT_KeyFromDERCrl(PLArenaPool* arena, S
     SECStatus rv;
     CERTSignedData sd;
     CERTCrlKey crlkey;
     PLArenaPool* myArena;
 
     if (!arena) {
         /* arena needed for QuickDER */
         myArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-    }
-    else {
+    } else {
         myArena = arena;
     }
     PORT_Memset(&sd, 0, sizeof(sd));
     rv = SEC_QuickDERDecodeItem(myArena, &sd, CERT_SignedDataTemplate, derCrl);
     if (SECSuccess == rv) {
         PORT_Memset(&crlkey, 0, sizeof(crlkey));
         rv = SEC_QuickDERDecodeItem(myArena, &crlkey, cert_CrlKeyTemplate,
                                     &sd.data);
@@ -306,18 +305,17 @@ CERT_CompleteCRLDecodeEntries(CERTSigned
 {
     SECStatus rv = SECSuccess;
     SECItem* crldata = NULL;
     OpaqueCRLFields* extended = NULL;
 
     if ((!crl) || (!(extended = (OpaqueCRLFields*)crl->opaque)) ||
         (PR_TRUE == extended->decodingError)) {
         rv = SECFailure;
-    }
-    else {
+    } else {
         if (PR_FALSE == extended->partial) {
             /* the CRL has already been fully decoded */
             return SECSuccess;
         }
         if (PR_TRUE == extended->badEntries) {
             /* the entries decoding already failed */
             return SECFailure;
         }
@@ -328,18 +326,17 @@ CERT_CompleteCRLDecodeEntries(CERTSigned
     }
 
     if (SECSuccess == rv) {
         rv = SEC_QuickDERDecodeItem(crl->arena, &crl->crl,
                                     CERT_CrlTemplateEntriesOnly, crldata);
         if (SECSuccess == rv) {
             extended->partial = PR_FALSE; /* successful decode, avoid
                 decoding again */
-        }
-        else {
+        } else {
             extended->decodingError = PR_TRUE;
             extended->badEntries = PR_TRUE;
             /* cache the decoding failure. If it fails the first time,
                it will fail again, which will grow the arena and leak
                memory, so we want to avoid it */
         }
         rv = cert_check_crl_entries(&crl->crl);
         if (rv != SECSuccess) {
@@ -382,18 +379,17 @@ CERT_DecodeDERCrlWithFlags(PLArenaPool* 
     }
 
     /* make a new arena if needed */
     if (narena == NULL) {
         arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
         if (!arena) {
             return NULL;
         }
-    }
-    else {
+    } else {
         arena = narena;
     }
 
     /* allocate the CRL structure */
     crl = (CERTSignedCrl*)PORT_ArenaZAlloc(arena, sizeof(CERTSignedCrl));
     if (!crl) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         goto loser;
@@ -409,18 +405,17 @@ CERT_DecodeDERCrlWithFlags(PLArenaPool* 
     extended = (OpaqueCRLFields*)crl->opaque;
     if (options & CRL_DECODE_ADOPT_HEAP_DER) {
         extended->heapDER = PR_TRUE;
     }
     if (options & CRL_DECODE_DONT_COPY_DER) {
         crl->derCrl = derSignedCrl; /* DER is not copied . The application
                                        must keep derSignedCrl until it
                                        destroys the CRL */
-    }
-    else {
+    } else {
         crl->derCrl = (SECItem*)PORT_ArenaZAlloc(arena, sizeof(SECItem));
         if (crl->derCrl == NULL) {
             goto loser;
         }
         rv = SECITEM_CopyItem(arena, crl->derCrl, derSignedCrl);
         if (rv != SECSuccess) {
             goto loser;
         }
@@ -556,18 +551,17 @@ SEC_FindCrlByKeyOnSlot(PK11SlotInfo* slo
     if (crl) {
         crl->slot = slot;
         slot = NULL;   /* adopt it */
         derCrl = NULL; /* adopted by the crl struct */
         crl->pkcs11ID = crlHandle;
         if (url) {
             crl->url = PORT_ArenaStrdup(crl->arena, url);
         }
-    }
-    else {
+    } else {
         rv = SECFailure;
     }
 
     if (url) {
         PORT_Free(url);
     }
 
     if (slot) {
@@ -730,18 +724,17 @@ SEC_DestroyCrl(CERTSignedCrl* crl)
                 PR_TRUE == GetOpaqueCRLFields(crl)->heapDER) {
                 SECITEM_FreeItem(crl->derCrl, PR_TRUE);
             }
             if (crl->arena) {
                 PORT_FreeArena(crl->arena, PR_FALSE);
             }
         }
         return SECSuccess;
-    }
-    else {
+    } else {
         return SECFailure;
     }
 }
 
 SECStatus
 SEC_LookupCrls(CERTCertDBHandle* handle, CERTCrlHeadNode** nodes, int type)
 {
     CERTCrlHeadNode* head;
@@ -1010,25 +1003,23 @@ InitCRLCache(void)
                 PL_HashTableDestroy(namedCRLCache.entries);
                 namedCRLCache.entries = NULL;
             }
 
             return SECFailure;
         }
         crlcache_initialized = PR_TRUE;
         return SECSuccess;
-    }
-    else {
+    } else {
         PORT_Assert(crlcache.lock);
         PORT_Assert(crlcache.issuers);
         if ((NULL == crlcache.lock) || (NULL == crlcache.issuers)) {
             /* CRL cache not fully initialized */
             return SECFailure;
-        }
-        else {
+        } else {
             /* CRL cache already initialized */
             return SECSuccess;
         }
     }
 }
 
 /* destructor for CRL DPCache object */
 static SECStatus
@@ -1042,18 +1033,17 @@ DPCache_Destroy(CRLDPCache* cache)
         return SECFailure;
     }
     if (cache->lock) {
 #ifdef DPC_RWLOCK
         NSSRWLock_Destroy(cache->lock);
 #else
         PR_DestroyLock(cache->lock);
 #endif
-    }
-    else {
+    } else {
         PORT_Assert(0);
         return SECFailure;
     }
     /* destroy all our CRL objects */
     for (i = 0; i < cache->ncrls; i++) {
         if (!cache->crls || !cache->crls[i] ||
             SECSuccess != CachedCrl_Destroy(cache->crls[i])) {
             return SECFailure;
@@ -1087,18 +1077,17 @@ IssuerCache_Destroy(CRLIssuerCache* cach
     if (!cache) {
         PORT_Assert(0);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
 #ifdef XCRL
     if (cache->lock) {
         NSSRWLock_Destroy(cache->lock);
-    }
-    else {
+    } else {
         PORT_Assert(0);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
     if (cache->issuer) {
         CERT_DestroyCertificate(cache->issuer);
     }
 #endif
@@ -1402,31 +1391,30 @@ TokenCRLStillExists(CERTSignedCrl* crl)
 
     arena = NSSArena_Create();
     PORT_Assert(arena);
     if (!arena) {
         return PR_FALSE;
     }
 
     status =
-        nssCryptokiCRL_GetAttributes(&instance, NULL, /* XXX sessionOpt */
+        nssCryptokiCRL_GetAttributes(&instance, NULL,          /* XXX sessionOpt */
                                      arena, NULL, &newsubject, /* subject */
                                      &crl_class,               /* class */
                                      NULL, NULL);
     if (PR_SUCCESS == status) {
         subject.data = newsubject.data;
         subject.len = newsubject.size;
         if (SECITEM_CompareItem(oldSubject, &subject) != SECEqual) {
             xstatus = PR_FALSE;
         }
         if (CKO_NETSCAPE_CRL != crl_class) {
             xstatus = PR_FALSE;
         }
-    }
-    else {
+    } else {
         xstatus = PR_FALSE;
     }
     NSSArena_Destroy(arena);
     return xstatus;
 }
 
 /* verify the signature of a CRL against its issuer at a given date */
 static SECStatus
@@ -1459,18 +1447,17 @@ CachedCrl_Verify(CRLDPCache* cache, Cach
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
     if (PR_TRUE == GetOpaqueCRLFields(crlobject->crl)->decodingError) {
         crlobject->sigChecked = PR_TRUE; /* we can never verify a CRL
             with bogus DER. Mark it checked so we won't try again */
         PORT_SetError(SEC_ERROR_BAD_DER);
         return SECSuccess;
-    }
-    else {
+    } else {
         SECStatus signstatus = SECFailure;
         if (cache->issuerDERCert) {
             CERTCertificate* issuer = CERT_NewTempCertificate(
                 cache->dbHandle, cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE);
 
             if (issuer) {
                 signstatus =
                     CERT_VerifyCRL(crlobject->crl, issuer, vfdate, wincx);
@@ -1479,24 +1466,22 @@ CachedCrl_Verify(CRLDPCache* cache, Cach
         }
         if (SECSuccess != signstatus) {
             if (!cache->issuerDERCert) {
                 /* we tried to verify without an issuer cert . This is
                    because this CRL came through a call to SEC_FindCrlByName.
                    So, we don't cache this verification failure. We'll try
                    to verify the CRL again when a certificate from that issuer
                    becomes available */
-            }
-            else {
+            } else {
                 crlobject->sigChecked = PR_TRUE;
             }
             PORT_SetError(SEC_ERROR_CRL_BAD_SIGNATURE);
             return SECSuccess;
-        }
-        else {
+        } else {
             crlobject->sigChecked = PR_TRUE;
             crlobject->sigValid = PR_TRUE;
         }
     }
 
     return SECSuccess;
 }
 
@@ -1517,18 +1502,17 @@ DPCache_FetchFromTokens(CRLDPCache* cach
     rv = pk11_RetrieveCrls(&head, cache->subject, wincx);
 
     /* if this function fails, something very wrong happened, such as an out
        of memory error during CRL decoding. We don't want to proceed and must
        mark the cache object invalid */
     if (SECFailure == rv) {
         /* fetch failed, add error bit */
         cache->invalid |= CRL_CACHE_LAST_FETCH_FAILED;
-    }
-    else {
+    } else {
         /* fetch was successful, clear this error bit */
         cache->invalid &= (~CRL_CACHE_LAST_FETCH_FAILED);
     }
 
     /* add any CRLs found to our array */
     if (SECSuccess == rv) {
         CERTCrlNode* crlNode = NULL;
 
@@ -1541,22 +1525,20 @@ DPCache_FetchFromTokens(CRLDPCache* cach
             }
             rv = CachedCrl_Create(&returned, crlobject, CRL_OriginToken);
             if (SECSuccess == rv) {
                 PRBool added = PR_FALSE;
                 rv = DPCache_AddCRL(cache, returned, &added);
                 if (PR_TRUE != added) {
                     rv = CachedCrl_Destroy(returned);
                     returned = NULL;
-                }
-                else if (vfdate) {
+                } else if (vfdate) {
                     rv = CachedCrl_Verify(cache, returned, vfdate, wincx);
                 }
-            }
-            else {
+            } else {
                 /* not enough memory to add the CRL to the cache. mark it
                    invalid so we will try again . */
                 cache->invalid |= CRL_CACHE_LAST_FETCH_FAILED;
             }
             if (SECFailure == rv) {
                 break;
             }
         }
@@ -1590,18 +1572,17 @@ CachedCrl_GetEntry(CachedCrl* crl, const
     PORT_Assert(returned);
     if (!crl || !sn || !returned || !crl->entries) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     acrlEntry = PL_HashTableLookup(crl->entries, (void*)sn);
     if (acrlEntry) {
         *returned = acrlEntry;
-    }
-    else {
+    } else {
         *returned = NULL;
     }
     return SECSuccess;
 }
 
 /* check if a particular SN is in the CRL cache and return its entry */
 dpcacheStatus
 DPCache_Lookup(CRLDPCache* cache, const SECItem* sn, CERTCrlEntry** returned)
@@ -1621,22 +1602,20 @@ DPCache_Lookup(CRLDPCache* cache, const 
     if (!cache->selected) {
         /* no CRL means no entry to return. This is OK, except for
          * NIST policy */
         return dpcacheEmpty;
     }
     rv = CachedCrl_GetEntry(cache->selected, sn, returned);
     if (SECSuccess != rv) {
         return dpcacheLookupError;
-    }
-    else {
+    } else {
         if (*returned) {
             return dpcacheFoundEntry;
-        }
-        else {
+        } else {
             return dpcacheNoEntry;
         }
     }
 }
 
 #if defined(DPC_RWLOCK)
 
 #define DPCache_LockWrite()                                                    \
@@ -1903,18 +1882,17 @@ SortImperfectCRLs(const void* arg1, cons
     CachedCrl *a, *b;
 
     a = *(CachedCrl**)arg1;
     b = *(CachedCrl**)arg2;
 
     if (!a || !b) {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         PORT_Assert(0);
-    }
-    else {
+    } else {
         PRBool aDecoded = PR_FALSE, bDecoded = PR_FALSE;
         if ((PR_TRUE == a->sigValid) && (PR_TRUE == b->sigValid)) {
             /* both CRLs have been validated, choose the latest one */
             return SortCRLsByThisUpdate(arg1, arg2);
         }
         if (PR_TRUE == a->sigValid) {
             return 1; /* a is greater than b */
         }
@@ -1961,18 +1939,17 @@ DPCache_SelectCRL(CRLDPCache* cache)
             !cache->crls[i]->sigValid) {
             valid = PR_FALSE;
             break;
         }
     }
     if (PR_TRUE == valid) {
         /* all CRLs are valid, clear this error */
         cache->invalid &= (~CRL_CACHE_INVALID_CRLS);
-    }
-    else {
+    } else {
         /* some CRLs are invalid, set this error */
         cache->invalid |= CRL_CACHE_INVALID_CRLS;
     }
 
     if (cache->invalid) {
         /* cache is in an invalid state, so reset it */
         if (cache->selected) {
             cache->selected = NULL;
@@ -2093,18 +2070,17 @@ IssuerCache_AddDP(CRLIssuerCache* cache,
     }
     if (!dp) {
         /* default distribution point */
         SECStatus rv = DPCache_Create(&cache->dpp, issuer, subject, NULL);
         if (SECSuccess == rv) {
             *newdpc = cache->dpp;
             return SECSuccess;
         }
-    }
-    else {
+    } else {
         /* we should never hit this until we support multiple DPs */
         PORT_Assert(dp);
         /* XCRL allocate a new distribution point cache object, initialize it,
            and add it to the hash table of DPs */
     }
     return SECFailure;
 }
 
@@ -2289,34 +2265,32 @@ AcquireDPCache(CERTCertificate* issuer, 
             if (!existing) {
 #endif
                 rv = CRLCache_AddIssuer(issuercache);
                 if (SECSuccess != rv) {
                     /* failure */
                     rv = SECFailure;
                 }
 #ifdef GLOBAL_RWLOCK
-            }
-            else {
+            } else {
                 /* somebody else updated before we did */
                 IssuerCache_Destroy(issuercache); /* destroy the new object */
                 issuercache = existing;           /* use the existing one */
                 *dpcache = IssuerCache_GetDPCache(issuercache, dp);
             }
 #endif
         }
 
 /* now unlock the global cache. We only want to lock the issuer hash
    table addition. Holding it longer would hurt scalability */
 #ifdef GLOBAL_RWLOCK
         if (PR_TRUE == globalwrite) {
             NSSRWLock_UnlockWrite(crlcache.lock);
             globalwrite = PR_FALSE;
-        }
-        else {
+        } else {
             NSSRWLock_UnlockRead(crlcache.lock);
         }
 #else
         PR_Unlock(crlcache.lock);
 #endif
 
         /* if there was a failure adding an issuer cache object, destroy it */
         if (SECSuccess != rv && issuercache) {
@@ -2329,18 +2303,17 @@ AcquireDPCache(CERTCertificate* issuer, 
             }
             IssuerCache_Destroy(issuercache);
             issuercache = NULL;
         }
 
         if (SECSuccess != rv) {
             return SECFailure;
         }
-    }
-    else {
+    } else {
 #ifdef GLOBAL_RWLOCK
         NSSRWLock_UnlockRead(crlcache.lock);
 #else
         PR_Unlock(crlcache.lock);
 #endif
         *dpcache = IssuerCache_GetDPCache(issuercache, dp);
     }
     /* we now have a DPCache that we can use for lookups */
@@ -2355,18 +2328,17 @@ AcquireDPCache(CERTCertificate* issuer, 
 
     if (SECSuccess == rv) {
         /* currently there is always one and only one DPCache per issuer */
         PORT_Assert(*dpcache);
         if (*dpcache) {
             /* make sure the DP cache is up to date before using it */
             rv = DPCache_GetUpToDate(*dpcache, issuer, PR_FALSE == *writeLocked,
                                      t, wincx);
-        }
-        else {
+        } else {
             rv = SECFailure;
         }
     }
     return rv;
 }
 
 /* unlock access to the DPCache */
 void
@@ -2374,18 +2346,17 @@ ReleaseDPCache(CRLDPCache* dpcache, PRBo
 {
     if (!dpcache) {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return;
     }
 #ifdef DPC_RWLOCK
     if (PR_TRUE == writeLocked) {
         NSSRWLock_UnlockWrite(dpcache->lock);
-    }
-    else {
+    } else {
         NSSRWLock_UnlockRead(dpcache->lock);
     }
 #else
     PR_Unlock(dpcache->lock);
 #endif
 }
 
 SECStatus
@@ -2441,28 +2412,25 @@ cert_CheckCertRevocationStatus(CERTCerti
                 if (SECSuccess ==
                     DER_DecodeTimeChoice(&revocationDate,
                                          &entry->revocationDate)) {
                     /* we got a good revocation date, only consider the
                        certificate revoked if the time we are inquiring about
                        is past the revocation date */
                     if (t >= revocationDate) {
                         rv = SECFailure;
-                    }
-                    else {
+                    } else {
                         status = certRevocationStatusValid;
                     }
-                }
-                else {
+                } else {
                     /* invalid revocation date, consider the certificate
                        permanently revoked */
                     rv = SECFailure;
                 }
-            }
-            else {
+            } else {
                 /* no revocation date, certificate is permanently revoked */
                 rv = SECFailure;
             }
             if (SECFailure == rv) {
                 (void)CERT_FindCRLEntryReasonExten(entry, &reason);
                 PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
             }
             break;
@@ -2756,18 +2724,17 @@ addCRLToCache(CERTCertDBHandle* dbhandle
         rv = NamedCRLCacheEntry_Destroy(entry); /* destroys CRL too */
         PORT_Assert(SECSuccess == rv);
         return SECFailure;
     }
     /* now, attempt to insert CRL into CRL cache */
     if (SECSuccess == CERT_CacheCRL(dbhandle, entry->crl)) {
         entry->inCRLCache = PR_TRUE;
         entry->successfulInsertionTime = entry->lastAttemptTime;
-    }
-    else {
+    } else {
         switch (PR_GetError()) {
             case SEC_ERROR_CRL_ALREADY_EXISTS:
                 entry->dupe = PR_TRUE;
                 break;
 
             case SEC_ERROR_BAD_DER:
                 entry->badDER = PR_TRUE;
                 break;
@@ -2824,73 +2791,67 @@ cert_CacheCRLByGeneralName(CERTCertDBHan
             /* add new good entry to the hash table */
             if (NULL == PL_HashTableAdd(namedCRLCache.entries,
                                         (void*)newEntry->canonicalizedName,
                                         (void*)newEntry)) {
                 PORT_Assert(0);
                 NamedCRLCacheEntry_Destroy(newEntry);
                 rv = SECFailure;
             }
-        }
-        else {
+        } else {
             PRBool removed;
             /* remove the old CRL from the cache if needed */
             if (oldEntry->inCRLCache) {
                 rv = CERT_UncacheCRL(dbhandle, oldEntry->crl);
                 PORT_Assert(SECSuccess == rv);
             }
             removed = PL_HashTableRemove(namedCRLCache.entries,
                                          (void*)oldEntry->canonicalizedName);
             PORT_Assert(removed);
             if (!removed) {
                 rv = SECFailure;
                 /* leak old entry since we couldn't remove it from the hash
                  * table */
-            }
-            else {
+            } else {
                 PORT_CheckSuccess(NamedCRLCacheEntry_Destroy(oldEntry));
             }
             if (NULL == PL_HashTableAdd(namedCRLCache.entries,
                                         (void*)newEntry->canonicalizedName,
                                         (void*)newEntry)) {
                 PORT_Assert(0);
                 rv = SECFailure;
             }
         }
-    }
-    else {
+    } else {
         /* error adding new CRL to cache */
         if (!oldEntry) {
             /* no old cache entry, use the new one even though it's bad */
             if (NULL == PL_HashTableAdd(namedCRLCache.entries,
                                         (void*)newEntry->canonicalizedName,
                                         (void*)newEntry)) {
                 PORT_Assert(0);
                 rv = SECFailure;
             }
-        }
-        else {
+        } else {
             if (oldEntry->inCRLCache) {
                 /* previous cache entry was good, keep it and update time */
                 oldEntry->lastAttemptTime = newEntry->lastAttemptTime;
                 /* throw away new bad entry */
                 rv = NamedCRLCacheEntry_Destroy(newEntry);
                 PORT_Assert(SECSuccess == rv);
-            }
-            else {
+            } else {
                 /* previous cache entry was bad, just replace it */
                 PRBool removed = PL_HashTableRemove(
                     namedCRLCache.entries, (void*)oldEntry->canonicalizedName);
                 PORT_Assert(removed);
                 if (!removed) {
                     /* leak old entry since we couldn't remove it from the hash
                      * table */
                     rv = SECFailure;
-                }
-                else {
+                } else {
                     PORT_CheckSuccess(NamedCRLCacheEntry_Destroy(oldEntry));
                 }
                 if (NULL == PL_HashTableAdd(namedCRLCache.entries,
                                             (void*)newEntry->canonicalizedName,
                                             (void*)newEntry)) {
                     PORT_Assert(0);
                     rv = SECFailure;
                 }
@@ -3059,18 +3020,17 @@ CachedCrl_Compare(CachedCrl* a, CachedCr
            to truly be a dupe */
         if ((b->crl->slot == a->crl->slot) &&
             (b->crl->pkcs11ID == a->crl->pkcs11ID)) {
             /* ASN.1 DER needs to match for dupe check */
             /* could optimize by just checking a few fields like thisUpdate */
             if (SECEqual ==
                 SECITEM_CompareItem(b->crl->derCrl, a->crl->derCrl)) {
                 *isDupe = PR_TRUE;
-            }
-            else {
+            } else {
                 *isUpdated = PR_TRUE;
             }
         }
         return SECSuccess;
     }
     if (CRL_OriginExplicit == b->origin) {
         /* We need to make sure this is the same object that the user provided
            to CERT_CacheCRL previously. That API takes a SECItem*, thus, we
--- a/lib/certdb/genname.c
+++ b/lib/certdb/genname.c
@@ -194,18 +194,17 @@ cert_CopyOneGeneralName(PLArenaPool *are
             break;
 
         default:
             rv = SECITEM_CopyItem(arena, &dest->name.other, &src->name.other);
             break;
     }
     if (rv != SECSuccess) {
         PORT_ArenaRelease(arena, mark);
-    }
-    else {
+    } else {
         PORT_ArenaUnmark(arena, mark);
     }
     return rv;
 }
 
 void
 CERT_DestroyGeneralNameList(CERTGeneralNameList *list)
 {
@@ -213,18 +212,17 @@ CERT_DestroyGeneralNameList(CERTGeneralN
 
     if (list != NULL) {
         lock = list->lock;
         PZ_Lock(lock);
         if (--list->refCount <= 0 && list->arena != NULL) {
             PORT_FreeArena(list->arena, PR_FALSE);
             PZ_Unlock(lock);
             PZ_DestroyLock(lock);
-        }
-        else {
+        } else {
             PZ_Unlock(lock);
         }
     }
     return;
 }
 
 CERTGeneralNameList *
 CERT_CreateGeneralNameList(CERTGeneralName *name)
@@ -433,18 +431,17 @@ CERT_DecodeGeneralName(PLArenaPool *reqA
         return NULL;
     }
     /* TODO: mark arena */
     genNameType = (CERTGeneralNameType)((*(newEncodedName->data) & 0x0f) + 1);
     if (genName == NULL) {
         genName = CERT_NewGeneralName(reqArena, genNameType);
         if (!genName)
             goto loser;
-    }
-    else {
+    } else {
         genName->type = genNameType;
         genName->l.prev = genName->l.next = &genName->l;
     }
 
     switch (genNameType) {
         case certURI:
             template = CERT_URITemplate;
             break;
@@ -701,18 +698,17 @@ cert_DecodeNameConstraintSubTree(PLArena
     /* TODO: mark arena */
     while (subTree[i] != NULL) {
         current = cert_DecodeNameConstraint(arena, subTree[i]);
         if (current == NULL) {
             goto loser;
         }
         if (first == NULL) {
             first = current;
-        }
-        else {
+        } else {
             current->l.prev = &(last->l);
             last->l.next = &(current->l);
         }
         last = current;
         i++;
     }
     first->l.prev = &(last->l);
     last->l.next = &(first->l);
@@ -811,18 +807,17 @@ CERT_CopyGeneralName(PLArenaPool *arena,
                 temp = CERT_NewGeneralName(arena, (CERTGeneralNameType)0);
                 if (!temp)
                     goto loser;
                 temp->l.next = &destHead->l;
                 temp->l.prev = &dest->l;
                 destHead->l.prev = &temp->l;
                 dest->l.next = &temp->l;
                 dest = temp;
-            }
-            else {
+            } else {
                 dest = CERT_GetNextGeneralName(dest);
             }
         }
     } while (src != srcHead && rv == SECSuccess);
     /* TODO: unmark arena */
     return rv;
 loser:
     /* TODO: release back to mark */
@@ -884,21 +879,19 @@ cert_CombineNamesLists(CERTGeneralName *
 {
     PRCList *begin1;
     PRCList *begin2;
     PRCList *end1;
     PRCList *end2;
 
     if (list1 == NULL) {
         return list2;
-    }
-    else if (list2 == NULL) {
+    } else if (list2 == NULL) {
         return list1;
-    }
-    else {
+    } else {
         begin1 = &list1->l;
         begin2 = &list2->l;
         end1 = list1->l.prev;
         end2 = list2->l.prev;
         end1->next = begin2;
         end2->next = begin1;
         begin1->prev = end2;
         begin2->prev = end1;
@@ -912,21 +905,19 @@ cert_CombineConstraintsLists(CERTNameCon
 {
     PRCList *begin1;
     PRCList *begin2;
     PRCList *end1;
     PRCList *end2;
 
     if (list1 == NULL) {
         return list2;
-    }
-    else if (list2 == NULL) {
+    } else if (list2 == NULL) {
         return list1;
-    }
-    else {
+    } else {
         begin1 = &list1->l;
         begin2 = &list2->l;
         end1 = list1->l.prev;
         end2 = list2->l.prev;
         end1->next = begin2;
         end2->next = begin1;
         begin1->prev = end2;
         begin2->prev = end1;
@@ -1543,26 +1534,24 @@ CERT_AddNameConstraintByGeneralName(PLAr
         goto done;
     }
 
     current->name.l.prev = current->name.l.next = &(current->name.l);
 
     if (first == NULL) {
         *constraints = current;
         PR_INIT_CLIST(&current->l);
-    }
-    else {
+    } else {
         PR_INSERT_BEFORE(&current->l, &first->l);
     }
 
 done:
     if (rv == SECFailure) {
         PORT_ArenaRelease(arena, mark);
-    }
-    else {
+    } else {
         PORT_ArenaUnmark(arena, mark);
     }
     return rv;
 }
 
 /*
  * Here we define a list of name constraints to be imposed on
  * certain certificates, most importantly root certificates.
@@ -1689,18 +1678,17 @@ CERT_FindNameConstraintsExten(PLArenaPoo
     *constraints = cert_DecodeNameConstraints(arena, &constraintsExtension);
     if (*constraints == NULL) { /* decode failed */
         rv = SECFailure;
     }
     PORT_Free(constraintsExtension.data);
 
     if (rv == SECFailure) {
         PORT_ArenaRelease(arena, mark);
-    }
-    else {
+    } else {
         PORT_ArenaUnmark(arena, mark);
     }
 
     return rv;
 }
 
 /* Verify name against all the constraints relevant to that type of
 ** the name.
--- a/lib/certdb/polcyxtn.c
+++ b/lib/certdb/polcyxtn.c
@@ -286,26 +286,24 @@ CERT_DecodePolicyConstraintsExtension(
                                     encodedValue);
 
         if (rv != SECSuccess) {
             break;
         }
 
         if (decodeContext.explicitPolicySkipCerts.len == 0) {
             *(PRInt32 *)decodedValue->explicitPolicySkipCerts.data = -1;
-        }
-        else {
+        } else {
             *(PRInt32 *)decodedValue->explicitPolicySkipCerts.data =
                 DER_GetInteger(&decodeContext.explicitPolicySkipCerts);
         }
 
         if (decodeContext.inhibitMappingSkipCerts.len == 0) {
             *(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data = -1;
-        }
-        else {
+        } else {
             *(PRInt32 *)decodedValue->inhibitMappingSkipCerts.data =
                 DER_GetInteger(&decodeContext.inhibitMappingSkipCerts);
         }
 
         if ((*(PRInt32 *)decodedValue->explicitPolicySkipCerts.data ==
              PR_INT32_MIN) ||
             (*(PRInt32 *)decodedValue->explicitPolicySkipCerts.data ==
              PR_INT32_MAX) ||
@@ -470,18 +468,17 @@ stringFromUserNotice(SECItem *noticeItem
             while (*noticeNumbers != NULL) {
                 /* XXX - only one byte integers right now*/
                 strnum = (*noticeNumbers)->data[0];
                 policystr =
                     (*policyStringCB)(stringbuf, strnum, policyStringCBArg);
                 if (policystr != NULL) {
                     if (retstr != NULL) {
                         retstr = PR_sprintf_append(retstr, "\n%s", policystr);
-                    }
-                    else {
+                    } else {
                         retstr = PR_sprintf_append(retstr, "%s", policystr);
                     }
 
                     PORT_Free(policystr);
                 }
 
                 noticeNumbers++;
             }
--- a/lib/certdb/secname.c
+++ b/lib/certdb/secname.c
@@ -49,18 +49,17 @@ AddToArray(PLArenaPool *arena, void **ar
             count++;
         }
     }
 
     if (array) {
         array =
             (void **)PORT_ArenaGrow(arena, array, (count + 1) * sizeof(void *),
                                     (count + 2) * sizeof(void *));
-    }
-    else {
+    } else {
         array = (void **)PORT_ArenaAlloc(arena, (count + 2) * sizeof(void *));
     }
     if (array) {
         array[count] = element;
         array[count + 1] = 0;
     }
     return array;
 }
@@ -341,18 +340,17 @@ CERT_CreateName(CERTRDN *rdn0, ...)
 
     name = (CERTName *)PORT_ArenaAlloc(arena, sizeof(CERTName));
     if (name) {
         name->arena = arena;
 
         /* Count number of RDNs going into the Name */
         if (!rdn0) {
             count = 0;
-        }
-        else {
+        } else {
             count = 1;
             va_start(ap, rdn0);
             while ((rdn = va_arg(ap, CERTRDN *)) != 0) {
                 count++;
             }
             va_end(ap);
         }
 
@@ -463,18 +461,17 @@ canonicalize(SECItem *foo)
     dest = 0;
     lastch = ' ';
     while (src < len) {
         ch = foo->data[src++];
         if (ch == ' ' || ch == '\t' || ch == '\r' || ch == '\n') {
             ch = ' ';
             if (ch == lastch)
                 continue;
-        }
-        else if (ch >= 'A' && ch <= 'Z') {
+        } else if (ch >= 'A' && ch <= 'Z') {
             ch |= 0x20; /* downshift */
         }
         foo->data[dest++] = lastch = ch;
     }
     foo->len = dest;
 }
 
 /* SECItems a and b contain DER-encoded printable strings. */
@@ -517,18 +514,17 @@ CERT_CompareAVA(const CERTAVA *a, const 
             SECItem *aVal = CERT_DecodeAVAValue(&a->value);
             SECItem *bVal = CERT_DecodeAVAValue(&b->value);
             if (aVal && aVal->len && aVal->data && bVal && bVal->len &&
                 bVal->data) {
                 rv = SECITEM_CompareItem(aVal, bVal);
             }
             SECITEM_FreeItem(aVal, PR_TRUE);
             SECITEM_FreeItem(bVal, PR_TRUE);
-        }
-        else if (a->value.data[0] == 0x13) { /* both are printable strings. */
+        } else if (a->value.data[0] == 0x13) { /* both are printable strings. */
             /* printable strings */
             rv = CERT_CompareDERPrintableStrings(&a->value, &b->value);
         }
     }
     return rv;
 }
 
 SECComparison
--- a/lib/certdb/stanpcertdb.c
+++ b/lib/certdb/stanpcertdb.c
@@ -88,18 +88,17 @@ SEC_DeletePermCertificate(CERTCertificat
 
 SECStatus
 CERT_GetCertTrust(const CERTCertificate *cert, CERTCertTrust *trust)
 {
     SECStatus rv;
     CERT_LockCertTrust(cert);
     if (cert->trust == NULL) {
         rv = SECFailure;
-    }
-    else {
+    } else {
         *trust = *cert->trust;
         rv = SECSuccess;
     }
     CERT_UnlockCertTrust(cert);
     return (rv);
 }
 
 extern const NSSError NSS_ERROR_NO_ERROR;
@@ -354,18 +353,17 @@ CERT_NewTempCertificate(CERTCertDBHandle
              * so it is still possible to return a cert with the same
              * issuer/serial but a different encoding, and we're
              * going to reject that
              */
             if (!nssItem_Equal(&c->encoding, &encoding, NULL)) {
                 nssCertificate_Destroy(c);
                 PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
                 cc = NULL;
-            }
-            else {
+            } else {
                 cc = STAN_GetCERTCertificateOrRelease(c);
                 if (cc == NULL) {
                     CERT_MapStanError();
                 }
             }
             return cc;
         }
     }
@@ -379,18 +377,17 @@ CERT_NewTempCertificate(CERTCertDBHandle
         CERT_MapStanError();
         nssPKIObject_Destroy(pkio);
         return NULL;
     }
     c->object = *pkio;
     if (copyDER) {
         nssItem_Create(c->object.arena, &c->encoding, derCert->len,
                        derCert->data);
-    }
-    else {
+    } else {
         NSSITEM_FROM_SECITEM(&c->encoding, derCert);
     }
     /* Forces a decoding of the cert in order to obtain the parts used
      * below
      */
     /* 'c' is not adopted here, if we fail loser frees what has been
      * allocated so far for 'c' */
     cc = STAN_GetCERTCertificate(c);
@@ -476,18 +473,17 @@ CERT_FindCertByIssuerAndSN(CERTCertDBHan
 
 static NSSCertificate *
 get_best_temp_or_perm(NSSCertificate *ct, NSSCertificate *cp)
 {
     NSSUsage usage;
     NSSCertificate *arr[3];
     if (!ct) {
         return nssCertificate_AddRef(cp);
-    }
-    else if (!cp) {
+    } else if (!cp) {
         return nssCertificate_AddRef(ct);
     }
     arr[0] = ct;
     arr[1] = cp;
     arr[2] = NULL;
     usage.anyUsage = PR_TRUE;
     return nssCertificateArray_FindBestCertificate(arr, NULL, &usage, NULL);
 }
@@ -560,18 +556,17 @@ CERT_FindCertByNickname(CERTCertDBHandle
     cert = PK11_FindCertFromNickname(nickname, NULL);
     c = NULL;
     if (cert) {
         c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
         CERT_DestroyCertificate(cert);
         if (ct) {
             CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
         }
-    }
-    else {
+    } else {
         c = ct;
     }
     return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
 }
 
 CERTCertificate *
 CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
 {
@@ -622,18 +617,17 @@ common_FindCertByNicknameOrEmailAddrForU
             ct = NSSCryptoContext_FindBestCertificateByEmail(
                 cc, lowercaseName, NULL, &usage, NULL);
             PORT_Free(lowercaseName);
         }
     }
 
     if (anyUsage) {
         cert = PK11_FindCertFromNickname(name, NULL);
-    }
-    else {
+    } else {
         if (ct) {
             /* Does ct really have the required usage? */
             nssDecodedCert *dc;
             dc = nssCertificate_GetDecoding(ct);
             if (!dc->matchUsage(dc, &usage)) {
                 CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
                 ct = NULL;
             }
@@ -652,18 +646,17 @@ common_FindCertByNicknameOrEmailAddrForU
     }
 
     if (cert) {
         c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
         CERT_DestroyCertificate(cert);
         if (ct) {
             CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
         }
-    }
-    else {
+    } else {
         c = ct;
     }
     return c ? STAN_GetCERTCertificateOrRelease(c) : NULL;
 }
 
 CERTCertificate *
 CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, const char *name)
 {
@@ -688,18 +681,17 @@ add_to_subject_list(CERTCertList *certLi
     if (!validOnly ||
         CERT_CheckCertValidTimes(cert, sorttime, PR_FALSE) ==
             secCertTimeValid) {
         secrv = CERT_AddCertToListSorted(certList, cert, CERT_SortCBValidity,
                                          (void *)&sorttime);
         if (secrv != SECSuccess) {
             CERT_DestroyCertificate(cert);
         }
-    }
-    else {
+    } else {
         CERT_DestroyCertificate(cert);
     }
 }
 
 CERTCertList *
 CERT_CreateSubjectCertList(CERTCertList *certList, CERTCertDBHandle *handle,
                            const SECItem *name, PRTime sorttime,
                            PRBool validOnly)
@@ -771,18 +763,17 @@ CERT_DestroyCertificate(CERTCertificate 
          * go to the trouble of translating the CERTCertificate into
          * an NSSCertificate just to destroy it.  If it hasn't been done
          * yet, don't do it at all.
          */
         NSSCertificate *tmp = cert->nssCertificate;
         if (tmp) {
             /* delete the NSSCertificate */
             NSSCertificate_Destroy(tmp);
-        }
-        else if (cert->arena) {
+        } else if (cert->arena) {
             PORT_FreeArena(cert->arena, PR_FALSE);
         }
     }
     return;
 }
 
 int
 CERT_GetDBContentVersion(CERTCertDBHandle *handle)
@@ -816,97 +807,89 @@ certdb_SaveSingleProfile(CERTCertificate
         stanProfile = nssCryptoContext_FindSMIMEProfileForCertificate(cc, c);
         if (stanProfile) {
             PORT_Assert(stanProfile->profileData);
             SECITEM_FROM_NSSITEM(&oldprof, stanProfile->profileData);
             oldProfile = &oldprof;
             SECITEM_FROM_NSSITEM(&oldproftime, stanProfile->profileTime);
             oldProfileTime = &oldproftime;
         }
-    }
-    else {
+    } else {
         oldProfile = PK11_FindSMimeProfile(&slot, (char *)emailAddr,
                                            &cert->derSubject, &oldProfileTime);
         freeOldProfile = PR_TRUE;
     }
 
     saveit = PR_FALSE;
 
