Backed out changeset da0d1b0806f1 (bug 1228410) for [@ SSL_PeerCertificateChain] crashes in multiple jobs a=backout CLOSED TREE
authorWes Kocher <wkocher@mozilla.com>
Wed, 17 Feb 2016 14:52:40 -0800
changeset 318786 e0f6a424331b99f49b9e74ca8e29276828af3ecd
parent 318785 b71f6d0688ead6e674e112a4ac6aa8b050b236b2
child 318787 e397f9ecd8310d03ef19ed9381caf89a137d187a
push id1079
push userjlund@mozilla.com
push dateFri, 15 Apr 2016 21:02:33 +0000
treeherdermozilla-release@575fbf6786d5 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbackout
bugs1228410
milestone46.0a2
backs outda0d1b0806f19a352e842373451f9186e4fd6db7
Backed out changeset da0d1b0806f1 (bug 1228410) for [@ SSL_PeerCertificateChain] crashes in multiple jobs a=backout CLOSED TREE
configure.in
nsprpub/TAG-INFO
nsprpub/config/prdepend.h
nsprpub/configure
nsprpub/configure.in
nsprpub/lib/ds/plarena.h
nsprpub/pr/include/md/_freebsd.cfg
nsprpub/pr/include/md/_freebsd.h
nsprpub/pr/include/md/_linux.h
nsprpub/pr/include/md/_netbsd.h
nsprpub/pr/include/md/_openbsd.h
nsprpub/pr/include/md/_unixos.h
nsprpub/pr/include/prenv.h
nsprpub/pr/include/prinit.h
nsprpub/pr/src/io/prlog.c
nsprpub/pr/src/io/prprf.c
nsprpub/pr/src/io/prscanf.c
nsprpub/pr/src/md/unix/unix.c
nsprpub/pr/src/md/windows/ntinrval.c
nsprpub/pr/src/md/windows/w95thred.c
nsprpub/pr/src/misc/prenv.c
nsprpub/pr/src/misc/prnetdb.c
nsprpub/pr/src/misc/prtpool.c
nsprpub/pr/src/misc/prtrace.c
nsprpub/pr/src/nspr.def
nsprpub/pr/src/pthreads/ptio.c
nsprpub/pr/src/pthreads/ptthread.c
nsprpub/pr/tests/env.c
nsprpub/pr/tests/server_test.c
nsprpub/pr/tests/vercheck.c
security/nss/.clang-format
security/nss/TAG-INFO
security/nss/cmd/certutil/certutil.c
security/nss/cmd/certutil/keystuff.c
security/nss/cmd/checkcert/Makefile
security/nss/cmd/checkcert/checkcert.c
security/nss/cmd/checkcert/manifest.mn
security/nss/cmd/fipstest/fipstest.c
security/nss/cmd/httpserv/httpserv.c
security/nss/cmd/lib/derprint.c
security/nss/cmd/lib/secutil.c
security/nss/cmd/lib/secutil.h
security/nss/cmd/libpkix/pkix/top/test_validatechain_NB.c
security/nss/cmd/libpkix/pkixutil/pkixutil.c
security/nss/cmd/makepqg/makepqg.c
security/nss/cmd/manifest.mn
security/nss/cmd/modutil/install-ds.c
security/nss/cmd/modutil/install-ds.h
security/nss/cmd/modutil/installparse.c
security/nss/cmd/pk11mode/pk11mode.c
security/nss/cmd/pk11util/pk11util.c
security/nss/cmd/pk1sign/pk1sign.c
security/nss/cmd/platlibs.mk
security/nss/cmd/selfserv/selfserv.c
security/nss/cmd/shlibsign/shlibsign.c
security/nss/cmd/signtool/javascript.c
security/nss/cmd/signtool/util.c
security/nss/cmd/smimetools/cmsutil.c
security/nss/cmd/strsclnt/strsclnt.c
security/nss/cmd/tstclnt/tstclnt.c
security/nss/coreconf/WIN32.mk
security/nss/coreconf/Werror.mk
security/nss/external_tests/README
security/nss/external_tests/common/gtest.mk
security/nss/external_tests/common/scoped_ptrs.h
security/nss/external_tests/google_test/Makefile
security/nss/external_tests/google_test/gtest/test/gtest_unittest.cc
security/nss/external_tests/manifest.mn
security/nss/external_tests/pk11_gtest/Makefile
security/nss/external_tests/pk11_gtest/manifest.mn
security/nss/external_tests/pk11_gtest/pk11_gtest.cc
security/nss/external_tests/pk11_gtest/pk11_pbkdf2_unittest.cc
security/nss/external_tests/pk11_gtest/pk11_prf_unittest.cc
security/nss/external_tests/pk11_gtest/pk11_rsapss_unittest.cc
security/nss/external_tests/ssl_gtest/Makefile
security/nss/external_tests/ssl_gtest/databuffer.h
security/nss/external_tests/ssl_gtest/manifest.mn
security/nss/external_tests/ssl_gtest/ssl_extension_unittest.cc
security/nss/external_tests/ssl_gtest/ssl_gtest.cc
security/nss/external_tests/ssl_gtest/ssl_prf_unittest.cc
security/nss/external_tests/ssl_gtest/tls_agent.cc
security/nss/external_tests/ssl_gtest/tls_agent.h
security/nss/lib/Makefile
security/nss/lib/base/arena.c
security/nss/lib/base/base.h
security/nss/lib/base/baset.h
security/nss/lib/base/error.c
security/nss/lib/base/errorval.c
security/nss/lib/base/hash.c
security/nss/lib/base/hashops.c
security/nss/lib/base/item.c
security/nss/lib/base/libc.c
security/nss/lib/base/list.c
security/nss/lib/base/nssbase.h
security/nss/lib/base/nssbaset.h
security/nss/lib/base/tracker.c
security/nss/lib/base/utf8.c
security/nss/lib/certdb/alg1485.c
security/nss/lib/certdb/cert.h
security/nss/lib/certdb/certdb.c
security/nss/lib/certdb/certdb.h
security/nss/lib/certdb/certi.h
security/nss/lib/certdb/certt.h
security/nss/lib/certdb/certv3.c
security/nss/lib/certdb/certxutl.c
security/nss/lib/certdb/certxutl.h
security/nss/lib/certdb/crl.c
security/nss/lib/certdb/genname.c
security/nss/lib/certdb/genname.h
security/nss/lib/certdb/polcyxtn.c
security/nss/lib/certdb/secname.c
security/nss/lib/certdb/stanpcertdb.c
security/nss/lib/certdb/xauthkid.c
security/nss/lib/certdb/xbsconst.c
security/nss/lib/certdb/xconst.c
security/nss/lib/certdb/xconst.h
security/nss/lib/certhigh/certhigh.c
security/nss/lib/certhigh/certhtml.c
security/nss/lib/certhigh/certreq.c
security/nss/lib/certhigh/certvfy.c
security/nss/lib/certhigh/certvfypkix.c
security/nss/lib/certhigh/crlv2.c
security/nss/lib/certhigh/ocsp.c
security/nss/lib/certhigh/ocsp.h
security/nss/lib/certhigh/ocspi.h
security/nss/lib/certhigh/ocspsig.c
security/nss/lib/certhigh/ocspt.h
security/nss/lib/certhigh/ocspti.h
security/nss/lib/certhigh/xcrldist.c
security/nss/lib/ckfw/builtins/anchor.c
security/nss/lib/ckfw/builtins/bfind.c
security/nss/lib/ckfw/builtins/binst.c
security/nss/lib/ckfw/builtins/bobject.c
security/nss/lib/ckfw/builtins/bsession.c
security/nss/lib/ckfw/builtins/bslot.c
security/nss/lib/ckfw/builtins/btoken.c
security/nss/lib/ckfw/builtins/builtins.h
security/nss/lib/ckfw/builtins/ckbiver.c
security/nss/lib/ckfw/builtins/constants.c
security/nss/lib/ckfw/builtins/nssckbi.h
security/nss/lib/ckfw/capi/anchor.c
security/nss/lib/ckfw/capi/cfind.c
security/nss/lib/ckfw/capi/cinst.c
security/nss/lib/ckfw/capi/ckcapi.h
security/nss/lib/ckfw/capi/ckcapiver.c
security/nss/lib/ckfw/capi/cobject.c
security/nss/lib/ckfw/capi/constants.c
security/nss/lib/ckfw/capi/crsa.c
security/nss/lib/ckfw/capi/csession.c
security/nss/lib/ckfw/capi/cslot.c
security/nss/lib/ckfw/capi/ctoken.c
security/nss/lib/ckfw/capi/nsscapi.h
security/nss/lib/ckfw/capi/staticobj.c
security/nss/lib/ckfw/ckfw.h
security/nss/lib/ckfw/ckfwm.h
security/nss/lib/ckfw/ckfwtm.h
security/nss/lib/ckfw/ckmd.h
security/nss/lib/ckfw/crypto.c
security/nss/lib/ckfw/dbm/anchor.c
security/nss/lib/ckfw/dbm/ckdbm.h
security/nss/lib/ckfw/dbm/db.c
security/nss/lib/ckfw/dbm/find.c
security/nss/lib/ckfw/dbm/instance.c
security/nss/lib/ckfw/dbm/object.c
security/nss/lib/ckfw/dbm/session.c
security/nss/lib/ckfw/dbm/slot.c
security/nss/lib/ckfw/dbm/token.c
security/nss/lib/ckfw/find.c
security/nss/lib/ckfw/hash.c
security/nss/lib/ckfw/instance.c
security/nss/lib/ckfw/mechanism.c
security/nss/lib/ckfw/mutex.c
security/nss/lib/ckfw/nssckfw.h
security/nss/lib/ckfw/nssckfwc.h
security/nss/lib/ckfw/nssckfwt.h
security/nss/lib/ckfw/nssckmdt.h
security/nss/lib/ckfw/nssckt.h
security/nss/lib/ckfw/nssmkey/ckmk.h
security/nss/lib/ckfw/nssmkey/ckmkver.c
security/nss/lib/ckfw/nssmkey/manchor.c
security/nss/lib/ckfw/nssmkey/mconstants.c
security/nss/lib/ckfw/nssmkey/mfind.c
security/nss/lib/ckfw/nssmkey/minst.c
security/nss/lib/ckfw/nssmkey/mobject.c
security/nss/lib/ckfw/nssmkey/mrsa.c
security/nss/lib/ckfw/nssmkey/msession.c
security/nss/lib/ckfw/nssmkey/mslot.c
security/nss/lib/ckfw/nssmkey/mtoken.c
security/nss/lib/ckfw/nssmkey/nssmkey.h
security/nss/lib/ckfw/nssmkey/staticobj.c
security/nss/lib/ckfw/object.c
security/nss/lib/ckfw/session.c
security/nss/lib/ckfw/sessobj.c
security/nss/lib/ckfw/slot.c
security/nss/lib/ckfw/token.c
security/nss/lib/ckfw/wrap.c
security/nss/lib/crmf/asn1cmn.c
security/nss/lib/crmf/challcli.c
security/nss/lib/crmf/cmmf.h
security/nss/lib/crmf/cmmfasn1.c
security/nss/lib/crmf/cmmfchal.c
security/nss/lib/crmf/cmmfi.h
security/nss/lib/crmf/cmmfit.h
security/nss/lib/crmf/cmmfrec.c
security/nss/lib/crmf/cmmfresp.c
security/nss/lib/crmf/cmmft.h
security/nss/lib/crmf/crmf.h
security/nss/lib/crmf/crmfcont.c
security/nss/lib/crmf/crmfdec.c
security/nss/lib/crmf/crmfenc.c
security/nss/lib/crmf/crmffut.h
security/nss/lib/crmf/crmfget.c
security/nss/lib/crmf/crmfi.h
security/nss/lib/crmf/crmfit.h
security/nss/lib/crmf/crmfpop.c
security/nss/lib/crmf/crmfreq.c
security/nss/lib/crmf/crmft.h
security/nss/lib/crmf/crmftmpl.c
security/nss/lib/crmf/encutil.c
security/nss/lib/crmf/respcli.c
security/nss/lib/crmf/respcmn.c
security/nss/lib/crmf/servget.c
security/nss/lib/cryptohi/cryptohi.h
security/nss/lib/cryptohi/cryptoht.h
security/nss/lib/cryptohi/dsautil.c
security/nss/lib/cryptohi/keyhi.h
security/nss/lib/cryptohi/keyi.h
security/nss/lib/cryptohi/keythi.h
security/nss/lib/cryptohi/sechash.c
security/nss/lib/cryptohi/sechash.h
security/nss/lib/cryptohi/seckey.c
security/nss/lib/cryptohi/secsign.c
security/nss/lib/cryptohi/secvfy.c
security/nss/lib/freebl/ecl/ec_naf.c
security/nss/lib/freebl/ecl/ecp_256_32.c
security/nss/lib/freebl/ecl/ecp_aff.c
security/nss/lib/freebl/loader.c
security/nss/lib/freebl/mpi/mpi.c
security/nss/lib/freebl/mpi/mpmontg.c
security/nss/lib/freebl/mpi/mpprime.c
security/nss/lib/freebl/mpi/utils/isprime.c
security/nss/lib/freebl/mpi/utils/metime.c
security/nss/lib/freebl/mpi/utils/primegen.c
security/nss/lib/freebl/rijndael.c
security/nss/lib/freebl/rsa.c
security/nss/lib/freebl/stubs.c
security/nss/lib/freebl/stubs.h
security/nss/lib/freebl/unix_rand.c
security/nss/lib/libpkix/pkix/util/pkix_tools.h
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
security/nss/lib/manifest.mn
security/nss/lib/nss/nss.def
security/nss/lib/nss/nss.h
security/nss/lib/nss/nssinit.c
security/nss/lib/nss/nssoptions.c
security/nss/lib/pk11wrap/debug_module.c
security/nss/lib/pk11wrap/pk11akey.c
security/nss/lib/pk11wrap/pk11load.c
security/nss/lib/pk11wrap/pk11obj.c
security/nss/lib/pk11wrap/pk11pars.c
security/nss/lib/pk11wrap/pk11pbe.c
security/nss/lib/pk11wrap/pk11pub.h
security/nss/lib/pk11wrap/pk11util.c
security/nss/lib/pk11wrap/secmodi.h
security/nss/lib/pkcs7/secmime.c
security/nss/lib/pki/certificate.c
security/nss/lib/pki/pki3hack.c
security/nss/lib/smime/cmscipher.c
security/nss/lib/smime/smimeutil.c
security/nss/lib/softoken/fipstest.c
security/nss/lib/softoken/fipstokn.c
security/nss/lib/softoken/legacydb/lgattr.c
security/nss/lib/softoken/legacydb/lginit.c
security/nss/lib/softoken/legacydb/lowcert.c
security/nss/lib/softoken/legacydb/lowkey.c
security/nss/lib/softoken/legacydb/pcertdb.c
security/nss/lib/softoken/lgglue.c
security/nss/lib/softoken/lowkey.c
security/nss/lib/softoken/lowpbe.c
security/nss/lib/softoken/lowpbe.h
security/nss/lib/softoken/pkcs11c.c
security/nss/lib/softoken/sdb.c
security/nss/lib/softoken/sftkpars.c
security/nss/lib/softoken/sftkpwd.c
security/nss/lib/softoken/softkver.h
security/nss/lib/softoken/softoken.h
security/nss/lib/ssl/dtlscon.c
security/nss/lib/ssl/ssl.def
security/nss/lib/ssl/ssl.h
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ecc.c
security/nss/lib/ssl/ssl3ext.c
security/nss/lib/ssl/sslcon.c
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/sslinfo.c
security/nss/lib/ssl/sslinit.c
security/nss/lib/ssl/sslnonce.c
security/nss/lib/ssl/sslsnce.c
security/nss/lib/ssl/sslsock.c
security/nss/lib/ssl/sslt.h
security/nss/lib/sysinit/nsssysinit.c
security/nss/lib/util/dertime.c
security/nss/lib/util/nssutil.h
security/nss/lib/util/pkcs11t.h
security/nss/lib/util/secoid.c
security/nss/lib/util/secoidt.h
security/nss/lib/util/secport.c
security/nss/lib/util/templates.c
security/nss/lib/util/utilmod.c
security/nss/lib/util/utilpars.c
security/nss/lib/util/utilpars.h
security/nss/tests/all.sh
security/nss/tests/common/init.sh
security/nss/tests/common/parsegtestreport.sed
security/nss/tests/pk11_gtests/pk11_gtests.sh
security/nss/tests/ssl/ssl.sh
security/nss/tests/ssl/sslpolicy.txt
security/nss/tests/ssl_gtests/parsereport.sed
security/nss/tests/ssl_gtests/ssl_gtests.sh
--- a/configure.in
+++ b/configure.in
@@ -48,17 +48,17 @@ dnl ====================================
 _SUBDIR_HOST_LDFLAGS="$HOST_LDFLAGS"
 _SUBDIR_CONFIG_ARGS="$ac_configure_args"
 
