Bug 1279399 - Fix Coverity issues from
bug 1266237 r=franziskus
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -6769,17 +6769,17 @@ ssl3_SendDHClientKeyExchange(sslSocket *
params = &customParams;
customGroupDef.bits = SECKEY_PublicKeyStrengthInBits(svrPubKey);
groupDef = &customGroupDef;
}
rv = ssl_CreateDHEKeyPair(groupDef, params, &keyPair);
if (rv != SECSuccess) {
ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
- return SECFailure;
+ goto loser;
}
pubKey = keyPair->keys->pubKey;
PRINT_BUF(50, (ss, "DH public value:",
pubKey->u.dh.publicValue.data,
pubKey->u.dh.publicValue.len));
if (isTLS)
target = CKM_TLS_MASTER_KEY_DERIVE_DH;
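Review bot: The new `goto loser` after a failed `ssl_CreateDHEKeyPair` is only safe if `keyPair` holds a known value when the cleanup code runs. Both the declaration of `keyPair` and the `loser` label are outside this hunk, so this cannot be confirmed from here. If the declaration is not already `sslEphemeralKeyPair *keyPair = NULL;`, it should be, and the cleanup should be guarded with `if (keyPair)`. Otherwise the failure path could hand an indeterminate pointer to the free routine.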
--- a/lib/ssl/ssl3ecc.c
+++ b/lib/ssl/ssl3ecc.c
@@ -57,29 +57,39 @@ static ECDHEKeyPair gECDHEKeyPairs[29];
SECStatus
ssl_NamedGroup2ECParams(PLArenaPool *arena, const namedGroupDef *ecGroup,
SECKEYECParams *params)
{
SECOidData *oidData = NULL;
PRUint32 policyFlags = 0;
SECStatus rv;
+ if (!params) {
+ PORT_Assert(0);
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
if (!ecGroup || ecGroup->type != group_type_ec ||
(oidData = SECOID_FindOIDByTag(ecGroup->oidTag)) == NULL) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
rv = NSS_GetAlgorithmPolicy(ecGroup->oidTag, &policyFlags);
if (rv == SECSuccess && !(policyFlags & NSS_USE_ALG_IN_SSL_KX)) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
- SECITEM_AllocItem(arena, params, (2 + oidData->oid.len));
+ if (SECITEM_AllocItem(arena, params, (2 + oidData->oid.len)) == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+
/*
* params->data needs to contain the ASN encoding of an object ID (OID)
* representing the named curve. The actual OID is in
* oidData->oid.data so we simply prepend 0x06 and OID length
*/
params->data[0] = SEC_ASN1_OBJECT_ID;
params->data[1] = oidData->oid.len;
memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
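Review bot: `params->data[1] = oidData->oid.len;` stores the OID length in a single byte, which is a valid DER short-form length only for values up to 127. The allocation and the `memcpy` use the full `oid.len`, so a longer OID would not overrun the buffer, but the encoded length byte would be silently truncated and the resulting parameters malformed. Named-curve OIDs are presumably always short, so this is a defensive check; it could go before the allocation as `if (oidData->oid.len > 127) { PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); return SECFailure; }`. The function body continues past the end of this hunk.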
@@ -791,19 +801,16 @@ ssl3_SendECDHServerKeyExchange(
keyPair = (sslEphemeralKeyPair *)PR_NEXT_LINK(&ss->ephemeralKeyPairs);
} else {
rv = ssl_CreateECDHEphemeralKeyPair(ecGroup, &keyPair);
if (rv != SECSuccess) {
goto loser;
}
PR_APPEND_LINK(&keyPair->link, &ss->ephemeralKeyPairs);
}
- if (rv != SECSuccess) {
- goto loser;
- }
PORT_Assert(keyPair);
if (!keyPair) {
PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
return SECFailure;
}
ec_params.len = sizeof(paramBuf);
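Review bot: The `!keyPair` branch still leaves with `return SECFailure;` while the failure path a few lines above uses `goto loser`. The `loser` label is outside this hunk, so it is not visible whether anything acquired earlier in `ssl3_SendECDHServerKeyExchange` would be skipped by the direct return. If it would, the branch should read `PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE); goto loser;`, which matches the change this commit makes in ssl3con.c.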
--- a/lib/ssl/ssl3ext.c
+++ b/lib/ssl/ssl3ext.c
@@ -184,22 +184,21 @@ ssl3_SessionTicketShutdown(void *appData
return SECSuccess;
}
static PRStatus
ssl3_GenerateSessionTicketKeysPKCS11(void *data)
{
SECStatus rv;
sslSocket *ss = (sslSocket *)data;
- sslServerCertType certType;
+ sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL };
const sslServerCert *sc;
SECKEYPrivateKey *svrPrivKey;
SECKEYPublicKey *svrPubKey;
- certType.authType = ssl_auth_rsa_decrypt;
sc = ssl_FindServerCert(ss, &certType);
if (!sc || !sc->serverKeyPair) {
SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair",
SSL_GETPID(), ss->fd));
goto loser;
}
svrPrivKey = sc->serverKeyPair->privKey;
svrPubKey = sc->serverKeyPair->pubKey;
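Review bot: The positional initializer `{ ssl_auth_rsa_decrypt, NULL }` depends on `authType` being the first member of `sslServerCertType` and `namedCurve` the second, which the reader cannot check from this file. A reordering of the struct, or a new member inserted between them, would compile and silently mis-assign. A short comment such as `/* { authType, namedCurve } */` on the initializer would help, as would designated initializers if the project's compiler baseline permits them. The sslcert.c hunks in this commit set the same two fields by name, so matching that style here would also be consistent.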
--- a/lib/ssl/sslcert.c
+++ b/lib/ssl/sslcert.c
@@ -161,27 +161,19 @@ ssl_FindServerCert(const sslSocket *ss,
return NULL;
}
sslServerCert *
ssl_FindServerCertByAuthType(const sslSocket *ss, SSLAuthType authType)
{
sslServerCertType certType;
certType.authType = authType;
- switch (authType) {
- /* Setting the named curve to NULL ensures that all EC certificates
- * are matched when searching for this slot. */
- case ssl_auth_ecdsa:
- case ssl_auth_ecdh_rsa:
- case ssl_auth_ecdh_ecdsa:
- certType.namedCurve = NULL;
- break;
- default:
- break;
- }
+ /* Setting the named curve to NULL ensures that all EC certificates
+ * are matched when searching for this slot. */
+ certType.namedCurve = NULL;
return ssl_FindServerCert(ss, &certType);
}
SECStatus
ssl_OneTimeCertSetup(sslSocket *ss, const sslServerCert *sc)
{
/* Generate a step-down RSA key. */
if (sc->certType.authType == ssl_auth_rsa_decrypt &&
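Review bot: The retained comment in `ssl_FindServerCertByAuthType` still explains the NULL only in terms of EC certificates, but `certType.namedCurve = NULL;` now runs for every `authType`. It should also say why the assignment is unconditional, presumably so that `ssl_FindServerCert` never sees an indeterminate `namedCurve` for non-EC types. Suggested wording: `/* Always initialise namedCurve: NULL matches every EC certificate and keeps the field defined for non-EC auth types. */`. The same comment and assignment appear in `ssl_FindOrMakeCertType` in the next hunk, where `certType` is also passed to `ssl_NewServerCert`, so the wording should be updated there too.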
@@ -637,27 +629,19 @@ ssl_CertSuitableForAuthType(CERTCertific
* server cert slot of the right type. */
static sslServerCert *
ssl_FindOrMakeCertType(sslSocket *ss, SSLAuthType authType)
{
sslServerCert *sc;
sslServerCertType certType;
certType.authType = authType;
- switch (authType) {
- case ssl_auth_ecdsa:
- case ssl_auth_ecdh_rsa:
- case ssl_auth_ecdh_ecdsa:
- /* Setting the named curve to NULL ensures that all EC certificates
- * are matched when searching for this slot. */
- certType.namedCurve = NULL;
- break;
- default:
- break;
- }
+ /* Setting the named curve to NULL ensures that all EC certificates
+ * are matched when searching for this slot. */
+ certType.namedCurve = NULL;
sc = ssl_FindServerCert(ss, &certType);
if (sc) {
PR_REMOVE_LINK(&sc->link);
return sc;
}
return ssl_NewServerCert(&certType);
}