     /* both profileTime and emailProfile have to exist or not exist */
     if (emailProfile == NULL) {
         profileTime = NULL;
-    }
-    else if (profileTime == NULL) {
+    } else if (profileTime == NULL) {
         emailProfile = NULL;
     }
 
     if (oldProfileTime == NULL) {
         saveit = PR_TRUE;
-    }
-    else {
+    } else {
         /* there was already a profile for this email addr */
         if (profileTime) {
             /* we have an old and new profile - save whichever is more recent*/
             if (oldProfileTime->len == 0) {
                 /* always replace if old entry doesn't have a time */
                 oldtime = LL_MININT;
-            }
-            else {
+            } else {
                 rv = DER_UTCTimeToTime(&oldtime, oldProfileTime);
                 if (rv != SECSuccess) {
                     goto loser;
                 }
             }
 
             rv = DER_UTCTimeToTime(&newtime, profileTime);
             if (rv != SECSuccess) {
                 goto loser;
             }
 
             if (LL_CMP(newtime, >, oldtime)) {
                 /* this is a newer profile, save it and cert */
                 saveit = PR_TRUE;
             }
-        }
-        else {
+        } else {
             saveit = PR_TRUE;
         }
     }
 
     if (saveit) {
         if (cc) {
             if (stanProfile) {
                 /* stanProfile is already stored in the crypto context,
                  * overwrite the data
                  */
                 NSSArena *arena = stanProfile->object.arena;
                 stanProfile->profileTime = nssItem_Create(
                     arena, NULL, profileTime->len, profileTime->data);
                 stanProfile->profileData = nssItem_Create(
                     arena, NULL, emailProfile->len, emailProfile->data);
-            }
-            else if (profileTime && emailProfile) {
+            } else if (profileTime && emailProfile) {
                 PRStatus nssrv;
                 NSSItem profTime, profData;
                 NSSITEM_FROM_SECITEM(&profTime, profileTime);
                 NSSITEM_FROM_SECITEM(&profData, emailProfile);
                 stanProfile = nssSMIMEProfile_Create(c, &profTime, &profData);
                 if (!stanProfile)
                     goto loser;
                 nssrv = nssCryptoContext_ImportSMIMEProfile(cc, stanProfile);
                 rv = (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
             }
-        }
-        else {
+        } else {
             rv = PK11_SaveSMimeProfile(slot, (char *)emailAddr,
                                        &cert->derSubject, emailProfile,
                                        profileTime);
         }
-    }
-    else {
+    } else {
         rv = SECSuccess;
     }
 
 loser:
     if (oldProfile && freeOldProfile) {
         SECITEM_FreeItem(oldProfile, PR_TRUE);
     }
     if (oldProfileTime && freeOldProfile) {
--- a/lib/certdb/xauthkid.c
+++ b/lib/certdb/xauthkid.c
@@ -57,18 +57,17 @@ CERT_EncodeAuthKeyID(PLArenaPool *arena,
             }
 
             value->DERAuthCertIssuer =
                 cert_EncodeGeneralNames(arena, value->authCertIssuer);
             if (!value->DERAuthCertIssuer) {
                 PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID);
                 break;
             }
-        }
-        else if (value->authCertSerialNumber.data) {
+        } else if (value->authCertSerialNumber.data) {
             PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID);
             break;
         }
 
         if (SEC_ASN1EncodeItem(arena, encodedValue, value,
                                CERTAuthKeyIDTemplate) == NULL)
             break;
         rv = SECSuccess;
--- a/lib/certdb/xbsconst.c
+++ b/lib/certdb/xbsconst.c
@@ -121,26 +121,24 @@ CERT_DecodeBasicConstraintValue(CERTBasi
         if (decodeContext.pathLenConstraint.data == NULL) {
             /* if the pathLenConstraint is not encoded, and the current setting
               is CA, then the pathLenConstraint should be set to a negative
               number
               for unlimited certificate path.
              */
             if (value->isCA)
                 value->pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
-        }
-        else if (value->isCA) {
+        } else if (value->isCA) {
             long len = DER_GetInteger(&decodeContext.pathLenConstraint);
             if (len < 0 || len == LONG_MAX) {
                 PORT_SetError(SEC_ERROR_BAD_DER);
                 GEN_BREAK(SECFailure);
             }
             value->pathLenConstraint = len;
-        }
-        else {
+        } else {
             /* here we get an error where the subject is not a CA, but
                the pathLenConstraint is set */
             PORT_SetError(SEC_ERROR_BAD_DER);
             GEN_BREAK(SECFailure);
             break;
         }
 
     } while (0);
--- a/lib/certhigh/certhigh.c
+++ b/lib/certhigh/certhigh.c
@@ -35,18 +35,17 @@ CERT_MatchNickname(char *name1, char *na
     token2 = PORT_Strchr(name2, ':');
     if ((token1 && token2) || (!token1 && !token2)) {
         /* either both token names are specified or neither are, not match */
         return PR_FALSE;
     }
     if (token1) {
         nickname1 = token1;
         nickname2 = name2;
-    }
-    else {
+    } else {
         nickname1 = token2;
         nickname2 = name1;
     }
     nickname1++;
     if (PORT_Strcmp(nickname1, nickname2) != 0) {
         return PR_FALSE;
     }
     /* Bug 1192443 - compare the other token with the internal slot here */
@@ -162,18 +161,17 @@ CERT_FindUserCertsByUsage(CERTCertDBHand
 		     */
                     if (flags[n]) {
                         /* We have already seen a cert with this nickname,
 			 * so delete this one.
 			 */
                         freenode = node;
                         node = CERT_LIST_NEXT(node);
                         CERT_RemoveCertListNode(freenode);
-                    }
-                    else {
+                    } else {
                         /* keep the first cert for each nickname, but set the
 			 * flag so we know to delete any others with the same
 			 * nickname.
 			 */
                         flags[n] = PR_TRUE;
                         node = CERT_LIST_NEXT(node);
                     }
                     break;
@@ -903,18 +901,17 @@ cert_ImportCAChain(SECItem *certs, int n
 
         if (!isca) {
             if (!trusted) {
                 goto endloop;
             }
             trust.sslFlags = CERTDB_VALID_CA;
             trust.emailFlags = CERTDB_VALID_CA;
             trust.objectSigningFlags = CERTDB_VALID_CA;
-        }
-        else {
+        } else {
             /* SSL ca's must have the ssl bit set */
             if ((certUsage == certUsageSSLCA) &&
                 ((certtype & NS_CERT_TYPE_SSL_CA) != NS_CERT_TYPE_SSL_CA)) {
                 goto endloop;
             }
 
             /* it passed all of the tests, so lets add it to the database */
             /* mark it as a CA */
@@ -954,18 +951,17 @@ cert_ImportCAChain(SECItem *certs, int n
             nickname = CERT_MakeCANickname(cert);
 
             rv = CERT_AddTempCertToPerm(cert, nickname, &trust);
 
             /* free the nickname */
             if (nickname) {
                 PORT_Free(nickname);
             }
-        }
-        else {
+        } else {
             rv = SECSuccess;
         }
 
         CERT_DestroyCertificate(cert);
         cert = NULL;
 
         if (rv != SECSuccess) {
             goto loser;
@@ -1088,18 +1084,17 @@ CERT_CertChainFromCert(CERTCertificate *
 	     * not a root.  Don't discard it.
 	     */
             includeRoot = PR_TRUE;
         }
         CERT_DestroyCertificate(cCert);
     }
     if (!includeRoot && len > 1) {
         chain->len = len - 1;
-    }
-    else {
+    } else {
         chain->len = len;
     }
 
     chain->arena = arena;
     nss_ZFreeIf(stanChain);
     return chain;
 loser:
     i = 0;
--- a/lib/certhigh/certvfy.c
+++ b/lib/certhigh/certvfy.c
@@ -56,22 +56,20 @@ checkKeyParams(const SECAlgorithmID *sig
             }
 
             curve = SECKEY_GetECCOid(&key->u.ec.DEREncodedParams);
             if (curve != 0) {
                 if (NSS_GetAlgorithmPolicy(curve, &policyFlags) == SECFailure ||
                     !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
                     PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
                     return SECFailure;
-                }
-                else {
+                } else {
                     return SECSuccess;
                 }
-            }
-            else {
+            } else {
                 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
                 return SECFailure;
             }
             return SECSuccess;
         case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
         case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
         case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
         case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
@@ -338,32 +336,29 @@ cert_AddToVerifyLog(CERTVerifyLog *log, 
         node->depth = depth;
         node->arg = arg;
 
         if (log->tail == NULL) {
             /* empty list */
             log->head = log->tail = node;
             node->prev = NULL;
             node->next = NULL;
-        }
-        else if (depth >= log->tail->depth) {
+        } else if (depth >= log->tail->depth) {
             /* add to tail */
             node->prev = log->tail;
             log->tail->next = node;
             log->tail = node;
             node->next = NULL;
-        }
-        else if (depth < log->head->depth) {
+        } else if (depth < log->head->depth) {
             /* add at head */
             node->prev = NULL;
             node->next = log->head;
             log->head->prev = node;
             log->head = node;
-        }
-        else {
+        } else {
             /* add in middle */
             tnode = log->tail;
             while (tnode != NULL) {
                 if (depth >= tnode->depth) {
                     /* insert after tnode */
                     node->prev = tnode;
                     node->next = tnode->next;
                     tnode->next->prev = node;
@@ -384,18 +379,17 @@ cert_AddToVerifyLog(CERTVerifyLog *log, 
     if (log == NULL) {           \
         goto loser;              \
     }
 
 #define LOG_ERROR_OR_EXIT(log, cert, depth, arg)               \
     if (log != NULL) {                                         \
         cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \
                             (void *)(PRWord)arg);              \
-    }                                                          \
-    else {                                                     \
+    } else {                                                   \
         goto loser;                                            \
     }
 
 #define LOG_ERROR(log, cert, depth, arg)                       \
     if (log != NULL) {                                         \
         cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, \
                             (void *)(PRWord)arg);              \
     }
@@ -453,35 +447,35 @@ cert_VerifyCertChainOld(CERTCertDBHandle
         case certUsageVerifyCA:
         case certUsageAnyCA:
         case certUsageStatusResponder:
             if (CERT_TrustFlagsForCACertUsage(certUsage, &requiredFlags,
                                               &trustType) != SECSuccess) {
                 PORT_Assert(0);
                 EXIT_IF_NOT_LOGGING(log);
                 /* XXX continuing with requiredFlags = 0 seems wrong.  It'll
-        	     * cause the following test to be true incorrectly:
-        	     *   flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
-        	     *   if (( flags & requiredFlags ) == requiredFlags) {
-        	     *       rv = rvFinal;
-        	     *       goto done;
-        	     *   }
-        	     * There are three other instances of this problem.
-        	     */
+                 * cause the following test to be true incorrectly:
+                 *   flags = SEC_GET_TRUST_FLAGS(issuerCert->trust, trustType);
+                 *   if (( flags & requiredFlags ) == requiredFlags) {
+                 *       rv = rvFinal;
+                 *       goto done;
+                 *   }
+                 * There are three other instances of this problem.
+                 */
                 requiredFlags = 0;
                 trustType = trustSSL;
             }
             break;
         default:
             PORT_Assert(0);
             EXIT_IF_NOT_LOGGING(log);
             requiredFlags = 0;
             trustType = trustSSL; /* This used to be 0, but we need something
-			      * that matches the enumeration type.
-			      */
+                                   * that matches the enumeration type.
+                                   */
             caCertType = 0;
     }
 
     subjectCert = CERT_DupCertificate(cert);
     if (subjectCert == NULL) {
         goto loser;
     }
 
@@ -498,20 +492,20 @@ cert_VerifyCertChainOld(CERTCertDBHandle
     ** in the leaf (EE) cert, whether it is self issued or not, so
     ** we pretend that it is not.
     */
     subjectCertIsSelfIssued = PR_FALSE;
     for (count = 0; count < CERT_MAX_CERT_CHAIN; count++) {
         PRBool validCAOverride = PR_FALSE;
 
         /* Construct a list of names for the current and all previous
-    	 * certifcates (except leaf (EE) certs, root CAs, and self-issued
-    	 * intermediate CAs) to be verified against the name constraints
-    	 * extension of the issuer certificate.
-    	 */
+         * certifcates (except leaf (EE) certs, root CAs, and self-issued
+         * intermediate CAs) to be verified against the name constraints
+         * extension of the issuer certificate.
+         */
         if (subjectCertIsSelfIssued == PR_FALSE) {
             CERTGeneralName *subjectNameList;
             int subjectNameListLen;
             int i;
             PRBool getSubjectCN = (!count && certUsage == certUsageSSLServer);
             subjectNameList =
                 CERT_GetConstrainedCertificateNames(subjectCert, arena,
                                                     getSubjectCN);
@@ -560,46 +554,44 @@ cert_VerifyCertChainOld(CERTCertDBHandle
 
             if (rv != SECSuccess) {
                 if (sigerror) {
                     *sigerror = PR_TRUE;
                 }
                 if (PORT_GetError() == SEC_ERROR_EXPIRED_CERTIFICATE) {
                     PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
                     LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0);
-                }
-                else {
+                } else {
                     if (PORT_GetError() !=
                         SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED) {
                         PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
                     }
                     LOG_ERROR_OR_EXIT(log, subjectCert, count, 0);
                 }
             }
         }
 
         /* If the basicConstraint extension is included in an immediate CA
-    	 * certificate, make sure that the isCA flag is on.  If the
-    	 * pathLenConstraint component exists, it must be greater than the
-    	 * number of CA certificates we have seen so far.  If the extension
-    	 * is omitted, we will assume that this is a CA certificate with
-    	 * an unlimited pathLenConstraint (since it already passes the
-    	 * netscape-cert-type extension checking).
-    	 */
+         * certificate, make sure that the isCA flag is on.  If the
+         * pathLenConstraint component exists, it must be greater than the
+         * number of CA certificates we have seen so far.  If the extension
+         * is omitted, we will assume that this is a CA certificate with
+         * an unlimited pathLenConstraint (since it already passes the
+         * netscape-cert-type extension checking).
+         */
 
         rv = CERT_FindBasicConstraintExten(issuerCert, &basicConstraint);
         if (rv != SECSuccess) {
             if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
                 LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0);
             }
             pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT;
             /* no basic constraints found, we aren't (yet) a CA. */
             isca = PR_FALSE;
-        }
-        else {
+        } else {
             if (basicConstraint.isCA == PR_FALSE) {
                 PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
                 LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0);
             }
             pathLengthLimit = basicConstraint.pathLenConstraint;
             isca = PR_TRUE;
         }
         /* make sure that the path len constraint is properly set.*/
@@ -615,60 +607,57 @@ cert_VerifyCertChainOld(CERTCertDBHandle
                                    arena, &badCert);
         if (rv != SECSuccess || badCert != NULL) {
             PORT_SetError(SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
             LOG_ERROR_OR_EXIT(log, badCert, count + 1, 0);
             goto loser;
         }
 
         /* XXX - the error logging may need to go down into CRL stuff at some
-    	 * point
-    	 */
+         * point
+         */
         /* check revoked list (issuer) */
         rv = SEC_CheckCRL(handle, subjectCert, issuerCert, t, wincx);
         if (rv == SECFailure) {
             if (revoked) {
                 *revoked = PR_TRUE;
             }
             LOG_ERROR_OR_EXIT(log, subjectCert, count, 0);
-        }
-        else if (rv == SECWouldBlock) {
+        } else if (rv == SECWouldBlock) {
             /* We found something fishy, so we intend to issue an
              * error to the user, but the user may wish to continue
              * processing, in which case we better make sure nothing
              * worse has happened... so keep cranking the loop */
             rvFinal = SECFailure;
             if (revoked) {
                 *revoked = PR_TRUE;
             }
             LOG_ERROR(log, subjectCert, count, 0);
         }
 
         if (CERT_GetCertTrust(issuerCert, &issuerTrust) == SECSuccess) {
             /* we have some trust info, but this does NOT imply that this
-    	     * cert is actually trusted for any purpose.  The cert may be
-    	     * explicitly UNtrusted.  We won't know until we examine the
-    	     * trust bits.
-    	     */
+             * cert is actually trusted for any purpose.  The cert may be
+             * explicitly UNtrusted.  We won't know until we examine the
+             * trust bits.
+             */
             unsigned int flags;
 
             if (certUsage != certUsageAnyCA &&
                 certUsage != certUsageStatusResponder) {
 
                 /*
-    	         * XXX This choice of trustType seems arbitrary.
-    	         */
+                 * XXX This choice of trustType seems arbitrary.
+                 */
                 if (certUsage == certUsageVerifyCA) {
                     if (subjectCert->nsCertType & NS_CERT_TYPE_EMAIL_CA) {
                         trustType = trustEmail;
-                    }
-                    else if (subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA) {
+                    } else if (subjectCert->nsCertType & NS_CERT_TYPE_SSL_CA) {
                         trustType = trustSSL;
-                    }
-                    else {
+                    } else {
                         trustType = trustObjectSigning;
                     }
                 }
 
                 flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
                 if ((flags & requiredFlags) == requiredFlags) {
                     /* we found a trusted one, so return */
                     rv = rvFinal;
@@ -676,63 +665,62 @@ cert_VerifyCertChainOld(CERTCertDBHandle
                 }
                 if (flags & CERTDB_VALID_CA) {
                     validCAOverride = PR_TRUE;
                 }
                 /* is it explicitly distrusted? */
                 if ((flags & CERTDB_TERMINAL_RECORD) &&
                     ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)) {
                     /* untrusted -- the cert is explicitly untrusted, not
-		             * just that it doesn't chain to a trusted cert */
+                     * just that it doesn't chain to a trusted cert */
                     PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
                     LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, flags);
                 }
-            }
-            else {
+            } else {
                 /* Check if we have any valid trust when cheching for
                  * certUsageAnyCA or certUsageStatusResponder. */
                 for (trustType = trustSSL; trustType < trustTypeNone;
                      trustType++) {
                     flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
                     if ((flags & requiredFlags) == requiredFlags) {
                         rv = rvFinal;
                         goto done;
                     }
                     if (flags & CERTDB_VALID_CA)
                         validCAOverride = PR_TRUE;
                 }
                 /* We have 2 separate loops because we want any single trust
-        		 * bit to allow this usage to return trusted. Only if none of
-        		 * the trust bits are on do we check to see if the cert is
-        		 * untrusted */
+                 * bit to allow this usage to return trusted. Only if none of
+                 * the trust bits are on do we check to see if the cert is
+                 * untrusted */
                 for (trustType = trustSSL; trustType < trustTypeNone;
                      trustType++) {
                     flags = SEC_GET_TRUST_FLAGS(&issuerTrust, trustType);
                     /* is it explicitly distrusted? */
                     if ((flags & CERTDB_TERMINAL_RECORD) &&
                         ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)) {
                         /* untrusted -- the cert is explicitly untrusted, not
-			             * just that it doesn't chain to a trusted cert */
+                         * just that it doesn't chain to a trusted cert */
                         PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
                         LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, flags);
                     }
                 }
             }
         }
 
         if (!validCAOverride) {
             /*
-    	     * Make sure that if this is an intermediate CA in the chain that
-    	     * it was given permission by its signer to be a CA.
-    	     */
+             * Make sure that if this is an intermediate CA in the chain that
+             * it was given permission by its signer to be a CA.
+             */
             /*
-    	     * if basicConstraints says it is a ca, then we check the
-    	     * nsCertType.  If the nsCertType has any CA bits set, then
-    	     * it must have the right one.
-    	     */
+             * if basicConstraints says it is a ca, then we check the
+             * nsCertType.  If the nsCertType has any CA bits set, then
+             * it must have the right one.
+             */
             if (!isca || (issuerCert->nsCertType & NS_CERT_TYPE_CA)) {
                 isca = (issuerCert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE;
             }
 
             if (!isca) {
                 PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
                 LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, 0);
             }
@@ -740,36 +728,36 @@ cert_VerifyCertChainOld(CERTCertDBHandle
             /* make sure key usage allows cert signing */
             if (CERT_CheckKeyUsage(issuerCert, requiredCAKeyUsage) != SECSuccess) {
                 PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
                 LOG_ERROR_OR_EXIT(log, issuerCert, count + 1, requiredCAKeyUsage);
             }
         }
 
         /* make sure that the issuer is not self signed.  If it is, then
-    	 * stop here to prevent looping.
-    	 */
+         * stop here to prevent looping.
+         */
         if (issuerCert->isRoot) {
             PORT_SetError(SEC_ERROR_UNTRUSTED_ISSUER);
             LOG_ERROR(log, issuerCert, count + 1, 0);
             goto loser;
         }
         /* The issuer cert will be the subject cert in the next loop.
-    	 * A cert is self-issued if its subject and issuer are equal and
-    	 * both are of non-zero length.
-    	 */
+         * A cert is self-issued if its subject and issuer are equal and
+         * both are of non-zero length.
+         */
         subjectCertIsSelfIssued = (PRBool)
                                       SECITEM_ItemsAreEqual(&issuerCert->derIssuer,
                                                             &issuerCert->derSubject) &&
                                   issuerCert->derSubject.len >
                                       0;
         if (subjectCertIsSelfIssued == PR_FALSE) {
             /* RFC 3280 says only non-self-issued intermediate CA certs
-    	     * count in path length.
-    	     */
+             * count in path length.
+             */
             ++currentPathLen;
         }
 
         CERT_DestroyCertificate(subjectCert);
         subjectCert = issuerCert;
         issuerCert = NULL;
     }
 
@@ -866,18 +854,18 @@ CERT_VerifyCACertForUsage(CERTCertDBHand
                 trustType = trustSSL;
             }
             break;
         default:
             PORT_Assert(0);
             EXIT_IF_NOT_LOGGING(log);
             requiredFlags = 0;
             trustType = trustSSL; /* This used to be 0, but we need something
-                			       * that matches the enumeration type.
-                			       */
+                                   * that matches the enumeration type.
+                                   */
             caCertType = 0;
     }
 
     /* If the basicConstraint extension is included in an intermmediate CA
      * certificate, make sure that the isCA flag is on.  If the
      * pathLenConstraint component exists, it must be greater than the
      * number of CA certificates we have seen so far.  If the extension
      * is omitted, we will assume that this is a CA certificate with
@@ -887,84 +875,83 @@ CERT_VerifyCACertForUsage(CERTCertDBHand
 
     rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
     if (rv != SECSuccess) {
         if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
             LOG_ERROR_OR_EXIT(log, cert, 0, 0);
         }
         /* no basic constraints found, we aren't (yet) a CA. */
         isca = PR_FALSE;
-    }
-    else {
+    } else {
         if (basicConstraint.isCA == PR_FALSE) {
             PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
             LOG_ERROR_OR_EXIT(log, cert, 0, 0);
         }
 
         /* can't check path length if we don't know the previous path */
         isca = PR_TRUE;
     }
 
     if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) {
         /* we have some trust info, but this does NOT imply that this
-    	 * cert is actually trusted for any purpose.  The cert may be
-    	 * explicitly UNtrusted.  We won't know until we examine the
-    	 * trust bits.
-    	 */
+         * cert is actually trusted for any purpose.  The cert may be
+         * explicitly UNtrusted.  We won't know until we examine the
+         * trust bits.
+         */
         if (certUsage == certUsageStatusResponder) {
             /* Check the special case of certUsageStatusResponder */
             issuerCert = CERT_FindCertIssuer(cert, t, certUsage);
             if (issuerCert) {
                 if (SEC_CheckCRL(handle, cert, issuerCert, t, wincx) !=
                     SECSuccess) {
                     PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
                     CERT_DestroyCertificate(issuerCert);
                     goto loser;
                 }
                 CERT_DestroyCertificate(issuerCert);
             }
             /* XXX We have NOT determined that this cert is trusted.
-    	     * For years, NSS has treated this as trusted,
-    	     * but it seems incorrect.
-    	     */
+             * For years, NSS has treated this as trusted,
+             * but it seems incorrect.
+             */
             rv = rvFinal;
             goto done;
         }
 
         /*
-    	 * check the trust params of the issuer
-    	 */
+         * check the trust params of the issuer
+         */
         flags = SEC_GET_TRUST_FLAGS(&certTrust, trustType);
         if ((flags & requiredFlags) == requiredFlags) {
             /* we found a trusted one, so return */
             rv = rvFinal;
             goto done;
         }
         if (flags & CERTDB_VALID_CA) {
             validCAOverride = PR_TRUE;
         }
         /* is it explicitly distrusted? */
         if ((flags & CERTDB_TERMINAL_RECORD) &&
             ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0)) {
             /* untrusted -- the cert is explicitly untrusted, not
-	         * just that it doesn't chain to a trusted cert */
+             * just that it doesn't chain to a trusted cert */
             PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
             LOG_ERROR_OR_EXIT(log, cert, 0, flags);
         }
     }
     if (!validCAOverride) {
         /*
-    	 * Make sure that if this is an intermediate CA in the chain that
-    	 * it was given permission by its signer to be a CA.
-    	 */
+         * Make sure that if this is an intermediate CA in the chain that
+         * it was given permission by its signer to be a CA.
+         */
         /*
-    	 * if basicConstraints says it is a ca, then we check the
-    	 * nsCertType.  If the nsCertType has any CA bits set, then
-    	 * it must have the right one.
-    	 */
+         * if basicConstraints says it is a ca, then we check the
+         * nsCertType.  If the nsCertType has any CA bits set, then
+         * it must have the right one.
+         */
         if (!isca || (cert->nsCertType & NS_CERT_TYPE_CA)) {
             isca = (cert->nsCertType & caCertType) ? PR_TRUE : PR_FALSE;
         }
 
         if (!isca) {
             PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
             LOG_ERROR_OR_EXIT(log, cert, 0, 0);
         }
@@ -1036,76 +1023,73 @@ cert_CheckLeafTrust(CERTCertificate *cer
     if (CERT_GetCertTrust(cert, &trust) == SECSuccess) {
         switch (certUsage) {
             case certUsageSSLClient:
             case certUsageSSLServer:
                 flags = trust.sslFlags;
 
                 /* is the cert directly trusted or not trusted ? */
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-						    * authoritative */
+                            * authoritative */
                     if (flags & CERTDB_TRUSTED) {     /* trust this cert */
                         *trusted = PR_TRUE;
                         return SECSuccess;
-                    }
-                    else { /* don't trust this cert */
+                    } else { /* don't trust this cert */
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
                 break;
             case certUsageSSLServerWithStepUp:
                 /* XXX - step up certs can't be directly trusted, only distrust */
                 flags = trust.sslFlags;
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-						                               * authoritative */
+                                                       * authoritative */
                     if ((flags & CERTDB_TRUSTED) == 0) {
                         /* don't trust this cert */
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
                 break;
             case certUsageSSLCA:
                 flags = trust.sslFlags;
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-						                               * authoritative */
+                                                       * authoritative */
                     if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
                         /* don't trust this cert */
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
                 break;
             case certUsageEmailSigner:
             case certUsageEmailRecipient:
                 flags = trust.emailFlags;
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-						                               * authoritative */
+                                                       * authoritative */
                     if (flags & CERTDB_TRUSTED) {     /* trust this cert */
                         *trusted = PR_TRUE;
                         return SECSuccess;
-                    }
-                    else { /* don't trust this cert */
+                    } else { /* don't trust this cert */
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
 
                 break;
             case certUsageObjectSigner:
                 flags = trust.objectSigningFlags;
 
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-						                               * authoritative */
+                                                       * authoritative */
                     if (flags & CERTDB_TRUSTED) {     /* trust this cert */
                         *trusted = PR_TRUE;
                         return SECSuccess;
-                    }
-                    else { /* don't trust this cert */
+                    } else { /* don't trust this cert */
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
                 break;
             case certUsageVerifyCA:
             case certUsageStatusResponder:
                 flags = trust.sslFlags;
@@ -1130,35 +1114,35 @@ cert_CheckLeafTrust(CERTCertificate *cer
                     return SECSuccess;
                 }
                 /* fall through to test distrust */
             case certUsageAnyCA:
             case certUsageUserCertImport:
                 /* do we distrust these certs explicitly */
                 flags = trust.sslFlags;
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-						    * authoritative */
+                            * authoritative */
                     if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
                 flags = trust.emailFlags;
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-						    * authoritative */
+                            * authoritative */
                     if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
                 /* fall through */
             case certUsageProtectedObjectSigner:
                 flags = trust.objectSigningFlags;
                 if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
-						                               * authoritative */
+                                                       * authoritative */
                     if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
                         *failedFlags = flags;
                         return SECFailure;
                     }
                 }
                 break;
         }
     }
@@ -1202,18 +1186,17 @@ CERT_VerifyCertificate(CERTCertDBHandle 
     if (!requiredUsages) {
         /* there are no required usages, so the user probably wants to
            get status for all usages */
         checkAllUsages = PR_TRUE;
     }
 
     if (returnedUsages) {
         *returnedUsages = 0;
-    }
-    else {
+    } else {
         /* we don't have a place to return status for all usages,
            so we can skip checks for usages that aren't required */
         checkAllUsages = PR_FALSE;
     }
     valid = SECSuccess; /* start off assuming cert is valid */
 
     /* make sure that the cert is valid at time t */
     allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
@@ -1288,18 +1271,17 @@ CERT_VerifyCertificate(CERTCertDBHandle 
 
         rv = cert_CheckLeafTrust(cert, certUsage, &flags, &trusted);
         if (rv == SECFailure) {
             if (PR_TRUE == requiredUsage) {
                 PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
             }
             LOG_ERROR(log, cert, 0, flags);
             INVALID_USAGE();
-        }
-        else if (trusted) {
+        } else if (trusted) {
             VALID_USAGE();
         }
 
         if (PR_TRUE == revoked || PR_TRUE == sigerror) {
             INVALID_USAGE();
         }
 
         rv = cert_VerifyCertChain(handle, cert,
@@ -1429,18 +1411,17 @@ cert_VerifyCertWithFlags(CERTCertDBHandl
         PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
         LOG_ERROR_OR_EXIT(log, cert, 0, requiredCertType);
     }
 
     rv = cert_CheckLeafTrust(cert, certUsage, &failedFlags, &trusted);
     if (rv == SECFailure) {
         PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
         LOG_ERROR_OR_EXIT(log, cert, 0, failedFlags);
-    }
-    else if (trusted) {
+    } else if (trusted) {
         goto done;
     }
 
     rv = CERT_VerifyCertChain(handle, cert, checkSig, certUsage,
                               t, wincx, log);
     if (rv != SECSuccess) {
         EXIT_IF_NOT_LOGGING(log);
     }
@@ -1497,22 +1478,22 @@ CERT_VerifyCertNow(CERTCertDBHandle *han
 {
     return (CERT_VerifyCert(handle, cert, checkSig,
                             certUsage, PR_Now(), wincx, NULL));
 }
 
 /* [ FROM pcertdb.c ] */
 /*
  * Supported usage values and types:
- *	certUsageSSLClient
- *	certUsageSSLServer
- *	certUsageSSLServerWithStepUp
- *	certUsageEmailSigner
- *	certUsageEmailRecipient
- *	certUsageObjectSigner
+ *  certUsageSSLClient
+ *  certUsageSSLServer
+ *  certUsageSSLServerWithStepUp
+ *  certUsageEmailSigner
+ *  certUsageEmailRecipient
+ *  certUsageObjectSigner
  */
 
 CERTCertificate *
 CERT_FindMatchingCert(CERTCertDBHandle *handle, SECItem *derName,
                       CERTCertOwner owner, SECCertUsage usage,
                       PRBool preferTrusted, PRTime validTime, PRBool validOnly)
 {
     CERTCertList *certList = NULL;
@@ -1556,26 +1537,25 @@ CERT_FindMatchingCert(CERTCertDBHandle *
             cert = node->cert;
 
             /* looking for a trusted CA cert */
             if ((owner == certOwnerCA) && preferTrusted &&
                 (requiredTrustType != trustTypeNone)) {
 
                 if (CERT_GetCertTrust(cert, &certTrust) != SECSuccess) {
                     flags = 0;
-                }
-                else {
+                } else {
                     flags = SEC_GET_TRUST_FLAGS(&certTrust, requiredTrustType);
                 }
 
                 if ((flags & requiredTrustFlags) != requiredTrustFlags) {
                     /* cert is not trusted */
                     /* if this is the first cert to get this far, then save
-		     * it, so we can use it if we can't find a trusted one
-		     */
+                     * it, so we can use it if we can't find a trusted one
+                     */
                     if (saveUntrustedCA == NULL) {
                         saveUntrustedCA = cert;
                     }
                     goto endloop;
                 }
             }
             /* if we got this far, then this cert meets all criteria */
             break;
@@ -1609,21 +1589,21 @@ loser:
     return (NULL);
 }
 
 /* [ From certdb.c ] */
 /*
  * Filter a list of certificates, removing those certs that do not have
  * one of the named CA certs somewhere in their cert chain.
  *
- *	"certList" - the list of certificates to filter
- *	"nCANames" - number of CA names
- *	"caNames" - array of CA names in string(rfc 1485) form
- *	"usage" - what use the certs are for, this is used when
- *		selecting CA certs
+ *  "certList" - the list of certificates to filter
+ *  "nCANames" - number of CA names
+ *  "caNames" - array of CA names in string(rfc 1485) form
+ *  "usage" - what use the certs are for, this is used when
+ *      selecting CA certs
  */
 SECStatus
 CERT_FilterCertListByCANames(CERTCertList *certList, int nCANames,
                              char **caNames, SECCertUsage usage)
 {
     CERTCertificate *issuerCert = NULL;
     CERTCertificate *subjectCert;
     CERTCertListNode *node, *freenode;
@@ -1678,91 +1658,85 @@ CERT_FilterCertListByCANames(CERTCertLis
             subjectCert = issuerCert;
         }
         CERT_DestroyCertificate(subjectCert);
         if (!found) {
             /* CA was not found, so remove this cert from the list */
             freenode = node;
             node = CERT_LIST_NEXT(node);
             CERT_RemoveCertListNode(freenode);
-        }
-        else {
+        } else {
             /* CA was found, so leave it in the list */
             node = CERT_LIST_NEXT(node);
         }
     }
 
     return (SECSuccess);
 }
 
 /*
  * Given a certificate, return a string containing the nickname, and possibly
  * one of the validity strings, based on the current validity state of the
  * certificate.
  *
  * "arena" - arena to allocate returned string from.  If NULL, then heap
- *	is used.
+ *  is used.
  * "cert" - the cert to get nickname from
  * "expiredString" - the string to append to the nickname if the cert is
- *		expired.
+ *      expired.
  * "notYetGoodString" - the string to append to the nickname if the cert is
- *		not yet good.
+ *      not yet good.
  */
 char *
 CERT_GetCertNicknameWithValidity(PLArenaPool *arena, CERTCertificate *cert,
                                  char *expiredString, char *notYetGoodString)
 {
     SECCertTimeValidity validity;
     char *nickname = NULL, *tmpstr = NULL;
 
     validity = CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE);
 
     /* if the cert is good, then just use the nickname directly */
     if (validity == secCertTimeValid) {
         if (arena == NULL) {
             nickname = PORT_Strdup(cert->nickname);
-        }
-        else {
+        } else {
             nickname = PORT_ArenaStrdup(arena, cert->nickname);
         }
 
         if (nickname == NULL) {
             goto loser;
         }
-    }
-    else {
+    } else {
 
         /* if the cert is not valid, then tack one of the strings on the
-    	 * end
-    	 */
+         * end
+         */
         if (validity == secCertTimeExpired) {
             tmpstr = PR_smprintf("%s%s", cert->nickname,
                                  expiredString);
-        }
-        else if (validity == secCertTimeNotValidYet) {
+        } else if (validity == secCertTimeNotValidYet) {
             /* not yet valid */
             tmpstr = PR_smprintf("%s%s", cert->nickname,
                                  notYetGoodString);
-        }
-        else {
+        } else {
             /* undetermined */
             tmpstr = PR_smprintf("%s",
                                  "(NULL) (Validity Unknown)");
         }
 
         if (tmpstr == NULL) {
             goto loser;
         }
 
         if (arena) {
             /* copy the string into the arena and free the malloc'd one */
             nickname = PORT_ArenaStrdup(arena, tmpstr);
             PORT_Free(tmpstr);
-        }
-        else {
+        } else {
             nickname = tmpstr;
         }
         if (nickname == NULL) {
             goto loser;
         }
     }
     return (nickname);
 
@@ -1772,17 +1746,17 @@ loser:
 
 /*
  * Collect the nicknames from all certs in a CertList.  If the cert is not
  * valid, append a string to that nickname.
  *
  * "certList" - the list of certificates
  * "expiredString" - the string to append to the nickname of any expired cert
  * "notYetGoodString" - the string to append to the nickname of any cert
- *		that is not yet valid
+ *      that is not yet valid
  */
 CERTCertNicknames *
 CERT_NicknameStringsFromCertList(CERTCertList *certList, char *expiredString,
                                  char *notYetGoodString)
 {
     CERTCertNicknames *names;
     PLArenaPool *arena;
     CERTCertListNode *node;
@@ -1854,20 +1828,20 @@ loser:
     return (NULL);
 }
 
 /*
  * Extract the nickname from a nickmake string that may have either
  * expiredString or notYetGoodString appended.
  *
  * Args:
- *	"namestring" - the string containing the nickname, and possibly
- *		one of the validity label strings
- *	"expiredString" - the expired validity label string
- *	"notYetGoodString" - the not yet good validity label string
+ *  "namestring" - the string containing the nickname, and possibly
+ *      one of the validity label strings
+ *  "expiredString" - the expired validity label string
+ *  "notYetGoodString" - the not yet good validity label string
  *
  * Returns the raw nickname
  */
 char *
 CERT_ExtractNicknameString(char *namestring, char *expiredString,
                            char *notYetGoodString)
 {
     int explen, nyglen, namelen;
--- a/lib/certhigh/certvfypkix.c
+++ b/lib/certhigh/certvfypkix.c
@@ -691,18 +691,17 @@ cert_PkixToNssCertsChain(
     }
 
     *pvalidChain = validChain;
 
 cleanup:
     if (PKIX_ERROR_RECEIVED) {
         if (validChain) {
             CERT_DestroyCertList(validChain);
-        }
-        else if (arena) {
+        } else if (arena) {
             PORT_FreeArena(arena, PR_FALSE);
         }
         if (nssCert) {
             CERT_DestroyCertificate(nssCert);
         }
     }
     PKIX_DECREF(certItem);
 