 dnl Set the version number of the libs included with mozilla
 dnl ========================================================
 MOZJPEG=62
 MOZPNG=10619
 NSPR_VERSION=4
-NSPR_MINVER=4.12
+NSPR_MINVER=4.11
 NSS_VERSION=3
 
 dnl Set the minimum version of toolkit libs used by mozilla
 dnl ========================================================
 GLIB_VERSION=2.22
 # 2_26 is the earliest version we can set GLIB_VERSION_MIN_REQUIRED.
 # The macro won't be used when compiling with earlier versions anyway.
 GLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_26
@@ -3512,17 +3512,17 @@ dnl = If NSS was not detected in the sys
 dnl = use the one in the source tree (mozilla/security/nss)
 dnl ========================================================
 
 MOZ_ARG_WITH_BOOL(system-nss,
 [  --with-system-nss       Use system installed NSS],
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.22.1, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.21, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 if test -n "$MOZ_NATIVE_NSS"; then
    NSS_LIBS="$NSS_LIBS -lcrmf"
 else
    NSS_CFLAGS="-I${DIST}/include/nss"
 fi
 
--- a/nsprpub/TAG-INFO
+++ b/nsprpub/TAG-INFO
@@ -1,1 +1,1 @@
-NSPR_4_12_RTM
+NSPR_4_11_RTM
--- a/nsprpub/config/prdepend.h
+++ b/nsprpub/config/prdepend.h
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSPR in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/nsprpub/configure
+++ b/nsprpub/configure
@@ -2483,17 +2483,17 @@ case $target_os in *\ *) target_os=`echo
 # The aliases save the names the user supplied, while $host etc.
 # will get canonicalized.
 test -n "$target_alias" &&
   test "$program_prefix$program_suffix$program_transform_name" = \
     NONENONEs,x,x, &&
   program_prefix=${target_alias}-
 
 MOD_MAJOR_VERSION=4
-MOD_MINOR_VERSION=12
+MOD_MINOR_VERSION=11
 MOD_PATCH_VERSION=0
 NSPR_MODNAME=nspr20
 _HAVE_PTHREADS=
 USE_PTHREADS=
 USE_USER_PTHREADS=
 USE_NSPR_THREADS=
 USE_N32=
 USE_X32=
@@ -7043,16 +7043,20 @@ tools are selected during the Xcode/Deve
     powerpc64)
         if test -n "$USE_64"; then
             CC="$CC -m64"
             CXX="$CXX -m64"
         else
             PR_MD_ASFILES=os_Linux_ppc.s
         fi
         ;;
+    m68k)
+        CFLAGS="$CFLAGS -m68020-60"
+        CXXFLAGS="$CXXFLAGS -m68020-60"
+        ;;
     esac
     ;;
 
 *-mingw*|*-msys*|*-cygwin*|*-mks*)
     $as_echo "#define XP_PC 1" >>confdefs.h
 
     $as_echo "#define WIN32 1" >>confdefs.h
 
@@ -7885,17 +7889,17 @@ fi
 $as_echo "$ac_cv_prog_gcc_traditional" >&6; }
   if test $ac_cv_prog_gcc_traditional = yes; then
     CC="$CC -traditional"
   fi
 fi
 
 _SAVE_LIBS="$LIBS"
 LIBS="$LIBS $OS_LIBS"
-for ac_func in dladdr gettid lchown setpriority strerror syscall  secure_getenv __secure_getenv
+for ac_func in dladdr gettid lchown setpriority strerror syscall
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
 if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
   cat >>confdefs.h <<_ACEOF
 #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
 _ACEOF
 
--- a/nsprpub/configure.in
+++ b/nsprpub/configure.in
@@ -10,17 +10,17 @@ AC_CONFIG_SRCDIR([pr/include/nspr.h])
 
 AC_CONFIG_AUX_DIR(${srcdir}/build/autoconf)
 AC_CANONICAL_TARGET
 
 dnl ========================================================
 dnl = Defaults
 dnl ========================================================
 MOD_MAJOR_VERSION=4
-MOD_MINOR_VERSION=12
+MOD_MINOR_VERSION=11
 MOD_PATCH_VERSION=0
 NSPR_MODNAME=nspr20
 _HAVE_PTHREADS=
 USE_PTHREADS=
 USE_USER_PTHREADS=
 USE_NSPR_THREADS=
 USE_N32=
 USE_X32=
@@ -1851,16 +1851,20 @@ tools are selected during the Xcode/Deve
     powerpc64)
         if test -n "$USE_64"; then
             CC="$CC -m64"
             CXX="$CXX -m64"
         else
             PR_MD_ASFILES=os_Linux_ppc.s
         fi
         ;;
+    m68k)
+        CFLAGS="$CFLAGS -m68020-60"
+        CXXFLAGS="$CXXFLAGS -m68020-60"
+        ;;
     esac    
     ;;
 
 *-mingw*|*-msys*|*-cygwin*|*-mks*)
     AC_DEFINE(XP_PC)
     AC_DEFINE(WIN32)
     PR_MD_ARCH_DIR=windows
     RESOLVE_LINK_SYMBOLS=1
@@ -2534,18 +2538,17 @@ dnl Check for typedefs and structs
 dnl ========================================================
 
 dnl ========================================================
 dnl Checks for library functions.
 dnl ========================================================
 AC_PROG_GCC_TRADITIONAL
 _SAVE_LIBS="$LIBS"
 LIBS="$LIBS $OS_LIBS"
-AC_CHECK_FUNCS(dladdr gettid lchown setpriority strerror syscall dnl
- secure_getenv __secure_getenv)
+AC_CHECK_FUNCS(dladdr gettid lchown setpriority strerror syscall)
 LIBS="$_SAVE_LIBS"
 
 dnl ========================================================
 dnl Check options
 dnl ========================================================
 
 dnl ======================================================
 dnl = Enable compiling with ccache
--- a/nsprpub/lib/ds/plarena.h
+++ b/nsprpub/lib/ds/plarena.h
@@ -91,21 +91,21 @@ struct PLArenaPool {
 #elif defined(__SANITIZE_ADDRESS__)
 #define PL_SANITIZE_ADDRESS 1
 #endif
 
 #if defined(PL_SANITIZE_ADDRESS)
 
 /* These definitions are usually provided through the
  * sanitizer/asan_interface.h header installed by ASan.
- * See https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning
+ * See https://code.google.com/p/address-sanitizer/wiki/ManualPoisoning
  */
 
-PR_IMPORT(void) __asan_poison_memory_region(void const volatile *addr, size_t size);
-PR_IMPORT(void) __asan_unpoison_memory_region(void const volatile *addr, size_t size);
+void __asan_poison_memory_region(void const volatile *addr, size_t size);
+void __asan_unpoison_memory_region(void const volatile *addr, size_t size);
 
 #define PL_MAKE_MEM_NOACCESS(addr, size) \
     __asan_poison_memory_region((addr), (size))
 
 #define PL_MAKE_MEM_UNDEFINED(addr, size) \
     __asan_unpoison_memory_region((addr), (size))
 
 #define PL_MAKE_MEM_DEFINED(addr, size) \
--- a/nsprpub/pr/include/md/_freebsd.cfg
+++ b/nsprpub/pr/include/md/_freebsd.cfg
@@ -337,62 +337,16 @@
 #define PR_ALIGN_OF_FLOAT   4
 #define PR_ALIGN_OF_DOUBLE  8
 #define PR_ALIGN_OF_POINTER 4
 #define PR_ALIGN_OF_WORD    4
 
 #define PR_BYTES_PER_WORD_LOG2   2
 #define PR_BYTES_PER_DWORD_LOG2  3
 
-#elif defined(__aarch64__)
-
-#undef  IS_BIG_ENDIAN
-#define IS_LITTLE_ENDIAN 1
-#define IS_64
-
-#define PR_BYTES_PER_BYTE   1
-#define PR_BYTES_PER_SHORT  2
-#define PR_BYTES_PER_INT    4
-#define PR_BYTES_PER_INT64  8
-#define PR_BYTES_PER_LONG   8
-#define PR_BYTES_PER_FLOAT  4
-#define PR_BYTES_PER_DOUBLE 8
-#define PR_BYTES_PER_WORD   8
-#define PR_BYTES_PER_DWORD  8
-
-#define PR_BITS_PER_BYTE    8
-#define PR_BITS_PER_SHORT   16
-#define PR_BITS_PER_INT     32
-#define PR_BITS_PER_INT64   64
-#define PR_BITS_PER_LONG    64
-#define PR_BITS_PER_FLOAT   32
-#define PR_BITS_PER_DOUBLE  64
-#define PR_BITS_PER_WORD    64
-
-#define PR_BITS_PER_BYTE_LOG2   3
-#define PR_BITS_PER_SHORT_LOG2  4
-#define PR_BITS_PER_INT_LOG2    5
-#define PR_BITS_PER_INT64_LOG2  6
-#define PR_BITS_PER_LONG_LOG2   6
-#define PR_BITS_PER_FLOAT_LOG2  5
-#define PR_BITS_PER_DOUBLE_LOG2 6
-#define PR_BITS_PER_WORD_LOG2   6
-
-#define PR_ALIGN_OF_SHORT   2
-#define PR_ALIGN_OF_INT     4
-#define PR_ALIGN_OF_LONG    8
-#define PR_ALIGN_OF_INT64   8
-#define PR_ALIGN_OF_FLOAT   4
-#define PR_ALIGN_OF_DOUBLE  8
-#define PR_ALIGN_OF_POINTER 8
-#define PR_ALIGN_OF_WORD    8
-
-#define PR_BYTES_PER_WORD_LOG2  3
-#define PR_BYTES_PER_DWORD_LOG2 3
-
 #elif defined(__arm__)
 