@@ -833,18 +832,17 @@ cert_PkixErrorToNssCode(
 #endif /* PKIX_ERROR_DESCRIPTION */
         }
         errPtr = errPtr->cause;
         errLevel += 1;
     }
     PORT_Assert(nssErr);
     if (!nssErr) {
         *pNssErr = SEC_ERROR_LIBPKIX_INTERNAL;
-    }
-    else {
+    } else {
         *pNssErr = nssErr;
     }
 
     PKIX_RETURN(CERTVFYPKIX);
 }
 
 /*
  * FUNCTION: cert_GetLogFromVerifyNode
@@ -893,18 +891,17 @@ cert_GetLogFromVerifyNode(
                     cert_PkixErrorToNssCode(node->error, &nssErrorCode,
                                             plContext),
                     PKIX_GETPKIXERRORCODEFAILED);
 
                 cert_AddToVerifyLog(log, cert, nssErrorCode, node->depth, NULL);
             }
         }
         PKIX_RETURN(CERTVFYPKIX);
-    }
-    else {
+    } else {
         PRUint32 i = 0;
         PKIX_UInt32 length = 0;
 
         PKIX_CHECK(
             PKIX_List_GetLength(children, &length, plContext),
             PKIX_LISTGETLENGTHFAILED);
 
         for (i = 0; i < length; i++) {
@@ -1132,19 +1129,18 @@ cert_VerifyCertChainPkix(
          * Setting the variable to false, to make additional chain
          * validations be handled by old nss. */
         usePKIXValidationEngine = PR_FALSE;
     }
     testStartFnStackPosition = 2;
     fnStackNameArr[0] = "cert_VerifyCertChainPkix";
     fnStackInvCountArr[0] = 0;
     PKIX_Boolean abortOnLeak =
-        (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
-                                                                   PKIX_FALSE
-                                                                   : PKIX_TRUE;
+        (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? PKIX_FALSE
+                                                                         : PKIX_TRUE;
     runningLeakTest = PKIX_TRUE;
 
     /* Prevent multi-threaded run of object leak test */
     fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
     PORT_Assert(fnInvLocalCount == 1);
 
     do {
         rv = SECFailure;
@@ -1496,18 +1492,17 @@ cert_pkixSetParam(PKIX_ProcessingParams 
 
         case cert_pi_date:
             if (param->value.scalar.time == 0) {
                 error = PKIX_PL_Date_Create_UTCTime(NULL, &date, plContext);
                 if (error != NULL) {
                     errCode = SEC_ERROR_INVALID_TIME;
                     break;
                 }
-            }
-            else {
+            } else {
                 error = pkix_pl_Date_CreateFromPRTime(param->value.scalar.time,
                                                       &date, plContext);
                 if (error != NULL) {
                     errCode = SEC_ERROR_INVALID_TIME;
                     break;
                 }
             }
 
@@ -2014,19 +2009,18 @@ CERT_PKIXVerifyCert(
          * Setting the variable to false, to make additional chain
          * validations be handled by old nss. */
         usePKIXValidationEngine = PR_FALSE;
     }
     testStartFnStackPosition = 1;
     fnStackNameArr[0] = "CERT_PKIXVerifyCert";
     fnStackInvCountArr[0] = 0;
     PKIX_Boolean abortOnLeak =
-        (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ?
-                                                                   PKIX_FALSE
-                                                                   : PKIX_TRUE;
+        (PR_GetEnvSecure("PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK") == NULL) ? PKIX_FALSE
+                                                                         : PKIX_TRUE;
     runningLeakTest = PKIX_TRUE;
 
     /* Prevent multi-threaded run of object leak test */
     fnInvLocalCount = PR_ATOMIC_INCREMENT(&parallelFnInvocationCount);
     PORT_Assert(fnInvLocalCount == 1);
 
     do {
         r = SECFailure;
@@ -2144,18 +2138,17 @@ CERT_PKIXVerifyCert(
             goto cleanup;
 #endif /* PKIX_OBJECT_LEAK_TEST */
 
         oparam = cert_pkix_FindOutputParam(paramsOut, cert_po_trustAnchor);
         if (oparam != NULL) {
             if (trustAnchorCert != NULL) {
                 oparam->value.pointer.cert =
                     cert_NSSCertFromPKIXCert(trustAnchorCert);
-            }
-            else {
+            } else {
                 oparam->value.pointer.cert = NULL;
             }
         }
 
         error = PKIX_BuildResult_GetCertChain(buildResult, &builtCertList,
                                               plContext);
         if (error != NULL) {
             goto cleanup;
--- a/lib/certhigh/crlv2.c
+++ b/lib/certhigh/crlv2.c
@@ -75,26 +75,24 @@ CERT_FindCRLNumberExten(PLArenaPool *are
 
     mark = PORT_ArenaMark(arena);
 
     tmpItem = SECITEM_ArenaDupItem(arena, &encodedExtenValue);
     if (tmpItem) {
         rv = SEC_QuickDERDecodeItem(arena, value,
                                     SEC_ASN1_GET(SEC_IntegerTemplate),
                                     tmpItem);
-    }
-    else {
+    } else {
         rv = SECFailure;
     }
 
     PORT_Free(encodedExtenValue.data);
     if (rv == SECFailure) {
         PORT_ArenaRelease(arena, mark);
-    }
-    else {
+    } else {
         PORT_ArenaUnmark(arena, mark);
     }
     return (rv);
 }
 
 SECStatus
 CERT_FindCRLEntryReasonExten(CERTCrlEntry *crlEntry,
                              CERTCRLEntryReasonCode *value)
--- a/lib/certhigh/ocsp.c
+++ b/lib/certhigh/ocsp.c
@@ -201,18 +201,17 @@ static void
 printHexString(const char *prefix, SECItem *hexval)
 {
     unsigned int i;
     char *hexbuf = NULL;
 
     for (i = 0; i < hexval->len; i++) {
         if (i != hexval->len - 1) {
             hexbuf = PR_sprintf_append(hexbuf, "%02x:", hexval->data[i]);
-        }
-        else {
+        } else {
             hexbuf = PR_sprintf_append(hexbuf, "%02x", hexval->data[i]);
         }
     }
     if (hexbuf) {
         ocsp_Trace("%s %s\n", prefix, hexbuf);
         PR_smprintf_free(hexbuf);
     }
 }
@@ -353,18 +352,17 @@ ocsp_CopyRevokedInfo(PLArenaPool *arena,
     }
 
     if (src->revocationReason) {
         dest->certStatusInfo.revokedInfo->revocationReason =
             SECITEM_ArenaDupItem(arena, src->revocationReason);
         if (!dest->certStatusInfo.revokedInfo->revocationReason) {
             goto loser;
         }
-    }
-    else {
+    } else {
         dest->certStatusInfo.revokedInfo->revocationReason = NULL;
     }
 
     PORT_ArenaUnmark(arena, mark);
     return SECSuccess;
 
 loser:
     PORT_ArenaRelease(arena, mark);
@@ -456,25 +454,23 @@ ocsp_RemoveCacheItemFromLinkedList(OCSPC
 
     if (item == cache->LRUitem) {
         PORT_Assert(item != cache->MRUitem);
         PORT_Assert(item->lessRecent == NULL);
         PORT_Assert(item->moreRecent != NULL);
         PORT_Assert(item->moreRecent->lessRecent == item);
         cache->LRUitem = item->moreRecent;
         cache->LRUitem->lessRecent = NULL;
-    }
-    else if (item == cache->MRUitem) {
+    } else if (item == cache->MRUitem) {
         PORT_Assert(item->moreRecent == NULL);
         PORT_Assert(item->lessRecent != NULL);
         PORT_Assert(item->lessRecent->moreRecent == item);
         cache->MRUitem = item->lessRecent;
         cache->MRUitem->moreRecent = NULL;
-    }
-    else {
+    } else {
         /* remove an entry in the middle of the list */
         PORT_Assert(item->moreRecent != NULL);
         PORT_Assert(item->lessRecent != NULL);
         PORT_Assert(item->lessRecent->moreRecent == item);
         PORT_Assert(item->moreRecent->lessRecent == item);
         item->moreRecent->lessRecent = item->lessRecent;
         item->lessRecent->moreRecent = item->moreRecent;
     }
@@ -677,18 +673,17 @@ ocsp_SetCacheItemResponse(OCSPCacheItem 
         item->missingResponseError = 0;
         rv = DER_GeneralizedTimeToTime(&item->thisUpdate,
                                        &response->thisUpdate);
         item->haveThisUpdate = (rv == SECSuccess);
         if (response->nextUpdate) {
             rv = DER_GeneralizedTimeToTime(&item->nextUpdate,
                                            response->nextUpdate);
             item->haveNextUpdate = (rv == SECSuccess);
-        }
-        else {
+        } else {
             item->haveNextUpdate = PR_FALSE;
         }
     }
     return SECSuccess;
 }
 
 static void
 ocsp_FreshenCacheItemNextFetchAttemptTime(OCSPCacheItem *cacheItem)
@@ -706,18 +701,17 @@ ocsp_FreshenCacheItemNextFetchAttemptTim
 
     if (cacheItem->haveThisUpdate) {
         OCSP_TRACE_TIME("thisUpdate:", cacheItem->thisUpdate);
         latestTimeWhenResponseIsConsideredFresh = cacheItem->thisUpdate +
                                                   OCSP_Global.maximumSecondsToNextFetchAttempt *
                                                       MICROSECONDS_PER_SECOND;
         OCSP_TRACE_TIME("latestTimeWhenResponseIsConsideredFresh:",
                         latestTimeWhenResponseIsConsideredFresh);
-    }
-    else {
+    } else {
         latestTimeWhenResponseIsConsideredFresh = now +
                                                   OCSP_Global.minimumSecondsToNextFetchAttempt *
                                                       MICROSECONDS_PER_SECOND;
         OCSP_TRACE_TIME("no thisUpdate, "
                         "latestTimeWhenResponseIsConsideredFresh:",
                         latestTimeWhenResponseIsConsideredFresh);
     }
 
@@ -815,18 +809,17 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheD
         return SECSuccess;
     }
 
     if (!cacheItem) {
         CERTOCSPCertID *myCertID;
         if (certIDWasConsumed) {
             myCertID = certID;
             *certIDWasConsumed = PR_TRUE;
-        }
-        else {
+        } else {
             myCertID = cert_DupOCSPCertID(certID);
             if (!myCertID) {
                 PR_ExitMonitor(OCSP_Global.monitor);
                 PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
                 return SECFailure;
             }
         }
 
@@ -844,23 +837,21 @@ ocsp_CreateOrUpdateCacheEntry(OCSPCacheD
         if (!cacheItem->haveThisUpdate ||
             (rv == SECSuccess && cacheItem->thisUpdate < thisUpdate)) {
             rv = ocsp_SetCacheItemResponse(cacheItem, single);
             if (rv != SECSuccess) {
                 ocsp_RemoveCacheItem(cache, cacheItem);
                 PR_ExitMonitor(OCSP_Global.monitor);
                 return rv;
             }
-        }
-        else {
+        } else {
             OCSP_TRACE(("Not caching response because the response is not "
                         "newer than the cache"));
         }
-    }
-    else {
+    } else {
         cacheItem->missingResponseError = PORT_GetError();
         if (cacheItem->certStatusArena) {
             PORT_FreeArena(cacheItem->certStatusArena, PR_FALSE);
             cacheItem->certStatusArena = NULL;
         }
     }
     ocsp_FreshenCacheItemNextFetchAttemptTime(cacheItem);
     ocsp_CheckCacheSize(cache);
@@ -897,21 +888,19 @@ CERT_OCSPCacheSettings(PRInt32 maxCacheE
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
     PR_EnterMonitor(OCSP_Global.monitor);
 
     if (maxCacheEntries < 0) {
         OCSP_Global.maxCacheEntries = -1; /* disable cache */
-    }
-    else if (maxCacheEntries == 0) {
+    } else if (maxCacheEntries == 0) {
         OCSP_Global.maxCacheEntries = 0; /* unlimited cache entries */
-    }
-    else {
+    } else {
         OCSP_Global.maxCacheEntries = maxCacheEntries;
     }
 
     if (minimumSecondsToNextFetchAttempt <
             OCSP_Global.minimumSecondsToNextFetchAttempt ||
         maximumSecondsToNextFetchAttempt <
             OCSP_Global.maximumSecondsToNextFetchAttempt) {
         /*
@@ -959,18 +948,17 @@ OCSP_InitGlobal(void)
                             ocsp_CacheKeyCompareFunction,
                             PL_CompareValues,
                             NULL,
                             NULL);
         OCSP_Global.ocspFailureMode = ocspMode_FailureIsVerificationFailure;
         OCSP_Global.cache.numberOfEntries = 0;
         OCSP_Global.cache.MRUitem = NULL;
         OCSP_Global.cache.LRUitem = NULL;
-    }
-    else {
+    } else {
         /*
          * NSS might call this function twice while attempting to init.
          * But it's not allowed to call this again after any activity.
          */
         PORT_Assert(OCSP_Global.cache.numberOfEntries == 0);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
     }
     if (OCSP_Global.cache.entries)
@@ -1618,18 +1606,17 @@ ocsp_DigestValue(PLArenaPool *arena, SEC
     }
 
     if (fill == NULL || fill->data == NULL) {
         result = SECITEM_AllocItem(arena, fill, digestObject->length);
         if (result == NULL) {
             goto loser;
         }
         digestBuff = result->data;
-    }
-    else {
+    } else {
         if (fill->len < digestObject->length) {
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             goto loser;
         }
         digestBuff = fill->data;
     }
 
     if (PK11_HashBuf(digestAlg, digestBuff,
@@ -1644,18 +1631,17 @@ ocsp_DigestValue(PLArenaPool *arena, SEC
     if (result == NULL) {
         result = fill;
     }
     return result;
 
 loser:
     if (arena != NULL) {
         PORT_ArenaRelease(arena, mark);
-    }
-    else {
+    } else {
         if (result != NULL) {
             SECITEM_FreeItem(result, (fill == NULL) ? PR_TRUE : PR_FALSE);
         }
     }
     return (NULL);
 }
 
 /*
@@ -2904,18 +2890,17 @@ ocsp_ParseURL(const char *url, char **pH
             c = *url;
         }
         len = url - save;
         path = PORT_Alloc(len + 1);
         if (path == NULL)
             goto loser;
         PORT_Memcpy(path, save, len);
         path[len] = '\0';
-    }
-    else {
+    } else {
         path = PORT_Strdup("/");
         if (path == NULL)
             goto loser;
     }
 
     *pHostname = hostname;
     *pPort = port;
     *pPath = path;
@@ -2970,18 +2955,17 @@ ocsp_ConnectToHost(const char *host, PRU
         hostIndex = 0;
         do {
             hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr);
             if (hostIndex <= 0)
                 goto loser;
         } while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS);
 
         PORT_Free(netdbbuf);
-    }
-    else {
+    } else {
         /*
 	 * First put the port into the address, then connect.
 	 */
         if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS)
             goto loser;
         if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS)
             goto loser;
     }
@@ -3049,18 +3033,17 @@ ocsp_SendEncodedRequest(const char *loca
             goto loser;
 
         /*
          * The NSPR documentation promises that if it can, it will write the full
          * amount; this will not return a partial value expecting us to loop.
          */
         if (PR_Write(sock, header, (PRInt32)PORT_Strlen(header)) < 0)
             goto loser;
-    }
-    else {
+    } else {
         header = PR_smprintf("POST %s HTTP/1.0\r\n"
                              "Host: %s%s\r\n"
                              "Content-Type: application/ocsp-request\r\n"
                              "Content-Length: %u\r\n\r\n",
                              path, hostname, portstr, encodedRequest->len);
         if (header == NULL)
             goto loser;
 
@@ -3106,18 +3089,17 @@ ocsp_read(PRFileDesc *fd, char *buf, int
         PRInt32 got;
 
         got = PR_Recv(fd, buf + total, (PRInt32)(toread - total), 0, timeout);
         if (got < 0) {
             if (0 == total) {
                 total = -1; /* report the error if we didn't read anything yet */
             }
             break;
-        }
-        else if (got == 0) { /* EOS */
+        } else if (got == 0) { /* EOS */
             break;
         }
 
         total += got;
     }
 
     return total;
 }
@@ -3183,18 +3165,17 @@ ocsp_GetEncodedResponse(PLArenaPool *are
             offset += bytesRead;
             *(inBuffer + offset) = '\0'; /* NULL termination */
             headerEnd = strstr((const char *)inBuffer + searchOffset, headerEndMark);
             if (bytesRead < bufSizeIncrement) {
                 /* we read less data than requested, therefore we are at
                    EOS or there was a read error */
                 EOS = PR_TRUE;
             }
-        }
-        else {
+        } else {
             /* recv error or EOS */
             EOS = PR_TRUE;
         }
     } while ((!headerEnd) && (PR_FALSE == EOS) &&
              (inBufsize < maxBufSize));
 
     if (!headerEnd) {
         AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
@@ -3255,25 +3236,23 @@ ocsp_GetEncodedResponse(PLArenaPool *are
         value++;
         thisHeaderEnd = strstr(value, CRLF);
         if (thisHeaderEnd) {
             *thisHeaderEnd = '\0';
         }
 
         if (0 == PORT_Strcasecmp(nextHeader, "content-type")) {
             contenttype = value;
-        }
-        else if (0 == PORT_Strcasecmp(nextHeader, "content-length")) {
+        } else if (0 == PORT_Strcasecmp(nextHeader, "content-length")) {
             contentlength = atoi(value);
         }
 
         if (thisHeaderEnd) {
             nextHeader = thisHeaderEnd + CRLFlen;
-        }
-        else {
+        } else {
             nextHeader = NULL;
         }
 
     } while (nextHeader && (nextHeader < (headerEnd + CRLFlen)));
 
     /* check content-type */
     if (!contenttype ||
         (0 != PORT_Strcasecmp(contenttype, "application/ocsp-response"))) {
@@ -3303,18 +3282,17 @@ ocsp_GetEncodedResponse(PLArenaPool *are
                               ocsptimeout);
         if (bytesRead > 0) {
             offset += bytesRead;
             if (bytesRead < bufSizeIncrement) {
                 /* we read less data than requested, therefore we are at
                    EOS or there was a read error */
                 EOS = PR_TRUE;
             }
-        }
-        else {
+        } else {
             /* recv error or EOS */
             EOS = PR_TRUE;
         }
     }
 
     if (0 == offset) {
         AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE);
     }
@@ -3638,21 +3616,19 @@ ocsp_GetEncodedOCSPResponseFromRequest(P
         goto loser;
 
     encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg);
     if (encodedRequest == NULL)
         goto loser;
 
     if (!strcmp(method, "GET")) {
         encodedResponse = cert_GetOCSPResponse(arena, location, encodedRequest);
-    }
-    else if (!strcmp(method, "POST")) {
+    } else if (!strcmp(method, "POST")) {
         encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest);
-    }
-    else {
+    } else {
         goto loser;
     }
 
     if (encodedResponse != NULL && pRequest != NULL) {
         *pRequest = request;
         request = NULL; /* avoid destroying below */
     }
 
@@ -3706,18 +3682,17 @@ cert_GetOCSPResponse(PLArenaPool *arena,
     urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL);
     getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded;
 
     /* urlEncodedBufLength already contains room for the zero terminator.
      * Add another if we must add the '/' char.
      */
     if (arena) {
         fullGetPath = (char *)PORT_ArenaAlloc(arena, getURLLength);
-    }
-    else {
+    } else {
         fullGetPath = (char *)PORT_Alloc(getURLLength);
     }
     if (!fullGetPath) {
         return NULL;
     }
 
     strcpy(fullGetPath, location);
     walkOutput = fullGetPath + pathLength;
@@ -3752,18 +3727,17 @@ cert_FetchOCSPResponse(PLArenaPool *aren
     registeredHttpClient = SEC_GetRegisteredHttpClient();
 
     if (registeredHttpClient && registeredHttpClient->version == 1) {
         encodedResponse = fetchOcspHttpClientV1(
             arena,
             &registeredHttpClient->fcnTable.ftable1,
             location,
             encodedRequest);
-    }
-    else {
+    } else {
         /* use internal http client */
         PRFileDesc *sock = ocsp_SendEncodedRequest(location, encodedRequest);
         if (sock) {
             encodedResponse = ocsp_GetEncodedResponse(arena, sock);
             PR_Close(sock);
         }
     }
 
@@ -3963,36 +3937,33 @@ ocsp_GetSignerCertificate(CERTCertDBHand
         if (arena != NULL) {
 
             rv = SEC_QuickDERDecodeItem(arena, &encodedName,
                                         ocsp_ResponderIDDerNameTemplate,
                                         crIndex);
             if (rv != SECSuccess) {
                 if (PORT_GetError() == SEC_ERROR_BAD_DER)
                     PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE);
-            }
-            else {
+            } else {
                 signerCert = CERT_FindCertByName(handle, &encodedName);
             }
             PORT_FreeArena(arena, PR_FALSE);
         }
-    }
-    else {
+    } else {
         /*
     	 * The signer is either 1) a known issuer CA we passed in,
     	 * 2) the default OCSP responder, or 3) an intermediate CA
     	 * passed in the cert list to use. Figure out which it is.
     	 */
         int i;
         CERTCertificate *responder =
             ocsp_CertGetDefaultResponder(handle, NULL);
         if (responder && ocsp_matchcert(certIndex, responder)) {
             signerCert = CERT_DupCertificate(responder);
-        }
-        else if (issuer && ocsp_matchcert(certIndex, issuer)) {
+        } else if (issuer && ocsp_matchcert(certIndex, issuer)) {
             signerCert = CERT_DupCertificate(issuer);
         }
         for (i = 0; (signerCert == NULL) && (i < certCount); i++) {
             if (ocsp_matchcert(certIndex, certs[i])) {
                 signerCert = CERT_DupCertificate(certs[i]);
             }
         }
         if (signerCert == NULL) {
@@ -4106,18 +4077,17 @@ CERT_VerifyOCSPResponseSignature(CERTOCS
     /*
      * If this signature has already gone through verification, just
      * return the cached result.
      */
     if (signature->wasChecked) {
         if (signature->status == SECSuccess) {
             if (pSignerCert != NULL)
                 *pSignerCert = CERT_DupCertificate(signature->cert);
-        }
-        else {
+        } else {
             PORT_SetError(signature->failureReason);
         }
         return signature->status;
     }
 
     signerCert = ocsp_GetSignerCertificate(handle, tbsData,
                                            signature, issuer);
     if (signerCert == NULL) {
@@ -4148,23 +4118,21 @@ CERT_VerifyOCSPResponseSignature(CERTOCS
         goto finish;
 
     /*
      * Just because we have a cert does not mean it is any good; check
      * it for validity, trust and usage.
      */
     if (ocsp_CertIsOCSPDefaultResponder(handle, signerCert)) {
         rv = SECSuccess;
-    }
-    else {
+    } else {
         SECCertUsage certUsage;
         if (CERT_IsCACert(signerCert, NULL)) {
             certUsage = certUsageAnyCA;
-        }
-        else {
+        } else {
             certUsage = certUsageStatusResponder;
         }
         rv = cert_VerifyCertWithFlags(handle, signerCert, PR_TRUE, certUsage,
                                       producedAt, CERT_VERIFYCERT_SKIP_OCSP,
                                       pwArg, NULL);
         if (rv != SECSuccess) {
             PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT);
             goto finish;
@@ -4178,18 +4146,17 @@ CERT_VerifyOCSPResponseSignature(CERTOCS
 finish:
     if (signature->wasChecked)
         signature->status = rv;
 
     if (rv != SECSuccess) {
         signature->failureReason = PORT_GetError();
         if (signerCert != NULL)
             CERT_DestroyCertificate(signerCert);
-    }
-    else {
+    } else {
         /*
     	 * Save signer's certificate in signature.
     	 */
         signature->cert = signerCert;
         if (pSignerCert != NULL) {
             /*
     	     * Pass pointer to signer's certificate back to our caller,
     	     * who is also now responsible for destroying it.
@@ -4667,18 +4634,17 @@ ocsp_VerifySingleResponse(CERTOCSPSingle
     if (single->nextUpdate != NULL) {
         rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate);
         if (rv != SECSuccess)
             return rv;
 
         LL_ADD(tmp, tmp, nextUpdate);
         if (LL_CMP(tmp, <, now) || LL_CMP(producedAt, >, nextUpdate))
             return ocsp_HandleOldSingleResponse(single, now);
-    }
-    else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) {
+    } else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) {
         return ocsp_HandleOldSingleResponse(single, now);
     }
 
     return SECSuccess;
 }
 
 /*
  * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation
@@ -4950,18 +4916,17 @@ ocsp_GetCachedOCSPResponseStatus(CERTOCS
         *cacheFreshness = ocsp_IsCacheItemFresh(cacheItem) ? ocspFresh
                                                            : ocspStale;
         /* having an arena means, we have a cached certStatus */
         if (cacheItem->certStatusArena) {
             *rvOcsp = ocsp_CertHasGoodStatus(&cacheItem->certStatus, time);
             if (*rvOcsp != SECSuccess) {
                 *missingResponseError = PORT_GetError();
             }
-        }
-        else {
+        } else {
             /*
              * No status cached, the previous attempt failed.
              * If OCSP is required, we never decide based on a failed attempt
              * However, if OCSP is optional, a recent OCSP failure is
              * an allowed good state.
              */
             if (*cacheFreshness == ocspFresh &&
                 !ignoreGlobalOcspFailureSetting &&
@@ -5073,31 +5038,29 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *h
     rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg,
                                        &certIDWasConsumed,
                                        &rvOcsp);
     if (rv != SECSuccess) {
         PRErrorCode err = PORT_GetError();
         if (ocsp_FetchingFailureIsVerificationFailure()) {
             PORT_SetError(err);
             rvOcsp = SECFailure;
-        }
-        else if (cachedResponseFreshness == ocspStale &&
-                 (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT ||
-                  cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) {
+        } else if (cachedResponseFreshness == ocspStale &&
+                   (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT ||
+                    cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) {
             /* If we couldn't get a response for a certificate that the OCSP
              * responder previously told us was bad, then assume it is still
              * bad until we hear otherwise, as it is very unlikely that the
              * certificate status has changed from "revoked" to "good" and it
              * is also unlikely that the certificate status has changed from
              * "unknown" to "good", except for some buggy OCSP responders.
              */
             PORT_SetError(cachedErrorCode);
             rvOcsp = SECFailure;
-        }
-        else {
+        } else {
             rvOcsp = SECSuccess;
         }
     }
     if (!certIDWasConsumed) {
         CERT_DestroyOCSPCertID(certID);
     }
     return rvOcsp;
 }
@@ -5262,18 +5225,17 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDB
 
     if (!OCSP_Global.monitor) {
         PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
         return SECFailure;
     }
     PR_EnterMonitor(OCSP_Global.monitor);
     if (OCSP_Global.forcePost) {
         currentStage = stagePOST;
-    }
-    else {
+    } else {
         currentStage = stageGET;
     }
     PR_ExitMonitor(OCSP_Global.monitor);
 
     /*
      * The first thing we need to do is find the location of the responder.
      * This will be the value of the default responder (if enabled), else
      * it will come out of the AIA extension in the cert (if present).
@@ -5322,18 +5284,17 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDB
     do {
         const char *method;
         PRBool validResponseWithAccurateInfo = PR_FALSE;
         retry = PR_FALSE;
         *rv_ocsp = SECFailure;
 
         if (currentStage == stageGET) {
             method = "GET";
-        }
-        else {
+        } else {
             PORT_Assert(currentStage == stagePOST);
             method = "POST";
         }
 
         encodedResponse =
             ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert,
                                                      location, method,
                                                      time, locationIsDefault,
@@ -5358,28 +5319,25 @@ ocsp_GetOCSPStatusFromNetwork(CERTCertDB
             }
         }
 
         if (currentStage == stageGET) {
             /* only accept GET response if good or revoked */
             if (validResponseWithAccurateInfo) {
                 ocsp_CacheSingleResponse(certID, singleResponse,
                                          certIDWasConsumed);
-            }
-            else {
+            } else {
                 retry = PR_TRUE;
                 currentStage = stagePOST;
             }
-        }
-        else {
+        } else {
             /* cache the POST respone, regardless of status */
             if (!singleResponse) {
                 cert_RememberOCSPProcessingFailure(certID, certIDWasConsumed);
-            }
-            else {
+            } else {
                 ocsp_CacheSingleResponse(certID, singleResponse,
                                          certIDWasConsumed);
             }
         }
 
         if (encodedResponse) {
             SECITEM_FreeItem(encodedResponse, PR_TRUE);
             encodedResponse = NULL;
@@ -5943,18 +5901,17 @@ CERT_SetOCSPDefaultResponder(CERTCertDBH
      * it will get re-found and set whenever use of a default responder is
      * enabled.
      */
     if (statusContext->defaultResponderCert != NULL) {
         CERT_DestroyCertificate(statusContext->defaultResponderCert);
         statusContext->defaultResponderCert = cert;
         /*OCSP enabled, switching responder: clear cache*/
         CERT_ClearOCSPCache();
-    }
-    else {
+    } else {
         PORT_Assert(statusContext->useDefaultResponder == PR_FALSE);
         CERT_DestroyCertificate(cert);
         /*OCSP currently not enabled, no need to clear cache*/
     }
 
     return SECSuccess;
 
 loser:
--- a/lib/certhigh/ocspsig.c
+++ b/lib/certhigh/ocspsig.c
@@ -455,26 +455,24 @@ CERT_CreateEncodedOCSPSuccessResponse(
 
         /* match the regular signature code, which doesn't use the arena */
         if (!SECITEM_AllocItem(NULL, &br->responseSignature.signature, 1))
             goto done;
         PORT_Memcpy(br->responseSignature.signature.data, &dummyChar, 1);
 
         /* convert len-in-bytes to len-in-bits */
         br->responseSignature.signature.len = br->responseSignature.signature.len << 3;
-    }
-    else {
+    } else {
         rid->responderIDType = responderIDType;
         if (responderIDType == ocspResponderID_byName) {
             responderIDTemplate = ocsp_ResponderIDByNameTemplate;
             if (CERT_CopyName(tmpArena, &rid->responderIDValue.name,
                               &responderCert->subject) != SECSuccess)
                 goto done;
-        }
-        else {
+        } else {
             responderIDTemplate = ocsp_ResponderIDByKeyTemplate;
             if (!CERT_GetSubjectPublicKeyDigest(tmpArena, responderCert,
                                                 SEC_OID_SHA1, &rid->responderIDValue.keyHash))
                 goto done;
         }
 
         if (!SEC_ASN1EncodeItem(tmpArena, &rd->derResponderID, rid,
                                 responderIDTemplate))
--- a/lib/ckfw/builtins/anchor.c
+++ b/lib/ckfw/builtins/anchor.c
@@ -8,10 +8,10 @@
  * This file "anchors" the actual cryptoki entry points in this module's
  * shared library, which is required for dynamic loading.  See the
  * comments in nssck.api for more information.
  */
 
 #include "builtins.h"
 
 #define MODULE_NAME builtins
-#define INSTANCE_NAME (NSSCKMDInstance *) & nss_builtins_mdInstance
+#define INSTANCE_NAME (NSSCKMDInstance *)&nss_builtins_mdInstance
 #include "nssck.api"
--- a/lib/ckfw/builtins/bfind.c
+++ b/lib/ckfw/builtins/bfind.c
@@ -121,18 +121,17 @@ builtins_attrmatch(
         }
         return CK_FALSE;
     }
 
     prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
 
     if (PR_TRUE == prb) {
         return CK_TRUE;
-    }
-    else {
+    } else {
         return CK_FALSE;
     }
 }
 
 static CK_BBOOL
 builtins_match(
     CK_ATTRIBUTE_PTR pTemplate,
     CK_ULONG ulAttributeCount,
@@ -142,18 +141,17 @@ builtins_match(
 
     for (i = 0; i < ulAttributeCount; i++) {
         CK_ULONG j;
 
         for (j = 0; j < o->n; j++) {
             if (o->types[j] == pTemplate[i].type) {
                 if (CK_FALSE == builtins_attrmatch(&pTemplate[i], &o->items[j])) {
                     return CK_FALSE;
-                }
-                else {
+                } else {
                     break;
                 }
             }
         }
 
         if (j == o->n) {
             /* Loop ran to the end: no matching attribute */
             return CK_FALSE;
--- a/lib/ckfw/capi/anchor.c
+++ b/lib/ckfw/capi/anchor.c
@@ -8,10 +8,10 @@
  * This file "anchors" the actual cryptoki entry points in this module's
  * shared library, which is required for dynamic loading.  See the
  * comments in nssck.api for more information.
  */
 
 #include "ckcapi.h"
 
 #define MODULE_NAME ckcapi
-#define INSTANCE_NAME (NSSCKMDInstance *) & nss_ckcapi_mdInstance
+#define INSTANCE_NAME (NSSCKMDInstance *)&nss_ckcapi_mdInstance
 #include "nssck.api"
--- a/lib/ckfw/capi/cfind.c
+++ b/lib/ckfw/capi/cfind.c
@@ -104,18 +104,17 @@ ckcapi_attrmatch(
         }
         return CK_FALSE;
     }
 
     prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
 
     if (PR_TRUE == prb) {
         return CK_TRUE;
-    }
-    else {
+    } else {
         return CK_FALSE;
     }
 }
 
 static CK_BBOOL
 ckcapi_match(
     CK_ATTRIBUTE_PTR pTemplate,
     CK_ULONG ulAttributeCount,
@@ -130,35 +129,33 @@ ckcapi_match(
     }
 
     /* Every attribute passed */
     return CK_TRUE;
 }
 
 #define CKAPI_ITEM_CHUNK 20
 
-#define PUT_Object(obj, err)                                                  \
-    {                                                                         \
-        if (count >= size) {                                                  \
-            *listp = *listp ?                                                 \
-                            nss_ZREALLOCARRAY(*listp, ckcapiInternalObject *, \
-                                              (size +                         \
-                                               CKAPI_ITEM_CHUNK))             \
-                            :                                                 \
-                            nss_ZNEWARRAY(NULL, ckcapiInternalObject *,       \
-                                          (size +                             \
-                                           CKAPI_ITEM_CHUNK));                \
-            if ((ckcapiInternalObject **)NULL == *listp) {                    \
-                err = CKR_HOST_MEMORY;                                        \
-                goto loser;                                                   \
-            }                                                                 \
-            size += CKAPI_ITEM_CHUNK;                                         \
-        }                                                                     \
-        (*listp)[count] = (obj);                                              \
-        count++;                                                              \
+#define PUT_Object(obj, err)                                                    \
+    {                                                                           \
+        if (count >= size) {                                                    \
+            *listp = *listp ? nss_ZREALLOCARRAY(*listp, ckcapiInternalObject *, \
+                                                (size +                         \
+                                                 CKAPI_ITEM_CHUNK))             \
+                            : nss_ZNEWARRAY(NULL, ckcapiInternalObject *,       \
+                                            (size +                             \
+                                             CKAPI_ITEM_CHUNK));                \
+            if ((ckcapiInternalObject **)NULL == *listp) {                      \
+                err = CKR_HOST_MEMORY;                                          \
+                goto loser;                                                     \
+            }                                                                   \
+            size += CKAPI_ITEM_CHUNK;                                           \
+        }                                                                       \
+        (*listp)[count] = (obj);                                                \
+        count++;                                                                \
     }
 
 /*
  * pass parameters back through the callback.
  */
 typedef struct BareCollectParamsStr {
     CK_OBJECT_CLASS objClass;
     CK_ATTRIBUTE_PTR pTemplate;
@@ -333,18 +330,17 @@ collect_class(
                         nss_ckcapi_WideToUTF8(keyProvInfo->pwszProvName);
                     nss_ZFreeIf(keyProvInfo);
 
                     if (provName &&
                         (strncmp(provName, "Microsoft", sizeof("Microsoft") -
                                                             1) != 0)) {
                         continue;
                     }
-                }
-                else {
+                } else {
                     int reason =
                         GetLastError();
                     /* we only care if it exists, we don't really need to fetch it yet */
                     nss_ZFreeIf(keyProvInfo);
                     if (reason ==
                         CRYPT_E_NOT_FOUND) {
                         continue;
                     }
@@ -370,18 +366,17 @@ collect_class(
             /* get a 'permanent' context */
             next->u.cert.certContext = CertDuplicateCertificateContext(certContext);
             next->objClass = objClass;
             next->u.cert.certContext = certContext;
             next->u.cert.hasID = hasID;
             next->u.cert.certStore = storeStr;
             PUT_Object(next, *pError);
             next = NULL; /* need to allocate a new one now */
-        }
-        else {
+        } else {
             /* don't cache the values we just loaded */
             memset(&next->u.cert, 0, sizeof(next->u.cert));
         }
     }
 loser:
     CertCloseStore(hStore, 0);
     nss_ZFreeIf(next);
     *sizep = size;
--- a/lib/ckfw/capi/cobject.c
+++ b/lib/ckfw/capi/cobject.c
@@ -466,18 +466,17 @@ nss_ckcapi_FetchKeyContainer(
                 rc =
                     CryptAcquireContext(hProv,
                                         ko->containerName,
                                         ko->provName,
                                         ko->provInfo.dwProvType, 0);
                 if (!rc) {
                     goto loser;
                 }
-            }
-            else {
+            } else {
                 *hProv =
                     ko->hProv;
             }
             *keySpec = ko->provInfo.dwKeySpec;
             break;
     }
 
     /* and get the crypto handle */
@@ -679,18 +678,17 @@ loser:
 }
 
 void
 ckcapi_PopulateModulusExponent(
     ckcapiInternalObject *io)
 {
     if (ckcapiCert == io->type) {
         ckcapi_CertPopulateModulusExponent(io);
-    }
-    else {
+    } else {
         ckcapi_FetchPublicKey(io);
     }
     return;
 }
 