 #if defined(__ARMEB__) || defined(__ARM_BIG_ENDIAN__)
 #undef  IS_LITTLE_ENDIAN
 #define IS_BIG_ENDIAN    1
 #else
 #undef  IS_BIG_ENDIAN
 #define IS_LITTLE_ENDIAN 1
--- a/nsprpub/pr/include/md/_freebsd.h
+++ b/nsprpub/pr/include/md/_freebsd.h
@@ -24,18 +24,16 @@
 #elif defined(__ia64__)
 #define _PR_SI_ARCHITECTURE "ia64"
 #elif defined(__amd64__)
 #define _PR_SI_ARCHITECTURE "amd64"
 #elif defined(__powerpc64__)
 #define _PR_SI_ARCHITECTURE "powerpc64"
 #elif defined(__powerpc__)
 #define _PR_SI_ARCHITECTURE "powerpc"
-#elif defined(__aarch64__)
-#define _PR_SI_ARCHITECTURE "aarch64"
 #elif defined(__arm__)
 #define _PR_SI_ARCHITECTURE "arm"
 #elif defined(__mips64__)
 #define _PR_SI_ARCHITECTURE "mips64"
 #elif defined(__mips__)
 #define _PR_SI_ARCHITECTURE "mips"
 #else
 #error "Unknown CPU architecture"
@@ -225,17 +223,17 @@ extern PRStatus _MD_WAKEUP_WAITER(PRThre
 extern void _MD_YIELD(void);
 
 #endif /* ! _PR_PTHREADS */
 
 extern void _MD_EarlyInit(void);
 
 #define _MD_EARLY_INIT                  _MD_EarlyInit
 #define _MD_FINAL_INIT			_PR_UnixInit
-#define _PR_HAVE_CLOCK_MONOTONIC
+#define _MD_INTERVAL_USE_GTOD
 
 /*
  * We wrapped the select() call.  _MD_SELECT refers to the built-in,
  * unwrapped version.
  */
 #define _MD_SELECT(nfds,r,w,e,tv) syscall(SYS_select,nfds,r,w,e,tv)
 
 #if defined(_PR_POLL_AVAILABLE)
--- a/nsprpub/pr/include/md/_linux.h
+++ b/nsprpub/pr/include/md/_linux.h
@@ -666,17 +666,17 @@ extern PRStatus _MD_WAKEUP_WAITER(PRThre
 extern void _MD_YIELD(void);
 
 #endif /* ! _PR_PTHREADS */
 
 extern void _MD_EarlyInit(void);
 
 #define _MD_EARLY_INIT                  _MD_EarlyInit
 #define _MD_FINAL_INIT                  _PR_UnixInit
-#define _PR_HAVE_CLOCK_MONOTONIC
+#define HAVE_CLOCK_MONOTONIC
 
 /*
  * We wrapped the select() call.  _MD_SELECT refers to the built-in,
  * unwrapped version.
  */
 #define _MD_SELECT __select
 
 #ifdef _PR_POLL_AVAILABLE
--- a/nsprpub/pr/include/md/_netbsd.h
+++ b/nsprpub/pr/include/md/_netbsd.h
@@ -206,17 +206,17 @@ struct _MDCPU {
 #define _MD_CLEAN_THREAD(_thread)
 
 #endif /* ! _PR_PTHREADS */
 
 extern void _MD_EarlyInit(void);
 
 #define _MD_EARLY_INIT                  _MD_EarlyInit
 #define _MD_FINAL_INIT			_PR_UnixInit
-#define _PR_HAVE_CLOCK_MONOTONIC
+#define _MD_INTERVAL_USE_GTOD
 
 /*
  * We wrapped the select() call.  _MD_SELECT refers to the built-in,
  * unwrapped version.
  */
 #define _MD_SELECT(nfds,r,w,e,tv) syscall(SYS_select,nfds,r,w,e,tv)
 #if defined(_PR_POLL_AVAILABLE)
 #include <poll.h>
--- a/nsprpub/pr/include/md/_openbsd.h
+++ b/nsprpub/pr/include/md/_openbsd.h
@@ -187,17 +187,17 @@ struct _MDCPU {
 #define _MD_SUSPEND_THREAD(thread)      _MD_suspend_thread
 #define _MD_RESUME_THREAD(thread)       _MD_resume_thread
 #define _MD_CLEAN_THREAD(_thread)
 
 #endif /* ! _PR_PTHREADS */
 
 #define _MD_EARLY_INIT                  _MD_EarlyInit
 #define _MD_FINAL_INIT			_PR_UnixInit
-#define _PR_HAVE_CLOCK_MONOTONIC
+#define _MD_INTERVAL_USE_GTOD
 
 /*
  * We wrapped the select() call.  _MD_SELECT refers to the built-in,
  * unwrapped version.
  */
 #define _MD_SELECT(nfds,r,w,e,tv) syscall(SYS_select,nfds,r,w,e,tv)
 #include <poll.h>
 #define _MD_POLL(fds,nfds,timeout) syscall(SYS_poll,fds,nfds,timeout)
--- a/nsprpub/pr/include/md/_unixos.h
+++ b/nsprpub/pr/include/md/_unixos.h
@@ -297,17 +297,17 @@ extern void		_MD_FreeSegment(PRSegment *
 #ifdef _MD_INTERVAL_USE_GTOD
 extern PRIntervalTime   _PR_UNIX_GetInterval(void);
 extern PRIntervalTime   _PR_UNIX_TicksPerSecond(void);
 #define _MD_INTERVAL_INIT()
 #define _MD_GET_INTERVAL		_PR_UNIX_GetInterval
 #define _MD_INTERVAL_PER_SEC		_PR_UNIX_TicksPerSecond
 #endif
 
-#ifdef _PR_HAVE_CLOCK_MONOTONIC
+#ifdef HAVE_CLOCK_MONOTONIC
 extern PRIntervalTime   _PR_UNIX_GetInterval2(void);
 extern PRIntervalTime   _PR_UNIX_TicksPerSecond2(void);
 #define _MD_INTERVAL_INIT()
 #define _MD_GET_INTERVAL		_PR_UNIX_GetInterval2
 #define _MD_INTERVAL_PER_SEC		_PR_UNIX_TicksPerSecond2
 #endif
 
 #define _MD_INTERVAL_PER_MILLISEC()	(_PR_MD_INTERVAL_PER_SEC() / 1000)
--- a/nsprpub/pr/include/prenv.h
+++ b/nsprpub/pr/include/prenv.h
@@ -86,30 +86,16 @@ PR_BEGIN_EXTERN_C
 **   conceptual environment space than that operated upon by
 **   NSPR's functions or other environment manipulating
 **   functions on the same platform. (!)
 ** 
 */
 NSPR_API(char*) PR_GetEnv(const char *var);
 
 /*
-** PR_GetEnvSecure() -- get a security-sensitive environment variable
-**
-** Description:
-**
-** PR_GetEnvSecure() is similar to PR_GetEnv(), but it returns NULL if
-** the program was run with elevated privilege (e.g., setuid or setgid
-** on Unix).  This can be used for cases like log file paths which
-** could otherwise be used for privilege escalation.  Note that some
-** platforms may have platform-specific privilege elevation mechanisms
-** not recognized by this function; see the implementation for details.
-*/
-NSPR_API(char*) PR_GetEnvSecure(const char *var);
-
-/*
 ** PR_SetEnv() -- set, unset or change an environment variable
 ** 
 ** Description:
 ** PR_SetEnv() is modeled on the Unix putenv() function.
 ** 
 ** Inputs: 
 **   string -- pointer to a caller supplied
 **   constant, persistent string of the form name=value. Where
--- a/nsprpub/pr/include/prinit.h
+++ b/nsprpub/pr/include/prinit.h
@@ -26,19 +26,19 @@ PR_BEGIN_EXTERN_C
 /*
 ** NSPR's version is used to determine the likelihood that the version you
 ** used to build your component is anywhere close to being compatible with
 ** what is in the underlying library.
 **
 ** The format of the version string is
 **     "<major version>.<minor version>[.<patch level>] [<Beta>]"
 */
-#define PR_VERSION  "4.12"
+#define PR_VERSION  "4.11"
 #define PR_VMAJOR   4
-#define PR_VMINOR   12
+#define PR_VMINOR   11
 #define PR_VPATCH   0
 #define PR_BETA     PR_FALSE
 
 /*
 ** PRVersionCheck
 **
 ** The basic signature of the function that is called to provide version
 ** checking. The result will be a boolean that indicates the likelihood
--- a/nsprpub/pr/src/io/prlog.c
+++ b/nsprpub/pr/src/io/prlog.c
@@ -233,17 +233,23 @@ void _PR_InitLog(void)
             }
             /*found:*/
             count = sscanf(&ev[pos], " , %n", &delta);
             pos += delta;
             if (count == EOF) break;
         }
         PR_SetLogBuffering(isSync ? 0 : bufSize);
 
-        ev = PR_GetEnvSecure("NSPR_LOG_FILE");
+#ifdef XP_UNIX
+        if ((getuid() != geteuid()) || (getgid() != getegid())) {
+            return;
+        }
+#endif /* XP_UNIX */
+
+        ev = PR_GetEnv("NSPR_LOG_FILE");
         if (ev && ev[0]) {
             if (!PR_SetLogFile(ev)) {
 #ifdef XP_PC
                 char* str = PR_smprintf("Unable to create nspr log file '%s'\n", ev);
                 if (str) {
                     OutputDebugStringA(str);
                     PR_smprintf_free(str);
                 }
--- a/nsprpub/pr/src/io/prprf.c
+++ b/nsprpub/pr/src/io/prprf.c
@@ -32,17 +32,17 @@
 
 typedef struct SprintfStateStr SprintfState;
 
 struct SprintfStateStr {
     int (*stuff)(SprintfState *ss, const char *sp, PRUint32 len);
 
     char *base;
     char *cur;
-    PRUint32 maxlen;  /* Must not exceed PR_INT32_MAX. */
+    PRUint32 maxlen;
 
     int (*func)(void *arg, const char *sp, PRUint32 len);
     void *arg;
 };
 
 /*
 ** Numbered Argument
 */
@@ -692,17 +692,17 @@ static int dosprintf(SprintfState *ss, c
 #endif
     } u;
     const char *fmt0;
     static char *hex = "0123456789abcdef";
     static char *HEX = "0123456789ABCDEF";
     char *hexp;
     int rv, i;
     struct NumArg* nas = NULL;
-    struct NumArg* nap = NULL;
+    struct NumArg* nap;
     struct NumArg  nasArray[ NAS_DEFAULT_NUM ];
     char  pattern[20];
     const char* dolPt = NULL;  /* in "%4$.2f", dolPt will point to . */
 #ifdef WIN32
     char *pBuf = NULL;
 #endif
 
     /*
@@ -1055,23 +1055,16 @@ static int dosprintf(SprintfState *ss, c
 }
 
 /************************************************************************/
 
 static int FuncStuff(SprintfState *ss, const char *sp, PRUint32 len)
 {
     int rv;
 
-    /*
-    ** We will add len to ss->maxlen at the end of the function. First check
-    ** if ss->maxlen + len would overflow or be greater than PR_INT32_MAX.
-    */
-    if (PR_UINT32_MAX - ss->maxlen < len || ss->maxlen + len > PR_INT32_MAX) {
-	return -1;
-    }
     rv = (*ss->func)(ss->arg, sp, len);
     if (rv < 0) {
 	return rv;
     }
     ss->maxlen += len;
     return 0;
 }
 