 /*
  * fetch the friendly name attribute.
  * can only be called with ckcapiCert type objects!
@@ -708,18 +706,17 @@ ckcapi_FetchLabel(
     BOOL rv;
 
     rv = CertGetCertificateContextProperty(certContext,
                                            CERT_FRIENDLY_NAME_PROP_ID, labelDataUTF16, &size);
     if (rv) {
         co->labelData = nss_ckcapi_WideToUTF8((LPCWSTR)labelDataUTF16);
         if ((CHAR *)NULL == co->labelData) {
             rv = 0;
-        }
-        else {
+        } else {
             size = strlen(co->labelData);
         }
     }
     label = co->labelData;
     /* we are presuming a user cert, make sure it has a nickname, even if
      * Microsoft never gave it one */
     if (!rv && co->hasID) {
         DWORD mserror = GetLastError();
@@ -857,18 +854,17 @@ ckcapi_KeyFetchHashKey(
  * fetch the hash key.
  */
 void
 ckcapi_FetchHashKey(
     ckcapiInternalObject *io)
 {
     if (ckcapiCert == io->type) {
         ckcapi_CertFetchHashKey(io);
-    }
-    else {
+    } else {
         ckcapi_KeyFetchHashKey(io);
     }
     return;
 }
 
 const NSSItem *
 ckcapi_FetchCertAttribute(
     ckcapiInternalObject *io,
@@ -1331,35 +1327,33 @@ ckcapi_mdObject_Destroy(
         }
         certContext = CertFindCertificateInStore(hStore, X509_ASN_ENCODING, 0,
                                                  CERT_FIND_EXISTING, io->u.cert.certContext, NULL);
         if ((PCCERT_CONTEXT)NULL == certContext) {
             rc = 0;
             goto loser;
         }
         rc = CertDeleteCertificateFromStore(certContext);
-    }
-    else {
+    } else {
         char *provName = NULL;
         char *containerName = NULL;
         HCRYPTPROV hProv;
         CRYPT_HASH_BLOB msKeyID;
 
         if (0 == io->id.size) {
             ckcapi_FetchID(io);
         }
 
         if (isCertType) {
             CRYPT_KEY_PROV_INFO *provInfo = ckcapi_cert_getProvInfo(io);
             provName = nss_ckcapi_WideToUTF8(provInfo->pwszProvName);
             containerName = nss_ckcapi_WideToUTF8(provInfo->pwszContainerName);
             provType = provInfo->dwProvType;
             nss_ZFreeIf(provInfo);
-        }
-        else {
+        } else {
             provName = io->u.key.provName;
             containerName = io->u.key.containerName;
             provType = io->u.key.provInfo.dwProvType;
             io->u.key.provName = NULL;
             io->u.key.containerName = NULL;
         }
         /* first remove the key id pointer */
         msKeyID.cbData = io->id.size;
@@ -1456,18 +1450,17 @@ ckcapi_mdObject_GetAttributeTypes(
         mdObject, fwObject, mdSession, fwSession,
         mdToken, fwToken, mdInstance, fwInstance, &error);
 
     if (size != ulCount) {
         return CKR_BUFFER_TOO_SMALL;
     }
     if (io->type == ckcapiRaw) {
         attrs = io->u.raw.types;
-    }
-    else
+    } else
         switch (io->objClass) {
             case CKO_CERTIFICATE:
                 attrs =
                     certAttrs;
                 break;
             case CKO_PUBLIC_KEY:
                 attrs =
                     pubKeyAttrs;
@@ -1608,18 +1601,17 @@ nss_ckcapi_CreateMDObject(
 
         if (key->size == 0) {
             ckcapi_FetchHashKey(io);
         }
         old_o = (ckcapiInternalObject *)
             nssHash_Lookup(ckcapiInternalObjectHash, key);
         if (!old_o) {
             nssHash_Add(ckcapiInternalObjectHash, key, io);
-        }
-        else if (old_o != io) {
+        } else if (old_o != io) {
             nss_ckcapi_DestroyInternalObject(io);
             io = old_o;
         }
     }
 
     if ((void *)NULL == io->mdObject.etc) {
         (void)nsslibc_memcpy(&io->mdObject, &ckcapi_prototype_mdObject,
                              sizeof(ckcapi_prototype_mdObject));
@@ -1746,25 +1738,22 @@ nss_ckcapi_CreateCertificate(
                                                0, &msKeyID);
         if (!rc) {
             msError = GetLastError();
             *pError = CKR_DEVICE_ERROR;
             goto loser;
         }
 
         /* does it look like a CA */
-    }
-    else if (ckcapi_cert_isCA(certContext)) {
+    } else if (ckcapi_cert_isCA(certContext)) {
         storeStr = ckcapi_cert_isRoot(certContext) ? "CA" : "Root";
         /* does it look like an S/MIME cert */
-    }
-    else if (ckcapi_cert_hasEmail(certContext)) {
+    } else if (ckcapi_cert_hasEmail(certContext)) {
         storeStr = "AddressBook";
-    }
-    else {
+    } else {
         /* just pick a store */
         storeStr = "CA";
     }
 
     /* get the nickname, not an error if we can't find it */
     nickname = nss_ckcapi_GetStringAttribute(CKA_LABEL, pTemplate,
                                              ulAttributeCount, &dummy);
     if (nickname) {
@@ -2218,22 +2207,20 @@ nss_ckcapi_CreateObject(
     if (objClass == CKO_PUBLIC_KEY) {
         return CKR_OK; /* fake public key creation, happens as a side effect of
                         * private key creation */
     }
 #endif
     if (objClass == CKO_CERTIFICATE) {
         io = nss_ckcapi_CreateCertificate(fwSession, pTemplate,
                                           ulAttributeCount, pError);
-    }
-    else if (objClass == CKO_PRIVATE_KEY) {
+    } else if (objClass == CKO_PRIVATE_KEY) {
         io = nss_ckcapi_CreatePrivateKey(fwSession, pTemplate,
                                          ulAttributeCount, pError);
-    }
-    else {
+    } else {
         *pError = CKR_ATTRIBUTE_VALUE_INVALID;
     }
 
     if ((ckcapiInternalObject *)NULL == io) {
         return (NSSCKMDObject *)NULL;
     }
     return nss_ckcapi_CreateMDObject(NULL, io, pError);
 }
--- a/lib/ckfw/dbm/anchor.c
+++ b/lib/ckfw/dbm/anchor.c
@@ -8,10 +8,10 @@
  * This file "anchors" the actual cryptoki entry points in this module's
  * shared library, which is required for dynamic loading.  See the
  * comments in nssck.api for more information.
  */
 
 #include "ckdbm.h"
 
 #define MODULE_NAME dbm
-#define INSTANCE_NAME (NSSCKMDInstance *) & nss_dbm_mdInstance
+#define INSTANCE_NAME (NSSCKMDInstance *)&nss_dbm_mdInstance
 #include "nssck.api"
--- a/lib/ckfw/dbm/db.c
+++ b/lib/ckfw/dbm/db.c
@@ -89,27 +89,25 @@ nss_dbm_db_get_format_version(
         }
 
         dbrv = db->db->get(db->db, &k, &v, 0);
         if (dbrv == 0) {
             CK_ULONG major = 0, minor = 0;
             (void)PR_sscanf(v.data, "%ld.%ld", &major, &minor);
             rv.major = major;
             rv.minor = minor;
-        }
-        else if (dbrv > 0) {
+        } else if (dbrv > 0) {
             (void)PR_snprintf(buffer, sizeof(buffer), "%ld.%ld", nss_dbm_db_format_version.major,
                               nss_dbm_db_format_version.minor);
             v.data = buffer;
             v.size = nssUTF8_Size((NSSUTF8 *)v.data, (PRStatus *)NULL);
             dbrv = db->db->put(db->db, &k, &v, 0);
             (void)db->db->sync(db->db, 0);
             rv = nss_dbm_db_format_version;
-        }
-        else {
+        } else {
             /* No error return.. */
             ;
         }
 
         (void)NSSCKFWMutex_Unlock(db->crustylock);
     }
 
     return rv;
@@ -172,22 +170,20 @@ nss_dbm_db_get_label(
         }
 
         dbrv = db->db->get(db->db, &k, &v, 0);
         if (0 == dbrv) {
             rv = nssUTF8_Duplicate((NSSUTF8 *)v.data, arena);
             if ((NSSUTF8 *)NULL == rv) {
                 *pError = CKR_HOST_MEMORY;
             }
-        }
-        else if (dbrv > 0) {
+        } else if (dbrv > 0) {
             /* Just return null */
             ;
-        }
-        else {
+        } else {
             *pError = CKR_DEVICE_ERROR;
             ;
         }
 
         (void)NSSCKFWMutex_Unlock(db->crustylock);
     }
 
     return rv;
@@ -251,21 +247,19 @@ nss_dbm_db_new_handle(
         k.data = PREFIX_METADATA "LastID";
         k.size = nssUTF8_Size((NSSUTF8 *)k.data, (PRStatus *)NULL);
         (void)memset(&v, 0, sizeof(v));
 
         rv = db->db->get(db->db, &k, &v, 0);
         if (0 == rv) {
             (void)memcpy(&align, v.data, sizeof(CK_ULONG));
             id = ntohl(align);
-        }
-        else if (rv > 0) {
+        } else if (rv > 0) {
             id = 0;
-        }
-        else {
+        } else {
             goto done;
         }
 
         myid = id;
         id++;
         align = htonl(id);
         v.data = &align;
         v.size = sizeof(CK_ULONG);
@@ -757,18 +751,17 @@ nss_dbm_db_object_still_exists(
     ckrv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
     if (CKR_OK != ckrv) {
         return CK_FALSE;
     }
 
     dbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
     if (0 == dbrv) {
         rv = CK_TRUE;
-    }
-    else {
+    } else {
         rv = CK_FALSE;
     }
 
     (void)NSSCKFWMutex_Unlock(dbt->my_db->crustylock);
 
     return rv;
 }
 
@@ -787,22 +780,20 @@ nss_dbm_db_get_object_attribute_count(
         *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
         if (CKR_OK != *pError) {
             return rv;
         }
 
         *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
         if (0 == *pdbrv) {
             ;
-        }
-        else if (*pdbrv > 0) {
+        } else if (*pdbrv > 0) {
             *pError = CKR_OBJECT_HANDLE_INVALID;
             goto done;
-        }
-        else {
+        } else {
             *pError = CKR_DEVICE_ERROR;
             goto done;
         }
 
         pulData = (CK_ULONG *)object.data;
         rv = ntohl(pulData[0]);
 
     done:
@@ -829,22 +820,20 @@ nss_dbm_db_get_object_attribute_types(
         rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
         if (CKR_OK != rv) {
             return rv;
         }
 
         *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
         if (0 == *pdbrv) {
             ;
-        }
-        else if (*pdbrv > 0) {
+        } else if (*pdbrv > 0) {
             rv = CKR_OBJECT_HANDLE_INVALID;
             goto done;
-        }
-        else {
+        } else {
             rv = CKR_DEVICE_ERROR;
             goto done;
         }
 
         pulData = (CK_ULONG *)object.data;
         n = ntohl(pulData[0]);
 
         if (ulCount < n) {
@@ -880,33 +869,30 @@ nss_dbm_db_get_object_attribute_size(
         *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
         if (CKR_OK != *pError) {
             return rv;
         }
 
         *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
         if (0 == *pdbrv) {
             ;
-        }
-        else if (*pdbrv > 0) {
+        } else if (*pdbrv > 0) {
             *pError = CKR_OBJECT_HANDLE_INVALID;
             goto done;
-        }
-        else {
+        } else {
             *pError = CKR_DEVICE_ERROR;
             goto done;
         }
 
         pulData = (CK_ULONG *)object.data;
         n = ntohl(pulData[0]);
 
         for (i = 0; i < n; i++) {
             if (type == ntohl(pulData[1 + i * 3])) {
-                rv = ntohl(pulData[2 + i *
-                                           3]);
+                rv = ntohl(pulData[2 + i * 3]);
             }
         }
 
         if (i == n) {
             *pError = CKR_ATTRIBUTE_TYPE_INVALID;
             goto done;
         }
 
@@ -937,22 +923,20 @@ nss_dbm_db_get_object_attribute(
         *pError = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
         if (CKR_OK != *pError) {
             goto loser;
         }
 
         *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
         if (0 == *pdbrv) {
             ;
-        }
-        else if (*pdbrv > 0) {
+        } else if (*pdbrv > 0) {
             *pError = CKR_OBJECT_HANDLE_INVALID;
             goto done;
-        }
-        else {
+        } else {
             *pError = CKR_DEVICE_ERROR;
             goto done;
         }
 
         *pError = nss_dbm_db_unwrap_object(tmp, &object, &pTemplate, &ulAttributeCount);
         if (CKR_OK != *pError) {
             goto done;
         }
@@ -1012,22 +996,20 @@ nss_dbm_db_set_object_attribute(
         rv = NSSCKFWMutex_Lock(dbt->my_db->crustylock);
         if (CKR_OK != rv) {
             goto loser;
         }
 
         *pdbrv = dbt->my_db->db->get(dbt->my_db->db, &dbt->dbt, &object, 0);
         if (0 == *pdbrv) {
             ;
-        }
-        else if (*pdbrv > 0) {
+        } else if (*pdbrv > 0) {
             rv = CKR_OBJECT_HANDLE_INVALID;
             goto done;
-        }
-        else {
+        } else {
             rv = CKR_DEVICE_ERROR;
             goto done;
         }
 
         rv = nss_dbm_db_unwrap_object(tmp, &object, &pTemplate, &ulAttributeCount);
         if (CKR_OK != rv) {
             goto done;
         }
--- a/lib/ckfw/dbm/slot.c
+++ b/lib/ckfw/dbm/slot.c
@@ -70,18 +70,17 @@ nss_dbm_mdSlot_GetTokenPresent(
     NSSCKFWSlot *fwSlot,
     NSSCKMDInstance *mdInstance,
     NSSCKFWInstance *fwInstance)
 {
     nss_dbm_slot_t *slot = (nss_dbm_slot_t *)mdSlot->etc;
 
     if ((nss_dbm_db_t *)NULL == slot->token_db) {
         return CK_FALSE;
-    }
-    else {
+    } else {
         return CK_TRUE;
     }
 }
 
 static CK_BBOOL
 nss_dbm_mdSlot_GetRemovableDevice(
     NSSCKMDSlot *mdSlot,
     NSSCKFWSlot *fwSlot,
--- a/lib/ckfw/dbm/token.c
+++ b/lib/ckfw/dbm/token.c
@@ -145,18 +145,17 @@ nss_dbm_mdToken_GetIsWriteProtected(
     NSSCKFWToken *fwToken,
     NSSCKMDInstance *mdInstance,
     NSSCKFWInstance *fwInstance)
 {
     nss_dbm_token_t *token = (nss_dbm_token_t *)mdToken->etc;
 
     if (token->slot->flags & O_RDWR) {
         return CK_FALSE;
-    }
-    else {
+    } else {
         return CK_TRUE;
     }
 }
 
 /* GetLoginRequired defaults to CK_FALSE */
 /* GetUserPinInitialized defaults to CK_FALSE */
 /* GetRestoreKeyNotNeeded is irrelevant */
 /* GetHasClockOnToken defaults to CK_FALSE */
--- a/lib/ckfw/find.c
+++ b/lib/ckfw/find.c
@@ -265,18 +265,17 @@ nssCKFWFindObjects_Next(
                 }
 
                 /* All done. */
                 fwFindObjects->mdfo1->Final(fwFindObjects->mdfo1, fwFindObjects,
                                             fwFindObjects->mdSession, fwFindObjects->fwSession,
                                             fwFindObjects->mdToken, fwFindObjects->fwToken,
                                             fwFindObjects->mdInstance, fwFindObjects->fwInstance);
                 fwFindObjects->mdfo1 = (NSSCKMDFindObjects *)NULL;
-            }
-            else {
+            } else {
                 goto wrap;
             }
         }
     }
 
     if (fwFindObjects->mdfo2) {
         if (fwFindObjects->mdfo2->Next) {
             fwFindObjects->mdFindObjects = fwFindObjects->mdfo2;
@@ -291,18 +290,17 @@ nssCKFWFindObjects_Next(
                 }
 
                 /* All done. */
                 fwFindObjects->mdfo2->Final(fwFindObjects->mdfo2, fwFindObjects,
                                             fwFindObjects->mdSession, fwFindObjects->fwSession,
                                             fwFindObjects->mdToken, fwFindObjects->fwToken,
                                             fwFindObjects->mdInstance, fwFindObjects->fwInstance);
                 fwFindObjects->mdfo2 = (NSSCKMDFindObjects *)NULL;
-            }
-            else {
+            } else {
                 goto wrap;
             }
         }
     }
 
     /* No more objects */
     *pError = CKR_OK;
     goto done;
--- a/lib/ckfw/hash.c
+++ b/lib/ckfw/hash.c
@@ -130,18 +130,17 @@ nssCKFWHash_Add(
     error = nssCKFWMutex_Lock(hash->mutex);
     if (CKR_OK != error) {
         return error;
     }
 
     he = PL_HashTableAdd(hash->plHashTable, key, (void *)value);
     if (!he) {
         error = CKR_HOST_MEMORY;
-    }
-    else {
+    } else {
         hash->count++;
     }
 
     (void)nssCKFWMutex_Unlock(hash->mutex);
 
     return error;
 }
 
@@ -206,18 +205,17 @@ nssCKFWHash_Exists(
     }
 
     value = PL_HashTableLookup(hash->plHashTable, it);
 
     (void)nssCKFWMutex_Unlock(hash->mutex);
 
     if (!value) {
         return CK_FALSE;
-    }
-    else {
+    } else {
         return CK_TRUE;
     }
 }
 
 /*
  * nssCKFWHash_Lookup
  *
  */
--- a/lib/ckfw/instance.c
+++ b/lib/ckfw/instance.c
@@ -185,23 +185,21 @@ nssCKFWInstance_Create(
     fwInstance->mdInstance = mdInstance;
 
     fwInstance->LockingState = LockingState;
     if ((CK_C_INITIALIZE_ARGS_PTR)NULL != pInitArgs) {
         fwInstance->initArgs = *pInitArgs;
         fwInstance->pInitArgs = &fwInstance->initArgs;
         if (pInitArgs->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS) {
             fwInstance->mayCreatePthreads = CK_FALSE;
-        }
-        else {
+        } else {
             fwInstance->mayCreatePthreads = CK_TRUE;
         }
         fwInstance->configurationData = (NSSUTF8 *)(pInitArgs->pReserved);
-    }
-    else {
+    } else {
         fwInstance->mayCreatePthreads = CK_TRUE;
     }
 
     fwInstance->mutex = nssCKFWMutex_Create(pInitArgs, LockingState, arena,
                                             pError);
     if (!fwInstance->mutex) {
         if (CKR_OK == *pError) {
             *pError = CKR_GENERAL_ERROR;
@@ -216,18 +214,17 @@ nssCKFWInstance_Create(
         }
 
         called_Initialize = CK_TRUE;
     }
 
     if (mdInstance->ModuleHandlesSessionObjects) {
         fwInstance->moduleHandlesSessionObjects =
             mdInstance->ModuleHandlesSessionObjects(mdInstance, fwInstance);
-    }
-    else {
+    } else {
         fwInstance->moduleHandlesSessionObjects = CK_FALSE;
     }
 
     if (!mdInstance->GetNSlots) {
         /* That routine is required */
         *pError = CKR_GENERAL_ERROR;
         goto loser;
     }
@@ -874,18 +871,17 @@ nssCKFWInstance_GetCryptokiVersion(
         (0 != fwInstance->cryptokiVersion.minor)) {
         rv = fwInstance->cryptokiVersion;
         goto done;
     }
 
     if (fwInstance->mdInstance->GetCryptokiVersion) {
         fwInstance->cryptokiVersion = fwInstance->mdInstance->GetCryptokiVersion(
             fwInstance->mdInstance, fwInstance);
-    }
-    else {
+    } else {
         fwInstance->cryptokiVersion.major = 2;
         fwInstance->cryptokiVersion.minor = 1;
     }
 
     rv = fwInstance->cryptokiVersion;
 
 done:
     (void)nssCKFWMutex_Unlock(fwInstance->mutex);
@@ -921,18 +917,17 @@ nssCKFWInstance_GetManufacturerID(
 
     if (!fwInstance->manufacturerID) {
         if (fwInstance->mdInstance->GetManufacturerID) {
             fwInstance->manufacturerID = fwInstance->mdInstance->GetManufacturerID(
                 fwInstance->mdInstance, fwInstance, &error);
             if ((!fwInstance->manufacturerID) && (CKR_OK != error)) {
                 goto done;
             }
-        }
-        else {
+        } else {
             fwInstance->manufacturerID = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwInstance->manufacturerID, (char *)manufacturerID, 32, ' ');
     error = CKR_OK;
 
 done:
@@ -987,18 +982,17 @@ nssCKFWInstance_GetLibraryDescription(
 
     if (!fwInstance->libraryDescription) {
         if (fwInstance->mdInstance->GetLibraryDescription) {
             fwInstance->libraryDescription = fwInstance->mdInstance->GetLibraryDescription(
                 fwInstance->mdInstance, fwInstance, &error);
             if ((!fwInstance->libraryDescription) && (CKR_OK != error)) {
                 goto done;
             }
-        }
-        else {
+        } else {
             fwInstance->libraryDescription = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwInstance->libraryDescription, (char *)libraryDescription, 32, ' ');
     error = CKR_OK;
 
 done:
@@ -1032,18 +1026,17 @@ nssCKFWInstance_GetLibraryVersion(
         (0 != fwInstance->libraryVersion.minor)) {
         rv = fwInstance->libraryVersion;
         goto done;
     }
 
     if (fwInstance->mdInstance->GetLibraryVersion) {
         fwInstance->libraryVersion = fwInstance->mdInstance->GetLibraryVersion(
             fwInstance->mdInstance, fwInstance);
-    }
-    else {
+    } else {
         fwInstance->libraryVersion.major = 0;
         fwInstance->libraryVersion.minor = 3;
     }
 
     rv = fwInstance->libraryVersion;
 done:
     (void)nssCKFWMutex_Unlock(fwInstance->mutex);
     return rv;
--- a/lib/ckfw/nssmkey/manchor.c
+++ b/lib/ckfw/nssmkey/manchor.c
@@ -8,10 +8,10 @@
  * This file "anchors" the actual cryptoki entry points in this module's
  * shared library, which is required for dynamic loading.  See the
  * comments in nssck.api for more information.
  */
 
 #include "ckmk.h"
 
 #define MODULE_NAME ckmk
-#define INSTANCE_NAME (NSSCKMDInstance *) & nss_ckmk_mdInstance
+#define INSTANCE_NAME (NSSCKMDInstance *)&nss_ckmk_mdInstance
 #include "nssck.api"
--- a/lib/ckfw/nssmkey/mfind.c
+++ b/lib/ckfw/nssmkey/mfind.c
@@ -105,18 +105,17 @@ ckmk_attrmatch(
         }
         return CK_FALSE;
     }
 
     prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
 
     if (PR_TRUE == prb) {
         return CK_TRUE;
-    }
-    else {
+    } else {
         return CK_FALSE;
     }
 }
 
 static CK_BBOOL
 ckmk_match(
     CK_ATTRIBUTE_PTR pTemplate,
     CK_ULONG ulAttributeCount,
@@ -131,35 +130,33 @@ ckmk_match(
     }
 
     /* Every attribute passed */
     return CK_TRUE;
 }
 
 #define CKMK_ITEM_CHUNK 20
 
-#define PUT_OBJECT(obj, err, size, count, list)                           \
-    {                                                                     \
-        if (count >= size) {                                              \
-            (list) = (list) ?                                             \
-                            nss_ZREALLOCARRAY(list, ckmkInternalObject *, \
-                                              ((size) +                   \
-                                               CKMK_ITEM_CHUNK))          \
-                            :                                             \
-                            nss_ZNEWARRAY(NULL, ckmkInternalObject *,     \
-                                          ((size) +                       \
-                                           CKMK_ITEM_CHUNK));             \
-            if ((ckmkInternalObject **)NULL == list) {                    \
-                err = CKR_HOST_MEMORY;                                    \
-                goto loser;                                               \
-            }                                                             \
-            (size) += CKMK_ITEM_CHUNK;                                    \
-        }                                                                 \
-        (list)[count] = (obj);                                            \
-        count++;                                                          \
+#define PUT_OBJECT(obj, err, size, count, list)                             \
+    {                                                                       \
+        if (count >= size) {                                                \
+            (list) = (list) ? nss_ZREALLOCARRAY(list, ckmkInternalObject *, \
+                                                ((size) +                   \
+                                                 CKMK_ITEM_CHUNK))          \
+                            : nss_ZNEWARRAY(NULL, ckmkInternalObject *,     \
+                                            ((size) +                       \
+                                             CKMK_ITEM_CHUNK));             \
+            if ((ckmkInternalObject **)NULL == list) {                      \
+                err = CKR_HOST_MEMORY;                                      \
+                goto loser;                                                 \
+            }                                                               \
+            (size) += CKMK_ITEM_CHUNK;                                      \
+        }                                                                   \
+        (list)[count] = (obj);                                              \
+        count++;                                                            \
     }
 
 /* find all the certs that represent the appropriate object (cert, priv key, or
  *  pub key) in the cert store.
  */
 static PRUint32
 collect_class(
     CK_OBJECT_CLASS objClass,
@@ -196,18 +193,17 @@ collect_class(
         next->u.item.itemRef = itemRef;
         next->u.item.itemClass = itemClass;
 
         /* see if this is one of the objects we are looking for */
         if (CK_TRUE == ckmk_match(pTemplate, ulAttributeCount, next)) {
             /* yes, put it on the list */
             PUT_OBJECT(next, *pError, *sizep, count, *listp);
             next = NULL; /* this one is on the list, need to allocate a new one now */
-        }
-        else {
+        } else {
             /* no , release the current item and clear out the structure for reuse */
             CFRelease(itemRef);
             /* don't cache the values we just loaded */
             nsslibc_memset(next, 0, sizeof(*next));
         }
     }
 loser:
     if (searchRef) {
--- a/lib/ckfw/nssmkey/mobject.c
+++ b/lib/ckfw/nssmkey/mobject.c
@@ -317,18 +317,17 @@ ckmk_encodeInt(NSSItem *dest, void *src,
     encLen = 1 + lenLen + dataLen;
     data = nss_ZNEWARRAY(NULL, unsigned char, encLen);
     if ((unsigned char *)NULL == data) {
         return CKR_HOST_MEMORY;
     }
     data[0] = DER_INTEGER;
     if (1 == lenLen) {
         data[1] = dataLen;
-    }
-    else {
+    } else {
         data[1] = 0x80 + lenLen;
         for (i = 0; i < lenLen; i++) {
             data[i + 1] = ((dataLen >> ((lenLen -
                                          i - 1) *
                                         8)) &
                            0xff);
         }
     }
@@ -500,17 +499,17 @@ loser:
 #define CKMK_HANDLE_ITEM(func, io, type, loc, item, error, str) \
     if (0 == (item)->loc.size) {                                \
         error = func(io, type, &(item)->loc, str);              \
     }                                                           \
     return (CKR_OK == (error)) ? &(item)->loc : NULL;
 
 #define CKMK_HANDLE_OPT_ITEM(func, io, type, loc, item, error, str) \
     if (0 == (item)->loc.size) {                                    \
-        (void) func(io, type, &(item)->loc, str);                   \
+        (void)func(io, type, &(item)->loc, str);                    \
     }                                                               \
     return &(item)->loc;
 
 #define CKMK_HANDLE_BOOL_ITEM(io, type, loc, item, error, str) \
     CKMK_HANDLE_ITEM(ckmk_GetBoolAttribute, io, type, loc, item, error, str)
 #define CKMK_HANDLE_DATA_ITEM(io, type, loc, item, error, str) \
     CKMK_HANDLE_ITEM(ckmk_GetDataAttribute, io, type, loc, item, error, str)
 #define CKMK_HANDLE_OPT_DATA_ITEM(io, type, loc, item, error, str) \
@@ -523,18 +522,17 @@ static void
 ckmk_FetchHashKey(
     ckmkInternalObject *io)
 {
     NSSItem *key = &io->hashKey;
 
     if (io->objClass == CKO_CERTIFICATE) {
         ckmk_GetCommonAttribute(io, kSecCertEncodingItemAttr,
                                 PR_TRUE, key, "Fetching HashKey (cert)");
-    }
-    else {
+    } else {
         ckmk_GetCommonAttribute(io, kSecKeyLabel,
                                 PR_FALSE, key, "Fetching HashKey (key)");
     }
 }
 
 /*
  * Apple mucks with the actual subject and issuer, so go fetch
  * the real ones ourselves.
@@ -987,18 +985,17 @@ ckmk_mdObject_GetAttributeTypes(
         mdObject, fwObject, mdSession, fwSession,
         mdToken, fwToken, mdInstance, fwInstance, &error);
 
     if (size != ulCount) {
         return CKR_BUFFER_TOO_SMALL;
     }
     if (io->type == ckmkRaw) {
         attrs = io->u.raw.types;
-    }
-    else
+    } else
         switch (io->objClass) {
             case CKO_CERTIFICATE:
                 attrs =
                     certAttrs;
                 break;
             case CKO_PUBLIC_KEY:
                 attrs =
                     pubKeyAttrs;
@@ -1179,18 +1176,17 @@ nss_ckmk_CreateMDObject(
 
         if (key->size == 0) {
             ckmk_FetchHashKey(io);
         }
         old_o = (ckmkInternalObject *)
             nssHash_Lookup(ckmkInternalObjectHash, key);
         if (!old_o) {
             nssHash_Add(ckmkInternalObjectHash, key, io);
-        }
-        else if (old_o != io) {
+        } else if (old_o != io) {
             nss_ckmk_DestroyInternalObject(io);
             io = old_o;
         }
     }
 
     if ((void *)NULL == io->mdObject.etc) {
         (void)nsslibc_memcpy(&io->mdObject, &ckmk_prototype_mdObject,
                              sizeof(ckmk_prototype_mdObject));
@@ -1780,18 +1776,17 @@ nss_ckmk_CreatePrivateKey(
         itemdump("key id: ", keyID.data, keyID.size, error);
 #endif
     }
     nickname = nss_ckmk_GetStringAttribute(CKA_LABEL, pTemplate,
                                            ulAttributeCount, &error);
     if (nickname) {
         ckmk_updateAttribute(itemRef, kSecKeyPrintName, nickname,
                              strlen(nickname) + 1, "Modify Key Label");
-    }
-    else {
+    } else {
 #define DEFAULT_NICKNAME "NSS Imported Key"
         ckmk_updateAttribute(itemRef, kSecKeyPrintName, DEFAULT_NICKNAME,
                              sizeof(DEFAULT_NICKNAME), "Modify Key Label");
     }
 
     io = nss_ckmk_NewInternalObject(CKO_PRIVATE_KEY, itemRef,
                                     CSSM_DL_DB_RECORD_PRIVATE_KEY, pError);
     if ((ckmkInternalObject *)NULL == io) {
@@ -1847,22 +1842,20 @@ nss_ckmk_CreateObject(
     if (objClass == CKO_PUBLIC_KEY) {
         return CKR_OK; /* fake public key creation, happens as a side effect of
                         * private key creation */
     }
 #endif
     if (objClass == CKO_CERTIFICATE) {
         io = nss_ckmk_CreateCertificate(fwSession, pTemplate,
                                         ulAttributeCount, pError);
-    }
-    else if (objClass == CKO_PRIVATE_KEY) {
+    } else if (objClass == CKO_PRIVATE_KEY) {
         io = nss_ckmk_CreatePrivateKey(fwSession, pTemplate,
                                        ulAttributeCount, pError);
-    }
-    else {
+    } else {
         *pError = CKR_ATTRIBUTE_VALUE_INVALID;
     }
 
     if ((ckmkInternalObject *)NULL == io) {
         return (NSSCKMDObject *)NULL;
     }
     return nss_ckmk_CreateMDObject(NULL, io, pError);
 }
--- a/lib/ckfw/object.c
+++ b/lib/ckfw/object.c
@@ -579,38 +579,35 @@ nssCKFWObject_GetAttribute(
     }
 
     if (!itemOpt) {
         rv = nss_ZNEW(arenaOpt, NSSItem);
         if (!rv) {
             *pError = CKR_HOST_MEMORY;
             goto done;
         }
-    }
-    else {
+    } else {
         rv = itemOpt;
     }
 
     if (!rv->data) {
         rv->size = mdItem.item->size;
         rv->data = nss_ZAlloc(arenaOpt, rv->size);
         if (!rv->data) {
             *pError = CKR_HOST_MEMORY;
             if (!itemOpt) {
                 nss_ZFreeIf(rv);
             }
             rv = (NSSItem *)NULL;
             goto done;
         }
-    }
-    else {
+    } else {
         if (rv->size >= mdItem.item->size) {
             rv->size = mdItem.item->size;
-        }
-        else {
+        } else {
             *pError = CKR_BUFFER_TOO_SMALL;
             /* Should we set rv->size to mdItem->size? */
             /* rv can't have been allocated */
             rv = (NSSItem *)NULL;
             goto done;
         }
     }
 
@@ -709,35 +706,33 @@ nssCKFWObject_SetAttribute(
          */
 
         if (CK_FALSE == *(CK_BBOOL *)value->data) {
             /*
              * New one is a session object, except since we "stole" the fwObject, it's
              * not in the list.  Add it.
              */
             nssCKFWSession_RegisterSessionObject(fwSession, fwObject);
-        }
-        else {
+        } else {
             /*
              * New one is a token object, except since we "stole" the fwObject, it's
              * in the list.  Remove it.
              */
             if (fwObject->fwSession) {
                 nssCKFWSession_DeregisterSessionObject(fwObject->fwSession, fwObject);
             }
         }
 
         /*
          * Now delete the old object.  Remember the names have changed.
          */
         nssCKFWObject_Destroy(newFwObject);
 
         return CKR_OK;
-    }
-    else {
+    } else {
         /*
          * An "ordinary" change.
          */
         if (!fwObject->mdObject->SetAttribute) {
             /* We could fake it with copying, like above.. later */
             return CKR_ATTRIBUTE_READ_ONLY;
         }
 
--- a/lib/ckfw/session.c
+++ b/lib/ckfw/session.c
@@ -691,18 +691,17 @@ nssCKFWSession_Login(
                 break;
             case CKS_RW_USER_FUNCTIONS:
                 return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
             case CKS_RW_SO_FUNCTIONS:
                 return CKR_USER_ALREADY_LOGGED_IN;
             default:
                 return CKR_GENERAL_ERROR;
         }
-    }
-    else /* CKU_USER == userType */ {
+    } else /* CKU_USER == userType */ {
         switch (oldState) {
             case CKS_RO_PUBLIC_SESSION:
                 newState =
                     CKS_RO_USER_FUNCTIONS;
                 break;
             case CKS_RO_USER_FUNCTIONS:
                 return CKR_USER_ALREADY_LOGGED_IN;
             case CKS_RW_PUBLIC_SESSION:
@@ -727,18 +726,17 @@ nssCKFWSession_Login(
      */
 
     if (!fwSession->mdSession->Login) {
         /*
          * The Module doesn't want to be informed (or check the pin)
          * it'll just rely on the Framework as needed.
          */
         ;
-    }
-    else {
+    } else {
         error = fwSession->mdSession->Login(fwSession->mdSession, fwSession,
                                             fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
                                             fwSession->fwInstance, userType, pin, oldState, newState);
         if (CKR_OK != error) {
             return error;
         }
     }
 
@@ -797,18 +795,17 @@ nssCKFWSession_Logout(
      * Old == CKS_RO_USER_FUNCTIONS, New == CKS_RO_PUBLIC_SESSION;
      */
 
     if (!fwSession->mdSession->Logout) {
         /*
          * The Module doesn't want to be informed.  Okay.
          */
         ;
-    }
-    else {
+    } else {
         error = fwSession->mdSession->Logout(fwSession->mdSession, fwSession,
                                              fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
                                              fwSession->fwInstance, oldState, newState);
         if (CKR_OK != error) {
             /*
              * Now what?!  A failure really should end up with the Framework
              * considering it logged out, right?
              */
@@ -1118,25 +1115,23 @@ nssCKFWSession_SetOperationState(
         return CKR_GENERAL_ERROR;
     }
 
     s.size = state->size - 2 * sizeof(CK_ULONG);
     s.data = (void *)&ulBuffer[2];
 
     if (encryptionKey) {
         mdek = nssCKFWObject_GetMDObject(encryptionKey);
-    }
-    else {
+    } else {
         mdek = (NSSCKMDObject *)NULL;
     }
 
     if (authenticationKey) {
         mdak = nssCKFWObject_GetMDObject(authenticationKey);
-    }
-    else {
+    } else {
         mdak = (NSSCKMDObject *)NULL;
     }
 
     error = fwSession->mdSession->SetOperationState(fwSession->mdSession,
                                                     fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
                                                     fwSession->fwInstance, &s, mdek, encryptionKey, mdak, authenticationKey);
 
     if (CKR_OK != error) {
@@ -1159,18 +1154,17 @@ nss_attributes_form_token_object(
     CK_BBOOL rv;
 
     for (i = 0; i < ulAttributeCount; i++) {
         if (CKA_TOKEN == pTemplate[i].type) {
             /* If we sanity-check, we can remove this sizeof check */
             if (sizeof(CK_BBOOL) == pTemplate[i].ulValueLen) {
                 (void)nsslibc_memcpy(&rv, pTemplate[i].pValue, sizeof(CK_BBOOL));
                 return rv;
-            }
-            else {
+            } else {
                 return CK_FALSE;
             }
         }
     }
 
     return CK_FALSE;
 }
 
@@ -1228,18 +1222,17 @@ nssCKFWSession_CreateObject(
         if (!arena) {
             if (CKR_OK == *pError) {
                 *pError = CKR_GENERAL_ERROR;
             }
             return (NSSCKFWObject *)NULL;
         }
 
         goto callmdcreateobject;
-    }
-    else {
+    } else {
         /* === SESSION OBJECT === */
 
         arena = nssCKFWSession_GetArena(fwSession, pError);
         if (!arena) {
             if (CKR_OK == *pError) {
                 *pError = CKR_GENERAL_ERROR;
             }
             return (NSSCKFWObject *)NULL;
@@ -1250,18 +1243,17 @@ nssCKFWSession_CreateObject(
             /* --- module handles the session object -- */
 
             if (!fwSession->mdSession->CreateObject) {
                 *pError = CKR_GENERAL_ERROR;
                 return (NSSCKFWObject *)NULL;
             }
 
             goto callmdcreateobject;
-        }
-        else {
+        } else {
             /* --- framework handles the session object -- */
             mdObject = nssCKMDSessionObject_Create(fwSession->fwToken,
                                                    arena, pTemplate, ulAttributeCount, pError);
             goto gotmdobject;
         }
     }
 
 callmdcreateobject:
@@ -1274,20 +1266,18 @@ gotmdobject:
     if (!mdObject) {
         if (CKR_OK == *pError) {
             *pError = CKR_GENERAL_ERROR;
         }
         return (NSSCKFWObject *)NULL;
     }
 
     fwObject = nssCKFWObject_Create(arena, mdObject,
-                                    isTokenObject ?
-                                                  NULL
-                                                  :
-                                                  fwSession,
+                                    isTokenObject ? NULL
+                                                  : fwSession,
                                     fwSession->fwToken, fwSession->fwInstance, pError);
     if (!fwObject) {
         if (CKR_OK == *pError) {
             *pError = CKR_GENERAL_ERROR;
         }
 
         if (mdObject->Destroy) {
             (void)mdObject->Destroy(mdObject, (NSSCKFWObject *)NULL,
@@ -1382,18 +1372,17 @@ nssCKFWSession_CopyObject(
         NSSArena *arena;
         NSSCKMDObject *mdOldObject;
         NSSCKMDObject *mdObject;
 
         mdOldObject = nssCKFWObject_GetMDObject(fwObject);
 
         if (CK_TRUE == newIsToken) {
             arena = nssCKFWToken_GetArena(fwSession->fwToken, pError);
-        }
-        else {
+        } else {
             arena = nssCKFWSession_GetArena(fwSession, pError);
         }
         if (!arena) {
             if (CKR_OK == *pError) {
                 *pError = CKR_GENERAL_ERROR;
             }
             return (NSSCKFWObject *)NULL;
         }
@@ -1405,35 +1394,32 @@ nssCKFWSession_CopyObject(
         if (!mdObject) {
             if (CKR_OK == *pError) {
                 *pError = CKR_GENERAL_ERROR;
             }
             return (NSSCKFWObject *)NULL;
         }
 
         rv = nssCKFWObject_Create(arena, mdObject,
-                                  newIsToken ?
-                                             NULL
-                                             :
-                                             fwSession,
+                                  newIsToken ? NULL
+                                             : fwSession,
                                   fwSession->fwToken, fwSession->fwInstance, pError);
 
         if (CK_FALSE == newIsToken) {
             if (CK_FALSE == nssCKFWHash_Exists(fwSession->sessionObjectHash, rv)) {
                 *pError = nssCKFWHash_Add(fwSession->sessionObjectHash, rv, rv);
                 if (CKR_OK != *pError) {
                     nssCKFWObject_Finalize(rv, PR_TRUE);
                     return (NSSCKFWObject *)NULL;
                 }
             }
         }
 
         return rv;
-    }
-    else {
+    } else {
         /* use create object */
         NSSArena *tmpArena;
         CK_ATTRIBUTE_PTR newTemplate;
         CK_ULONG i, j, n, newLength, k;
         CK_ATTRIBUTE_TYPE_PTR oldTypes;
         NSSCKFWObject *rv;
 
         n = nssCKFWObject_GetAttributeCount(fwObject, pError);
@@ -1488,18 +1474,17 @@ nssCKFWSession_CopyObject(
         k = 0;
         for (j = 0; j < n; j++) {
             for (i = 0; i < ulAttributeCount; i++) {
                 if (oldTypes[j] == pTemplate[i].type) {
                     if ((CK_VOID_PTR)NULL ==
                         pTemplate[i].pValue) {
                         /* This attribute is being deleted */
                         ;
-                    }
-                    else {
+                    } else {
                         /* This attribute is being replaced */
                         newTemplate[k].type =
                             pTemplate[i].type;
                         newTemplate[k].pValue =
                             pTemplate[i].pValue;
                         newTemplate[k].ulValueLen =
                             pTemplate[i].ulValueLen;
                         k++;
@@ -1606,18 +1591,17 @@ nssCKFWSession_FindObjectsInit(
                         goto wrap;
                     }
 
                     mdfo1 =
                         fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
                                                               fwSession, fwSession->mdToken, fwSession->fwToken,
                                                               fwSession->mdInstance, fwSession->fwInstance,
                                                               pTemplate, ulAttributeCount, pError);
-                }
-                else {
+                } else {
                     /* Do the search ourselves */
                     mdfo1 =
                         nssCKMDFindSessionObjects_Create(fwSession->fwToken,
                                                          pTemplate, ulAttributeCount, pError);
                 }
 
                 if (!mdfo1) {
                     if (CKR_OK ==
@@ -1660,18 +1644,17 @@ nssCKFWSession_FindObjectsInit(
                                  fwSession->mdInstance, fwSession->fwInstance);
                 }
                 return (NSSCKFWFindObjects *)NULL;
             }
 
             goto wrap;
         }
         /*NOTREACHED*/
-    }
-    else {
+    } else {
         /* Module handles all its own objects.  Pass on to module's search */
         mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
                                                       fwSession, fwSession->mdToken, fwSession->fwToken,
                                                       fwSession->mdInstance, fwSession->fwInstance,
                                                       pTemplate, ulAttributeCount, pError);
 
         if (!mdfo1) {
             if (CKR_OK == *pError) {
@@ -1761,18 +1744,17 @@ nssCKFWSession_GetRandom(
     if (!fwSession->mdSession) {
         return CKR_GENERAL_ERROR;
     }
 #endif /* NSSDEBUG */
 
     if (!fwSession->mdSession->GetRandom) {
         if (CK_TRUE == nssCKFWToken_GetHasRNG(fwSession->fwToken)) {
             return CKR_GENERAL_ERROR;
-        }
-        else {
+        } else {
             return CKR_RANDOM_NO_RNG;
         }
     }
 
     if (0 == buffer->size) {
         return CKR_OK;
     }
 
@@ -1875,18 +1857,17 @@ nssCKFWSession_Final(
     }
 
     /* handle buffer issues, note for Verify, the type is an input buffer. */
     if (NSSCKFWCryptoOperationType_Verify == type) {
         if ((CK_BYTE_PTR)NULL == outBuf) {
             error = CKR_ARGUMENTS_BAD;
             goto done;
         }
-    }
-    else {
+    } else {
         CK_ULONG len = nssCKFWCryptoOperation_GetFinalLength(fwOperation, &error);
         CK_ULONG maxBufLen = *outBufLen;
 
         if (CKR_OK != error) {
             goto done;
         }
         *outBufLen = len;
         if ((CK_BYTE_PTR)NULL == outBuf) {
@@ -2122,26 +2103,23 @@ nssCKFWSession_UpdateFinal(
                                 (NSSCKFWCryptoOperationType_Decrypt == type));
 
     /* handle buffer issues, note for Verify, the type is an input buffer. */
     if (NSSCKFWCryptoOperationType_Verify == type) {
         if ((CK_BYTE_PTR)NULL == outBuf) {
             error = CKR_ARGUMENTS_BAD;
             goto done;
         }
-    }
-    else {
+    } else {
         CK_ULONG maxBufLen = *outBufLen;
         CK_ULONG len;
 
-        len = (isEncryptDecrypt) ?
-                                 nssCKFWCryptoOperation_GetOperationLength(fwOperation,
-                                                                           &inputBuffer, &error)
-                                 :
-                                 nssCKFWCryptoOperation_GetFinalLength(fwOperation, &error);
+        len = (isEncryptDecrypt) ? nssCKFWCryptoOperation_GetOperationLength(fwOperation,
+                                                                             &inputBuffer, &error)
+                                 : nssCKFWCryptoOperation_GetFinalLength(fwOperation, &error);
 
         if (CKR_OK != error) {
             goto done;
         }
 
         *outBufLen = len;
         if ((CK_BYTE_PTR)NULL == outBuf) {
             return CKR_OK;
@@ -2154,20 +2132,18 @@ nssCKFWSession_UpdateFinal(
     outputBuffer.data = outBuf;
     outputBuffer.size = *outBufLen;
 
     error = nssCKFWCryptoOperation_UpdateFinal(fwOperation,
                                                &inputBuffer, &outputBuffer);
 
     /* UpdateFinal isn't support, manually use Update and Final */
     if (CKR_FUNCTION_FAILED == error) {
-        error = isEncryptDecrypt ?
-                                 nssCKFWCryptoOperation_Update(fwOperation, &inputBuffer, &outputBuffer)
-                                 :
-                                 nssCKFWCryptoOperation_DigestUpdate(fwOperation, &inputBuffer);
+        error = isEncryptDecrypt ? nssCKFWCryptoOperation_Update(fwOperation, &inputBuffer, &outputBuffer)
+                                 : nssCKFWCryptoOperation_DigestUpdate(fwOperation, &inputBuffer);
 
         if (CKR_OK == error) {
             error = nssCKFWCryptoOperation_Final(fwOperation, &outputBuffer);
         }
     }
 
 done:
     if (CKR_BUFFER_TOO_SMALL == error) {
--- a/lib/ckfw/sessobj.c
+++ b/lib/ckfw/sessobj.c
@@ -789,18 +789,17 @@ items_match(
     CK_ULONG ulValueLen)
 {
     if (a->size != ulValueLen) {
         return CK_FALSE;
     }
 
     if (PR_TRUE == nsslibc_memequal(a->data, pValue, ulValueLen, (PRStatus *)NULL)) {
         return CK_TRUE;
-    }
-    else {
+    } else {
         return CK_FALSE;
     }
 }
 
 /*
  * Our hashtable iterator
  */
 static void
@@ -821,18 +820,17 @@ findfcn(
 
     for (i = 0; i < mdfso->ulCount; i++) {
         CK_ATTRIBUTE_PTR p = &mdfso->pTemplate[i];
 
         for (j = 0; j < mdso->n; j++) {
             if (mdso->types[j] == p->type) {
                 if (!items_match(&mdso->attributes[j], p->pValue, p->ulValueLen)) {
                     return;
-                }
-                else {
+                } else {
                     break;
                 }
             }
         }
 
         if (j == mdso->n) {
             /* Attribute not found */
             return;
--- a/lib/ckfw/slot.c
+++ b/lib/ckfw/slot.c
@@ -331,18 +331,17 @@ nssCKFWSlot_GetSlotDescription(
     if (!fwSlot->slotDescription) {
         if (fwSlot->mdSlot->GetSlotDescription) {
             fwSlot->slotDescription = fwSlot->mdSlot->GetSlotDescription(
                 fwSlot->mdSlot, fwSlot, fwSlot->mdInstance,
                 fwSlot->fwInstance, &error);
             if ((!fwSlot->slotDescription) && (CKR_OK != error)) {
                 goto done;
             }
-        }
-        else {
+        } else {
             fwSlot->slotDescription = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwSlot->slotDescription, (char *)slotDescription, 64, ' ');
     error = CKR_OK;
 
 done:
@@ -380,18 +379,17 @@ nssCKFWSlot_GetManufacturerID(
     if (!fwSlot->manufacturerID) {
         if (fwSlot->mdSlot->GetManufacturerID) {
             fwSlot->manufacturerID = fwSlot->mdSlot->GetManufacturerID(
                 fwSlot->mdSlot, fwSlot, fwSlot->mdInstance,
                 fwSlot->fwInstance, &error);
             if ((!fwSlot->manufacturerID) && (CKR_OK != error)) {
                 goto done;
             }
-        }
-        else {
+        } else {
             fwSlot->manufacturerID = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwSlot->manufacturerID, (char *)manufacturerID, 32, ' ');
     error = CKR_OK;
 
 done:
@@ -491,18 +489,17 @@ nssCKFWSlot_GetHardwareVersion(
         (0 != fwSlot->hardwareVersion.minor)) {
         rv = fwSlot->hardwareVersion;
         goto done;
     }
 
     if (fwSlot->mdSlot->GetHardwareVersion) {
         fwSlot->hardwareVersion = fwSlot->mdSlot->GetHardwareVersion(
             fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance);
-    }
-    else {
+    } else {
         fwSlot->hardwareVersion.major = 0;
         fwSlot->hardwareVersion.minor = 1;
     }
 
     rv = fwSlot->hardwareVersion;
 done:
     (void)nssCKFWMutex_Unlock(fwSlot->mutex);
     return rv;
@@ -534,18 +531,17 @@ nssCKFWSlot_GetFirmwareVersion(
         (0 != fwSlot->firmwareVersion.minor)) {
         rv = fwSlot->firmwareVersion;
         goto done;
     }
 
     if (fwSlot->mdSlot->GetFirmwareVersion) {
         fwSlot->firmwareVersion = fwSlot->mdSlot->GetFirmwareVersion(
             fwSlot->mdSlot, fwSlot, fwSlot->mdInstance, fwSlot->fwInstance);
-    }
-    else {
+    } else {
         fwSlot->firmwareVersion.major = 0;
         fwSlot->firmwareVersion.minor = 1;
     }
 
     rv = fwSlot->firmwareVersion;
 done:
     (void)nssCKFWMutex_Unlock(fwSlot->mutex);
     return rv;
@@ -592,18 +588,17 @@ nssCKFWSlot_GetToken(
             if (CKR_OK == *pError) {
                 *pError = CKR_GENERAL_ERROR;
             }
             return (NSSCKFWToken *)NULL;
         }
 
         fwToken = nssCKFWToken_Create(fwSlot, mdToken, pError);
         fwSlot->fwToken = fwToken;
-    }
-    else {
+    } else {
         fwToken = fwSlot->fwToken;
     }
 
 done:
     (void)nssCKFWMutex_Unlock(fwSlot->mutex);
     return fwToken;
 }
 
--- a/lib/ckfw/token.c
+++ b/lib/ckfw/token.c
@@ -493,18 +493,17 @@ nssCKFWToken_InitToken(
     if (!fwToken->mdToken->InitToken) {
         error = CKR_DEVICE_ERROR;
         goto done;
     }
 
     if (!pin) {
         if (nssCKFWToken_GetHasProtectedAuthenticationPath(fwToken)) {
             ; /* okay */
-        }
-        else {
+        } else {
             error = CKR_PIN_INCORRECT;
             goto done;
         }
     }
 
     if (!label) {
         label = (NSSUTF8 *)"";
     }
@@ -546,18 +545,17 @@ nssCKFWToken_GetLabel(
 
     if (!fwToken->label) {
         if (fwToken->mdToken->GetLabel) {
             fwToken->label = fwToken->mdToken->GetLabel(fwToken->mdToken, fwToken,
                                                         fwToken->mdInstance, fwToken->fwInstance, &error);
             if ((!fwToken->label) && (CKR_OK != error)) {
                 goto done;
             }
-        }
-        else {
+        } else {
             fwToken->label = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwToken->label, (char *)label, 32, ' ');
     error = CKR_OK;
 
 done:
@@ -594,18 +592,17 @@ nssCKFWToken_GetManufacturerID(
 
     if (!fwToken->manufacturerID) {
         if (fwToken->mdToken->GetManufacturerID) {
             fwToken->manufacturerID = fwToken->mdToken->GetManufacturerID(fwToken->mdToken,
                                                                           fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
             if ((!fwToken->manufacturerID) && (CKR_OK != error)) {
                 goto done;
             }
-        }
-        else {
+        } else {
             fwToken->manufacturerID = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwToken->manufacturerID, (char *)manufacturerID, 32, ' ');
     error = CKR_OK;
 
 done:
@@ -642,18 +639,17 @@ nssCKFWToken_GetModel(
 
     if (!fwToken->model) {
         if (fwToken->mdToken->GetModel) {
             fwToken->model = fwToken->mdToken->GetModel(fwToken->mdToken, fwToken,
                                                         fwToken->mdInstance, fwToken->fwInstance, &error);
             if ((!fwToken->model) && (CKR_OK != error)) {
                 goto done;
             }
-        }
-        else {
+        } else {
             fwToken->model = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwToken->model, (char *)model, 16, ' ');
     error = CKR_OK;
 
 done:
@@ -690,18 +686,17 @@ nssCKFWToken_GetSerialNumber(
 
     if (!fwToken->serialNumber) {
         if (fwToken->mdToken->GetSerialNumber) {
             fwToken->serialNumber = fwToken->mdToken->GetSerialNumber(fwToken->mdToken,
                                                                       fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
             if ((!fwToken->serialNumber) && (CKR_OK != error)) {
                 goto done;
             }
-        }
-        else {
+        } else {
             fwToken->serialNumber = (NSSUTF8 *)"";
         }
     }
 
     (void)nssUTF8_CopyIntoFixedBuffer(fwToken->serialNumber, (char *)serialNumber, 16, ' ');
     error = CKR_OK;
 
 done:
@@ -1087,18 +1082,17 @@ nssCKFWToken_GetHardwareVersion(
         (0 != fwToken->hardwareVersion.minor)) {
         rv = fwToken->hardwareVersion;
         goto done;
     }
 
     if (fwToken->mdToken->GetHardwareVersion) {
         fwToken->hardwareVersion = fwToken->mdToken->GetHardwareVersion(
             fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
-    }
-    else {
+    } else {
         fwToken->hardwareVersion.major = 0;
         fwToken->hardwareVersion.minor = 1;
     }
 
     rv = fwToken->hardwareVersion;
 
 done:
     (void)nssCKFWMutex_Unlock(fwToken->mutex);
@@ -1131,18 +1125,17 @@ nssCKFWToken_GetFirmwareVersion(
         (0 != fwToken->firmwareVersion.minor)) {
         rv = fwToken->firmwareVersion;
         goto done;
     }
 
     if (fwToken->mdToken->GetFirmwareVersion) {
         fwToken->firmwareVersion = fwToken->mdToken->GetFirmwareVersion(
             fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
-    }
-    else {
+    } else {
         fwToken->firmwareVersion.major = 0;
         fwToken->firmwareVersion.minor = 1;
     }
 
     rv = fwToken->firmwareVersion;
 
 done:
     (void)nssCKFWMutex_Unlock(fwToken->mutex);
@@ -1213,18 +1206,17 @@ nssCKFWToken_GetUTCTime(
             goto badtime; /* Y3K problem.  heh heh heh */
         if ((M < 1) || (M > 12))
             goto badtime;
         if ((D < 1) || (D > 31))
             goto badtime;
 
         if (D > dims[M - 1])
             goto badtime; /* per-month check */
-        if ((2 == M) && (((Y % 4) || !(Y %
-                                       100)) &&
+        if ((2 == M) && (((Y % 4) || !(Y % 100)) &&
                          (Y % 400)) &&
             (D > 28))
             goto badtime; /* leap years */
 
         if ((h < 0) || (h > 23))
             goto badtime;
         if ((m < 0) || (m > 60))
             goto badtime;
@@ -1287,18 +1279,17 @@ nssCKFWToken_OpenSession(
     }
 
     if (CK_TRUE == rw) {
         /* Read-write session desired */
         if (CK_TRUE == nssCKFWToken_GetIsWriteProtected(fwToken)) {
             *pError = CKR_TOKEN_WRITE_PROTECTED;
             goto done;
         }
-    }
-    else {
+    } else {
         /* Read-only session desired */
         if (CKS_RW_SO_FUNCTIONS == nssCKFWToken_GetSessionState(fwToken)) {
             *pError = CKR_SESSION_READ_WRITE_SO_EXISTS;
             goto done;
         }
     }
 
     /* We could compare sesion counts to any limits we know of, I guess.. */
--- a/lib/ckfw/wrap.c
+++ b/lib/ckfw/wrap.c
@@ -360,18 +360,17 @@ NSSCKFWC_GetSlotList(
      * A purify error here indicates caller error.
      */
     (void)nsslibc_memset(pSlotList, 0, *pulCount * sizeof(CK_SLOT_ID));
 
     if (*pulCount < nSlots) {
         *pulCount = nSlots;
         error = CKR_BUFFER_TOO_SMALL;
         goto loser;
-    }
-    else {
+    } else {
         CK_ULONG i;
         *pulCount = nSlots;
 
         /*
          * Our secret "mapping": CK_SLOT_IDs are integers [1,N], and we
          * just index one when we need it.
          */
 
@@ -798,18 +797,17 @@ NSSCKFWC_GetMechanismList(
      * A purify error here indicates caller error.
      */
     (void)nsslibc_memset(pMechanismList, 0, *pulCount * sizeof(CK_MECHANISM_TYPE));
 
     *pulCount = count;
 
     if (0 != count) {
         error = nssCKFWToken_GetMechanismTypes(fwToken, pMechanismList);
-    }
-    else {
+    } else {
         error = CKR_OK;
     }
 
     if (CKR_OK == error) {
         return CKR_OK;
     }
 
 loser:
@@ -1093,18 +1091,17 @@ NSSCKFWC_InitPIN(
     fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
     if (!fwSession) {
         error = CKR_SESSION_HANDLE_INVALID;
         goto loser;
     }
 
     if ((CK_CHAR_PTR)CK_NULL_PTR == pPin) {
         arg = (NSSItem *)NULL;
-    }
-    else {
+    } else {
         arg = &pin;
         pin.size = (PRUint32)ulPinLen;
         pin.data = (void *)pPin;
     }
 
     error = nssCKFWSession_InitPIN(fwSession, arg);
     if (CKR_OK != error) {
         goto loser;
@@ -1168,27 +1165,25 @@ NSSCKFWC_SetPIN(
     fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
     if (!fwSession) {
         error = CKR_SESSION_HANDLE_INVALID;
         goto loser;
     }
 
     if ((CK_CHAR_PTR)CK_NULL_PTR == pOldPin) {
         oldArg = (NSSItem *)NULL;
-    }
-    else {
+    } else {
         oldArg = &oldPin;
         oldPin.size = (PRUint32)ulOldLen;
         oldPin.data = (void *)pOldPin;
     }
 
     if ((CK_CHAR_PTR)CK_NULL_PTR == pNewPin) {
         newArg = (NSSItem *)NULL;
-    }
-    else {
+    } else {
         newArg = &newPin;
         newPin.size = (PRUint32)ulNewLen;
         newPin.data = (void *)pNewPin;
     }
 
     error = nssCKFWSession_SetPIN(fwSession, oldArg, newArg);
     if (CKR_OK != error) {
         goto loser;
@@ -1261,25 +1256,23 @@ NSSCKFWC_OpenSession(
 
     if ((slotID < 1) || (slotID > nSlots)) {
         error = CKR_SLOT_ID_INVALID;
         goto loser;
     }
 
     if (flags & CKF_RW_SESSION) {
         rw = CK_TRUE;
-    }
-    else {
+    } else {
         rw = CK_FALSE;
     }
 
     if (flags & CKF_SERIAL_SESSION) {
         ;
-    }
-    else {
+    } else {
         error = CKR_SESSION_PARALLEL_NOT_SUPPORTED;
         goto loser;
     }
 
     if (flags & ~(CKF_RW_SESSION | CKF_SERIAL_SESSION)) {
         error = CKR_ARGUMENTS_BAD;
         goto loser;
     }
@@ -1694,29 +1687,27 @@ NSSCKFWC_SetOperationState(
     fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
     if (!fwSession) {
         error = CKR_SESSION_HANDLE_INVALID;
         goto loser;
     }
 
     if ((CK_OBJECT_HANDLE)0 == hEncryptionKey) {
         eKey = (NSSCKFWObject *)NULL;
-    }
-    else {
+    } else {
         eKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hEncryptionKey);
         if (!eKey) {
             error = CKR_KEY_HANDLE_INVALID;
             goto loser;
         }
     }
 
     if ((CK_OBJECT_HANDLE)0 == hAuthenticationKey) {
         aKey = (NSSCKFWObject *)NULL;
-    }
-    else {
+    } else {
         aKey = nssCKFWInstance_ResolveObjectHandle(fwInstance, hAuthenticationKey);
         if (!aKey) {
             error = CKR_KEY_HANDLE_INVALID;
             goto loser;
         }
     }
 
     state.data = pOperationState;
@@ -1782,18 +1773,17 @@ NSSCKFWC_Login(
     fwSession = nssCKFWInstance_ResolveSessionHandle(fwInstance, hSession);
     if (!fwSession) {
         error = CKR_SESSION_HANDLE_INVALID;
         goto loser;
     }
 
     if ((CK_CHAR_PTR)CK_NULL_PTR == pPin) {
         arg = (NSSItem *)NULL;
-    }
-    else {
+    } else {
         arg = &pin;
         pin.size = (PRUint32)ulPinLen;
         pin.data = (void *)pPin;
     }
 
     error = nssCKFWSession_Login(fwSession, userType, arg);
     if (CKR_OK != error) {
         goto loser;
@@ -2272,18 +2262,17 @@ NSSCKFWC_GetAttributeValue(
                     break;
                 default:
                     goto loser;
             }
         }
 
         if ((CK_VOID_PTR)CK_NULL_PTR == pTemplate[i].pValue) {
             pTemplate[i].ulValueLen = size;
-        }
-        else {
+        } else {
             NSSItem it, *p;
 
             if (pTemplate[i].ulValueLen < size) {
                 tooSmall = CK_TRUE;
                 continue;
             }
 
             it.size = (PRUint32)pTemplate[i].ulValueLen;
@@ -2312,22 +2301,20 @@ NSSCKFWC_GetAttributeValue(
 
             pTemplate[i].ulValueLen = size;
         }
     }
 
     if (sensitive) {
         error = CKR_ATTRIBUTE_SENSITIVE;
         goto loser;
-    }
-    else if (invalid) {
+    } else if (invalid) {
         error = CKR_ATTRIBUTE_TYPE_INVALID;
         goto loser;
-    }
-    else if (tooSmall) {
+    } else if (tooSmall) {
         error = CKR_BUFFER_TOO_SMALL;
         goto loser;
     }
 
     return CKR_OK;
 
 loser:
     switch (error) {
--- a/lib/crmf/challcli.c
+++ b/lib/crmf/challcli.c
@@ -177,18 +177,17 @@ loser:
 SECStatus
 CMMF_POPODecKeyChallContentGetRandomNumber(CMMFPOPODecKeyChallContent *inKeyChallCont,
                                            int inIndex,
                                            long *inDest)
 {
     CMMFChallenge *challenge;
 
     PORT_Assert(inKeyChallCont != NULL);
-    if (inKeyChallCont == NULL || inIndex > 0 || inIndex >=
-                                                     inKeyChallCont->numChallenges) {
+    if (inKeyChallCont == NULL || inIndex > 0 || inIndex >= inKeyChallCont->numChallenges) {
         return SECFailure;
     }
     challenge = inKeyChallCont->challenges[inIndex];
     if (challenge->randomNumber.data == NULL) {
         /* There is no random number here, nothing to see. */
         return SECFailure;
     }
     *inDest = DER_GetInteger(&challenge->randomNumber);
--- a/lib/crmf/cmmfchal.c
+++ b/lib/crmf/cmmfchal.c
@@ -209,18 +209,17 @@ CMMF_POPODecKeyChallContentSetNextChalle
     if (inDecKeyChall->numChallenges >= inDecKeyChall->numAllocated) {
         rv = SECFailure;
         goto loser;
     }
 
     if (inDecKeyChall->numChallenges == 0) {
         rv = cmmf_create_first_challenge(inDecKeyChall, inRandom,
                                          genNameDER, inPubKey, passwdArg);
-    }
-    else {
+    } else {
         curChallenge = PORT_ArenaZNew(poolp, CMMFChallenge);
         if (curChallenge == NULL) {
             rv = SECFailure;
             goto loser;
         }
         rv = cmmf_create_witness_and_challenge(poolp, curChallenge, inRandom,
                                                genNameDER, inPubKey,
                                                passwdArg);
--- a/lib/crmf/cmmfrec.c
+++ b/lib/crmf/cmmfrec.c
@@ -102,18 +102,17 @@ CMMF_KeyRecRepContentSetCACerts(CMMFKeyR
     if (inKeyRecRep == NULL || inCACerts == NULL) {
         return SECFailure;
     }
     mark = PORT_ArenaMark(inKeyRecRep->poolp);
     rv = cmmf_ExtractCertsFromList(inCACerts, inKeyRecRep->poolp,
                                    &inKeyRecRep->caCerts);
     if (rv != SECSuccess) {
         PORT_ArenaRelease(inKeyRecRep->poolp, mark);
-    }
-    else {
+    } else {
         PORT_ArenaUnmark(inKeyRecRep->poolp, mark);
     }
     return rv;
 }
 
 SECStatus
 CMMF_KeyRecRepContentSetCertifiedKeyPair(CMMFKeyRecRepContent *inKeyRecRep,
                                          CERTCertificate *inCert,
--- a/lib/crmf/cmmfresp.c
+++ b/lib/crmf/cmmfresp.c
@@ -47,33 +47,31 @@ cmmf_CertOrEncCertSetCertificate(CMMFCer
     SECStatus rv = SECFailure;
 
     if (inCert->derCert.data == NULL) {
         derDest = SEC_ASN1EncodeItem(NULL, NULL, inCert,
                                      CMMFCertOrEncCertCertificateTemplate);
         if (derDest == NULL) {
             goto loser;
         }
-    }
-    else {
+    } else {
         derDest = SECITEM_DupItem(&inCert->derCert);
         if (derDest == NULL) {
             goto loser;
         }
     }
     PORT_Assert(certOrEncCert->cert.certificate == NULL);
     certOrEncCert->cert.certificate = CERT_DupCertificate(inCert);
     certOrEncCert->choice = cmmfCertificate;
     if (poolp != NULL) {
         rv = SECITEM_CopyItem(poolp, &certOrEncCert->derValue, derDest);
         if (rv != SECSuccess) {
             goto loser;
         }
-    }
-    else {
+    } else {
         certOrEncCert->derValue = *derDest;
     }
     PORT_Free(derDest);
     return SECSuccess;
 loser:
     if (derDest != NULL) {
         SECITEM_FreeItem(derDest, PR_TRUE);
     }
@@ -213,18 +211,17 @@ CMMF_CertResponseSetCertificate(CMMFCert
 
     PORT_Assert(inCertResp != NULL && inCertificate != NULL);
     if (inCertResp == NULL || inCertificate == NULL) {
         return SECFailure;
     }
     if (inCertResp->certifiedKeyPair == NULL) {
         keyPair = inCertResp->certifiedKeyPair =
             PORT_ZNew(CMMFCertifiedKeyPair);
-    }
-    else {
+    } else {
         keyPair = inCertResp->certifiedKeyPair;
     }
     if (keyPair == NULL) {
         goto loser;
     }
     rv = cmmf_CertOrEncCertSetCertificate(&keyPair->certOrEncCert, NULL,
                                           inCertificate);
     if (rv != SECSuccess) {
@@ -261,18 +258,17 @@ CMMF_CertRepContentSetCAPubs(CMMFCertRep
     poolp = inCertRepContent->poolp;
     mark = PORT_ArenaMark(poolp);
 
     rv = cmmf_ExtractCertsFromList(inCAPubs, poolp,
                                    &inCertRepContent->caPubs);
 
     if (rv != SECSuccess) {
         PORT_ArenaRelease(poolp, mark);
-    }
-    else {
+    } else {
         PORT_ArenaUnmark(poolp, mark);
     }
     return rv;
 }
 
 CERTCertificate *
 CMMF_CertifiedKeyPairGetCertificate(CMMFCertifiedKeyPair *inCertKeyPair,
                                     CERTCertDBHandle *inCertdb)
--- a/lib/crmf/crmfcont.c
+++ b/lib/crmf/crmfcont.c
@@ -14,18 +14,17 @@ crmf_modify_control_array(CRMFCertReques
 {
     if (count > 0) {
         void *dummy = PORT_Realloc(inCertReq->controls,
                                    sizeof(CRMFControl *) * (count + 2));
         if (dummy == NULL) {
             return SECFailure;
         }
         inCertReq->controls = dummy;
-    }
-    else {
+    } else {
         inCertReq->controls = PORT_ZNewArray(CRMFControl *, 2);
     }
     return (inCertReq->controls == NULL) ? SECFailure : SECSuccess;
 }
 
 static SECStatus
 crmf_add_new_control(CRMFCertRequest *inCertReq, SECOidTag inTag,
                      CRMFControl **destControl)
@@ -588,18 +587,17 @@ crmf_get_public_value(SECKEYPublicKey *p
         return NULL;
     }
 
     if (dest != NULL) {
         SECStatus rv = SECITEM_CopyItem(NULL, dest, src);
         if (rv != SECSuccess) {
             dest = NULL;
         }
-    }
-    else {
+    } else {
         dest = SECITEM_ArenaDupItem(NULL, src);
     }
     return dest;
 }
 
 static SECItem *
 crmf_decode_params(SECItem *inParams)
 {
@@ -668,18 +666,17 @@ crmf_encrypted_value_unwrap_priv_key(PLA
     oidTag = SECOID_GetAlgorithmTag(encValue->symmAlg);
     wrapMechType = crmf_get_pad_mech_from_tag(oidTag);
     keySize = crmf_get_key_size_from_mech(wrapMechType);
     wrappingKey = PK11_PubUnwrapSymKey(privKey, &encValue->encSymmKey,
                                        wrapMechType, CKA_UNWRAP, keySize);
     if (wrappingKey == NULL) {
         goto loser;
     } /* Make the length a byte length instead of bit length*/
-    params = (encValue->symmAlg != NULL) ?
-                                         crmf_decode_params(&encValue->symmAlg->parameters)
+    params = (encValue->symmAlg != NULL) ? crmf_decode_params(&encValue->symmAlg->parameters)
                                          : NULL;
     origLen = encValue->encValue.len;
     encValue->encValue.len = CRMF_BITS_TO_BYTES(origLen);
     publicValue = crmf_get_public_value(newPubKey, NULL);
     switch (newPubKey->keyType) {
         default:
         case rsaKey:
             keyType = CKK_RSA;
--- a/lib/crmf/crmfget.c
+++ b/lib/crmf/crmfget.c
@@ -38,20 +38,18 @@ crmf_destroy_validity(CRMFOptionalValidi
 static SECStatus
 crmf_copy_cert_request_validity(PLArenaPool *poolp,
                                 CRMFOptionalValidity **destValidity,
                                 CRMFOptionalValidity *srcValidity)
 {
     CRMFOptionalValidity *myValidity = NULL;
     SECStatus rv;
 
-    *destValidity = myValidity = (poolp == NULL) ?
-                                                 PORT_ZNew(CRMFOptionalValidity)
-                                                 :
-                                                 PORT_ArenaZNew(poolp, CRMFOptionalValidity);
+    *destValidity = myValidity = (poolp == NULL) ? PORT_ZNew(CRMFOptionalValidity)
+                                                 : PORT_ArenaZNew(poolp, CRMFOptionalValidity);
     if (myValidity == NULL) {
         goto loser;
     }
     if (srcValidity->notBefore.data != NULL) {
         rv = SECITEM_CopyItem(poolp, &myValidity->notBefore,
                               &srcValidity->notBefore);
         if (rv != SECSuccess) {
             goto loser;
--- a/lib/crmf/crmfpop.c
+++ b/lib/crmf/crmfpop.c
@@ -198,18 +198,17 @@ crmf_create_poposignkey(PLArenaPool *poo
         goto loser;
     }
     certReq = inCertReqMsg->certReq;
     useSignKeyInput = !(CRMF_DoesRequestHaveField(certReq, crmfSubject) &&
                         CRMF_DoesRequestHaveField(certReq, crmfPublicKey));
 
     if (useSignKeyInput) {
         goto loser;
-    }
-    else {
+    } else {
         rv = crmf_sign_certreq(poolp, signKey, certReq, inPrivKey, inAlgID);
         if (rv != SECSuccess) {
             goto loser;
         }
     }
     PORT_ArenaUnmark(poolp, mark);
     return SECSuccess;
 loser:
--- a/lib/crmf/crmfreq.c
+++ b/lib/crmf/crmfreq.c
@@ -346,18 +346,17 @@ crmf_template_add_extensions(PLArenaPool
     SECStatus rv;
     CRMFCertExtension **extArray;
     CRMFCertExtension *newExt, *currExt;
 
     mark = PORT_ArenaMark(poolp);
     if (inTemplate->extensions == NULL) {
         newSize = extensions->numExtensions;
         extArray = PORT_ZNewArray(CRMFCertExtension *, newSize + 1);
-    }
-    else {
+    } else {
         newSize = inTemplate->numExtensions + extensions->numExtensions;
         extArray = PORT_Realloc(inTemplate->extensions,
                                 sizeof(CRMFCertExtension *) * (newSize + 1));
     }
     if (extArray == NULL) {
         goto loser;
     }
     oldSize = inTemplate->numExtensions;
@@ -454,18 +453,17 @@ CRMF_CertRequestSetTemplateField(CRMFCer
             break;
         case crmfExtension:
             rv = crmf_template_add_extensions(poolp, certTemplate,
                                               (CRMFCertExtCreationInfo *)data);
             break;
     }
     if (rv != SECSuccess) {
         PORT_ArenaRelease(poolp, mark);
-    }
-    else {
+    } else {
         PORT_ArenaUnmark(poolp, mark);
     }
     return rv;
 }
 
 SECStatus
 CRMF_CertReqMsgSetCertRequest(CRMFCertReqMsg *inCertReqMsg,
                               CRMFCertRequest *inCertReq)
@@ -546,20 +544,18 @@ crmf_create_cert_extension(PLArenaPool *
     }
 
     rv = SECITEM_CopyItem(poolp, &(newExt->value), data);
     if (rv != SECSuccess) {
         goto loser;
     }
 
     if (isCritical) {
-        newExt->critical.data = (poolp == NULL) ?
-                                                PORT_New(unsigned char)
-                                                :
-                                                PORT_ArenaNew(poolp, unsigned char);
+        newExt->critical.data = (poolp == NULL) ? PORT_New(unsigned char)
+                                                : PORT_ArenaNew(poolp, unsigned char);
         if (newExt->critical.data == NULL) {
             goto loser;
         }
         newExt->critical.data[0] = hexTrue;
         newExt->critical.len = 1;
     }
     return newExt;
 loser:
--- a/lib/crmf/respcmn.c
+++ b/lib/crmf/respcmn.c
@@ -213,18 +213,17 @@ cmmf_DestroyCertOrEncCert(CMMFCertOrEncC
 
 SECStatus
 cmmf_copy_secitem(PLArenaPool *poolp, SECItem *dest, SECItem *src)
 {
     SECStatus rv;
 
     if (src->data != NULL) {
         rv = SECITEM_CopyItem(poolp, dest, src);
-    }
-    else {
+    } else {
         dest->data = NULL;
         dest->len = 0;
         rv = SECSuccess;
     }
     return rv;
 }
 
 SECStatus
--- a/lib/crmf/servget.c
+++ b/lib/crmf/servget.c
@@ -351,20 +351,18 @@ crmf_copy_poposigningkey(PLArenaPool *po
 