@@ -1107,31 +1100,19 @@ PR_IMPLEMENT(PRUint32) PR_vsxprintf(PRSt
 */
 static int GrowStuff(SprintfState *ss, const char *sp, PRUint32 len)
 {
     ptrdiff_t off;
     char *newbase;
     PRUint32 newlen;
 
     off = ss->cur - ss->base;
-    if (PR_UINT32_MAX - len < off) {
-	/* off + len would be too big. */
-	return -1;
-    }
     if (off + len >= ss->maxlen) {
 	/* Grow the buffer */
-	PRUint32 increment = (len > 32) ? len : 32;
-	if (PR_UINT32_MAX - ss->maxlen < increment) {
-	    /* ss->maxlen + increment would overflow. */
-	    return -1;
-	}
-	newlen = ss->maxlen + increment;
-	if (newlen > PR_INT32_MAX) {
-	    return -1;
-	}
+	newlen = ss->maxlen + ((len > 32) ? len : 32);
 	if (ss->base) {
 	    newbase = (char*) PR_REALLOC(ss->base, newlen);
 	} else {
 	    newbase = (char*) PR_MALLOC(newlen);
 	}
 	if (!newbase) {
 	    /* Ran out of memory */
 	    return -1;
@@ -1224,18 +1205,18 @@ PR_IMPLEMENT(PRUint32) PR_snprintf(char 
 }
 
 PR_IMPLEMENT(PRUint32) PR_vsnprintf(char *out, PRUint32 outlen,const char *fmt,
                                   va_list ap)
 {
     SprintfState ss;
     PRUint32 n;
 
-    PR_ASSERT(outlen != 0 && outlen <= PR_INT32_MAX);
-    if (outlen == 0 || outlen > PR_INT32_MAX) {
+    PR_ASSERT((PRInt32)outlen > 0);
+    if ((PRInt32)outlen <= 0) {
 	return 0;
     }
 
     ss.stuff = LimitStuff;
     ss.base = out;
     ss.cur = out;
     ss.maxlen = outlen;
     (void) dosprintf(&ss, fmt, ap);
@@ -1261,20 +1242,17 @@ PR_IMPLEMENT(char *) PR_sprintf_append(c
 
 PR_IMPLEMENT(char *) PR_vsprintf_append(char *last, const char *fmt, va_list ap)
 {
     SprintfState ss;
     int rv;
 
     ss.stuff = GrowStuff;
     if (last) {
-	size_t lastlen = strlen(last);
-	if (lastlen > PR_INT32_MAX) {
-	    return 0;
-	}
+	int lastlen = strlen(last);
 	ss.base = last;
 	ss.cur = last + lastlen;
 	ss.maxlen = lastlen;
     } else {
 	ss.base = 0;
 	ss.cur = 0;
 	ss.maxlen = 0;
     }
--- a/nsprpub/pr/src/io/prscanf.c
+++ b/nsprpub/pr/src/io/prscanf.c
@@ -189,17 +189,17 @@ static PRUint64
  */
 #define FMAX 31
 #define DECIMAL_POINT '.'
 
 static PRStatus
 GetInt(ScanfState *state, int code)
 {
     char buf[FMAX + 1], *p;
-    int ch = 0;
+    int ch;
     static const char digits[] = "0123456789abcdefABCDEF";
     PRBool seenDigit = PR_FALSE;
     int base;
     int dlen;
 
     switch (code) {
         case 'd': case 'u':
             base = 10;
@@ -299,17 +299,17 @@ GetInt(ScanfState *state, int code)
     }
     return PR_SUCCESS;
 }
 
 static PRStatus
 GetFloat(ScanfState *state)
 {
     char buf[FMAX + 1], *p;
-    int ch = 0;
+    int ch;
     PRBool seenDigit = PR_FALSE;
 
     if (state->width == 0 || state->width > FMAX) {
         state->width = FMAX;
     }
     p = buf;
     GET_IF_WITHIN_WIDTH(state, ch);
     if (WITHIN_WIDTH(state) && (ch == '+' || ch == '-')) {
--- a/nsprpub/pr/src/md/unix/unix.c
+++ b/nsprpub/pr/src/md/unix/unix.c
@@ -2710,17 +2710,17 @@ static void* _MD_Unix_mmap64(
 {
     PR_SetError(PR_FILE_TOO_BIG_ERROR, 0);
     return NULL;
 }  /* _MD_Unix_mmap64 */
 #endif /* defined(_PR_NO_LARGE_FILES) || defined(SOLARIS2_5) */
 
 /* Android <= 19 doesn't have mmap64. */
 #if defined(ANDROID) && __ANDROID_API__ <= 19
-PR_IMPORT(void) *__mmap2(void *, size_t, int, int, int, size_t);
+extern void *__mmap2(void *, size_t, int, int, int, size_t);
 
 #define ANDROID_PAGE_SIZE 4096
 
 static void *
 mmap64(void *addr, size_t len, int prot, int flags, int fd, loff_t offset)
 {
     if (offset & (ANDROID_PAGE_SIZE - 1)) {
         errno = EINVAL;
@@ -3035,17 +3035,17 @@ PRIntervalTime _PR_UNIX_GetInterval()
 }  /* _PR_UNIX_GetInterval */
 
 PRIntervalTime _PR_UNIX_TicksPerSecond()
 {
     return 1000;  /* this needs some work :) */
 }
 #endif
 
-#if defined(_PR_HAVE_CLOCK_MONOTONIC)
+#if defined(HAVE_CLOCK_MONOTONIC)
 PRIntervalTime _PR_UNIX_GetInterval2()
 {
     struct timespec time;
     PRIntervalTime ticks;
 
     if (clock_gettime(CLOCK_MONOTONIC, &time) != 0) {
         fprintf(stderr, "clock_gettime failed: %d\n", errno);
         abort();
--- a/nsprpub/pr/src/md/windows/ntinrval.c
+++ b/nsprpub/pr/src/md/windows/ntinrval.c
@@ -3,20 +3,16 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * NT interval timers
  *
  */
 
-/* Mozilla's build system defines this globally. */
-#ifdef WIN32_LEAN_AND_MEAN
-#undef WIN32_LEAN_AND_MEAN
-#endif
 #include "primpl.h"
 
 #ifdef WINCE
 typedef DWORD (*IntervalFuncType)(void);
 static IntervalFuncType intervalFunc;
 #endif
 
 void
--- a/nsprpub/pr/src/md/windows/w95thred.c
+++ b/nsprpub/pr/src/md/windows/w95thred.c
@@ -60,29 +60,24 @@ PRStatus
         ** Warning:
         ** --------
         ** NSPR requires a real handle to every thread.
         ** GetCurrentThread() returns a pseudo-handle which
         ** is not suitable for some thread operations (e.g.,
         ** suspending).  Therefore, get a real handle from
         ** the pseudo handle via DuplicateHandle(...)
         */
-        BOOL ok = DuplicateHandle(
+        DuplicateHandle(
                 GetCurrentProcess(),     /* Process of source handle */
                 GetCurrentThread(),      /* Pseudo Handle to dup */
                 GetCurrentProcess(),     /* Process of handle */
                 &(thread->md.handle),    /* resulting handle */
                 0L,                      /* access flags */
                 FALSE,                   /* Inheritable */
                 DUPLICATE_SAME_ACCESS);  /* Options */
-        if (!ok) {
-            return PR_FAILURE;
-        }
-        thread->id = GetCurrentThreadId();
-        thread->md.id = thread->id;
     }
 
     /* Create the blocking IO semaphore */
     thread->md.blocked_sema = CreateSemaphore(NULL, 0, 1, NULL);
     if (thread->md.blocked_sema == NULL)
         return PR_FAILURE;
 	else
 		return PR_SUCCESS;
--- a/nsprpub/pr/src/misc/prenv.c
+++ b/nsprpub/pr/src/misc/prenv.c
@@ -1,34 +1,27 @@
 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include <string.h>
-#include <stdlib.h>
 #include "primpl.h"
 #include "prmem.h"
 
 #if defined(XP_UNIX)
-#include <unistd.h>
 #if defined(DARWIN)
 #if defined(HAVE_CRT_EXTERNS_H)
 #include <crt_externs.h>
 #endif /* HAVE_CRT_EXTERNS_H */
 #else  /* DARWIN */
 PR_IMPORT_DATA(char **) environ;
 #endif /* DARWIN */
 #endif /* XP_UNIX */
 
-#if !defined(HAVE_SECURE_GETENV) && defined(HAVE___SECURE_GETENV)
-#define secure_getenv __secure_getenv
-#define HAVE_SECURE_GETENV 1
-#endif
-
 /* Lock used to lock the environment */
 #if defined(_PR_NO_PREEMPT)
 #define _PR_NEW_LOCK_ENV()
 #define _PR_DELETE_LOCK_ENV()
 #define _PR_LOCK_ENV()
 #define _PR_UNLOCK_ENV()
 #elif defined(_PR_LOCAL_THREADS_ONLY)
 extern _PRCPU * _pr_primordialCPU;
@@ -65,44 +58,16 @@ PR_IMPLEMENT(char*) PR_GetEnv(const char
     if (!_pr_initialized) _PR_ImplicitInitialization();
 
     _PR_LOCK_ENV();
     ev = _PR_MD_GET_ENV(var);
     _PR_UNLOCK_ENV();
     return ev;
 }
 
-PR_IMPLEMENT(char*) PR_GetEnvSecure(const char *var)
-{
-#ifdef HAVE_SECURE_GETENV
-  char *ev;
-
-  if (!_pr_initialized) _PR_ImplicitInitialization();
-
-  _PR_LOCK_ENV();
-  ev = secure_getenv(var);
-  _PR_UNLOCK_ENV();
-
-  return ev;
-#else
-#ifdef XP_UNIX
-  /*
-  ** Fall back to checking uids and gids.  This won't detect any other
-  ** privilege-granting mechanisms the platform may have.  This also
-  ** can't detect the case where the process already called
-  ** setuid(geteuid()) and/or setgid(getegid()).
-  */
-  if (getuid() != geteuid() || getgid() != getegid()) {
-    return NULL;
-  }
-#endif /* XP_UNIX */
-  return PR_GetEnv(var);
-#endif /* HAVE_SECURE_GETENV */
-}
-
 PR_IMPLEMENT(PRStatus) PR_SetEnv(const char *string)
 {
     PRIntn result;
 
     if (!_pr_initialized) _PR_ImplicitInitialization();
 
     if (!strchr(string, '=')) return(PR_FAILURE);
 
--- a/nsprpub/pr/src/misc/prnetdb.c
+++ b/nsprpub/pr/src/misc/prnetdb.c
@@ -58,17 +58,18 @@ PRLock *_pr_dnsLock = NULL;
 #include <arpa/inet.h>  /* pick up define for inet_addr */
 #include <sys/socket.h>
 #define _PR_HAVE_GETPROTO_R
 #define _PR_HAVE_GETPROTO_R_POINTER
 #endif
 
 #if defined(SOLARIS) || (defined(BSDI) && defined(_REENTRANT)) \
 	|| (defined(LINUX) && defined(_REENTRANT) \
-        && defined(__GLIBC__) && __GLIBC__ < 2)
+        && !(defined(__GLIBC__) && __GLIBC__ >= 2) \
+        && !defined(ANDROID))
 #define _PR_HAVE_GETPROTO_R
 #define _PR_HAVE_GETPROTO_R_POINTER
 #endif
 
 #if defined(OSF1) \
         || defined(AIX4_3_PLUS) || (defined(AIX) && defined(_THREAD_SAFE)) \
 	|| (defined(HPUX10_10) && defined(_REENTRANT)) \
         || (defined(HPUX10_20) && defined(_REENTRANT)) \
--- a/nsprpub/pr/src/misc/prtpool.c
+++ b/nsprpub/pr/src/misc/prtpool.c
@@ -276,18 +276,18 @@ add_to_jobq(PRThreadPool *tp, PRJob *job
  * io worker thread function
  */
 static void io_wstart(void *arg)
 {
 PRThreadPool *tp = (PRThreadPool *) arg;
 int pollfd_cnt, pollfds_used;
 int rv;
 PRCList *qp, *nextqp;
-PRPollDesc *pollfds = NULL;
-PRJob **polljobs = NULL;
+PRPollDesc *pollfds;
+PRJob **polljobs;
 int poll_timeout;
 PRIntervalTime now;
 
 	/*
 	 * scan io_jobq
 	 * construct poll list
 	 * call PR_Poll
 	 * for all fds, for which poll returns true, move the job to
--- a/nsprpub/pr/src/misc/prtrace.c
+++ b/nsprpub/pr/src/misc/prtrace.c
@@ -652,18 +652,24 @@ static PRFileDesc * InitializeRecording(
         _PR_InitializeTrace();
 
     PR_LOG( lm, PR_LOG_DEBUG,
         ("PR_RecordTraceEntries: begins"));
 
     logLostData = 0; /* reset at entry */
     logState = LogReset;
 