     /* We don't support use of the POPOSigningKeyInput, so we'll only
      * store away the DER encoding.
      */
     if (inPopoSignKey->derInput.data != NULL) {
         rv = SECITEM_CopyItem(poolp, &destPopoSignKey->derInput,
                               &inPopoSignKey->derInput);
     }
-    destPopoSignKey->algorithmIdentifier = (poolp == NULL) ?
-                                                           PORT_ZNew(SECAlgorithmID)
-                                                           :
-                                                           PORT_ArenaZNew(poolp, SECAlgorithmID);
+    destPopoSignKey->algorithmIdentifier = (poolp == NULL) ? PORT_ZNew(SECAlgorithmID)
+                                                           : PORT_ArenaZNew(poolp, SECAlgorithmID);
 
     if (destPopoSignKey->algorithmIdentifier == NULL) {
         goto loser;
     }
     rv = SECOID_CopyAlgorithmID(poolp, destPopoSignKey->algorithmIdentifier,
                                 inPopoSignKey->algorithmIdentifier);
     if (rv != SECSuccess) {
         goto loser;
@@ -629,18 +627,17 @@ CRMF_CertReqMsgGetPOPOSigningKey(CRMFCer
 static SECStatus
 crmf_copy_name(CERTName *destName, CERTName *srcName)
 {
     PLArenaPool *poolp = NULL;
     SECStatus rv;
 
     if (destName->arena != NULL) {
         poolp = destName->arena;
-    }
-    else {
+    } else {
         poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
     }
     if (poolp == NULL) {
         return SECFailure;
     }
     /* Need to do this so that CERT_CopyName doesn't free out
      * the arena from underneath us.
      */
--- a/lib/cryptohi/seckey.c
+++ b/lib/cryptohi/seckey.c
@@ -343,18 +343,17 @@ seckey_UpdateCertPQGChain(CERTCertificat
             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST) &&
             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) &&
             (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
             (tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
             (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
 
             return SECSuccess;
         }
-    }
-    else {
+    } else {
         return SECFailure; /* return failure if oid is NULL */
     }
 
     /* if cert has PQG parameters, return success */
 
     subjectSpki = &subjectCert->subjectPublicKeyInfo;
 
     if (subjectSpki->algorithm.parameters.len != 0) {
@@ -388,18 +387,17 @@ seckey_UpdateCertPQGChain(CERTCertificat
             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST) &&
             (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) &&
             (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
             (tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
             (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
             rv = SECFailure;
             goto loser;
         }
-    }
-    else {
+    } else {
         rv = SECFailure; /* return failure if oid is NULL */
         goto loser;
     }
 
     /* at this point the subject cert has no pqg parameters and the
      * issuer cert has a DSA public key.  Update the issuer's
      * pqg parameters with a recursive call to this same function. */
 
@@ -476,18 +474,17 @@ seckey_DSADecodePQG(PLArenaPool *arena, 
 
         if (SECSuccess == rv) {
             /* PQG params are in the standard format */
             prepare_pqg_params_for_asn1(&pubk->u.dsa.params);
             rv = SEC_QuickDERDecodeItem(arena, &pubk->u.dsa.params,
                                         SECKEY_PQGParamsTemplate,
                                         &newparams);
         }
-    }
-    else {
+    } else {
 
         if (SECSuccess == rv) {
             /* else the old fortezza-only wrapped format is used. */
             PORT_SetError(SEC_ERROR_BAD_DER);
             rv = SECFailure;
         }
     }
     return rv;
@@ -1075,26 +1072,24 @@ SECKEY_CopyPrivateKey(const SECKEYPrivat
         /* if the key we're referencing was a temparary key we have just
          * created, that we want to go away when we're through, we need
          * to make a copy of it */
         if (privk->pkcs11IsTemp) {
             copyk->pkcs11ID =
                 PK11_CopyKey(privk->pkcs11Slot, privk->pkcs11ID);
             if (copyk->pkcs11ID == CK_INVALID_HANDLE)
                 goto fail;
-        }
-        else {
+        } else {
             copyk->pkcs11ID = privk->pkcs11ID;
         }
         copyk->pkcs11IsTemp = privk->pkcs11IsTemp;
         copyk->wincx = privk->wincx;
         copyk->staticflags = privk->staticflags;
         return copyk;
-    }
-    else {
+    } else {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
     }
 
 fail:
     PORT_FreeArena(arena, PR_FALSE);
     return NULL;
 }
 
@@ -1119,18 +1114,17 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
     }
 
     copyk->arena = arena;
     copyk->keyType = pubk->keyType;
     if (pubk->pkcs11Slot &&
         PK11_IsPermObject(pubk->pkcs11Slot, pubk->pkcs11ID)) {
         copyk->pkcs11Slot = PK11_ReferenceSlot(pubk->pkcs11Slot);
         copyk->pkcs11ID = pubk->pkcs11ID;
-    }
-    else {
+    } else {
         copyk->pkcs11Slot = NULL; /* go get own reference */
         copyk->pkcs11ID = CK_INVALID_HANDLE;
     }
     switch (pubk->keyType) {
         case rsaKey:
             rv = SECITEM_CopyItem(arena, &copyk->u.rsa.modulus,
                                   &pubk->u.rsa.modulus);
             if (rv == SECSuccess) {
@@ -1353,18 +1347,17 @@ seckey_CreateSubjectPublicKeyInfo_helper
                 }
                 break;
             case dhKey: /* later... */
 
                 break;
             default:
                 break;
         }
-    }
-    else {
+    } else {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
     }
 
     PORT_FreeArena(arena, PR_FALSE);
     return NULL;
 }
 
 CERTSubjectPublicKeyInfo *
@@ -1440,18 +1433,17 @@ SECKEY_DecodeDERSubjectPublicKeyInfo(con
            into the DER input, which may get freed by the caller */
         rv = SECITEM_CopyItem(arena, &newSpkider, spkider);
         if (rv == SECSuccess) {
             rv = SEC_QuickDERDecodeItem(arena, spki,
                                         CERT_SubjectPublicKeyInfoTemplate, &newSpkider);
         }
         if (rv == SECSuccess)
             return spki;
-    }
-    else {
+    } else {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
     }
 
     PORT_FreeArena(arena, PR_FALSE);
     return NULL;
 }
 
 /*
@@ -1588,22 +1580,20 @@ SECKEY_DestroyPrivateKeyInfo(SECKEYPriva
             poolp = pvk->arena;
             /* zero structure since PORT_FreeArena does not support
              * this yet.
              */
             PORT_Memset(pvk->privateKey.data, 0, pvk->privateKey.len);
             PORT_Memset(pvk, 0, sizeof(*pvk));
             if (freeit == PR_TRUE) {
                 PORT_FreeArena(poolp, PR_TRUE);
-            }
-            else {
+            } else {
                 pvk->arena = poolp;
             }
-        }
-        else {
+        } else {
             SECITEM_ZfreeItem(&pvk->version, PR_FALSE);
             SECITEM_ZfreeItem(&pvk->privateKey, PR_FALSE);
             SECOID_DestroyAlgorithmID(&pvk->algorithm, PR_FALSE);
             PORT_Memset(pvk, 0, sizeof(*pvk));
             if (freeit == PR_TRUE) {
                 PORT_Free(pvk);
             }
         }
@@ -1621,22 +1611,20 @@ SECKEY_DestroyEncryptedPrivateKeyInfo(SE
             poolp = epki->arena;
             /* zero structure since PORT_FreeArena does not support
              * this yet.
              */
             PORT_Memset(epki->encryptedData.data, 0, epki->encryptedData.len);
             PORT_Memset(epki, 0, sizeof(*epki));
             if (freeit == PR_TRUE) {
                 PORT_FreeArena(poolp, PR_TRUE);
-            }
-            else {
+            } else {
                 epki->arena = poolp;
             }
-        }
-        else {
+        } else {
             SECITEM_ZfreeItem(&epki->encryptedData, PR_FALSE);
             SECOID_DestroyAlgorithmID(&epki->algorithm, PR_FALSE);
             PORT_Memset(epki, 0, sizeof(*epki));
             if (freeit == PR_TRUE) {
                 PORT_Free(epki);
             }
         }
     }
@@ -1907,18 +1895,17 @@ SECKEY_AddPublicKeyToListTail(SECKEYPubl
 
 loser:
     return (SECFailure);
 }
 
 #define SECKEY_CacheAttribute(key, attribute)                                                   \
     if (CK_TRUE == PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE)) { \
         key->staticflags |= SECKEY_##attribute;                                                 \
-    }                                                                                           \
-    else {                                                                                      \
+    } else {                                                                                    \
         key->staticflags &= (~SECKEY_##attribute);                                              \
     }
 
 SECStatus
 SECKEY_CacheStaticFlags(SECKEYPrivateKey *key)
 {
     SECStatus rv = SECFailure;
     if (key && key->pkcs11Slot && key->pkcs11ID) {
--- a/lib/cryptohi/secsign.c
+++ b/lib/cryptohi/secsign.c
@@ -172,18 +172,17 @@ SGN_End(SGNContext *cx, SECItem *result)
         }
 
         /* Der encode the digest as a DigestInfo */
         rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate,
                         di);
         if (rv != SECSuccess) {
             goto loser;
         }
-    }
-    else {
+    } else {
         digder.data = digest;
         digder.len = part1;
     }
 
     /*
     ** Encrypt signature after constructing appropriate PKCS#1 signature
     ** block
     */
@@ -210,18 +209,17 @@ SGN_End(SGNContext *cx, SECItem *result)
 
     if ((cx->signalg == SEC_OID_ANSIX9_DSA_SIGNATURE) ||
         (cx->signalg == SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
         /* DSAU_EncodeDerSigWithLen works for DSA and ECDSA */
         rv = DSAU_EncodeDerSigWithLen(result, &sigitem, sigitem.len);
         PORT_Free(sigitem.data);
         if (rv != SECSuccess)
             goto loser;
-    }
-    else {
+    } else {
         result->len = sigitem.len;
         result->data = sigitem.data;
     }
 
 loser:
     SGN_DestroyDigestInfo(di);
     if (arena != NULL) {
         PORT_FreeArena(arena, PR_FALSE);
@@ -391,18 +389,17 @@ SGN_Digest(SECKEYPrivateKey *privKey,
         }
 
         /* Der encode the digest as a DigestInfo */
         rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate,
                         di);
         if (rv != SECSuccess) {
             goto loser;
         }
-    }
-    else {
+    } else {
         digder.data = digest->data;
         digder.len = digest->len;
     }
 
     /*
     ** Encrypt signature after constructing appropriate PKCS#1 signature
     ** block
     */
--- a/lib/cryptohi/secvfy.c
+++ b/lib/cryptohi/secvfy.c
@@ -100,18 +100,17 @@ recoverPKCS1DigestInfo(SECOidTag givenDi
 
     if (di) {
         SGN_DestroyDigestInfo(di);
     }
 
     if (rv == SECSuccess) {
         *digestInfoLen = it.len;
         *digestInfo = (unsigned char *)it.data;
-    }
-    else {
+    } else {
         if (it.data) {
             PORT_Free(it.data);
         }
         *digestInfo = NULL;
         *digestInfoLen = 0;
         PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
     }
 
@@ -190,18 +189,17 @@ decodeECorDSASignature(SECOidTag algid, 
             PORT_SetError(SEC_ERROR_BAD_DER);
             return SECFailure;
         }
     }
     dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
 
     if ((dsasig == NULL) || (dsasig->len != len)) {
         rv = SECFailure;
-    }
-    else {
+    } else {
         PORT_Memcpy(dsig, dsasig->data, dsasig->len);
     }
 
     if (dsasig != NULL)
         SECITEM_FreeItem(dsasig, PR_TRUE);
     if (rv == SECFailure)
         PORT_SetError(SEC_ERROR_BAD_DER);
     return rv;
@@ -291,27 +289,23 @@ sec_DecodeSigAlg(const SECKEYPublicKey *
             /* This is an EC algorithm. Recommended means the largest
              * hash algorithm that is not reduced by the keysize of
              * the EC algorithm. Note that key strength is in bytes and
              * algorithms are specified in bits. Never use an algorithm
              * weaker than sha1. */
             len = SECKEY_PublicKeyStrength(key);
             if (len < 28) { /* 28 bytes == 224 bits */
                 *hashalg = SEC_OID_SHA1;
-            }
-            else if (len < 32) { /* 32 bytes == 256 bits */
+            } else if (len < 32) { /* 32 bytes == 256 bits */
                 *hashalg = SEC_OID_SHA224;
-            }
-            else if (len < 48) { /* 48 bytes == 384 bits */
+            } else if (len < 48) { /* 48 bytes == 384 bits */
                 *hashalg = SEC_OID_SHA256;
-            }
-            else if (len < 64) { /* 48 bytes == 512 bits */
+            } else if (len < 64) { /* 48 bytes == 512 bits */
                 *hashalg = SEC_OID_SHA384;
-            }
-            else {
+            } else {
                 /* use the largest in this case */
                 *hashalg = SEC_OID_SHA512;
             }
             break;
         case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST:
             if (param == NULL) {
                 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
                 return SECFailure;
@@ -662,18 +656,17 @@ vfy_VerifyDigest(const SECItem *digest, 
                 dsasig.data = cx->u.buffer;
                 dsasig.len = SECKEY_SignatureLen(cx->key);
                 if (dsasig.len == 0) {
                     break;
                 }
                 if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
                     SECSuccess) {
                     PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-                }
-                else {
+                } else {
                     rv = SECSuccess;
                 }
                 break;
             default:
                 break;
         }
         VFY_DestroyContext(cx, PR_TRUE);
     }
--- a/lib/dbm/include/hash.h
+++ b/lib/dbm/include/hash.h
@@ -158,19 +158,18 @@ typedef struct htab { /* Memory resident
 #define NUMKEY 1038583l
 #define BYTE_SHIFT 3
 #define INT_TO_BYTE 2
 #define INT_BYTE_SHIFT 5
 #define ALL_SET ((uint32)0xFFFFFFFF)
 #define ALL_CLEAR 0
 
 #define PTROF(X) ((ptrdiff_t)(X) == BUF_DISK ? 0 : (X))
-#define ISDISK(X) ((X) ? ((ptrdiff_t)(X) == BUF_DISK ? BUF_DISK    \
-                                                     :             \
-                                                     (X)->is_disk) \
+#define ISDISK(X) ((X) ? ((ptrdiff_t)(X) == BUF_DISK ? BUF_DISK      \
+                                                     : (X)->is_disk) \
                        : 0)
 
 #define BITS_PER_MAP 32
 
 /* Given the address of the beginning of a big map, clear/set the nth bit */
 #define CLRBIT(A, N) ((A)[(N) / BITS_PER_MAP] &= ~(1 << ((N) % BITS_PER_MAP)))
 #define SETBIT(A, N) ((A)[(N) / BITS_PER_MAP] |= (1 << ((N) % BITS_PER_MAP)))
 #define ISSET(A, N) ((A)[(N) / BITS_PER_MAP] & (1 << ((N) % BITS_PER_MAP)))
--- a/lib/dbm/src/dirent.c
+++ b/lib/dbm/src/dirent.c
@@ -76,18 +76,17 @@ getFSType(const char *path)
     static char cache[1 + 26];
     char drive[3], info[512];
     Word unit, infolen;
     char r;
 
     if (isalpha(path[0]) && path[1] == ':') {
         unit = toupper(path[0]) - '@';
         path += 2;
-    }
-    else {
+    } else {
         ULONG driveMap;
 #if OS2 >= 2
         if (DosQueryCurrentDisk(&unit, &driveMap))
 #else
         if (DosQCurDisk(&unit, &driveMap))
 #endif
             return 0;
     }
@@ -104,27 +103,25 @@ getFSType(const char *path)
     drive[2] = '\0';
     infolen = sizeof info;
 #if OS2 >= 2
     if (DosQueryFSAttach(drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen))
         return 0;
     if (infolen >= sizeof(FSQBUFFER2)) {
         FSQBUFFER2 *p = (FSQBUFFER2 *)info;
         r = p->szFSDName[p->cbName];
-    }
-    else
+    } else
 #else
     if (DosQFSAttach((PSZ)drive, 0, FSAIL_QUERYNAME, (PVOID)info, &infolen, 0))
         return 0;
     if (infolen >= 9) {
         char *p = info + sizeof(USHORT);
         p += sizeof(USHORT) + *(USHORT *)p + 1 + sizeof(USHORT);
         r = *p;
-    }
-    else
+    } else
 #endif
         r = 0;
     return cache[unit] = r;
 }
 
 char *
 abs_path(const char *name, char *buffer, int len)
 {
--- a/lib/dbm/src/dirent.h
+++ b/lib/dbm/src/dirent.h
@@ -56,17 +56,17 @@ struct dirent {
     char d_name[MAXNAMLEN + 1];
     unsigned long d_size;
     unsigned short d_attribute; /* attributes (see above) */
     unsigned short d_time;      /* modification time */
     unsigned short d_date;      /* modification date */
 #else
     char d_name[MAXNAMLEN + 1]; /* garentee null termination */
     char d_attribute;           /* .. extension .. */
-    unsigned long d_size;       /* .. extension .. */
+    unsigned long d_size; /* .. extension .. */
 #endif
 };
 
 typedef struct _dirdescr DIR;
 /* the structs do not have to be defined here */
 
 extern DIR *opendir(const char *);
 extern DIR *openxdir(const char *, unsigned);
--- a/lib/dbm/src/h_bigkey.c
+++ b/lib/dbm/src/h_bigkey.c
@@ -124,18 +124,17 @@ extern int
                 off = OFFSET(p) - move_bytes;
                 p[n] = off;
                 memmove(cp + off, val_data, move_bytes);
                 val_data += move_bytes;
                 val_size -= move_bytes;
                 p[n - 2] = FULL_KEY_DATA;
                 FREESPACE(p) = FREESPACE(p) - move_bytes;
                 OFFSET(p) = off;
-            }
-            else
+            } else
                 p[n - 2] = FULL_KEY;
         }
         p = (uint16 *)bufp->page;
         cp = bufp->page;
         bufp->flags |= BUF_MOD;
     }
 
     /* Now move the data */
@@ -159,18 +158,17 @@ extern int
         OFFSET(p) = off;
         if (val_size) {
             p[n] = FULL_KEY;
             bufp = __add_ovflpage(hashp, bufp);
             if (!bufp)
                 return (-1);
             cp = bufp->page;
             p = (uint16 *)cp;
-        }
-        else
+        } else
             p[n] = FULL_KEY_DATA;
         bufp->flags |= BUF_MOD;
     }
     return (0);
 }
 
 /*
  * Called when bufp's page  contains a partial key (index should be 1)
@@ -231,18 +229,17 @@ extern int
 
     /* Now, bp is the first page of the pair. */
     bp = (uint16 *)bufp->page;
     if (n > 2) {
         /* There is an overflow page. */
         bp[1] = pageno;
         bp[2] = OVFLPAGE;
         bufp->ovfl = rbufp->ovfl;
-    }
-    else
+    } else
         /* This is the last page. */
         bufp->ovfl = NULL;
     n -= 2;
     bp[0] = n;
     FREESPACE(bp) = hashp->BSIZE - PAGE_META(n);
     OFFSET(bp) = hashp->BSIZE - 1;
 
     bufp->flags |= BUF_MOD;
@@ -290,18 +287,17 @@ extern int
         ndx = 1;
     }
 
     if (bytes != ksize || memcmp(p + bp[ndx], kkey, bytes)) {
 #ifdef HASH_STATISTICS
         ++hash_collisions;
 #endif
         return (-2);
-    }
-    else
+    } else
         return (ndx);
 }
 
 /*
  * Given the buffer pointer of the first overflow page of a big pair,
  * find the end of the big pair
  *
  * This will set bpp to the buffer header of the last page of the big pair.
@@ -379,48 +375,45 @@ extern int
         bufp = __get_buf(hashp, bp[bp[0] - 1], bufp, 0);
         if (!bufp)
             return (-1);
         bp = (uint16 *)bufp->page;
         save_p = bufp;
         save_addr = save_p->addr;
         off = bp[1];
         len = 0;
-    }
-    else if (!FREESPACE(bp)) {
+    } else if (!FREESPACE(bp)) {
         /*
              * This is a hack.  We can't distinguish between
              * FULL_KEY_DATA that contains complete data or
              * incomplete data, so we require that if the data
              * is complete, there is at least 1 byte of free
              * space left.
              */
         off = bp[bp[0]];
         len = bp[1] - off;
         save_p = bufp;
         save_addr = bufp->addr;
         bufp = __get_buf(hashp, bp[bp[0] - 1], bufp, 0);
         if (!bufp)
             return (-1);
         bp = (uint16 *)bufp->page;
-    }
-    else {
+    } else {
         /* The data is all on one page. */
         tp = (char *)bp;
         off = bp[bp[0]];
         val->data = (uint8 *)tp + off;
         val->size = bp[1] - off;
         if (set_current) {
             if (bp[0] == 2) { /* No more buckets in
                              * chain */
                 hashp->cpage = NULL;
                 hashp->cbucket++;
                 hashp->cndx = 1;
-            }
-            else {
+            } else {
                 hashp->cpage = __get_buf(hashp,
                                          bp[bp[0] - 1], bufp, 0);
                 if (!hashp->cpage)
                     return (-1);
                 hashp->cndx = 1;
                 if (!((uint16 *)
                           hashp->cpage->page)[0]) {
                     hashp->cbucket++;
@@ -523,18 +516,17 @@ collect_data(
     save_bufp->flags = save_flags;
 
     /* update the database cursor */
     if (set) {
         hashp->cndx = 1;
         if (bp[0] == 2) { /* No more buckets in chain */
             hashp->cpage = NULL;
             hashp->cbucket++;
-        }
-        else {
+        } else {
             hashp->cpage = __get_buf(hashp, bp[bp[0] - 1], bufp, 0);
             if (!hashp->cpage)
                 return (-1);
             else if (!((uint16 *)hashp->cpage->page)[0]) {
                 hashp->cbucket++;
                 hashp->cpage = NULL;
             }
         }
@@ -584,18 +576,17 @@ collect_key(
     totlen = len + mylen;
     if (bp[2] == FULL_KEY || bp[2] == FULL_KEY_DATA) { /* End of Key. */
         if (hashp->tmp_key != NULL)
             free(hashp->tmp_key);
         if ((hashp->tmp_key = (char *)malloc((size_t)totlen)) == NULL)
             return (-1);
         if (__big_return(hashp, bufp, 1, val, set))
             return (-1);
-    }
-    else {
+    } else {
         xbp = __get_buf(hashp, bp[bp[0] - 1], bufp, 0);
         if (!xbp || ((totlen =
                           collect_key(hashp, xbp, totlen, val, set)) < 1))
             return (-1);
     }
     if (bufp->addr != save_addr) {
         errno = EINVAL; /* MIS -- OUT OF BUFFERS */
         return (-1);
@@ -634,18 +625,17 @@ extern int
         return (-1);
     change = (__call_hash(hashp, (char *)key.data, key.size) != obucket);
 
     if ((ret->next_addr = __find_last_page(hashp, &big_keyp))) {
         if (!(ret->nextp =
                   __get_buf(hashp, ret->next_addr, big_keyp, 0)))
             return (-1);
         ;
-    }
-    else
+    } else
         ret->nextp = NULL;
 
 /* Now make one of np/op point to the big key/data pair */
 #ifdef DEBUG
     assert(np->ovfl == NULL);
 #endif
     if (change)
         tmpp = np;
@@ -701,18 +691,17 @@ extern int
         off = OFFSET(tp);
         tp[0] -= 2;
         FREESPACE(tp) = free_space + OVFLSIZE;
         OFFSET(tp) = off;
         tmpp = __add_ovflpage(hashp, big_keyp);
         if (!tmpp)
             return (-1);
         tp[4] = n;
-    }
-    else
+    } else
         tmpp = big_keyp;
 
     if (change)
         ret->newp = tmpp;
     else
         ret->oldp = tmpp;
     return (0);
 }
--- a/lib/dbm/src/h_page.c
+++ b/lib/dbm/src/h_page.c
@@ -251,18 +251,17 @@ extern int
 
         memmove(dst, src, length);
 
         /* Now adjust the pointers */
         for (i = ndx + 2; i <= n; i += 2) {
             if (bp[i + 1] == OVFLPAGE) {
                 bp[i - 2] = bp[i];
                 bp[i - 1] = bp[i + 1];
-            }
-            else {
+            } else {
                 bp[i - 2] = bp[i] + pairlen;
                 bp[i - 1] = bp[i + 1] + pairlen;
             }
         }
     }
     /* Finally adjust the page data */
     bp[n] = OFFSET(bp) + pairlen;
     bp[n - 1] = bp[n + 1] + pairlen + 2 * sizeof(uint16);
@@ -336,22 +335,20 @@ extern int
             /* Don't switch page */
             diff = copyto - off;
             if (diff) {
                 copyto = ino[n + 1] + diff;
                 memmove(op + copyto, op + ino[n + 1],
                         off - ino[n + 1]);
                 ino[ndx] = copyto + ino[n] - ino[n + 1];
                 ino[ndx + 1] = copyto;
-            }
-            else
+            } else
                 copyto = ino[n + 1];
             ndx += 2;
-        }
-        else {
+        } else {
             /* Switch page */
             val.data = (uint8 *)op + ino[n + 1];
             val.size = ino[n] - ino[n + 1];
 
             /* if the pair doesn't fit something is horribly
              * wrong.  LJM
              */
             tmp_uint16_array = (uint16 *)np;
@@ -455,18 +452,17 @@ ugly_split(HTAB *hashp, uint32 obucket, 
                 return (-1);
             np = (uint16 *)new_bufp->page;
             bufp = ret.nextp;
             if (!bufp)
                 return (0);
             cino = (char *)bufp->page;
             ino = (uint16 *)cino;
             last_bfp = ret.nextp;
-        }
-        else if (ino[n + 1] == OVFLPAGE) {
+        } else if (ino[n + 1] == OVFLPAGE) {
             ov_addr = ino[n];
             /*
              * Fix up the old page -- the extra 2 are the fields
              * which contained the overflow information.
              */
             ino[0] -= (moved + 2);
             FREESPACE(ino) =
                 scopyto - sizeof(uint16) * (ino[0] + 3);
@@ -503,18 +499,17 @@ ugly_split(HTAB *hashp, uint32 obucket, 
                     old_bufp =
                         __add_ovflpage(hashp, old_bufp);
                     if (!old_bufp)
                         return (-1);
                     op = (uint16 *)old_bufp->page;
                     putpair((char *)op, &key, &val);
                 }
                 old_bufp->flags |= BUF_MOD;
-            }
-            else {
+            } else {
                 /* Move to new page */
                 if (PAIRFITS(np, (&key), (&val)))
                     putpair((char *)np, &key, &val);
                 else {
                     new_bufp =
                         __add_ovflpage(hashp, new_bufp);
                     if (!new_bufp)
                         return (-1);
@@ -555,33 +550,31 @@ extern int
             bufp = __get_buf(hashp, bp[bp[0] - 1], bufp, 0);
             if (!bufp) {
 #ifdef DEBUG
                 assert(0);
 #endif
                 return (-1);
             }
             bp = (uint16 *)bufp->page;
-        }
-        else
+        } else
             /* Try to squeeze key on this page */
             if (FREESPACE(bp) > PAIRSIZE(key, val)) {
             {
                 squeeze_key(bp, key, val);
 
                 /* LJM: I added this because I think it was
                  * left out on accident.
                  * if this isn't incremented nkeys will not
                  * be the actual number of keys in the db.
                  */
                 hashp->NKEYS++;
                 return (0);
             }
-        }
-        else {
+        } else {
             bufp = __get_buf(hashp, bp[bp[0] - 1], bufp, 0);
             if (!bufp) {
 #ifdef DEBUG
                 assert(0);
 #endif
                 return (-1);
             }
             bp = (uint16 *)bufp->page;
@@ -711,28 +704,26 @@ extern int
         bp[0] = 0; /* We hit the EOF, so initialize a new page */
     else if ((unsigned)rsize != size) {
         errno = EFTYPE;
         return (-1);
     }
 
     if (!is_bitmap && !bp[0]) {
         PAGE_INIT(p);
-    }
-    else {
+    } else {
 
         if (hashp->LORDER != BYTE_ORDER) {
             register int i, max;
 
             if (is_bitmap) {
                 max = hashp->BSIZE >> 2; /* divide by 4 */
                 for (i = 0; i < max; i++)
                     M_32_SWAP(((int *)p)[i]);
-            }
-            else {
+            } else {
                 M_16_SWAP(bp[0]);
                 max = bp[0] + 2;
 
                 /* bound the size of max by
                  * the maximum number of entries
                  * in the array
                  */
                 if ((unsigned)max > (size / sizeof(uint16)))
@@ -774,18 +765,17 @@ extern int
             for (i = 1; i <= num_keys; i += 2) {
                 /* ignore overflow pages etc. */
                 if (bp[i + 1] >= REAL_KEY) {
 
                     if (bp[i] > offset || bp[i + 1] > bp[i])
                         return (DATABASE_CORRUPTED_ERROR);
 
                     offset = bp[i + 1];
-                }
-                else {
+                } else {
                     /* there are no other valid keys after
                      * seeing a non REAL_KEY
                      */
                     break;
                 }
             }
         }
     }
@@ -815,18 +805,17 @@ extern int
     if (hashp->LORDER != BYTE_ORDER) {
         register int i;
         register int max;
 
         if (is_bitmap) {
             max = hashp->BSIZE >> 2; /* divide by 4 */
             for (i = 0; i < max; i++)
                 M_32_SWAP(((int *)p)[i]);
-        }
-        else {
+        } else {
             max = ((uint16 *)p)[0] + 2;
 
             /* bound the size of max by
              * the maximum number of entries
              * in the array
              */
             if ((unsigned)max > (size / sizeof(uint16)))
                 return (DATABASE_CORRUPTED_ERROR);
@@ -860,18 +849,17 @@ extern int
     if (hashp->LORDER != BYTE_ORDER) {
         register int i;
         register int max;
 
         if (is_bitmap) {
             max = hashp->BSIZE >> 2; /* divide by 4 */
             for (i = 0; i < max; i++)
                 M_32_SWAP(((int *)p)[i]);
-        }
-        else {
+        } else {
             uint16 *bp = (uint16 *)p;
 
             M_16_SWAP(bp[0]);
             max = bp[0] + 2;
 
             /* no need to bound the size if max again
              * since it was done already above
              */
@@ -954,18 +942,17 @@ overflow_page(HTAB *hashp)
         else
             in_use_bits = (hashp->BSIZE << BYTE_SHIFT) - 1;
 
         if (i == (unsigned)first_page) {
             bit = hashp->LAST_FREED &
                   ((hashp->BSIZE << BYTE_SHIFT) - 1);
             j = bit / BITS_PER_MAP;
             bit = bit & ~(BITS_PER_MAP - 1);
-        }
-        else {
+        } else {
             bit = 0;
             j = 0;
         }
         for (; bit <= in_use_bits; j++, bit += BITS_PER_MAP)
             if (freep[j] != ALL_SET)
                 goto found;
     }
 
@@ -1024,18 +1011,17 @@ overflow_page(HTAB *hashp)
 #endif
                 return (0);
             }
             hashp->OVFL_POINT = splitnum;
             hashp->SPARES[splitnum] = hashp->SPARES[splitnum - 1];
             hashp->SPARES[splitnum - 1]--;
             offset = 0;
         }
-    }
-    else {
+    } else {
         /*
          * Free_bit addresses the last used bit.  Bump it to address
          * the first available bit.
          */
         free_bit++;
         SETBIT(freep, free_bit);
     }
 
--- a/lib/dbm/src/hash.c
+++ b/lib/dbm/src/hash.c
@@ -168,18 +168,17 @@ extern DB *
      */
     hashp->flags = flags;
 
     new_table = 0;
     if (!file || (flags & O_TRUNC) || (stat(file, &statbuf) && (errno == ENOENT))) {
         if (errno == ENOENT)
             errno = 0; /* Just in case someone looks at errno */
         new_table = 1;
-    }
-    else if (statbuf.st_mtime && statbuf.st_size == 0) {
+    } else if (statbuf.st_mtime && statbuf.st_size == 0) {
         /* check for a zero length file and delete it
          * if it exists
          */
         new_table = 1;
     }
     hashp->file_size = statbuf.st_size;
 
     if (file) {
@@ -190,18 +189,17 @@ extern DB *
         if ((hashp->fp = open(file, flags, mode)) == -1)
             RETURN_ERROR(errno, error1);
         (void)fcntl(hashp->fp, F_SETFD, 1);
 #endif
     }
     if (new_table) {
         if (!init_hash(hashp, file, (HASHINFO *)info))
             RETURN_ERROR(errno, error1);
-    }
-    else {
+    } else {
         /* Table already exists */
         if (info && info->hash)
             hashp->hash = info->hash;
         else
             hashp->hash = __default_hash;
 
         hdrsize = read(hashp->fp, (char *)&hashp->hdr, sizeof(HASHHDR));
         if (hdrsize == -1)
@@ -701,20 +699,18 @@ hash_put(
         hashp->dbmerrno = errno = EINVAL;
         return (DBM_ERROR);
     }
     if ((hashp->flags & O_ACCMODE) == O_RDONLY) {
         hashp->dbmerrno = errno = EPERM;
         return (DBM_ERROR);
     }
 
-    rv = hash_access(hashp, flag == R_NOOVERWRITE ?
-                                                  HASH_PUTNEW
-                                                  :
-                                                  HASH_PUT,
+    rv = hash_access(hashp, flag == R_NOOVERWRITE ? HASH_PUTNEW
+                                                  : HASH_PUT,
                      (DBT *)key, (DBT *)data);
 
     if (rv == DATABASE_CORRUPTED_ERROR) {
 #if defined(unix) && defined(DEBUG)
         printf("\n\nDBM Database has been corrupted, tell Lou...\n\n");
 #endif
         __remove_database((DB *)dbp);
     }
@@ -797,18 +793,17 @@ hash_access(
                 memcmp(kp, rbufp->page + *bp, size) == 0)
                 goto found;
             off = bp[1];
 #ifdef HASH_STATISTICS
             hash_collisions++;
 #endif
             bp += 2;
             ndx += 2;
-        }
-        else if (bp[1] == OVFLPAGE) {
+        } else if (bp[1] == OVFLPAGE) {
 
             /* database corruption: overflow loop detection */
             if (last_overflow_page_no == (int32)*bp)
                 return (DATABASE_CORRUPTED_ERROR);
 
             last_overflow_page_no = *bp;
 
             rbufp = __get_buf(hashp, *bp, rbufp, 0);
@@ -821,18 +816,17 @@ hash_access(
             if (ovfl_loop_count > MAX_OVERFLOW_HASH_ACCESS_LOOPS)
                 return (DATABASE_CORRUPTED_ERROR);
 
             /* FOR LOOP INIT */
             bp = (uint16 *)rbufp->page;
             n = *bp++;
             ndx = 1;
             off = hashp->BSIZE;
-        }
-        else if (bp[1] < REAL_KEY) {
+        } else if (bp[1] < REAL_KEY) {
             if ((ndx =
                      __find_bigpair(hashp, rbufp, ndx, kp, (int)size)) > 0)
                 goto found;
             if (ndx == -2) {
                 bufp = rbufp;
                 if (!(pageno =
                           __find_last_page(hashp, &bufp))) {
                     ndx = 0;
@@ -844,33 +838,31 @@ hash_access(
                     save_bufp->flags &= ~BUF_PIN;
                     return (DBM_ERROR);
                 }
                 /* FOR LOOP INIT */
                 bp = (uint16 *)rbufp->page;
                 n = *bp++;
                 ndx = 1;
                 off = hashp->BSIZE;
-            }
-            else {
+            } else {
                 save_bufp->flags &= ~BUF_PIN;
                 return (DBM_ERROR);
             }
         }
     }
 
     /* Not found */
     switch (action) {
         case HASH_PUT:
         case HASH_PUTNEW:
             if (__addel(hashp, rbufp, key, val)) {
                 save_bufp->flags &= ~BUF_PIN;
                 return (DBM_ERROR);
-            }
-            else {
+            } else {
                 save_bufp->flags &= ~BUF_PIN;
                 return (SUCCESS);
             }
         case HASH_GET:
         case HASH_DELETE:
         default:
             save_bufp->flags &= ~BUF_PIN;
             return (ABNORMAL);
@@ -881,18 +873,17 @@ found:
         case HASH_PUTNEW:
             save_bufp->flags &= ~BUF_PIN;
             return (ABNORMAL);
         case HASH_GET:
             bp = (uint16 *)rbufp->page;
             if (bp[ndx + 1] < REAL_KEY) {
                 if (__big_return(hashp, rbufp, ndx, val, 0))
                     return (DBM_ERROR);
-            }
-            else {
+            } else {
                 val->data = (uint8 *)rbufp->page + (int)bp[ndx + 1];
                 val->size = bp[ndx] - bp[ndx + 1];
             }
             break;
         case HASH_PUT:
             if ((__delpair(hashp, rbufp, ndx)) ||
                 (__addel(hashp, rbufp, key, val))) {
                 save_bufp->flags &= ~BUF_PIN;
@@ -951,18 +942,17 @@ hash_seq(
                 if (bp[0])
                     break;
             }
             hashp->cbucket = bucket;
             if (hashp->cbucket > hashp->MAX_BUCKET) {
                 hashp->cbucket = -1;
                 return (ABNORMAL);
             }
-        }
-        else
+        } else
             bp = (uint16 *)hashp->cpage->page;
 
 #ifdef DEBUG
         assert(bp);
         assert(bufp);
 #endif
         while (bp[hashp->cndx + 1] == OVFLPAGE) {
             bufp = hashp->cpage =
@@ -976,29 +966,27 @@ hash_seq(
             hashp->cpage = NULL;
             ++hashp->cbucket;
         }
     }
     ndx = hashp->cndx;
     if (bp[ndx + 1] < REAL_KEY) {
         if (__big_keydata(hashp, bufp, key, data, 1))
             return (DBM_ERROR);
-    }
-    else {
+    } else {
         key->data = (uint8 *)hashp->cpage->page + bp[ndx];
         key->size = (ndx > 1 ? bp[ndx - 1] : hashp->BSIZE) - bp[ndx];
         data->data = (uint8 *)hashp->cpage->page + bp[ndx + 1];
         data->size = bp[ndx] - bp[ndx + 1];
         ndx += 2;
         if (ndx > bp[0]) {
             hashp->cpage = NULL;
             hashp->cbucket++;
             hashp->cndx = 1;
-        }
-        else
+        } else
             hashp->cndx = ndx;
     }
     return (SUCCESS);
 }
 
 /********************************* UTILITIES ************************/
 
 /*
--- a/lib/dbm/src/hash_buf.c
+++ b/lib/dbm/src/hash_buf.c
@@ -115,18 +115,17 @@ extern BUFHEAD *
     is_disk = 0;
     is_disk_mask = 0;
     if (prev_bp) {
         bp = prev_bp->ovfl;
         if (!bp || (bp->addr != addr))
             bp = NULL;
         if (!newpage)
             is_disk = BUF_DISK;
-    }
-    else {
+    } else {
         /* Grab buffer out of directory */
         segment_ndx = addr & (hashp->SGSIZE - 1);
 
         /* valid segment ensured by __call_hash() */
         segp = hashp->dir[addr >> hashp->SSHIFT];
 #ifdef DEBUG
         assert(segp != NULL);
 #endif
@@ -168,18 +167,17 @@ extern BUFHEAD *
                 (BUFHEAD *)((ptrdiff_t)bp | is_disk_mask);
 #else
             /* set the is_disk thing inside the structure
              */
             bp->is_disk = is_disk_mask;
             segp[segment_ndx] = bp;
 #endif
         }
-    }
-    else {
+    } else {
         BUF_REMOVE(bp);
         MRU_INSERT(bp);
     }
     return (bp);
 }
 