+#ifdef XP_UNIX
+    if ((getuid() != geteuid()) || (getgid() != getegid())) {
+        return NULL;
+    }
+#endif /* XP_UNIX */
+
     /* Get the filename for the logfile from the environment */
-    logFileName = PR_GetEnvSecure( "NSPR_TRACE_LOG" );
+    logFileName = PR_GetEnv( "NSPR_TRACE_LOG" );
     if ( logFileName == NULL )
     {
         PR_LOG( lm, PR_LOG_ERROR,
             ("RecordTraceEntries: Environment variable not defined. Exiting"));
         return NULL;
     }
     
     /* Open the logfile */
--- a/nsprpub/pr/src/nspr.def
+++ b/nsprpub/pr/src/nspr.def
@@ -450,15 +450,8 @@ EXPORTS ;-
 ;+      global:
 		PR_GetThreadName;
 		PR_SetCurrentThreadName;
 ;+} NSPR_4.8.9;
 ;+NSPR_4.10.3 {
 ;+      global:
 		PR_SyncMemMap;
 ;+} NSPR_4.9.2;
-;+# Function PR_DuplicateEnvironment had been added in NSPR 4.10.9,
-;+# but we neglected to add it to nspr.def until NSPR 4.12
-;+NSPR_4.12 {
-;+      global:
-		PR_DuplicateEnvironment;
-		PR_GetEnvSecure;
-;+} NSPR_4.10.3;
--- a/nsprpub/pr/src/pthreads/ptio.c
+++ b/nsprpub/pr/src/pthreads/ptio.c
@@ -3760,17 +3760,17 @@ static PRInt32 _pr_poll_with_poll(
     PRPollDesc *pds, PRIntn npds, PRIntervalTime timeout)
 {
     PRInt32 ready = 0;
     /*
      * For restarting poll() if it is interrupted by a signal.
      * We use these variables to figure out how much time has
      * elapsed and how much of the timeout still remains.
      */
-    PRIntervalTime start = 0, elapsed, remaining;
+    PRIntervalTime start, elapsed, remaining;
 
     if (pt_TestAbort()) return -1;
 
     if (0 == npds) PR_Sleep(timeout);
     else
     {
 #define STACK_POLL_DESC_COUNT 64
         struct pollfd stack_syspoll[STACK_POLL_DESC_COUNT];
@@ -4014,17 +4014,17 @@ static PRInt32 _pr_poll_with_select(
     PRPollDesc *pds, PRIntn npds, PRIntervalTime timeout)
 {
     PRInt32 ready = 0;
     /*
      * For restarting select() if it is interrupted by a signal.
      * We use these variables to figure out how much time has
      * elapsed and how much of the timeout still remains.
      */
-    PRIntervalTime start = 0, elapsed, remaining;
+    PRIntervalTime start, elapsed, remaining;
 
     if (pt_TestAbort()) return -1;
 
     if (0 == npds) PR_Sleep(timeout);
     else
     {
 #define STACK_POLL_DESC_COUNT 64
         int stack_selectfd[STACK_POLL_DESC_COUNT];
@@ -4914,17 +4914,17 @@ PR_IMPLEMENT(PRInt32) PR_Select(
     struct timeval tv, *tvp;
     PRInt32 max, max_fd;
     PRInt32 rv;
     /*
      * For restarting select() if it is interrupted by a Unix signal.
      * We use these variables to figure out how much time has elapsed
      * and how much of the timeout still remains.
      */
-    PRIntervalTime start = 0, elapsed, remaining;
+    PRIntervalTime start, elapsed, remaining;
 
     static PRBool unwarned = PR_TRUE;
     if (unwarned) unwarned = _PR_Obsolete( "PR_Select", "PR_Poll");
 
     FD_ZERO(&rd);
     FD_ZERO(&wr);
     FD_ZERO(&ex);
 
--- a/nsprpub/pr/src/pthreads/ptthread.c
+++ b/nsprpub/pr/src/pthreads/ptthread.c
@@ -16,20 +16,16 @@
 #include "prpdce.h"
 
 #include <pthread.h>
 #include <unistd.h>
 #include <string.h>
 #include <signal.h>
 #include <dlfcn.h>
 
-#if defined(OPENBSD) || defined(FREEBSD) || defined(DRAGONFLY)
-#include <pthread_np.h>
-#endif
-
 #ifdef SYMBIAN
 /* In Open C sched_get_priority_min/max do not work properly, so we undefine
  * _POSIX_THREAD_PRIORITY_SCHEDULING here.
  */
 #undef _POSIX_THREAD_PRIORITY_SCHEDULING
 #endif
 
 #ifdef _PR_NICE_PRIORITY_SCHEDULING
@@ -1732,17 +1728,17 @@ PR_IMPLEMENT(void*)PR_GetSP(PRThread *th
 }  /* PR_GetSP */
 
 #endif /* !defined(_PR_DCETHREADS) */
 
 PR_IMPLEMENT(PRStatus) PR_SetCurrentThreadName(const char *name)
 {
     PRThread *thread;
     size_t nameLen;
-    int result = 0;
+    int result;
 
     if (!name) {
         PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
         return PR_FAILURE;
     }
 
     thread = PR_GetCurrentThread();
     if (!thread)
@@ -1750,20 +1746,18 @@ PR_IMPLEMENT(PRStatus) PR_SetCurrentThre
 
     PR_Free(thread->name);
     nameLen = strlen(name);
     thread->name = (char *)PR_Malloc(nameLen + 1);
     if (!thread->name)
         return PR_FAILURE;
     memcpy(thread->name, name, nameLen + 1);
 
-#if defined(OPENBSD) || defined(FREEBSD) || defined(DRAGONFLY)
-    pthread_set_name_np(thread->id, name);
-#elif defined(NETBSD)
-    result = pthread_setname_np(thread->id, "%s", (void *)name);
+#if defined(OPENBSD) || defined(FREEBSD)
+    result = pthread_set_name_np(thread->id, name);
 #else /* not BSD */
     /*
      * On OSX, pthread_setname_np is only available in 10.6 or later, so test
      * for it at runtime.  It also may not be available on all linux distros.
      */
 #if defined(DARWIN)
     int (*dynamic_pthread_setname_np)(const char*);
 #else
--- a/nsprpub/pr/tests/env.c
+++ b/nsprpub/pr/tests/env.c
@@ -13,17 +13,16 @@
 #include "plgetopt.h"
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
 PRIntn  debug = 0;
 PRIntn  verbose = 0;
-PRIntn  secure = 0;
 PRBool  failedAlready = PR_FALSE;
 
 #define  ENVNAME    "NSPR_ENVIRONMENT_TEST_VARIABLE"
 #define  ENVVALUE   "The expected result"
 #define  ENVBUFSIZE 256
 
 char    *envBuf; /* buffer pointer. We leak memory here on purpose! */
 
@@ -39,38 +38,29 @@ static char * NewBuffer( size_t size )
 
 int main(int argc, char **argv)
 {
     char    *value;
     PRStatus    rc;
 
     {   /* Get command line options */
         PLOptStatus os;
-        PLOptState *opt = PL_CreateOptState(argc, argv, "vds");
+        PLOptState *opt = PL_CreateOptState(argc, argv, "vd");
 
 	    while (PL_OPT_EOL != (os = PL_GetNextOpt(opt)))
         {
 		    if (PL_OPT_BAD == os) continue;
             switch (opt->option)
             {
             case 'd':  /* debug */
                 debug = 1;
                 break;
             case 'v':  /* verbose */
                 verbose = 1;
                 break;
-            case 's':  /* secure / set[ug]id */
-                /*
-                ** To test PR_GetEnvSecure, make this executable (or a
-                ** copy of it) setuid / setgid / otherwise inherently
-                ** privileged (e.g., file capabilities) and run it
-                ** with this flag.
-                */
-                secure = 1;
-                break;
              default:
                 break;
             }
         }
 	    PL_DestroyOptState(opt);
     } /* end block "Get command line options" */
 
 #if 0 
@@ -118,42 +108,16 @@ int main(int argc, char **argv)
     value = PR_GetEnv( ENVNAME );
     if ( (NULL == value ) || (strcmp( value, ENVVALUE)))  {
         if (debug) printf( "env: PR_GetEnv() Failed after setting\n" );
         failedAlready = PR_TRUE;
     } else {
         if (verbose) printf("env: PR_GetEnv() worked after setting it. Found: %s\n", value );
     }
 
-    if ( secure ) {
-        /*
-        ** In this case we've been run with elevated privileges, so
-        ** test that PR_GetEnvSecure *doesn't* find that env var.
-        */
-        value = PR_GetEnvSecure( ENVNAME );
-        if ( NULL != value ) {
-            if (debug) printf( "env: PR_GetEnvSecure() failed; expected NULL, found \"%s\"\n", value );
-            failedAlready = PR_TRUE;
-        } else {
-            if (verbose) printf("env: PR_GetEnvSecure() worked\n" );
-        }
-    } else {
-        /*
-        ** In this case the program is being run normally, so do the
-        ** same check for PR_GetEnvSecure as for PR_GetEnv.
-        */
-        value = PR_GetEnvSecure( ENVNAME );
-        if ( (NULL == value ) || (strcmp( value, ENVVALUE)))  {
-            if (debug) printf( "env: PR_GetEnvSecure() Failed after setting\n" );
-            failedAlready = PR_TRUE;
-        } else {
-            if (verbose) printf("env: PR_GetEnvSecure() worked after setting it. Found: %s\n", value );
-        }
-    }
-
 /* ---------------------------------------------------------------------- */
     /* check that PR_DuplicateEnvironment() agrees with PR_GetEnv() */
     {
 #if defined(XP_UNIX) && (!defined(DARWIN) || defined(HAVE_CRT_EXTERNS_H))
         static const PRBool expect_failure = PR_FALSE;
 #else
         static const PRBool expect_failure = PR_TRUE;
 #endif
--- a/nsprpub/pr/tests/server_test.c
+++ b/nsprpub/pr/tests/server_test.c
@@ -32,17 +32,16 @@
 #include <string.h>
 
 #define PORT 15004
 #define THREAD_STACKSIZE 0
 
 #define PASS 0
 #define FAIL 1
 static int debug_mode = 0;
-static int failed_already = 0;
 
 static int _iterations = 1000;
 static int _clients = 1;
 static int _client_data = 250;
 static int _server_data = (8*1024);
 
 static PRThreadScope ServerScope, ClientScope;
 
@@ -86,17 +85,16 @@ static void Test_Result (int result)
 {
 	switch (result)
 	{
 		case PASS:
 			printf ("PASS\n");
 			break;
 		case FAIL:
 			printf ("FAIL\n");
-			failed_already = 1;
 			break;
 		default:
 			break;
 	}
 }
 
 static void do_work(void);
 
@@ -243,50 +241,39 @@ WorkerThreadFunc(void *_listenSock)
         PR_AtomicDecrement(&workerThreadsBusy);
     }
 }
 
 PRFileDesc *
 ServerSetup(void)
 {
     PRFileDesc *listenSocket;
-    PRSocketOptionData sockOpt;
     PRNetAddr serverAddr;
     PRThread *WorkerThread;
 
-    if ((listenSocket = PR_NewTCPSocket()) == NULL) {
+    if ( (listenSocket = PR_NewTCPSocket()) == NULL) {
         if (debug_mode) printf("\tServer error creating listen socket\n");
 		else Test_Result(FAIL);
         return NULL;
     }
 
-    sockOpt.option = PR_SockOpt_Reuseaddr;
-    sockOpt.value.reuse_addr = PR_TRUE;
-    if (PR_SetSocketOption(listenSocket, &sockOpt) != PR_SUCCESS) {
-        if (debug_mode) printf("\tServer error setting socket option: OS error %d\n",
-                PR_GetOSError());
-        else Test_Result(FAIL);
-        PR_Close(listenSocket);
-        return NULL;
-    }
-
     memset(&serverAddr, 0, sizeof(PRNetAddr));
     serverAddr.inet.family = PR_AF_INET;
     serverAddr.inet.port = PR_htons(PORT);
     serverAddr.inet.ip = PR_htonl(PR_INADDR_ANY);
 
-    if (PR_Bind(listenSocket, &serverAddr) != PR_SUCCESS) {
+    if ( PR_Bind(listenSocket, &serverAddr) == PR_FAILURE) {
         if (debug_mode) printf("\tServer error binding to server address: OS error %d\n",
                 PR_GetOSError());
 		else Test_Result(FAIL);
         PR_Close(listenSocket);
         return NULL;
     }
 
-    if (PR_Listen(listenSocket, 128) != PR_SUCCESS) {
+    if ( PR_Listen(listenSocket, 128) == PR_FAILURE) {
         if (debug_mode) printf("\tServer error listening to server socket\n");
 		else Test_Result(FAIL);
         PR_Close(listenSocket);
 
         return NULL;
     }
 
     /* Create Clients */
@@ -556,17 +543,17 @@ int main(int argc, char **argv)
 {
 	/* The command line argument: -d is used to determine if the test is being run
 	in debug mode. The regress tool requires only one line output:PASS or FAIL.
 	All of the printfs associated with this test has been handled with a if (debug_mode)
 	test.
 	Usage: test_name -d
 	*/
 	PLOptStatus os;
-	PLOptState *opt = PL_CreateOptState(argc, argv, "d");
+	PLOptState *opt = PL_CreateOptState(argc, argv, "d:");
 	while (PL_OPT_EOL != (os = PL_GetNextOpt(opt)))
     {
 		if (PL_OPT_BAD == os) continue;
         switch (opt->option)
         {
         case 'd':  /* debug mode */
 			debug_mode = 1;
             break;
@@ -614,10 +601,10 @@ int main(int argc, char **argv)
  #if 0 
     Measure(do_workUK, "server loop user/kernel");
     Measure(do_workKU, "server loop kernel/user");
     Measure(do_workKK, "server loop kernel/kernel");
  #endif 
 
     PR_Cleanup();
 
-    return failed_already;
+    return 0;
 }
--- a/nsprpub/pr/tests/vercheck.c
+++ b/nsprpub/pr/tests/vercheck.c
@@ -17,51 +17,51 @@
 #include "prinit.h"
 
 #include <stdio.h>
 #include <stdlib.h>
 
 /*
  * This release (4.10.10) is backward compatible with the
  * 4.0.x, 4.1.x, 4.2.x, 4.3.x, 4.4.x, 4.5.x, 4.6.x, 4.7.x,
- * 4.8.x, 4.9.x, 4.10.x and 4.11.X releases.
+ * 4.8.x, 4.9.x, and 4.10.x releases.
  * It, of course, is compatible with itself.
  */
 static char *compatible_version[] = {
     "4.0", "4.0.1", "4.1", "4.1.1", "4.1.2", "4.1.3",
     "4.2", "4.2.1", "4.2.2", "4.3", "4.4", "4.4.1",
     "4.5", "4.5.1",
     "4.6", "4.6.1", "4.6.2", "4.6.3", "4.6.4", "4.6.5",
     "4.6.6", "4.6.7", "4.6.8",
     "4.7", "4.7.1", "4.7.2", "4.7.3", "4.7.4", "4.7.5",
     "4.7.6",
     "4.8", "4.8.1", "4.8.2", "4.8.3", "4.8.4", "4.8.5",
     "4.8.6", "4.8.7", "4.8.8", "4.8.9",
     "4.9", "4.9.1", "4.9.2", "4.9.3", "4.9.4", "4.9.5",
     "4.9.6",
     "4.10", "4.10.1", "4.10.2", "4.10.3", "4.10.4",
     "4.10.5", "4.10.6", "4.10.7", "4.10.8", "4.10.9",
-    "4.10.10", "4.11",
+    "4.10.10",
     PR_VERSION
 };
 
 /*
  * This release is not backward compatible with the old
  * NSPR 2.1 and 3.x releases.
  *
  * Any release is incompatible with future releases and
  * patches.
  */
 static char *incompatible_version[] = {
     "2.1 19980529",
     "3.0", "3.0.1",
     "3.1", "3.1.1", "3.1.2", "3.1.3",
     "3.5", "3.5.1",
     "4.11.1",
-    "4.12.1",
+    "4.12", "4.12.1",
     "10.0", "11.1", "12.14.20"
 };
 
 int main(int argc, char **argv)
 {
     int idx;
     int num_compatible = sizeof(compatible_version) / sizeof(char *);
     int num_incompatible = sizeof(incompatible_version) / sizeof(char *);
deleted file mode 100644
--- a/security/nss/.clang-format
+++ /dev/null
@@ -1,64 +0,0 @@
----
-Language:        Cpp
-# BasedOnStyle:  Mozilla
-AccessModifierOffset: -2
-AlignAfterOpenBracket: true
-AlignEscapedNewlinesLeft: false
-AlignOperands:   true
-AlignTrailingComments: true
-AllowAllParametersOfDeclarationOnNextLine: false
-AllowShortBlocksOnASingleLine: false
-AllowShortCaseLabelsOnASingleLine: false
-AllowShortIfStatementsOnASingleLine: false
-AllowShortLoopsOnASingleLine: false
-AllowShortFunctionsOnASingleLine: All
-AlwaysBreakAfterDefinitionReturnType: true
-AlwaysBreakTemplateDeclarations: false
-AlwaysBreakBeforeMultilineStrings: false
-BreakBeforeBinaryOperators: None
-BreakBeforeTernaryOperators: true
-BreakConstructorInitializersBeforeComma: false
-BinPackParameters: true
-BinPackArguments: true
-ColumnLimit:     0
-ConstructorInitializerAllOnOneLineOrOnePerLine: true
-ConstructorInitializerIndentWidth: 4
-DerivePointerAlignment: true
-ExperimentalAutoDetectBinPacking: false
-IndentCaseLabels: true
-IndentWrappedFunctionNames: false
-IndentFunctionDeclarationAfterType: false
-MaxEmptyLinesToKeep: 1
-KeepEmptyLinesAtTheStartOfBlocks: true
-NamespaceIndentation: None
-ObjCBlockIndentWidth: 2
-ObjCSpaceAfterProperty: true
-ObjCSpaceBeforeProtocolList: false
-PenaltyBreakBeforeFirstCallParameter: 19
-PenaltyBreakComment: 300
-PenaltyBreakString: 1000
-PenaltyBreakFirstLessLess: 120
-PenaltyExcessCharacter: 1000000
-PenaltyReturnTypeOnItsOwnLine: 200
-PointerAlignment: Right
-SpacesBeforeTrailingComments: 1
-Cpp11BracedListStyle: false
-Standard:        Cpp03
-IndentWidth:     4
-TabWidth:        8
-UseTab:          Never
-BreakBeforeBraces: Linux
-SpacesInParentheses: false
-SpacesInSquareBrackets: false
-SpacesInAngles:  false
-SpaceInEmptyParentheses: false
-SpacesInCStyleCastParentheses: false
-SpaceAfterCStyleCast: false
-SpacesInContainerLiterals: true
-SpaceBeforeAssignmentOperators: true
-ContinuationIndentWidth: 4
-CommentPragmas:  '^ IWYU pragma:'
-ForEachMacros:   [ foreach, Q_FOREACH, BOOST_FOREACH ]
-SpaceBeforeParens: ControlStatements
-DisableFormat:   false
-...
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_22_1_RTM
+NSS_3_21_RTM
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -3491,19 +3491,16 @@ shutdown:
 	PR_Close(outFile);
     }
     SECITEM_FreeItem(&certReqDER, PR_FALSE);
     SECITEM_FreeItem(&certDER, PR_FALSE);
     if (pwdata.data && pwdata.source == PW_PLAINTEXT) {
 	/* Allocated by a PL_strdup call in SECU_GetModulePassword. */
 	PL_strfree(pwdata.data);
     }
-    if (email) {
-	PL_strfree(email);
-    }
 
     /* Open the batch command file.
      *
      * - If -B <command line> option is specified, the contents in the
      * command file will be interpreted as subsequent certutil
      * commands to be executed in the current certutil process
      * context after the current certutil command has been executed.
      * - Each line in the command file consists of the command
--- a/security/nss/cmd/certutil/keystuff.c
+++ b/security/nss/cmd/certutil/keystuff.c
@@ -37,17 +37,17 @@ extern char *sys_errlist[];
 
 #define ERROR_BREAK rv = SECFailure;break;
 
 const SEC_ASN1Template SECKEY_PQGParamsTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) },
-    { 0 }
+    { 0, }
 };
 