 /*
  * We need a buffer for this page. Either allocate one, or evict a resident
@@ -220,18 +218,17 @@ newbuf(HTAB *hashp, uint32 addr, BUFHEAD
 
         /* this memset is supposedly unnecessary but lets add
          * it anyways.
          */
         memset(bp->page, 0xff, (size_t)hashp->BSIZE);
 
         if (hashp->nbufs)
             hashp->nbufs--;
-    }
-    else {
+    } else {
         /* Kick someone out */
         BUF_REMOVE(bp);
         /*
          * If this is an overflow page with addr 0, it's already been
          * flushed back in an overflow chain and initialized.
          */
         if ((bp->addr != 0) || (bp->flags & BUF_BUCKET)) {
             /*
@@ -326,18 +323,17 @@ newbuf(HTAB *hashp, uint32 addr, BUFHEAD
          */
 #ifdef DEBUG1
         (void)fprintf(stderr, "NEWBUF2: %d->ovfl was %d is now %d\n",
                       prev_bp->addr, (prev_bp->ovfl ? bp->ovfl->addr : 0),
                       (bp ? bp->addr : 0));
 #endif
         prev_bp->ovfl = bp;
         bp->flags = 0;
-    }
-    else
+    } else
         bp->flags = BUF_BUCKET;
     MRU_INSERT(bp);
     return (bp);
 }
 
 extern void
 __buf_init(HTAB *hashp, int32 nbytes)
 {
@@ -389,18 +385,17 @@ extern int
         }
         /* Check if we are freeing stuff */
         if (do_free) {
             if (bp->page)
                 free(bp->page);
             BUF_REMOVE(bp);
             free(bp);
             bp = LRU;
-        }
-        else
+        } else
             bp = bp->prev;
     }
     return (0);
 }
 
 extern void
 __reclaim_buf(HTAB *hashp, BUFHEAD *bp)
 {
--- a/lib/dbm/src/memmove.c
+++ b/lib/dbm/src/memmove.c
@@ -106,18 +106,17 @@ register size_t length;
         }
         /*
          * Copy whole words, then mop up any trailing bytes.
          */
         t = length / wsize;
         TLOOP(*(word *)dst = *(word *)src; src += wsize; dst += wsize);
         t = length & wmask;
         TLOOP(*dst++ = *src++);
-    }
-    else {
+    } else {
         /*
          * Copy backwards.  Otherwise essentially the same.
          * Alignment works as before, except that it takes
          * (t&wmask) bytes to align, not wsize-(t&wmask).
          */
         src += length;
         dst += length;
         t = (int)src;
--- a/lib/dbm/src/mktemp.c
+++ b/lib/dbm/src/mktemp.c
@@ -122,18 +122,17 @@ static int
 
     for (;;) {
         if (doopen) {
             if ((*doopen =
                      open(path, O_CREAT | O_EXCL | O_RDWR | extraFlags, 0600)) >= 0)
                 return (1);
             if (errno != EEXIST)
                 return (0);
-        }
-        else if (stat(path, &sbuf))
+        } else if (stat(path, &sbuf))
             return (errno == ENOENT ? 1 : 0);
 
         /* tricky little algorithm for backward compatibility */
         for (trv = start;;) {
             if (!*trv)
                 return (0);
             if (*trv == 'z')
                 *trv++ = 'a';
--- a/lib/dbm/tests/lots.c
+++ b/lib/dbm/tests/lots.c
@@ -244,29 +244,26 @@ VerifyRange(int32 low, int32 high, int32
         key = GenKey(num, key_type);
 
         status = (*database->get)(database, key, &data, 0);
 
         if (status == 0) {
             /* got the item */
             if (!should_exist) {
                 ReportError("Item exists but shouldn't: %ld", num);
-            }
-            else {
+            } else {
                 /* else verify the data */
                 VerifyData(&data, num, key_type);
             }
-        }
-        else if (status > 0) {
+        } else if (status > 0) {
             /* item not found */
             if (should_exist) {
                 ReportError("Item not found but should be: %ld", num);
             }
-        }
-        else {
+        } else {
             /* database error */
             ReportError("Database error");
             return (-1);
         }
     }
 
     TraceMe(1, ("Correctly verified: %ld to %ld", low, high));
 
@@ -280,18 +277,17 @@ GenData(int32 num)
     static DBT *data = 0;
     int32 *int32_array;
     size_t size;
 
     if (!data) {
         data = (DBT *)malloc(sizeof(DBT));
         data->size = 0;
         data->data = 0;
-    }
-    else if (data->data) {
+    } else if (data->data) {
         free(data->data);
     }
 
     n = rand();
 
     n = n % 512; /* bound to a 2K size */
 
     size = sizeof(int32) * (n + 1);
@@ -323,45 +319,41 @@ AddOrDelRange(int32 low, int32 high, int
     int status;
 
     if (action != ADD_RANGE && action != DELETE_RANGE)
         assert(0);
 
     if (action == ADD_RANGE) {
         TraceMe(1, ("Adding: %ld to %ld: %s keys", low, high,
                     key_type == USE_SMALL_KEY ? "SMALL" : "LARGE"));
-    }
-    else {
+    } else {
         TraceMe(1, ("Deleting: %ld to %ld: %s keys", low, high,
                     key_type == USE_SMALL_KEY ? "SMALL" : "LARGE"));
     }
 
     for (num = low; num <= high; num++) {
 
         key = GenKey(num, key_type);
 
         if (action == ADD_RANGE) {
             data = GenData(num);
             status = (*database->put)(database, key, data, 0);
-        }
-        else {
+        } else {
             status = (*database->del)(database, key, 0);
         }
 
         if (status < 0) {
             ReportError("Database error %s item: %ld",
                         action == ADD_RANGE ? "ADDING" : "DELETING",
                         num);
-        }
-        else if (status > 0) {
+        } else if (status > 0) {
             ReportError("Could not %s item: %ld",
                         action == ADD_RANGE ? "ADD" : "DELETE",
                         num);
-        }
-        else if (action == ADD_RANGE) {
+        } else if (action == ADD_RANGE) {
 #define SYNC_EVERY_TIME
 #ifdef SYNC_EVERY_TIME
             status = (*database->sync)(database, 0);
             if (status != 0)
                 ReportError("Database error syncing after add");
 #endif
 
 #if 0 /* only do this if your really analy checking the puts */
@@ -383,18 +375,17 @@ AddOrDelRange(int32 low, int32 high, int
 				VerifyRange(low, num, SHOULD_EXIST, key_type);
 			  }
 #endif
         }
     }
 
     if (action == ADD_RANGE) {
         TraceMe(1, ("Successfully added: %ld to %ld", low, high));
-    }
-    else {
+    } else {
         TraceMe(1, ("Successfully deleted: %ld to %ld", low, high));
     }
 
     return (0);
 }
 
 int
 TestRange(int32 low, int32 range, key_type_enum key_type)
@@ -519,18 +510,17 @@ main(int argc, char **argv)
         (*database->close)(database);
         exit(0);
     }
 
     for (i = 100; i < 10000000; i += 200) {
         if (1 || j) {
             TestRange(START_RANGE, i, USE_LARGE_KEY);
             j = 0;
-        }
-        else {
+        } else {
             TestRange(START_RANGE, i, USE_SMALL_KEY);
             j = 1;
         }
 
         if (1 == rand() % 3) {
             (*database->sync)(database, 0);
         }
 
@@ -540,18 +530,17 @@ main(int argc, char **argv)
             database = dbopen("test.db", O_RDWR | O_CREAT, 0644, DB_HASH, 0);
             if (!database) {
                 ReportError("Could not reopen database");
 #ifdef unix
                 perror("");
 #endif
                 exit(1);
             }
-        }
-        else {
+        } else {
             /* reopen database without closeing the other */
             database = dbopen("test.db", O_RDWR | O_CREAT, 0644, DB_HASH, 0);
             if (!database) {
                 ReportError("Could not reopen database "
                             "after not closing the other");
 #ifdef unix
                 perror("");
 #endif
--- a/lib/dev/ckhelper.c
+++ b/lib/dev/ckhelper.c
@@ -140,18 +140,17 @@ nssCKObject_GetAttributes(
         }
     }
     return PR_SUCCESS;
 loser:
     if (alloced) {
         if (arenaOpt) {
             /* release all arena memory allocated before the failure. */
             (void)nssArena_Release(arenaOpt, mark);
-        }
-        else {
+        } else {
             CK_ULONG j;
             /* free each heap object that was allocated before the failure. */
             for (j = 0; j < i; j++) {
                 nss_ZFreeIf(obj_template[j].pValue);
             }
         }
     }
     return PR_FAILURE;
@@ -217,18 +216,17 @@ nssCKObject_SetAttributes(
     CK_RV ckrv;
     void *epv = nssSlot_GetCryptokiEPV(slot);
     nssSession_EnterMonitor(session);
     ckrv = CKAPI(epv)->C_SetAttributeValue(session->handle, object,
                                            obj_template, count);
     nssSession_ExitMonitor(session);
     if (ckrv == CKR_OK) {
         return PR_SUCCESS;
-    }
-    else {
+    } else {
         return PR_FAILURE;
     }
 }
 
 NSS_IMPLEMENT PRBool
 nssCKObject_IsTokenObjectTemplate(
     CK_ATTRIBUTE_PTR objectTemplate,
     CK_ULONG otsize)
@@ -306,20 +304,18 @@ nssCryptokiCertificate_GetAttributes(
         return PR_SUCCESS;
     }
 
     status = nssToken_GetCachedObjectAttributes(certObject->token, arenaOpt,
                                                 certObject, CKO_CERTIFICATE,
                                                 cert_template, template_size);
     if (status != PR_SUCCESS) {
 
-        session = sessionOpt ?
-                             sessionOpt
-                             :
-                             nssToken_GetDefaultSession(certObject->token);
+        session = sessionOpt ? sessionOpt
+                             : nssToken_GetDefaultSession(certObject->token);
         if (!session) {
             nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
             return PR_FAILURE;
         }
 
         slot = nssToken_GetSlot(certObject->token);
         status = nssCKObject_GetAttributes(certObject->handle,
                                            cert_template, template_size,
@@ -424,20 +420,18 @@ nssCryptokiTrust_GetAttributes(
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH, sha1_hash);
     NSS_CK_TEMPLATE_FINISH(trust_template, attr, trust_size);
 
     status = nssToken_GetCachedObjectAttributes(trustObject->token, NULL,
                                                 trustObject,
                                                 CKO_NSS_TRUST,
                                                 trust_template, trust_size);
     if (status != PR_SUCCESS) {
-        session = sessionOpt ?
-                             sessionOpt
-                             :
-                             nssToken_GetDefaultSession(trustObject->token);
+        session = sessionOpt ? sessionOpt
+                             : nssToken_GetDefaultSession(trustObject->token);
         if (!session) {
             nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
             return PR_FAILURE;
         }
 
         slot = nssToken_GetSlot(trustObject->token);
         status = nssCKObject_GetAttributes(trustObject->handle,
                                            trust_template, trust_size,
@@ -498,20 +492,18 @@ nssCryptokiCRL_GetAttributes(
     }
     NSS_CK_TEMPLATE_FINISH(crl_template, attr, crl_size);
 
     status = nssToken_GetCachedObjectAttributes(crlObject->token, NULL,
                                                 crlObject,
                                                 CKO_NSS_CRL,
                                                 crl_template, crl_size);
     if (status != PR_SUCCESS) {
-        session = sessionOpt ?
-                             sessionOpt
-                             :
-                             nssToken_GetDefaultSession(crlObject->token);
+        session = sessionOpt ? sessionOpt
+                             : nssToken_GetDefaultSession(crlObject->token);
         if (session == NULL) {
             nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
             return PR_FAILURE;
         }
 
         slot = nssToken_GetSlot(crlObject->token);
         status = nssCKObject_GetAttributes(crlObject->handle,
                                            crl_template, crl_size,
@@ -570,21 +562,19 @@ nssCryptokiPrivateKey_SetCertificate(
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
     NSS_CK_TEMPLATE_FINISH(key_template, attr, key_size);
 
     if (sessionOpt) {
         if (!nssSession_IsReadWrite(sessionOpt)) {
             return PR_FAILURE;
         }
         session = sessionOpt;
-    }
-    else if (defaultSession && nssSession_IsReadWrite(defaultSession)) {
+    } else if (defaultSession && nssSession_IsReadWrite(defaultSession)) {
         session = defaultSession;
-    }
-    else {
+    } else {
         NSSSlot *slot = nssToken_GetSlot(token);
         session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
         nssSlot_Destroy(slot);
         if (!session) {
             return PR_FAILURE;
         }
         createdSession = PR_TRUE;
     }
--- a/lib/dev/ckhelper.h
+++ b/lib/dev/ckhelper.h
@@ -63,28 +63,26 @@ NSS_EXTERN_DATA const NSSItem g_ck_class
 /* NSS_CK_ATTRIBUTE_TO_ITEM(attrib, item)
  *
  * Convert a CK_ATTRIBUTE to an NSSItem.
  */
 #define NSS_CK_ATTRIBUTE_TO_ITEM(attrib, item)         \
     if ((CK_LONG)(attrib)->ulValueLen > 0) {           \
         (item)->data = (void *)(attrib)->pValue;       \
         (item)->size = (PRUint32)(attrib)->ulValueLen; \
-    }                                                  \
-    else {                                             \
+    } else {                                           \
         (item)->data = 0;                              \
         (item)->size = 0;                              \
     }
 
 #define NSS_CK_ATTRIBUTE_TO_BOOL(attrib, boolvar)         \
     if ((attrib)->ulValueLen > 0) {                       \
         if (*((CK_BBOOL *)(attrib)->pValue) == CK_TRUE) { \
             boolvar = PR_TRUE;                            \
-        }                                                 \
-        else {                                            \
+        } else {                                          \
             boolvar = PR_FALSE;                           \
         }                                                 \
     }
 
 #define NSS_CK_ATTRIBUTE_TO_ULONG(attrib, ulongvar) \
     if ((attrib)->ulValueLen > 0) {                 \
         ulongvar = *((CK_ULONG *)(attrib)->pValue); \
     }
--- a/lib/dev/devtoken.c
+++ b/lib/dev/devtoken.c
@@ -130,18 +130,17 @@ nssToken_DeleteStoredObject(
     void *epv = nssToken_GetCryptokiEPV(instance->token);
     if (token->cache) {
         nssTokenObjectCache_RemoveObject(token->cache, instance);
     }
     if (instance->isTokenObject) {
         if (token->defaultSession &&
             nssSession_IsReadWrite(token->defaultSession)) {
             session = token->defaultSession;
-        }
-        else {
+        } else {
             session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE);
             createdSession = PR_TRUE;
         }
     }
     if (session == NULL) {
         return PR_FAILURE;
     }
     nssSession_EnterMonitor(session);
@@ -175,42 +174,38 @@ import_object(
     void *epv = nssToken_GetCryptokiEPV(tok);
     if (nssCKObject_IsTokenObjectTemplate(objectTemplate, otsize)) {
         if (sessionOpt) {
             if (!nssSession_IsReadWrite(sessionOpt)) {
                 nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
                 return NULL;
             }
             session = sessionOpt;
-        }
-        else if (tok->defaultSession &&
-                 nssSession_IsReadWrite(tok->defaultSession)) {
+        } else if (tok->defaultSession &&
+                   nssSession_IsReadWrite(tok->defaultSession)) {
             session = tok->defaultSession;
-        }
-        else {
+        } else {
             session = nssSlot_CreateSession(tok->slot, NULL, PR_TRUE);
             createdSession = PR_TRUE;
         }
-    }
-    else {
+    } else {
         session = (sessionOpt) ? sessionOpt : tok->defaultSession;
     }
     if (session == NULL) {
         nss_SetError(NSS_ERROR_INVALID_ARGUMENT);
         return NULL;
     }
     nssSession_EnterMonitor(session);
     ckrv = CKAPI(epv)->C_CreateObject(session->handle,
                                       objectTemplate, otsize,
                                       &handle);
     nssSession_ExitMonitor(session);
     if (ckrv == CKR_OK) {
         object = nssCryptokiObject_Create(tok, session, handle);
-    }
-    else {
+    } else {
         nss_SetError(ckrv);
         nss_SetError(NSS_ERROR_PKCS11);
     }
     if (createdSession) {
         nssSession_Destroy(session);
     }
     return object;
 }
@@ -263,25 +258,23 @@ find_objects(
     if (!session || session->handle == CK_INVALID_SESSION) {
         ckrv = CKR_SESSION_HANDLE_INVALID;
         goto loser;
     }
 
     /* the arena is only for the array of object handles */
     if (maximumOpt > 0) {
         arraySize = maximumOpt;
-    }
-    else {
+    } else {
         arraySize = OBJECT_STACK_SIZE;
     }
     numHandles = 0;
     if (arraySize <= OBJECT_STACK_SIZE) {
         objectHandles = staticObjects;
-    }
-    else {
+    } else {
         objectHandles = nss_ZNEWARRAY(NULL, CK_OBJECT_HANDLE, arraySize);
     }
     if (!objectHandles) {
         ckrv = CKR_HOST_MEMORY;
         goto loser;
     }
     nssSession_EnterMonitor(session); /* ==== session lock === */
     /* Initialize the find with the template */
@@ -313,18 +306,17 @@ find_objects(
         /* the array is filled, double it and continue */
         arraySize *= 2;
         if (objectHandles == staticObjects) {
             objectHandles = nss_ZNEWARRAY(NULL, CK_OBJECT_HANDLE, arraySize);
             if (objectHandles) {
                 PORT_Memcpy(objectHandles, staticObjects,
                             OBJECT_STACK_SIZE * sizeof(objectHandles[1]));
             }
-        }
-        else {
+        } else {
             objectHandles = nss_ZREALLOCARRAY(objectHandles,
                                               CK_OBJECT_HANDLE,
                                               arraySize);
         }
         if (!objectHandles) {
             nssSession_ExitMonitor(session);
             ckrv = CKR_HOST_MEMORY;
             goto loser;
@@ -333,18 +325,17 @@ find_objects(
     ckrv = CKAPI(epv)->C_FindObjectsFinal(session->handle);
     nssSession_ExitMonitor(session); /* ==== end session lock === */
     if (ckrv != CKR_OK) {
         goto loser;
     }
     if (numHandles > 0) {
         objects = create_objects_from_handles(tok, session,
                                               objectHandles, numHandles);
-    }
-    else {
+    } else {
         nss_SetError(NSS_ERROR_NOT_FOUND);
         objects = NULL;
     }
     if (objectHandles && objectHandles != staticObjects) {
         nss_ZFreeIf(objectHandles);
     }
     if (statusOpt)
         *statusOpt = PR_SUCCESS;
@@ -363,18 +354,17 @@ loser:
         (ckrv == CKR_DATA_LEN_RANGE) ||
         (ckrv == CKR_FUNCTION_NOT_SUPPORTED) ||
         (ckrv == CKR_TEMPLATE_INCOMPLETE) ||
         (ckrv == CKR_TEMPLATE_INCONSISTENT)) {
 
         nss_SetError(NSS_ERROR_NOT_FOUND);
         if (statusOpt)
             *statusOpt = PR_SUCCESS;
-    }
-    else {
+    } else {
         nss_SetError(ckrv);
         nss_SetError(NSS_ERROR_PKCS11);
         if (statusOpt)
             *statusOpt = PR_FAILURE;
     }
     return (nssCryptokiObject **)NULL;
 }
 
@@ -458,26 +448,24 @@ nssToken_ImportCertificate(
     nssCryptokiObject *rvObject = NULL;
 
     if (!tok) {
         PORT_SetError(SEC_ERROR_NO_TOKEN);
         return NULL;
     }
     if (certType == NSSCertificateType_PKIX) {
         cert_type = CKC_X_509;
-    }
-    else {
+    } else {
         return (nssCryptokiObject *)NULL;
     }
     NSS_CK_TEMPLATE_START(cert_tmpl, attr, ctsize);
     if (asTokenObject) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
         searchType = nssTokenSearchType_TokenOnly;
-    }
-    else {
+    } else {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
         searchType = nssTokenSearchType_SessionOnly;
     }
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_CERTIFICATE_TYPE, cert_type);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, id);
     NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, nickname);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE, encoding);
@@ -541,18 +529,17 @@ nssToken_ImportCertificate(
         nssCKObject_SetAttributes(rvObject->handle,
                                   cert_tmpl, ctsize,
                                   session, slot);
         if (!rvObject->label && nickname) {
             rvObject->label = nssUTF8_Duplicate(nickname, NULL);
         }
         nssSession_Destroy(session);
         nssSlot_Destroy(slot);
-    }
-    else {
+    } else {
         /* Import the certificate onto the token */
         rvObject = import_object(tok, sessionOpt, cert_tmpl, ctsize);
     }
     if (rvObject && tok->cache) {
         /* The cache will overwrite the attributes if the object already
          * exists.
          */
         nssTokenObjectCache_ImportObject(tok->cache, rvObject,
@@ -577,30 +564,28 @@ nssToken_FindObjects(
     CK_ATTRIBUTE_PTR attr;
     CK_ATTRIBUTE obj_template[2];
     CK_ULONG obj_size;
     nssCryptokiObject **objects;
     NSS_CK_TEMPLATE_START(obj_template, attr, obj_size);
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    }
-    else if (searchType == nssTokenSearchType_TokenOnly ||
-             searchType == nssTokenSearchType_TokenForced) {
+    } else if (searchType == nssTokenSearchType_TokenOnly ||
+               searchType == nssTokenSearchType_TokenForced) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_CLASS, objclass);
     NSS_CK_TEMPLATE_FINISH(obj_template, attr, obj_size);
 
     if (searchType == nssTokenSearchType_TokenForced) {
         objects = find_objects(token, sessionOpt,
                                obj_template, obj_size,
                                maximumOpt, statusOpt);
-    }
-    else {
+    } else {
         objects = find_objects_by_template(token, sessionOpt,
                                            obj_template, obj_size,
                                            maximumOpt, statusOpt);
     }
     return objects;
 }
 
 NSS_IMPLEMENT nssCryptokiObject **
@@ -615,18 +600,17 @@ nssToken_FindCertificatesBySubject(
     CK_ATTRIBUTE_PTR attr;
     CK_ATTRIBUTE subj_template[3];
     CK_ULONG stsize;
     nssCryptokiObject **objects;
     NSS_CK_TEMPLATE_START(subj_template, attr, stsize);
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    }
-    else if (searchType == nssTokenSearchType_TokenOnly) {
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
     NSS_CK_TEMPLATE_FINISH(subj_template, attr, stsize);
     /* now locate the token certs matching this template */
     objects = find_objects_by_template(token, sessionOpt,
                                        subj_template, stsize,
@@ -647,18 +631,17 @@ nssToken_FindCertificatesByNickname(
     CK_ATTRIBUTE nick_template[3];
     CK_ULONG ntsize;
     nssCryptokiObject **objects;
     NSS_CK_TEMPLATE_START(nick_template, attr, ntsize);
     NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, name);
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    }
-    else if (searchType == nssTokenSearchType_TokenOnly) {
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_TEMPLATE_FINISH(nick_template, attr, ntsize);
     /* now locate the token certs matching this template */
     objects = find_objects_by_template(token, sessionOpt,
                                        nick_template, ntsize,
                                        maximumOpt, statusOpt);
@@ -696,18 +679,17 @@ nssToken_FindCertificatesByEmail(
     CK_ATTRIBUTE email_template[3];
     CK_ULONG etsize;
     nssCryptokiObject **objects;
     NSS_CK_TEMPLATE_START(email_template, attr, etsize);
     NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NSS_EMAIL, email);
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    }
-    else if (searchType == nssTokenSearchType_TokenOnly) {
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_TEMPLATE_FINISH(email_template, attr, etsize);
     /* now locate the token certs matching this template */
     objects = find_objects(token, sessionOpt,
                            email_template, etsize,
                            maximumOpt, statusOpt);
@@ -739,18 +721,17 @@ nssToken_FindCertificatesByID(
     CK_ATTRIBUTE id_template[3];
     CK_ULONG idtsize;
     nssCryptokiObject **objects;
     NSS_CK_TEMPLATE_START(id_template, attr, idtsize);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, id);
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    }
-    else if (searchType == nssTokenSearchType_TokenOnly) {
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_TEMPLATE_FINISH(id_template, attr, idtsize);
     /* now locate the token certs matching this template */
     objects = find_objects_by_template(token, sessionOpt,
                                        id_template, idtsize,
                                        maximumOpt, statusOpt);
@@ -820,34 +801,32 @@ nssToken_FindCertificateByIssuerAndSeria
         PORT_SetError(SEC_ERROR_NO_TOKEN);
         if (statusOpt)
             *statusOpt = PR_FAILURE;
         return NULL;
     }
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    }
-    else if ((searchType == nssTokenSearchType_TokenOnly) ||
-             (searchType == nssTokenSearchType_TokenForced)) {
+    } else if ((searchType == nssTokenSearchType_TokenOnly) ||
+               (searchType == nssTokenSearchType_TokenForced)) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     /* Set the unique id */
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER, issuer);
     serialAttr = attr;
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER, serial);
     NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
     /* get the object handle */
     if (searchType == nssTokenSearchType_TokenForced) {
         objects = find_objects(token, sessionOpt,
                                cert_template, ctsize,
                                1, statusOpt);
-    }
-    else {
+    } else {
         objects = find_objects_by_template(token, sessionOpt,
                                            cert_template, ctsize,
                                            1, statusOpt);
     }
     if (objects) {
         rvObject = objects[0];
         nss_ZFreeIf(objects);
     }
@@ -864,18 +843,17 @@ nssToken_FindCertificateByIssuerAndSeria
         if (status != PR_SUCCESS) {
             return NULL;
         }
         NSS_CK_SET_ATTRIBUTE_ITEM(serialAttr, CKA_SERIAL_NUMBER, &serialDecode);
         if (searchType == nssTokenSearchType_TokenForced) {
             objects = find_objects(token, sessionOpt,
                                    cert_template, ctsize,
                                    1, statusOpt);
-        }
-        else {
+        } else {
             objects = find_objects_by_template(token, sessionOpt,
                                                cert_template, ctsize,
                                                1, statusOpt);
         }
         if (objects) {
             rvObject = objects[0];
             nss_ZFreeIf(objects);
         }
@@ -895,18 +873,17 @@ nssToken_FindCertificateByEncodedCertifi
     CK_ATTRIBUTE cert_template[3];
     CK_ULONG ctsize;
     nssCryptokiObject **objects;
     nssCryptokiObject *rvObject = NULL;
     NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
     /* Set the search to token/session only if provided */
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    }
-    else if (searchType == nssTokenSearchType_TokenOnly) {
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE, encodedCertificate);
     NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
     /* get the object handle */
     objects = find_objects_by_template(token, sessionOpt,
                                        cert_template, ctsize,
@@ -930,18 +907,17 @@ nssToken_FindPrivateKeys(
     CK_ATTRIBUTE key_template[2];
     CK_ULONG ktsize;
     nssCryptokiObject **objects;
 
     NSS_CK_TEMPLATE_START(key_template, attr, ktsize);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_privkey);
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    }
-    else if (searchType == nssTokenSearchType_TokenOnly) {
+    } else if (searchType == nssTokenSearchType_TokenOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_TEMPLATE_FINISH(key_template, attr, ktsize);
 
     objects = find_objects_by_template(token, sessionOpt,
                                        key_template, ktsize,
                                        maximumOpt, statusOpt);
     return objects;
@@ -1089,35 +1065,33 @@ nssToken_ImportTrust(
     md5_hash(certEncoding, &md5_result);
     ckSA = get_ck_trust(serverAuth);
     ckCA = get_ck_trust(clientAuth);
     ckCS = get_ck_trust(codeSigning);
     ckEP = get_ck_trust(emailProtection);
     NSS_CK_TEMPLATE_START(trust_tmpl, attr, tsize);
     if (asTokenObject) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    else {
+    } else {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
     }
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_CLASS, tobjc);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ISSUER, certIssuer);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SERIAL_NUMBER, certSerial);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH, &sha1_result);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_MD5_HASH, &md5_result);
     /* now set the trust values */
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_SERVER_AUTH, ckSA);
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CLIENT_AUTH, ckCA);
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING, ckCS);
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_EMAIL_PROTECTION, ckEP);
     if (stepUpApproved) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TRUST_STEP_UP_APPROVED,
                                   &g_ck_true);
-    }
-    else {
+    } else {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TRUST_STEP_UP_APPROVED,
                                   &g_ck_false);
     }
     NSS_CK_TEMPLATE_FINISH(trust_tmpl, attr, tsize);
     /* import the trust object onto the token */
     object = import_object(tok, sessionOpt, trust_tmpl, tsize);
     if (object && tok->cache) {
         nssTokenObjectCache_ImportObject(tok->cache, object, tobjc,
@@ -1180,28 +1154,26 @@ nssToken_ImportCRL(
     CK_OBJECT_CLASS crlobjc = CKO_NSS_CRL;
     CK_ATTRIBUTE_PTR attr;
     CK_ATTRIBUTE crl_tmpl[6];
     CK_ULONG crlsize;
 
     NSS_CK_TEMPLATE_START(crl_tmpl, attr, crlsize);
     if (asTokenObject) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
-    }
-    else {
+    } else {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
     }
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_CLASS, crlobjc);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE, encoding);
     NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_NSS_URL, url);
     if (isKRL) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NSS_KRL, &g_ck_true);
-    }
-    else {
+    } else {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_NSS_KRL, &g_ck_false);
     }
     NSS_CK_TEMPLATE_FINISH(crl_tmpl, attr, crlsize);
 
     /* import the crl object onto the token */
     object = import_object(token, sessionOpt, crl_tmpl, crlsize);
     if (object && token->cache) {
         nssTokenObjectCache_ImportObject(token->cache, object, crlobjc,
@@ -1230,19 +1202,18 @@ nssToken_FindCRLsBySubject(
     if (!session || session->handle == CK_INVALID_SESSION) {
         PORT_SetError(SEC_ERROR_NO_TOKEN);
         return objects;
     }
 
     NSS_CK_TEMPLATE_START(crlobj_template, attr, crlobj_size);
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    }
-    else if (searchType == nssTokenSearchType_TokenOnly ||
-             searchType == nssTokenSearchType_TokenForced) {
+    } else if (searchType == nssTokenSearchType_TokenOnly ||
+               searchType == nssTokenSearchType_TokenForced) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_CLASS, crlobjc);
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject);
     NSS_CK_TEMPLATE_FINISH(crlobj_template, attr, crlobj_size);
 
     objects = find_objects_by_template(token, session,
                                        crlobj_template, crlobj_size,
@@ -1483,19 +1454,18 @@ nssToken_TraverseCertificates(
         PORT_SetError(SEC_ERROR_NO_TOKEN);
         return PR_FAILURE;
     }
 
     /* template for all certs */
     NSS_CK_TEMPLATE_START(cert_template, attr, ctsize);
     if (searchType == nssTokenSearchType_SessionOnly) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
-    }
-    else if (searchType == nssTokenSearchType_TokenOnly ||
-             searchType == nssTokenSearchType_TokenForced) {
+    } else if (searchType == nssTokenSearchType_TokenOnly ||
+               searchType == nssTokenSearchType_TokenForced) {
         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
     }
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_TEMPLATE_FINISH(cert_template, attr, ctsize);
 
     /* the arena is only for the array of object handles */
     arena = nssArena_Create();
     if (!arena) {
--- a/lib/dev/devutil.c
+++ b/lib/dev/devutil.c
@@ -168,17 +168,17 @@ nssCryptokiObjectArray_Destroy(
         }
         nss_ZFreeIf(objects);
     }
 }
 
 /* object cache for token */
 
 typedef struct
-    {
+{
     NSSArena *arena;
     nssCryptokiObject *object;
     CK_ATTRIBUTE_PTR attributes;
     CK_ULONG numAttributes;
 } nssCryptokiObjectAndAttributes;
 
 enum {
     cachedCerts = 0,
@@ -310,18 +310,17 @@ create_object_array(
     if (*numObjects >= MAX_LOCAL_CACHE_OBJECTS) {
         /* Hit the maximum allowed, so don't use a cache (there are
          * too many objects to make caching worthwhile, presumably, if
          * the token can handle that many objects, it can handle searching.
          */
         *doObjects = PR_FALSE;
         *status = PR_FAILURE;
         *numObjects = 0;
-    }
-    else {
+    } else {
         rvOandA = nss_ZNEWARRAY(NULL,
                                 nssCryptokiObjectAndAttributes *,
                                 *numObjects + 1);
         *status = rvOandA ? PR_SUCCESS : PR_FAILURE;
     }
     return rvOandA;
 }
 
@@ -432,26 +431,24 @@ search_for_objects(
     PRBool doSearch = PR_FALSE;
     NSSSlot *slot = nssToken_GetSlot(cache->token);
     /* Handle non-friendly slots (slots which require login for objects) */
     if (!nssSlot_IsFriendly(slot)) {
         if (nssSlot_IsLoggedIn(slot)) {
             /* Either no state change, or went from !logged in -> logged in */
             cache->loggedIn = PR_TRUE;
             doSearch = PR_TRUE;
-        }
-        else {
+        } else {
             if (cache->loggedIn) {
                 /* went from logged in -> !logged in, destroy cached objects */
                 clear_cache(cache);
                 cache->loggedIn = PR_FALSE;
             } /* else no state change, still not logged in, so exit */
         }
-    }
-    else {
+    } else {
         /* slot is friendly, thus always available for search */
         doSearch = PR_TRUE;
     }
     nssSlot_Destroy(slot);
     return doSearch;
 }
 
 static nssCryptokiObjectAndAttributes *
@@ -573,18 +570,17 @@ get_token_objects_for_cache(
                                                               objectType,
                                                               &status);
         if (status != PR_SUCCESS) {
             break;
         }
     }
     if (status == PR_SUCCESS) {
         nss_ZFreeIf(objects);
-    }
-    else {
+    } else {
         PRUint32 j;
         for (j = 0; j < i; j++) {
             /* sigh */
             nssToken_AddRef(cache->objects[objectType][j]->object->token);
             nssArena_Destroy(cache->objects[objectType][j]->arena);
         }
         nss_ZFreeIf(cache->objects[objectType]);
         cache->objects[objectType] = NULL;
@@ -819,18 +815,17 @@ nssTokenObjectCache_GetObjectAttributes(
                     cachedOA->attributes[j].ulValueLen == (CK_ULONG)-1) {
                     break; /* invalid attribute */
                 }
                 if (atemplate[i].ulValueLen > 0) {
                     if (atemplate[i].pValue == NULL ||
                         atemplate[i].ulValueLen < attr->ulValueLen) {
                         goto loser;
                     }
-                }
-                else {
+                } else {
                     atemplate[i].pValue = nss_ZAlloc(arena, attr->ulValueLen);
                     if (!atemplate[i].pValue) {
                         goto loser;
                     }
                 }
                 nsslibc_memcpy(atemplate[i].pValue,
                                attr->pValue, attr->ulValueLen);
                 atemplate[i].ulValueLen = attr->ulValueLen;
@@ -901,34 +896,31 @@ nssTokenObjectCache_ImportObject(
         count++;
         oa++;
     }
     if (haveIt) {
         /* Destroy the old entry */
         (*oa)->object->token = NULL;
         nssCryptokiObject_Destroy((*oa)->object);
         nssArena_Destroy((*oa)->arena);
-    }
-    else {
+    } else {
         /* Create space for a new entry */
         if (count > 0) {
             *otype = nss_ZREALLOCARRAY(*otype,
                                        nssCryptokiObjectAndAttributes *,
                                        count + 2);
-        }
-        else {
+        } else {
             *otype = nss_ZNEWARRAY(NULL, nssCryptokiObjectAndAttributes *, 2);
         }
     }
     if (*otype) {
         nssCryptokiObject *copyObject = nssCryptokiObject_Clone(object);
         (*otype)[count] = create_object_of_type(copyObject, objectType,
                                                 &status);
-    }
-    else {
+    } else {
         status = PR_FAILURE;
     }
     PZ_Unlock(cache->lock);
     return status;
 }
 
 NSS_IMPLEMENT void
 nssTokenObjectCache_RemoveObject(
--- a/lib/ssl/authcert.c
+++ b/lib/ssl/authcert.c
@@ -40,23 +40,21 @@ NSS_GetClientAuthData(void *arg,
     if (chosenNickName) {
         cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
                                         chosenNickName, certUsageSSLClient,
                                         PR_FALSE, proto_win);
         if (cert) {
             privkey = PK11_FindKeyByAnyCert(cert, proto_win);
             if (privkey) {
                 rv = SECSuccess;
-            }
-            else {
+            } else {
                 CERT_DestroyCertificate(cert);
             }
         }
-    }
-    else { /* no name given, automatically find the right cert. */
+    } else { /* no name given, automatically find the right cert. */
         CERTCertNicknames *names;
         int i;
 
         names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
                                       SEC_CERT_NICKNAMES_USER, proto_win);
         if (names != NULL) {
             for (i = 0; i < names->numnicknames; i++) {
                 cert = CERT_FindUserCertByUsage(CERT_GetDefaultCertDB(),
--- a/lib/ssl/cmpcert.c
+++ b/lib/ssl/cmpcert.c
@@ -47,45 +47,42 @@ NSS_CmpCertChainWCANames(CERTCertificate
         /* compute an alternate issuer name for compatibility with 2.0
          * enterprise server, which send the CA names without
          * the outer layer of DER header
          */
         rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen);
         if (rv == SECSuccess) {
             compatIssuerName.data = &issuerName.data[headerlen];
             compatIssuerName.len = issuerName.len - headerlen;
-        }
-        else {
+        } else {
             compatIssuerName.data = NULL;
             compatIssuerName.len = 0;
         }
 
         for (j = 0; j < caNames->nnames; j++) {
             caname = &caNames->names[j];
             if (SECITEM_CompareItem(&issuerName, caname) == SECEqual) {
                 rv = SECSuccess;
                 CERT_DestroyCertificate(curcert);
                 goto done;
-            }
-            else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
+            } else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
                 rv = SECSuccess;
                 CERT_DestroyCertificate(curcert);
                 goto done;
             }
         }
         if ((depth <= 20) &&
             (SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject) !=
              SECEqual)) {
             oldcert = curcert;
             curcert = CERT_FindCertByName(curcert->dbhandle,
                                           &curcert->derIssuer);
             CERT_DestroyCertificate(oldcert);
             depth++;
-        }
-        else {
+        } else {
             CERT_DestroyCertificate(curcert);
             curcert = NULL;
         }
     }
     rv = SECFailure;
 
 done:
     return rv;
--- a/lib/ssl/derive.c
+++ b/lib/ssl/derive.c
@@ -155,27 +155,25 @@ ssl3_KeyAndMacDeriveBypass(
 
         keyblk.type = siBuffer;
         keyblk.data = key_block;
         keyblk.len = block_needed;
 
         if (isTLS12) {
             status = TLS_P_hash(HASH_AlgSHA256, &pwSpec->msItem,
                                 "key expansion", &srcr, &keyblk, isFIPS);
-        }
-        else {
+        } else {
             status = TLS_PRF(&pwSpec->msItem, "key expansion", &srcr, &keyblk,
                              isFIPS);
         }
         if (status != SECSuccess) {
             goto key_and_mac_derive_fail;
         }
         block_bytes = keyblk.len;
-    }
-    else {
+    } else {
        /* key_block =
         *     MD5(master_secret + SHA('A' + master_secret +
         *                      ServerHello.random + ClientHello.random)) +
         *     MD5(master_secret + SHA('BB' + master_secret +
         *                      ServerHello.random + ClientHello.random)) +
         *     MD5(master_secret + SHA('CCC' + master_secret +
         *                      ServerHello.random + ClientHello.random)) +
         *     [...];
@@ -210,147 +208,143 @@ ssl3_KeyAndMacDeriveBypass(
      */
     key_block2 = key_block + block_bytes;
     i = 0; /* now shows how much consumed */
 