 /* returns 0 for success, -1 for failure (EOF encountered) */
 static int
 UpdateRNG(void)
 {
     char           randbuf[RAND_BUF_SIZE];
     int            fd,  count;
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/checkcert/Makefile
@@ -0,0 +1,48 @@
+#! gmake
+# 
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+
+include ../platrules.mk
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/checkcert/checkcert.c
@@ -0,0 +1,575 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "secutil.h"
+#include "plgetopt.h"
+#include "cert.h"
+#include "secoid.h"
+#include "cryptohi.h"
+
+/* maximum supported modulus length in bits (indicate problem if over this) */
+#define MAX_MODULUS (1024)
+
+
+static void Usage(char *progName)
+{
+    fprintf(stderr, "Usage: %s [aAvf] [certtocheck] [issuingcert]\n",
+	    progName);
+    fprintf(stderr, "%-20s Cert to check is base64 encoded\n",
+	    "-a");
+    fprintf(stderr, "%-20s Issuer's cert is base64 encoded\n",
+	    "-A");
+    fprintf(stderr, "%-20s Verbose (indicate decoding progress etc.)\n",
+	    "-v");
+    fprintf(stderr, "%-20s Force sanity checks even if pretty print fails.\n",
+	    "-f");
+    fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
+	    "-o output");
+    fprintf(stderr, "%-20s Specify the input type (no default)\n",
+	    "-t type");
+    exit(-1);
+}
+
+
+/*
+ * Check integer field named fieldName, printing out results and
+ * returning the length of the integer in bits
+ */   
+
+static
+int checkInteger(SECItem *intItem, char *fieldName, int verbose) 
+{
+    int len, bitlen;
+    if (verbose) {
+	printf("Checking %s\n", fieldName);
+    }
+
+    len = intItem->len;
+
+    if (len && (intItem->data[0] & 0x80)) {
+	printf("PROBLEM: %s is NEGATIVE 2's-complement integer.\n",
+	       fieldName);
+    }
+
+
+    /* calculate bit length and check for unnecessary leading zeros */
+    bitlen = len << 3;
+    if (len > 1 && intItem->data[0] == 0) {
+	/* leading zero byte(s) */
+	if (!(intItem->data[1] & 0x80)) {
+	    printf("PROBLEM: %s has unneeded leading zeros.  Violates DER.\n",
+		   fieldName);
+	}
+	/* strip leading zeros in length calculation */
+	{
+	    int i=0;
+	    while (bitlen > 8 && intItem->data[i] == 0) {
+		bitlen -= 8;
+		i++;
+	    }
+	}
+    }
+    return bitlen;
+}
+
+
+
+
+static
+void checkName(CERTName *n, char *fieldName, int verbose)
+{
+    char *v=0;
+    if (verbose) {
+	printf("Checking %s\n", fieldName);
+    }
+
+    v = CERT_GetCountryName(n);
+    if (!v) {
+	printf("PROBLEM: %s lacks Country Name (C)\n",
+	       fieldName);
+    }
+    PORT_Free(v);
+
+    v = CERT_GetOrgName(n);
+    if (!v) {
+	printf("PROBLEM: %s lacks Organization Name (O)\n",
+	       fieldName);
+    }
+    PORT_Free(v);
+
+    v = CERT_GetOrgUnitName(n);
+    if (!v) {
+	printf("WARNING: %s lacks Organization Unit Name (OU)\n",
+	       fieldName);
+    }
+    PORT_Free(v);	
+
+    v = CERT_GetCommonName(n);
+    if (!v) {
+	printf("PROBLEM: %s lacks Common Name (CN)\n",
+	       fieldName);
+    }
+    PORT_Free(v);
+}
+
+
+static
+SECStatus
+OurVerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
+	      SECItem *sig, SECAlgorithmID *sigAlgorithm)
+{
+    SECStatus rv;
+    VFYContext *cx;
+    SECOidData *sigAlgOid, *oiddata;
+    SECOidTag hashAlgTag;
+    int showDigestOid=0;
+
+    cx = VFY_CreateContextWithAlgorithmID(key, sig, sigAlgorithm, &hashAlgTag, 
+                                          NULL);
+    if (cx == NULL)
+	return SECFailure;
+
+    sigAlgOid = SECOID_FindOID(&sigAlgorithm->algorithm);
+    if (sigAlgOid == 0)
+	return SECFailure;
+
+    if (showDigestOid) {
+	oiddata = SECOID_FindOIDByTag(hashAlgTag);
+	if ( oiddata ) {
+	    printf("PROBLEM: (cont) Digest OID is %s\n", oiddata->desc);
+	} else {
+	    SECU_PrintAsHex(stdout,
+			    &oiddata->oid, "PROBLEM: UNKNOWN OID", 0);
+	}
+    }
+
+    rv = VFY_Begin(cx);
+    if (rv == SECSuccess) {
+	rv = VFY_Update(cx, buf, len);
+	if (rv == SECSuccess)
+	    rv = VFY_End(cx);
+    }
+
+    VFY_DestroyContext(cx, PR_TRUE);
+    return rv;
+}
+
+
+
+static
+SECStatus
+OurVerifySignedData(CERTSignedData *sd, CERTCertificate *cert)
+{
+    SECItem sig;
+    SECKEYPublicKey *pubKey = 0;
+    SECStatus rv;
+
+    /* check the certificate's validity */
+    rv = CERT_CertTimesValid(cert);
+    if ( rv ) {
+	return(SECFailure);
+    }
+
+    /* get cert's public key */
+    pubKey = CERT_ExtractPublicKey(cert);
+    if ( !pubKey ) {
+	return(SECFailure);
+    }
+
+    /* check the signature */
+    sig = sd->signature;
+    DER_ConvertBitString(&sig);
+    rv = OurVerifyData(sd->data.data, sd->data.len, pubKey, &sig,
+		       &sd->signatureAlgorithm);
+
+    SECKEY_DestroyPublicKey(pubKey);
+
+    if ( rv ) {
+	return(SECFailure);
+    }
+
+    return(SECSuccess);
+}
+
+
+
+
+static
+CERTCertificate *createEmptyCertificate(void)
+{
+    PLArenaPool *arena = 0;
+    CERTCertificate *c = 0;
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if ( !arena ) {
+	return 0;
+    }
+
+
+    c = (CERTCertificate *) PORT_ArenaZAlloc(arena, sizeof(CERTCertificate));
+
+    if (c) {
+	c->referenceCount = 1;
+	c->arena = arena;
+    } else {
+	PORT_FreeArena(arena,PR_TRUE);
+    }
+
+    return c;
+}
+
+
+int main(int argc, char **argv)
+{
+    int verbose=0, force=0;
+    int ascii=0, issuerAscii=0;
+    char *progName=0;
+    PRFileDesc *inFile=0, *issuerCertFile=0;
+    SECItem derCert, derIssuerCert;
+    PLArenaPool *arena=0;
+    CERTSignedData *signedData=0;
+    CERTCertificate *cert=0, *issuerCert=0;
+    SECKEYPublicKey *rsapubkey=0;
+    SECAlgorithmID md5WithRSAEncryption, md2WithRSAEncryption;
+    SECAlgorithmID sha1WithRSAEncryption, rsaEncryption;
+    SECItem spk;
+    int selfSigned=0;
+    int invalid=0;
+    char *inFileName = NULL, *issuerCertFileName = NULL;
+    PLOptState *optstate;
+    PLOptStatus status;
+    SECStatus rv;
+
+    PORT_Memset(&md5WithRSAEncryption, 0, sizeof(md5WithRSAEncryption));
+    PORT_Memset(&md2WithRSAEncryption, 0, sizeof(md2WithRSAEncryption));
+    PORT_Memset(&sha1WithRSAEncryption, 0, sizeof(sha1WithRSAEncryption));
+    PORT_Memset(&rsaEncryption, 0, sizeof(rsaEncryption));
+
+    progName = strrchr(argv[0], '/');
+    progName = progName ? progName+1 : argv[0];
+
+    optstate = PL_CreateOptState(argc, argv, "aAvf");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+	switch (optstate->option) {
+	  case 'v':
+	    verbose = 1;
+	    break;
+
+	  case 'f':
+	    force = 1;
+	    break;
+
+	  case 'a':
+	    ascii = 1;
+	    break;
+
+	  case 'A':
+	    issuerAscii = 1;
+	    break;
+
+	  case '\0':
+	    if (!inFileName)
+		inFileName = PL_strdup(optstate->value);
+	    else if (!issuerCertFileName)
+		issuerCertFileName = PL_strdup(optstate->value);
+	    else
+		Usage(progName);
+	    break;
+	}
+    }
+
+    if (!inFileName || !issuerCertFileName || status == PL_OPT_BAD) {
+	/* insufficient or excess args */
+	Usage(progName);
+    }
+
+    inFile = PR_Open(inFileName, PR_RDONLY, 0);
+    if (!inFile) {
+	fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+	                 progName, inFileName);
+	exit(1);
+    }
+
+    issuerCertFile = PR_Open(issuerCertFileName, PR_RDONLY, 0);
+    if (!issuerCertFile) {
+	fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+	                 progName, issuerCertFileName);
+	exit(1);
+    }
+
+    if (SECU_ReadDERFromFile(&derCert, inFile, ascii, PR_FALSE) != SECSuccess) {
+	printf("Couldn't read input certificate as DER binary or base64\n");
+	exit(1);
+    }
+
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (arena == 0) {
+	fprintf(stderr,"%s: can't allocate scratch arena!", progName);
+	exit(1);
+    }
+
+    if (issuerCertFile) {
+	CERTSignedData *issuerCertSD=0;
+	if (SECU_ReadDERFromFile(&derIssuerCert, issuerCertFile, issuerAscii,
+	                         PR_FALSE) != SECSuccess) {
+	    printf("Couldn't read issuer certificate as DER binary or base64.\n");
+	    exit(1);
+	}
+	issuerCertSD = PORT_ArenaZNew(arena, CERTSignedData);
+	if (!issuerCertSD) {
+	    fprintf(stderr,"%s: can't allocate issuer signed data!", progName);
+	    exit(1);
+	}
+	rv = SEC_ASN1DecodeItem(arena, issuerCertSD, 
+	                        SEC_ASN1_GET(CERT_SignedDataTemplate),
+				&derIssuerCert);
+	if (rv) {
+	    fprintf(stderr, "%s: Issuer cert isn't X509 SIGNED Data?\n",
+		    progName);
+	    exit(1);
+	}
+	issuerCert = createEmptyCertificate();
+	if (!issuerCert) {
+	    printf("%s: can't allocate space for issuer cert.", progName);
+	    exit(1);
+	}
+	rv = SEC_ASN1DecodeItem(arena, issuerCert, 
+	                    SEC_ASN1_GET(CERT_CertificateTemplate),
+			    &issuerCertSD->data);
+	if (rv) {
+	    printf("%s: Does not appear to be an X509 Certificate.\n",
+		   progName);
+	    exit(1);
+	}
+    }
+
+    signedData =  PORT_ArenaZNew(arena,CERTSignedData);
+    if (!signedData) {
+	fprintf(stderr,"%s: can't allocate signedData!", progName);
+	exit(1);
+    }
+
+    rv = SEC_ASN1DecodeItem(arena, signedData, 
+                            SEC_ASN1_GET(CERT_SignedDataTemplate), 
+			    &derCert);
+    if (rv) {
+	fprintf(stderr, "%s: Does not appear to be X509 SIGNED Data.\n",
+		progName);
+	exit(1);
+    }
+
+    if (verbose) {
+	printf("Decoded ok as X509 SIGNED data.\n");
+    }
+
+    cert = createEmptyCertificate();
+    if (!cert) {
+	fprintf(stderr, "%s: can't allocate cert", progName);
+	exit(1);
+    }
+
+    rv = SEC_ASN1DecodeItem(arena, cert, 
+                        SEC_ASN1_GET(CERT_CertificateTemplate), 
+			&signedData->data);
+    if (rv) {
+	fprintf(stderr, "%s: Does not appear to be an X509 Certificate.\n",
+		progName);
+	exit(1);
+    }
+
+
+    if (verbose) {
+	printf("Decoded ok as an X509 certificate.\n");
+    }
+
+    SECU_RegisterDynamicOids();
+    rv = SECU_PrintSignedData(stdout, &derCert, "Certificate", 0,
+			      (SECU_PPFunc)SECU_PrintCertificate);
+
+    if (rv) {
+	fprintf(stderr, "%s: Unable to pretty print cert. Error: %d\n",
+		progName, PORT_GetError());
+	if (!force) {
+	    exit(1);
+	}
+    }
+
+
+    /* Do various checks on the cert */
+
+    printf("\n");
+
+    /* Check algorithms */
+    rv = SECOID_SetAlgorithmID(arena, &md5WithRSAEncryption,
+		       SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION, NULL);
+    if (rv) {
+	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION.\n",
+                progName);
+	exit(1);
+    }
+
+    rv = SECOID_SetAlgorithmID(arena, &md2WithRSAEncryption,
+		       SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION, NULL);
+    if (rv) {
+	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION.\n",
+                progName);
+	exit(1);
+    }
+
+    rv = SECOID_SetAlgorithmID(arena, &sha1WithRSAEncryption,
+		       SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, NULL);
+    if (rv) {
+	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION.\n",
+                progName);
+	exit(1);
+    }
+
+    rv = SECOID_SetAlgorithmID(arena, &rsaEncryption,
+		       SEC_OID_PKCS1_RSA_ENCRYPTION, NULL);
+    if (rv) {
+	fprintf(stderr, "%s: failed to set algorithm ID for SEC_OID_PKCS1_RSA_ENCRYPTION.\n",
+                progName);
+	exit(1);
+    }
+
+    {
+	int isMD5RSA = (SECOID_CompareAlgorithmID(&cert->signature,
+					       &md5WithRSAEncryption) == 0);
+	int isMD2RSA = (SECOID_CompareAlgorithmID(&cert->signature,
+					       &md2WithRSAEncryption) == 0);
+	int isSHA1RSA = (SECOID_CompareAlgorithmID(&cert->signature,
+					       &sha1WithRSAEncryption) == 0);
+
+	if (verbose) {
+	    printf("\nDoing algorithm checks.\n");
+	}
+
+	if (!(isMD5RSA || isMD2RSA || isSHA1RSA)) {
+	    printf("PROBLEM: Signature not PKCS1 MD5, MD2, or SHA1 + RSA.\n");
+	} else if (!isMD5RSA) {
+	    printf("WARNING: Signature not PKCS1 MD5 with RSA Encryption\n");
+	}
+
+	if (SECOID_CompareAlgorithmID(&cert->signature,
+				   &signedData->signatureAlgorithm)) {
+	    printf("PROBLEM: Algorithm in sig and certInfo don't match.\n");
+	}
+    }
+
+    if (SECOID_CompareAlgorithmID(&cert->subjectPublicKeyInfo.algorithm,
+			       &rsaEncryption)) {
+	printf("PROBLEM: Public key algorithm is not PKCS1 RSA Encryption.\n");
+    }
+
+    /* Check further public key properties */
+    spk = cert->subjectPublicKeyInfo.subjectPublicKey;
+    DER_ConvertBitString(&spk);
+
+    if (verbose) {
+	printf("\nsubjectPublicKey DER\n");
+	rv = DER_PrettyPrint(stdout, &spk, PR_FALSE);
+	printf("\n");
+    }
+
+    rsapubkey = (SECKEYPublicKey *) 
+	             PORT_ArenaZAlloc(arena,sizeof(SECKEYPublicKey));
+    if (!rsapubkey) {
+	fprintf(stderr, "%s: rsapubkey allocation failed.\n", progName);
+	exit(1);
+    }
+
+    rv = SEC_ASN1DecodeItem(arena, rsapubkey, 
+                            SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate), &spk);
+    if (rv) {
+	printf("PROBLEM: subjectPublicKey is not a DER PKCS1 RSAPublicKey.\n");
+    } else {
+	int mlen;
+	int pubexp;
+	if (verbose) {
+	    printf("Decoded RSA Public Key ok.  Doing key checks.\n");
+	}
+	PORT_Assert(rsapubkey->keyType == rsaKey); /* XXX RSA */
+	mlen = checkInteger(&rsapubkey->u.rsa.modulus, "Modulus", verbose);
+	printf("INFO: Public Key modulus length in bits: %d\n", mlen);
+	if (mlen > MAX_MODULUS) {
+	    printf("PROBLEM: Modulus length exceeds %d bits.\n",
+		   MAX_MODULUS);
+	}
+	if (mlen < 512) {
+	    printf("WARNING: Short modulus.\n");
+	}
+	if (mlen != (1 << (ffs(mlen)-1))) {
+	    printf("WARNING: Unusual modulus length (not a power of two).\n");
+	}
+	checkInteger(&rsapubkey->u.rsa.publicExponent, "Public Exponent",
+                     verbose);
+	pubexp = DER_GetInteger(&rsapubkey->u.rsa.publicExponent);
+	if (pubexp != 17 && pubexp != 3 && pubexp != 65537) {
+	    printf("WARNING: Public exponent not any of: 3, 17, 65537\n");
+	}
+    }
+
+
+    /* Name checks */
+    checkName(&cert->issuer, "Issuer Name", verbose);
+    checkName(&cert->subject, "Subject Name", verbose);
+
+    if (issuerCert) {
+	SECComparison c =
+	    CERT_CompareName(&cert->issuer, &issuerCert->subject);
+	if (c) {
+         printf("PROBLEM: Issuer Name and Subject in Issuing Cert differ\n");
+        }
+    }
+
+    /* Check if self-signed */
+    selfSigned = (CERT_CompareName(&cert->issuer, &cert->subject) == 0);
+    if (selfSigned) {
+	printf("INFO: Certificate is self signed.\n");
+    } else {
+	printf("INFO: Certificate is NOT self-signed.\n");
+    }
+
+
+    /* Validity time check */
+    if (CERT_CertTimesValid(cert) == SECSuccess) {
+	printf("INFO: Inside validity period of certificate.\n");
+    } else {
+	printf("PROBLEM: Not in validity period of certificate.\n");
+	invalid = 1;
+    }
+
+    /* Signature check if self-signed */
+    if (selfSigned && !invalid) {
+	if (rsapubkey->u.rsa.modulus.len) {
+	    SECStatus ver;
+	    if (verbose) {
+		printf("Checking self signature.\n");
+	    }
+	    ver = OurVerifySignedData(signedData, cert);
+	    if (ver != SECSuccess) {
+		printf("PROBLEM: Verification of self-signature failed!\n");
+	    } else {
+		printf("INFO: Self-signature verifies ok.\n");
+	    }
+	} else {
+	    printf("INFO: Not checking signature due to key problems.\n");
+	}
+    } else if (!selfSigned && !invalid && issuerCert) {
+	SECStatus ver;
+	ver = OurVerifySignedData(signedData, issuerCert);
+	if (ver != SECSuccess) {
+	    printf("PROBLEM: Verification of issuer's signature failed!\n");
+	} else {
+	    printf("INFO: Issuer's signature verifies ok.\n");
+	}
+    } else {
+	printf("INFO: Not checking signature.\n");
+    }
+
+    return 0;    
+}
+
+
+
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/checkcert/manifest.mn
@@ -0,0 +1,19 @@
+# 
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+CORE_DEPTH	= ../..
+
+# MODULE public and private header  directories are implicitly REQUIRED.
+MODULE = nss 
+
+# This next line is used by .mk files
+# and gets translated into $LINCS in manifest.mnw
+REQUIRES = seccmd dbm 
+
+DEFINES = -DNSPR20
+
+CSRCS = checkcert.c
+
+PROGRAM	= checkcert
--- a/security/nss/cmd/fipstest/fipstest.c
+++ b/security/nss/cmd/fipstest/fipstest.c
@@ -5339,19 +5339,19 @@ rsa_siggen_test(char *reqfn)
 