     /*
      * The key_block is partitioned as follows:
      * client_write_MAC_secret[CipherSpec.hash_size]
      */
-    buildSSLKey(&key_block[i], macSize, &pwSpec->client.write_mac_key_item, \
+    buildSSLKey(&key_block[i], macSize, &pwSpec->client.write_mac_key_item,
                 "Client Write MAC Secret");
     i += macSize;
 
     /*
      * server_write_MAC_secret[CipherSpec.hash_size]
      */
-    buildSSLKey(&key_block[i], macSize, &pwSpec->server.write_mac_key_item, \
+    buildSSLKey(&key_block[i], macSize, &pwSpec->server.write_mac_key_item,
                 "Server Write MAC Secret");
     i += macSize;
 
     if (!keySize) {
         /* only MACing */
-        buildSSLKey(NULL, 0, &pwSpec->client.write_key_item, \
+        buildSSLKey(NULL, 0, &pwSpec->client.write_key_item,
                     "Client Write Key (MAC only)");
-        buildSSLKey(NULL, 0, &pwSpec->server.write_key_item, \
+        buildSSLKey(NULL, 0, &pwSpec->server.write_key_item,
                     "Server Write Key (MAC only)");
-        buildSSLKey(NULL, 0, &pwSpec->client.write_iv_item, \
+        buildSSLKey(NULL, 0, &pwSpec->client.write_iv_item,
                     "Client Write IV (MAC only)");
-        buildSSLKey(NULL, 0, &pwSpec->server.write_iv_item, \
+        buildSSLKey(NULL, 0, &pwSpec->server.write_iv_item,
                     "Server Write IV (MAC only)");
-    }
-    else if (!isExport) {
+    } else if (!isExport) {
         /*
         ** Generate Domestic write keys and IVs.
         ** client_write_key[CipherSpec.key_material]
         */
-        buildSSLKey(&key_block[i], keySize, &pwSpec->client.write_key_item, \
+        buildSSLKey(&key_block[i], keySize, &pwSpec->client.write_key_item,
                     "Domestic Client Write Key");
         i += keySize;
 
         /*
         ** server_write_key[CipherSpec.key_material]
         */
-        buildSSLKey(&key_block[i], keySize, &pwSpec->server.write_key_item, \
+        buildSSLKey(&key_block[i], keySize, &pwSpec->server.write_key_item,
                     "Domestic Server Write Key");
         i += keySize;
 
         if (IVSize > 0) {
             if (explicitIV) {
                 static unsigned char zero_block[32];
                 PORT_Assert(IVSize <= sizeof zero_block);
-                buildSSLKey(&zero_block[0], IVSize, \
-                            &pwSpec->client.write_iv_item, \
+                buildSSLKey(&zero_block[0], IVSize,
+                            &pwSpec->client.write_iv_item,
                             "Domestic Client Write IV");
-                buildSSLKey(&zero_block[0], IVSize, \
-                            &pwSpec->server.write_iv_item, \
+                buildSSLKey(&zero_block[0], IVSize,
+                            &pwSpec->server.write_iv_item,
                             "Domestic Server Write IV");
-            }
-            else {
+            } else {
                 /*
                 ** client_write_IV[CipherSpec.IV_size]
                 */
-                buildSSLKey(&key_block[i], IVSize, \
-                            &pwSpec->client.write_iv_item, \
+                buildSSLKey(&key_block[i], IVSize,
+                            &pwSpec->client.write_iv_item,
                             "Domestic Client Write IV");
                 i += IVSize;
 
                 /*
                 ** server_write_IV[CipherSpec.IV_size]
                 */
-                buildSSLKey(&key_block[i], IVSize, \
-                            &pwSpec->server.write_iv_item, \
+                buildSSLKey(&key_block[i], IVSize,
+                            &pwSpec->server.write_iv_item,
                             "Domestic Server Write IV");
                 i += IVSize;
             }
         }
         PORT_Assert(i <= block_bytes);
-    }
-    else if (!isTLS) {
+    } else if (!isTLS) {
         /*
         ** Generate SSL3 Export write keys and IVs.
         */
         unsigned int outLen;
 
         /*
         ** client_write_key[CipherSpec.key_material]
         ** final_client_write_key = MD5(client_write_key +
         **                   ClientHello.random + ServerHello.random);
         */
         MD5_Begin(md5Ctx);
         MD5_Update(md5Ctx, &key_block[i], effKeySize);
         MD5_Update(md5Ctx, crsr.data, crsr.len);
         MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
         i += effKeySize;
-        buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item, \
+        buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item,
                     "SSL3 Export Client Write Key");
         key_block2 += keySize;
 
         /*
         ** server_write_key[CipherSpec.key_material]
         ** final_server_write_key = MD5(server_write_key +
         **                    ServerHello.random + ClientHello.random);
         */
         MD5_Begin(md5Ctx);
         MD5_Update(md5Ctx, &key_block[i], effKeySize);
         MD5_Update(md5Ctx, srcr.data, srcr.len);
         MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
         i += effKeySize;
-        buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item, \
+        buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item,
                     "SSL3 Export Server Write Key");
         key_block2 += keySize;
         PORT_Assert(i <= block_bytes);
 
         if (IVSize) {
             /*
             ** client_write_IV =
             **  MD5(ClientHello.random + ServerHello.random);
             */
             MD5_Begin(md5Ctx);
             MD5_Update(md5Ctx, crsr.data, crsr.len);
             MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
-            buildSSLKey(key_block2, IVSize, &pwSpec->client.write_iv_item, \
+            buildSSLKey(key_block2, IVSize, &pwSpec->client.write_iv_item,
                         "SSL3 Export Client Write IV");
             key_block2 += IVSize;
 
             /*
             ** server_write_IV =
             **  MD5(ServerHello.random + ClientHello.random);
             */
             MD5_Begin(md5Ctx);
             MD5_Update(md5Ctx, srcr.data, srcr.len);
             MD5_End(md5Ctx, key_block2, &outLen, MD5_LENGTH);
-            buildSSLKey(key_block2, IVSize, &pwSpec->server.write_iv_item, \
+            buildSSLKey(key_block2, IVSize, &pwSpec->server.write_iv_item,
                         "SSL3 Export Server Write IV");
             key_block2 += IVSize;
         }
 
         PORT_Assert(key_block2 - key_block <= sizeof pwSpec->key_block);
-    }
-    else {
+    } else {
         /*
         ** Generate TLS Export write keys and IVs.
         */
         SECItem secret;
         SECItem keyblk;
 
         secret.type = siBuffer;
         keyblk.type = siBuffer;
@@ -364,17 +358,17 @@ ssl3_KeyAndMacDeriveBypass(
         secret.len = effKeySize;
         i += effKeySize;
         keyblk.data = key_block2;
         keyblk.len = keySize;
         status = TLS_PRF(&secret, "client write key", &crsr, &keyblk, isFIPS);
         if (status != SECSuccess) {
             goto key_and_mac_derive_fail;
         }
-        buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item, \
+        buildSSLKey(key_block2, keySize, &pwSpec->client.write_key_item,
                     "TLS Export Client Write Key");
         key_block2 += keySize;
 
         /*
         ** server_write_key[CipherSpec.key_material]
         ** final_server_write_key = PRF(server_write_key,
         **                              "server write key",
         **                              client_random + server_random);
@@ -383,17 +377,17 @@ ssl3_KeyAndMacDeriveBypass(
         secret.len = effKeySize;
         i += effKeySize;
         keyblk.data = key_block2;
         keyblk.len = keySize;
         status = TLS_PRF(&secret, "server write key", &crsr, &keyblk, isFIPS);
         if (status != SECSuccess) {
             goto key_and_mac_derive_fail;
         }
-        buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item, \
+        buildSSLKey(key_block2, keySize, &pwSpec->server.write_key_item,
                     "TLS Export Server Write Key");
         key_block2 += keySize;
 
         /*
         ** iv_block = PRF("", "IV block", client_random + server_random);
         ** client_write_IV[SecurityParameters.IV_size]
         ** server_write_IV[SecurityParameters.IV_size]
         */
@@ -401,21 +395,21 @@ ssl3_KeyAndMacDeriveBypass(
             secret.data = NULL;
             secret.len = 0;
             keyblk.data = key_block2;
             keyblk.len = 2 * IVSize;
             status = TLS_PRF(&secret, "IV block", &crsr, &keyblk, isFIPS);
             if (status != SECSuccess) {
                 goto key_and_mac_derive_fail;
             }
-            buildSSLKey(key_block2, IVSize, \
-                        &pwSpec->client.write_iv_item, \
+            buildSSLKey(key_block2, IVSize,
+                        &pwSpec->client.write_iv_item,
                         "TLS Export Client Write IV");
-            buildSSLKey(key_block2 + IVSize, IVSize, \
-                        &pwSpec->server.write_iv_item, \
+            buildSSLKey(key_block2 + IVSize, IVSize,
+                        &pwSpec->server.write_iv_item,
                         "TLS Export Server Write IV");
             key_block2 += 2 * IVSize;
         }
         PORT_Assert(key_block2 - key_block <= sizeof pwSpec->key_block);
     }
     rv = SECSuccess;
 
 key_and_mac_derive_fail:
@@ -480,25 +474,23 @@ ssl3_MasterSecretDeriveBypass(
         SECItem master = { siBuffer, NULL, 0 };
 
         master.data = key_block;
         master.len = SSL3_MASTER_SECRET_LENGTH;
 
         if (isTLS12) {
             rv = TLS_P_hash(HASH_AlgSHA256, pms, "master secret", &crsr,
                             &master, isFIPS);
-        }
-        else {
+        } else {
             rv = TLS_PRF(pms, "master secret", &crsr, &master, isFIPS);
         }
         if (rv != SECSuccess) {
             PORT_SetError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
         }
-    }
-    else {
+    } else {
         int i;
         unsigned int made = 0;
         for (i = 0; i < 3; i++) {
             unsigned int outLen;
             unsigned char sha_out[SHA1_LENGTH];
 
             SHA1_Begin(shaCtx);
             SHA1_Update(shaCtx, (unsigned char *)mixers[i], i + 1);
@@ -547,18 +539,17 @@ ssl_canExtractMS(PK11SymKey *pms, PRBool
 
     if (isTLS) {
         if (isDH)
             master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
         else
             master_derive = CKM_TLS_MASTER_KEY_DERIVE;
         key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
         keyFlags = CKF_SIGN | CKF_VERIFY;
-    }
-    else {
+    } else {
         if (isDH)
             master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
         else
             master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
         key_derive = CKM_SSL3_KEY_AND_MAC_DERIVE;
         keyFlags = 0;
     }
 
@@ -684,29 +675,27 @@ SSL_CanBypass(CERTCertificate *cert, SEC
      * exhausted or when the first MS extract--not derive--fails.
      */
     privKeytype = SECKEY_GetPrivateKeyType(srvPrivkey);
     protocolmask &= SSL_CBP_SSL3 | SSL_CBP_TLS1_0;
     while (protocolmask) {
         if (protocolmask & SSL_CBP_SSL3) {
             isTLS = PR_FALSE;
             protocolmask ^= SSL_CBP_SSL3;
-        }
-        else {
+        } else {
             isTLS = PR_TRUE;
             protocolmask ^= SSL_CBP_TLS1_0;
         }
 
         if (privKeytype == rsaKey && testrsa_export) {
             if (PK11_GetPrivateModulusLen(srvPrivkey) > EXPORT_RSA_KEY_LENGTH) {
                 *pcanbypass = PR_FALSE;
                 rv = SECSuccess;
                 break;
-            }
-            else
+            } else
                 testrsa = PR_TRUE;
         }
         for (; privKeytype == rsaKey && testrsa;) {
             /* TLS_RSA */
             unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
             unsigned int outLen = 0;
             CK_MECHANISM_TYPE target;
             SECStatus irv;
@@ -776,18 +765,17 @@ SSL_CanBypass(CERTCertificate *cert, SEC
             SECKEYPrivateKey *keapriv;
             SECKEYPublicKey *cpub = NULL; /* client's ephemeral ECDH keys */
             SECKEYPrivateKey *cpriv = NULL;
             SECKEYECParams *pecParams = NULL;
 
             if (privKeytype == ecKey && testecdhe) {
                 /* TLS_ECDHE_ECDSA */
                 pecParams = &srvPubkey->u.ec.DEREncodedParams;
-            }
-            else if (privKeytype == rsaKey && testecdhe) {
+            } else if (privKeytype == rsaKey && testecdhe) {
                 /* TLS_ECDHE_RSA */
                 ECName ec_curve;
                 int serverKeyStrengthInBits;
                 int signatureKeyStrength;
                 int requiredECCbits;
 
                 /* find a curve of equivalent strength to the RSA key's */
                 requiredECCbits = PK11_GetPrivateModulusLen(srvPrivkey);
@@ -825,18 +813,17 @@ SSL_CanBypass(CERTCertificate *cert, SEC
                     if (keapriv)
                         SECKEY_DestroyPrivateKey(keapriv);
                     if (keapub)
                         SECKEY_DestroyPublicKey(keapub);
                     PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
                     rv = SECFailure;
                     break;
                 }
-            }
-            else {
+            } else {
                 /* TLS_ECDH_ECDSA */
                 keapub = srvPubkey;
                 keapriv = srvPrivkey;
                 pecParams = &srvPubkey->u.ec.DEREncodedParams;
             }
 
             /* perform client side ops */
             /* generate a pair of ephemeral keys using server's parms */
--- a/lib/ssl/dtlscon.c
+++ b/lib/ssl/dtlscon.c
@@ -282,26 +282,24 @@ dtls_HandleHandshake(sslSocket *ss, sslB
                 ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
             }
 
             rv = ssl3_HandleHandshakeMessage(ss, buf.buf, ss->ssl3.hs.msg_len);
             if (rv == SECFailure) {
                 /* Do not attempt to process rest of messages in this record */
                 break;
             }
-        }
-        else {
+        } else {
             if (message_seq < ss->ssl3.hs.recvMessageSeq) {
                 /* Case 3: we do an immediate retransmit if we're
                  * in a waiting state*/
                 if (ss->ssl3.hs.rtTimerCb == NULL) {
                     /* Ignore */
-                }
-                else if (ss->ssl3.hs.rtTimerCb ==
-                         dtls_RetransmitTimerExpiredCb) {
+                } else if (ss->ssl3.hs.rtTimerCb ==
+                           dtls_RetransmitTimerExpiredCb) {
                     SSL_TRC(30, ("%d: SSL3[%d]: Retransmit detected",
                                  SSL_GETPID(), ss->fd));
                     /* Check to see if we retransmitted recently. If so,
                      * suppress the triggered retransmit. This avoids
                      * retransmit wars after packet loss.
                      * This is not in RFC 5346 but should be
                      */
                     if ((PR_IntervalNow() - ss->ssl3.hs.rtTimerStarted) >
@@ -311,52 +309,48 @@ dtls_HandleHandshake(sslSocket *ss, sslB
                                  SSL_GETPID(), ss->fd));
 
                         /* Cancel the timer and call the CB,
                          * which re-arms the timer */
                         dtls_CancelTimer(ss);
                         dtls_RetransmitTimerExpiredCb(ss);
                         rv = SECSuccess;
                         break;
-                    }
-                    else {
+                    } else {
                         SSL_TRC(30,
                                 ("%d: SSL3[%d]: We just retransmitted. Ignoring.",
                                  SSL_GETPID(), ss->fd));
                         rv = SECSuccess;
                         break;
                     }
-                }
-                else if (ss->ssl3.hs.rtTimerCb == dtls_FinishedTimerCb) {
+                } else if (ss->ssl3.hs.rtTimerCb == dtls_FinishedTimerCb) {
                     /* Retransmit the messages and re-arm the timer
                      * Note that we are not backing off the timer here.
                      * The spec isn't clear and my reasoning is that this
                      * may be a re-ordered packet rather than slowness,
                      * so let's be aggressive. */
                     dtls_CancelTimer(ss);
                     rv = dtls_TransmitMessageFlight(ss);
                     if (rv == SECSuccess) {
                         rv = dtls_StartTimer(ss, dtls_FinishedTimerCb);
                     }
                     if (rv != SECSuccess)
                         return rv;
                     break;
                 }
-            }
-            else if (message_seq > ss->ssl3.hs.recvMessageSeq) {
+            } else if (message_seq > ss->ssl3.hs.recvMessageSeq) {
                 /* Case 2
                  *
                  * Ignore this message. This means we don't handle out of
                  * order complete messages that well, but we're still
                  * compliant and this probably does not happen often
                  *
                  * XXX OK for now. Maybe do something smarter at some point?
                  */
-            }
-            else {
+            } else {
                 /* Case 1
                  *
                  * Buffer the fragment for reassembly
                  */
                 /* Make room for the message */
                 if (ss->ssl3.hs.recvdHighWater == -1) {
                     PRUint32 map_length = OFFSET_BYTE(message_length) + 1;
 
@@ -405,18 +399,17 @@ dtls_HandleHandshake(sslSocket *ss, sslB
                  * This avoids having to fill in the bitmask in the common
                  * case of adjacent fragments received in sequence
                  */
                 if (fragment_offset <= (unsigned int)ss->ssl3.hs.recvdHighWater) {
                     /* Either this is the adjacent fragment or an overlapping
                      * fragment */
                     ss->ssl3.hs.recvdHighWater = fragment_offset +
                                                  fragment_length;
-                }
-                else {
+                } else {
                     for (offset = fragment_offset;
                          offset < fragment_offset + fragment_length;
                          offset++) {
                         ss->ssl3.hs.recvdFragments.buf[OFFSET_BYTE(offset)] |=
                             OFFSET_MASK(offset);
                     }
                 }
 
@@ -424,18 +417,17 @@ dtls_HandleHandshake(sslSocket *ss, sslB
                 for (offset = ss->ssl3.hs.recvdHighWater;
                      offset < ss->ssl3.hs.msg_len; offset++) {
                     /* Note that this loop is not efficient, since it counts
                      * bit by bit. If we have a lot of out-of-order packets,
                      * we should optimize this */
                     if (ss->ssl3.hs.recvdFragments.buf[OFFSET_BYTE(offset)] &
                         OFFSET_MASK(offset)) {
                         ss->ssl3.hs.recvdHighWater++;
-                    }
-                    else {
+                    } else {
                         break;
                     }
                 }
 
                 /* If we have all the bytes, then we are good to go */
                 if (ss->ssl3.hs.recvdHighWater == ss->ssl3.hs.msg_len) {
                     ss->ssl3.hs.recvdHighWater = -1;
 
@@ -486,18 +478,17 @@ dtls_QueueMessage(sslSocket *ss, SSL3Con
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
 
     msg = dtls_AllocQueuedMessage(ss->ssl3.cwSpec->epoch, type, pIn, nIn);
 
     if (!msg) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         rv = SECFailure;
-    }
-    else {
+    } else {
         PR_APPEND_LINK(&msg->link, &ss->ssl3.hs.lastMessageFlight);
     }
 
     return rv;
 }
 
 /* Add DTLS handshake message to the pending queue
  * Empty the sendBuf buffer.
@@ -654,18 +645,17 @@ dtls_TransmitMessageFlight(sslSocket *ss
                 rv = SECFailure;
                 if (sent != -1) {
                     PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
                 }
                 break;
             }
 
             room_left = ss->ssl3.mtu - ss->pendingBuf.len;
-        }
-        else {
+        } else {
             /* The message will not fit, so fragment.
              *
              * XXX OK for now. Arrange to coalesce the last fragment
              * of this message with the next message if possible.
              * That would be more efficient.
              */
             PRUint32 fragment_offset = 0;
             unsigned char fragment[DTLS_MAX_MTU]; /* >= than largest
@@ -820,32 +810,29 @@ dtls_CompressMACEncryptRecord(sslSocket 
      */
     if (use_epoch) {
         if (ss->ssl3.cwSpec->epoch == epoch)
             cwSpec = ss->ssl3.cwSpec;
         else if (ss->ssl3.pwSpec->epoch == epoch)
             cwSpec = ss->ssl3.pwSpec;
         else
             cwSpec = NULL;
-    }
-    else {
+    } else {
         cwSpec = ss->ssl3.cwSpec;
     }
 
     if (cwSpec) {
         if (ss->ssl3.cwSpec->version < SSL_LIBRARY_VERSION_TLS_1_3) {
             rv = ssl3_CompressMACEncryptRecord(cwSpec, ss->sec.isServer, PR_TRUE,
                                                PR_FALSE, type, pIn, contentLen,
                                                wrBuf);
-        }
-        else {
+        } else {
             rv = tls13_ProtectRecord(ss, type, pIn, contentLen, wrBuf);
         }
-    }
-    else {
+    } else {
         PR_NOT_REACHED("Couldn't find a cipher spec matching epoch");
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
     }
     ssl_ReleaseSpecReadLock(ss); /************************************/
 
     return rv;
 }
 
@@ -1155,18 +1142,17 @@ DTLS_GetHandshakeTimeout(PRFileDesc *soc
     if (!ss->ssl3.hs.rtTimerCb)
         return SECFailure;
 
     elapsed = PR_IntervalNow() - ss->ssl3.hs.rtTimerStarted;
     desired = PR_MillisecondsToInterval(ss->ssl3.hs.rtTimeoutMs);
     if (elapsed > desired) {
         /* Timer expired */
         *timeout = PR_INTERVAL_NO_WAIT;
-    }
-    else {
+    } else {
         *timeout = desired - elapsed;
     }
 
     return SECSuccess;
 }
 
 /*
  * DTLS relevance checks:
--- a/lib/ssl/os2_err.c
+++ b/lib/ssl/os2_err.c
@@ -143,17 +143,17 @@ nss_MD_os2_map_recvfrom_error(PRInt32 er
     nss_MD_os2_map_default_error(err);
 }
 
 void
 nss_MD_os2_map_send_error(PRInt32 err)
 {
     PRErrorCode prError;
     switch (err) {
-      //     case WSAEMSGSIZE:  prError = PR_INVALID_ARGUMENT_ERROR; break;
+        //     case WSAEMSGSIZE:  prError = PR_INVALID_ARGUMENT_ERROR; break;
         default:
             nss_MD_os2_map_default_error(err);
             return;
     }
     PR_SetError(prError, err);
 }
 
 void
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -687,18 +687,17 @@ typedef struct tooLongStr {
 #endif
 } tooLong;
 
 void
 SSL_AtomicIncrementLong(long *x)
 {
     if ((sizeof *x) == sizeof(PRInt32)) {
         PR_ATOMIC_INCREMENT((PRInt32 *)x);
-    }
-    else {
+    } else {
         tooLong *tl = (tooLong *)x;
         if (PR_ATOMIC_INCREMENT(&tl->low) == 0)
             PR_ATOMIC_INCREMENT(&tl->high);
     }
 }
 
 static PRBool
 ssl3_CipherSuiteAllowedForVersionRange(
@@ -1037,32 +1036,30 @@ ssl3_SignHashes(SSL3Hashes *hash, SECKEY
             break;
         case dsaKey:
             doDerEncode = isTLS;
             /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash.
              * In that case, we use just the SHA1 part. */
             if (hash->hashAlg == ssl_hash_none) {
                 hashItem.data = hash->u.s.sha;
                 hashItem.len = sizeof(hash->u.s.sha);
-            }
-            else {
+            } else {
                 hashItem.data = hash->u.raw;
                 hashItem.len = hash->len;
             }
             break;
 #ifndef NSS_DISABLE_ECC
         case ecKey:
             doDerEncode = PR_TRUE;
             /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash.
              * In that case, we use just the SHA1 part. */
             if (hash->hashAlg == ssl_hash_none) {
                 hashItem.data = hash->u.s.sha;
                 hashItem.len = sizeof(hash->u.s.sha);
-            }
-            else {
+            } else {
                 hashItem.data = hash->u.raw;
                 hashItem.len = hash->len;
             }
             break;
 #endif /* NSS_DISABLE_ECC */
         default:
             PORT_SetError(SEC_ERROR_INVALID_KEY);
             goto done;
@@ -1077,34 +1074,31 @@ ssl3_SignHashes(SSL3Hashes *hash, SECKEY
         }
 
         buf->len = (unsigned)signatureLen;
         buf->data = (unsigned char *)PORT_Alloc(signatureLen);
         if (!buf->data)
             goto done; /* error code was set. */
 
         rv = PK11_Sign(key, buf, &hashItem);
-    }
-    else {
+    } else {
         SECOidTag hashOID = ssl3_TLSHashAlgorithmToOID(hash->hashAlg);
         rv = SGN_Digest(key, hashOID, buf, &hashItem);
     }
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
-    }
-    else if (doDerEncode) {
+    } else if (doDerEncode) {
         SECItem derSig = { siBuffer, NULL, 0 };
 
         /* This also works for an ECDSA signature */
         rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len);
         if (rv == SECSuccess) {
             PORT_Free(buf->data); /* discard unencoded signature. */
             *buf = derSig;        /* give caller encoded signature. */
-        }
-        else if (derSig.data) {
+        } else if (derSig.data) {
             PORT_Free(derSig.data);
         }
     }
 
     PRINT_BUF(60, (NULL, "signed hashes", (unsigned char *)buf->data, buf->len));
 done:
     if (rv != SECSuccess && buf->data) {
         PORT_Free(buf->data);
@@ -1143,18 +1137,17 @@ ssl3_VerifySignedHashes(SSL3Hashes *hash
             break;
         case dsaKey:
             encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE;
             /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash.
              * In that case, we use just the SHA1 part. */
             if (hash->hashAlg == ssl_hash_none) {
                 hashItem.data = hash->u.s.sha;
                 hashItem.len = sizeof(hash->u.s.sha);
-            }
-            else {
+            } else {
                 hashItem.data = hash->u.raw;
                 hashItem.len = hash->len;
             }
             /* Allow DER encoded DSA signatures in SSL 3.0 */
             if (isTLS || buf->len != SECKEY_SignatureLen(key)) {
                 signature = DSAU_DecodeDerSigToLen(buf, SECKEY_SignatureLen(key));
                 if (!signature) {
                     PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
@@ -1172,18 +1165,17 @@ ssl3_VerifySignedHashes(SSL3Hashes *hash
              * ECDSA signatures always encode the integers r and s using ASN.1
              * (unlike DSA where ASN.1 encoding is used with TLS but not with
              * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA.
              */
             if (hash->hashAlg == ssl_hash_none) {
                 hashAlg = SEC_OID_SHA1;
                 hashItem.data = hash->u.s.sha;
                 hashItem.len = sizeof(hash->u.s.sha);
-            }
-            else {
+            } else {
                 hashItem.data = hash->u.raw;
                 hashItem.len = hash->len;
             }
             break;
 #endif /* NSS_DISABLE_ECC */
 
         default:
             SECKEY_DestroyPublicKey(key);
@@ -1196,18 +1188,17 @@ ssl3_VerifySignedHashes(SSL3Hashes *hash
 
     if (hashAlg == SEC_OID_UNKNOWN || key->keyType == dsaKey) {
         /* VFY_VerifyDigestDirect requires DSA signatures to be DER-encoded.
          * DSA signatures are DER-encoded in TLS but not in SSL3 and the code
          * above always removes the DER encoding of DSA signatures when
          * present. Thus DSA signatures are always verified with PK11_Verify.
          */
         rv = PK11_Verify(key, buf, &hashItem, pwArg);
-    }
-    else {
+    } else {
         rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg,
                                     pwArg);
     }
     SECKEY_DestroyPublicKey(key);
     if (signature) {
         SECITEM_FreeItem(signature, PR_TRUE);
     }
     if (rv != SECSuccess) {
@@ -1232,55 +1223,48 @@ ssl3_ComputeCommonKeyHash(SSLHashType ha
     SECOidTag hashOID;
 
 #ifndef NO_PKCS11_BYPASS
     if (bypassPKCS11) {
         if (hashAlg == ssl_hash_none) {
             MD5_HashBuf(hashes->u.s.md5, hashBuf, bufLen);
             SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen);
             hashes->len = MD5_LENGTH + SHA1_LENGTH;
-        }
-        else if (hashAlg == ssl_hash_sha1) {
+        } else if (hashAlg == ssl_hash_sha1) {
             SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen);
             hashes->len = SHA1_LENGTH;
-        }
-        else if (hashAlg == ssl_hash_sha256) {
+        } else if (hashAlg == ssl_hash_sha256) {
             SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen);
             hashes->len = SHA256_LENGTH;
-        }
-        else if (hashAlg == ssl_hash_sha384) {
+        } else if (hashAlg == ssl_hash_sha384) {
             SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen);
             hashes->len = SHA384_LENGTH;
-        }
-        else if (hashAlg == ssl_hash_sha512) {
+        } else if (hashAlg == ssl_hash_sha512) {
             SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen);
             hashes->len = SHA512_LENGTH;
-        }
-        else {
+        } else {
             PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
             return SECFailure;
         }
-    }
-    else
+    } else
 #endif
     {
         if (hashAlg == ssl_hash_none) {
             rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen);
             if (rv != SECSuccess) {
                 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
                 return rv;
             }
             rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen);
             if (rv != SECSuccess) {
                 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
                 return rv;
             }
             hashes->len = MD5_LENGTH + SHA1_LENGTH;
-        }
-        else {
+        } else {
             hashOID = ssl3_TLSHashAlgorithmToOID(hashAlg);
             hashes->len = HASH_ResultLenByOidTag(hashOID);
             if (hashes->len == 0 || hashes->len > sizeof(hashes->u.raw)) {
                 ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
                 return SECFailure;
             }
             rv = PK11_HashBuf(hashOID, hashes->u.raw, hashBuf, bufLen);
             if (rv != SECSuccess) {
@@ -1307,18 +1291,17 @@ ssl3_ComputeExportRSAKeyHash(SSLHashType
     PRUint8 *pBuf;
     SECStatus rv = SECSuccess;
     unsigned int bufLen;
     PRUint8 buf[2 * SSL3_RANDOM_LENGTH + 2 + 4096 / 8 + 2 + 4096 / 8];
 
     bufLen = 2 * SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len;
     if (bufLen <= sizeof buf) {
         hashBuf = buf;
-    }
-    else {
+    } else {
         hashBuf = PORT_Alloc(bufLen);
         if (!hashBuf) {
             return SECFailure;
         }
     }
 
     memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
     pBuf = hashBuf + SSL3_RANDOM_LENGTH;
@@ -1340,18 +1323,17 @@ ssl3_ComputeExportRSAKeyHash(SSLHashType
                                    bypassPKCS11);
 
     PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen));
     if (hashAlg == ssl_hash_none) {
         PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result",
                        hashes->u.s.md5, MD5_LENGTH));
         PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result",
                        hashes->u.s.sha, SHA1_LENGTH));
-    }
-    else {
+    } else {
         PRINT_BUF(95, (NULL, "RSAkey hash: result",
                        hashes->u.raw, hashes->len));
     }
 
     if (hashBuf != buf && hashBuf != NULL)
         PORT_Free(hashBuf);
     return rv;
 }
@@ -1368,18 +1350,17 @@ ssl3_ComputeDHKeyHash(SSLHashType hashAl
     PRUint8 *pBuf;
     SECStatus rv = SECSuccess;
     unsigned int bufLen;
     PRUint8 buf[2 * SSL3_RANDOM_LENGTH + 2 + 4096 / 8 + 2 + 4096 / 8];
 
     bufLen = 2 * SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len;
     if (bufLen <= sizeof buf) {
         hashBuf = buf;
-    }
-    else {
+    } else {
         hashBuf = PORT_Alloc(bufLen);
         if (!hashBuf) {
             return SECFailure;
         }
     }
 
     memcpy(hashBuf, client_rand, SSL3_RANDOM_LENGTH);
     pBuf = hashBuf + SSL3_RANDOM_LENGTH;
@@ -1406,18 +1387,17 @@ ssl3_ComputeDHKeyHash(SSLHashType hashAl
                                    bypassPKCS11);
 
     PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen));
     if (hashAlg == ssl_hash_none) {
         PRINT_BUF(95, (NULL, "DHkey hash: MD5 result",
                        hashes->u.s.md5, MD5_LENGTH));
         PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result",
                        hashes->u.s.sha, SHA1_LENGTH));
-    }
-    else {
+    } else {
         PRINT_BUF(95, (NULL, "DHkey hash: result",
                        hashes->u.raw, hashes->len));
     }
 
     if (hashBuf != buf && hashBuf != NULL)
         PORT_Free(hashBuf);
     return rv;
 }
@@ -1960,18 +1940,17 @@ ssl3_BuildRecordPseudoHeader(unsigned ch
 
     /* TLS MAC and AEAD additional data include version. */
     if (isDTLS) {
         SSL3ProtocolVersion dtls_version;
 
         dtls_version = dtls_TLSVersionToDTLSVersion(version);
         out[9] = MSB(dtls_version);
         out[10] = LSB(dtls_version);
-    }
-    else {
+    } else {
         out[9] = MSB(version);
         out[10] = LSB(version);
     }
     out[11] = MSB(length);
     out[12] = LSB(length);
     return 13;
 }
 
@@ -1999,18 +1978,17 @@ ssl3_AESGCM(ssl3KeyMaterial *keys,
     /* See https://tools.ietf.org/html/rfc5288#section-3 for details of how the
      * nonce is formed. */
     memcpy(nonce, keys->write_iv, 4);
     if (doDecrypt) {
         memcpy(nonce + 4, in, explicitNonceLen);
         in += explicitNonceLen;
         inlen -= explicitNonceLen;
         *outlen = 0;
-    }
-    else {
+    } else {
         if (maxout < explicitNonceLen) {
             PORT_SetError(SEC_ERROR_INPUT_LEN);
             return SECFailure;
         }
         /* Use the 64-bit sequence number as the explicit nonce. */
         memcpy(nonce + 4, additionalData, explicitNonceLen);
         memcpy(out, additionalData, explicitNonceLen);
         out += explicitNonceLen;
@@ -2025,18 +2003,17 @@ ssl3_AESGCM(ssl3KeyMaterial *keys,
     gcmParams.ulIvLen = sizeof(nonce);
     gcmParams.pAAD = (unsigned char *)additionalData; /* const cast */
     gcmParams.ulAADLen = additionalDataLen;
     gcmParams.ulTagBits = tagSize * 8;
 
     if (doDecrypt) {
         rv = PK11_Decrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
                           maxout, in, inlen);
-    }
-    else {
+    } else {
         rv = PK11_Encrypt(keys->write_key, CKM_AES_GCM, &param, out, &uOutLen,
                           maxout, in, inlen);
     }
     *outlen += (int)uOutLen;
 
     return rv;
 }
 
@@ -2070,18 +2047,17 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
         return SECFailure;
     }
     memcpy(nonce, keys->write_iv_item.data, 4);
     if (doDecrypt) {
         memcpy(nonce + 4, in, explicitNonceLen);
         in += explicitNonceLen;
         inlen -= explicitNonceLen;
         *outlen = 0;
-    }
-    else {
+    } else {
         if (maxout < explicitNonceLen) {
             PORT_SetError(SEC_ERROR_INPUT_LEN);
             return SECFailure;
         }
         /* Use the 64-bit sequence number as the explicit nonce. */
         memcpy(nonce + 4, additionalData, explicitNonceLen);
         memcpy(out, additionalData, explicitNonceLen);
         out += explicitNonceLen;
@@ -2100,18 +2076,17 @@ ssl3_AESGCMBypass(ssl3KeyMaterial *keys,
                          keys->write_key_item.len,
                          (unsigned char *)&gcmParams, NSS_AES_GCM, !doDecrypt,
                          AES_BLOCK_SIZE);
     if (rv != SECSuccess) {
         return rv;
     }
     if (doDecrypt) {
         rv = AES_Decrypt(cx, out, &uOutLen, maxout, in, inlen);
-    }
-    else {
+    } else {
         rv = AES_Encrypt(cx, out, &uOutLen, maxout, in, inlen);
     }
     AES_DestroyContext(cx, PR_FALSE);
     *outlen += (int)uOutLen;
 
     return rv;
 }
 #endif
@@ -2151,18 +2126,17 @@ ssl3_ChaCha20Poly1305(ssl3KeyMaterial *k
     aeadParams.ulNonceLen = sizeof(nonce);
     aeadParams.pAAD = (unsigned char *)additionalData;
     aeadParams.ulAADLen = additionalDataLen;
     aeadParams.ulTagLen = tagSize;
 
     if (doDecrypt) {
         rv = PK11_Decrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, &param,
                           out, &uOutLen, maxout, in, inlen);
-    }
-    else {
+    } else {
         rv = PK11_Encrypt(keys->write_key, CKM_NSS_CHACHA20_POLY1305, &param,
                           out, &uOutLen, maxout, in, inlen);
     }
     *outlen = (int)uOutLen;
 
     return rv;
 }
 
@@ -2396,39 +2370,36 @@ ssl3_InitPendingCipherSpec(sslSocket *ss
         rv = ssl3_KeyAndMacDeriveBypass(pwSpec,
                                         (const unsigned char *)&ss->ssl3.hs.client_random,
                                         (const unsigned char *)&ss->ssl3.hs.server_random,
                                         isTLS,
                                         (PRBool)(kea_def->is_limited));
         if (rv == SECSuccess) {
             rv = ssl3_InitPendingContextsBypass(ss);
         }
-    }
-