             unsigned char msg[128]; /* MAX msg 128 */
             unsigned int rsa_bytes_signed;
             unsigned char rsa_computed_signature[RSA_MAX_TEST_MODULUS_BYTES];
             SECStatus       rv = SECFailure;
             NSSLOWKEYPublicKey  * rsa_public_key;
             NSSLOWKEYPrivateKey * rsa_private_key;
             NSSLOWKEYPrivateKey   low_RSA_private_key = { NULL,
-                                                NSSLOWKEYRSAKey };
+                                                NSSLOWKEYRSAKey, };
             NSSLOWKEYPublicKey    low_RSA_public_key = { NULL,
-                                                NSSLOWKEYRSAKey };
+                                                NSSLOWKEYRSAKey, };
 
             low_RSA_private_key.u.rsa = *rsaBlapiPrivKey;
             low_RSA_public_key.u.rsa = *rsaBlapiPublicKey;
 
             rsa_private_key = &low_RSA_private_key;
             rsa_public_key = &low_RSA_public_key;
 
             memset(sha, 0, sizeof sha);
@@ -5605,17 +5605,17 @@ rsa_sigver_test(char *reqfn)
 
         }
 
         /* S = ... */
         if (buf[0] == 'S') {
             SECStatus rv = SECFailure;
             NSSLOWKEYPublicKey  * rsa_public_key;
             NSSLOWKEYPublicKey    low_RSA_public_key = { NULL,
-                                                  NSSLOWKEYRSAKey };
+                                                  NSSLOWKEYRSAKey, };
 
             /* convert to a low RSA public key */
             low_RSA_public_key.u.rsa = rsaBlapiPublicKey;
             rsa_public_key = &low_RSA_public_key;
 
             memset(signature, 0, sizeof(signature));
             i = 1;
             while (isspace(buf[i]) || buf[i] == '=') {
--- a/security/nss/cmd/httpserv/httpserv.c
+++ b/security/nss/cmd/httpserv/httpserv.c
@@ -1263,21 +1263,21 @@ main(int argc, char **argv)
 	FILE *tmpfile=fopen(pidFile,"w+");
 
 	if (tmpfile) {
 	    fprintf(tmpfile,"%d",getpid());
 	    fclose(tmpfile);
 	}
     }
 
-    tmp = PR_GetEnvSecure("TMP");
+    tmp = getenv("TMP");
     if (!tmp)
-	tmp = PR_GetEnvSecure("TMPDIR");
+	tmp = getenv("TMPDIR");
     if (!tmp)
-	tmp = PR_GetEnvSecure("TEMP");
+	tmp = getenv("TEMP");
     /* we're an ordinary single process server. */
     listen_sock = getBoundListenSocket(port);
     prStatus = PR_SetFDInheritable(listen_sock, PR_FALSE);
     if (prStatus != PR_SUCCESS)
         errExit("PR_SetFDInheritable");
 
     lm = PR_NewLogModule("TestCase");
 
--- a/security/nss/cmd/lib/derprint.c
+++ b/security/nss/cmd/lib/derprint.c
@@ -25,23 +25,16 @@ getInteger256(const unsigned char *data,
 	break;
       case 2:
 	val = (data[0] << 8) | data[1];
 	break;
       case 3:
 	val = (data[0] << 16) | (data[1] << 8) | data[2];
 	break;
       case 4:
-	/* If the most significant bit of data[0] is 1, val would be negative.
-	 * Treat it as an error.
-	 */
-	if (data[0] & 0x80) {
-	    PORT_SetError(SEC_ERROR_BAD_DER);
-	    return -1;
-	}
 	val = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
 	break;
       default:
 	PORT_SetError(SEC_ERROR_BAD_DER);
 	return -1;
     }
 
     return val;
@@ -234,20 +227,16 @@ prettyPrintObjectID(FILE *out, const uns
     /*
      * First print the Object Id in numeric format
      */
 
     rv = prettyIndent(out, level);
     if (rv < 0)
 	return rv;
 
-    if (len == 0) {
-	PORT_SetError(SEC_ERROR_BAD_DER);
-	return -1;
-    }
     val = data[0];
     i   = val % 40;
     val = val / 40;
     rv = fprintf(out, "%lu %u ", val, i);
     if (rv < 0) {
 	PORT_SetError(SEC_ERROR_IO);
 	return rv;
     }
@@ -288,27 +277,34 @@ prettyPrintObjectID(FILE *out, const uns
 
 	rv = fprintf(out, "(%s)", oiddata->desc);
 	if (rv < 0) {
 	    PORT_SetError(SEC_ERROR_IO);
 	    return rv;
 	}
     }
 
-    rv = prettyNewline(out);
-    if (rv < 0)
-	return rv;
+    /*
+     * Finally, on a new line, print the raw bytes (if requested).
+     */
+    if (raw) {
+	rv = prettyNewline(out);
+	if (rv < 0) {
+	    PORT_SetError(SEC_ERROR_IO);
+	    return rv;
+	}
 
-    if (raw) {
-	rv = prettyPrintLeaf(out, data, len, level);
-	if (rv < 0)
-	    return rv;
+	for (i = 0; i < len; i++) {
+	    rv = prettyPrintByte(out, *data++, level);
+	    if (rv < 0)
+		return rv;
+	}
     }
 
-    return 0;
+    return prettyNewline(out);
 }
 
 static char *prettyTagType [32] = {
   "End of Contents",
   "Boolean",
   "Integer",
   "Bit String",
   "Octet String",
@@ -422,17 +418,16 @@ prettyPrintLength(FILE *out, const unsig
     if (rv < 0) {
         PORT_SetError(SEC_ERROR_IO);
 	return rv;
     }
 
     *indefinitep = PR_FALSE;
 
     lbyte = *data++;
-    lenLen = 1;
     if (lbyte >= 0x80) {
 	/* Multibyte length */
 	unsigned nb = (unsigned) (lbyte & 0x7f);
 	if (nb > 4) {
 	    PORT_SetError(SEC_ERROR_BAD_DER);
 	    return -1;
 	}
 	if (nb > 0) {
@@ -444,31 +439,32 @@ prettyPrintLength(FILE *out, const unsig
 	    }
 	    il = getInteger256(data, nb);
 	    if (il < 0) return -1;
 	    *lenp = (unsigned) il;
 	} else {
 	    *lenp = 0;
 	    *indefinitep = PR_TRUE;
 	}
-	lenLen += nb;
+	lenLen = nb + 1;
 	if (raw) {
 	    unsigned int i;
 
 	    rv = prettyPrintByte(out, lbyte, lv);
 	    if (rv < 0)
 		return rv;
 	    for (i = 0; i < nb; i++) {
 		rv = prettyPrintByte(out, data[i], lv);
 		if (rv < 0)
 		    return rv;
 	    }
 	}
     } else {
 	*lenp = lbyte;
+	lenLen = 1;
 	if (raw) {
 	    rv = prettyPrintByte(out, lbyte, lv);
 	    if (rv < 0)
 		return rv;
 	}
     }
     if (*indefinitep)
 	rv = fprintf(out, "(indefinite)\n");
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -411,23 +411,20 @@ struct matchobj {
 };
 
 char *
 SECU_DefaultSSLDir(void)
 {
     char *dir;
     static char sslDir[1000];
 
-    dir = PR_GetEnvSecure("SSL_DIR");
+    dir = PR_GetEnv("SSL_DIR");
     if (!dir)
 	return NULL;
 
-    if (strlen(dir) >= PR_ARRAY_SIZE(sslDir)) {
-	return NULL;
-    }
     sprintf(sslDir, "%s", dir);
 
     if (sslDir[strlen(sslDir)-1] == '/')
 	sslDir[strlen(sslDir)-1] = 0;
 
     return sslDir;
 }
 
@@ -450,17 +447,17 @@ SECU_ConfigDirectory(const char* base)
     const char *dir = ".netscape";
     char *home;
     static char buf[1000];
 
     if (initted) return buf;
     
 
     if (base == NULL || *base == 0) {
-	home = PR_GetEnvSecure("HOME");
+	home = PR_GetEnv("HOME");
 	if (!home) home = "";
 
 	if (*home && home[strlen(home) - 1] == '/')
 	    sprintf (buf, "%.900s%s", home, dir);
 	else
 	    sprintf (buf, "%.900s/%s", home, dir);
     } else {
 	sprintf(buf, "%.900s", base);
@@ -3298,17 +3295,16 @@ SECU_displayVerifyLog(FILE *outfile, CER
 		    break;
 		case KU_KEY_CERT_SIGN:
 		    errstr = "Cert cannot sign other certs.";
 		    break;
 		default:
 		    errstr = "[unknown usage].";
 		    break;
 		}
-		break;
 	    case SEC_ERROR_INADEQUATE_CERT_TYPE:
 		flags = (unsigned int)((char *)node->arg - (char *)NULL);
 		switch (flags) {
 		case NS_CERT_TYPE_SSL_CLIENT:
 		case NS_CERT_TYPE_SSL_SERVER:
 		    errstr = "Cert cannot be used for SSL.";
 		    break;
 		case NS_CERT_TYPE_SSL_CA:
@@ -3325,17 +3321,16 @@ SECU_displayVerifyLog(FILE *outfile, CER
 		    break;
 		case NS_CERT_TYPE_OBJECT_SIGNING_CA:
 		    errstr = "Cert cannot be used as an object signing CA.";
 		    break;
 		default:
 		    errstr = "[unknown usage].";
 		    break;
 		}
-		break;
 	    case SEC_ERROR_UNKNOWN_ISSUER:
 	    case SEC_ERROR_UNTRUSTED_ISSUER:
 	    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
 		errstr = node->cert->issuerName;
 		break;
 	    default:
 		break;
 	    }
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -111,17 +111,17 @@ extern SECStatus SEC_WriteDongleFile(int
 extern char *SEC_ReadDongleFile(int fd);
 
 
 /* End stolen headers */
 
 /* Just sticks the two strings together with a / if needed */
 char *SECU_AppendFilenameToDir(char *dir, char *filename);
 
-/* Returns result of PR_GetEnvSecure("SSL_DIR") or NULL */
+/* Returns result of getenv("SSL_DIR") or NULL */
 extern char *SECU_DefaultSSLDir(void);
 
 /*
 ** Should be called once during initialization to set the default 
 **    directory for looking for cert.db, key.db, and cert-nameidx.db files
 ** Removes trailing '/' in 'base' 
 ** If 'base' is NULL, defaults to set to .netscape in home directory.
 */
--- a/security/nss/cmd/libpkix/pkix/top/test_validatechain_NB.c
+++ b/security/nss/cmd/libpkix/pkix/top/test_validatechain_NB.c
@@ -244,17 +244,17 @@ int test_validatechain_NB(int argc, char
                 NULL,
                 PKIX_FALSE,
                 PKIX_FALSE,
                 PKIX_FALSE,
                 PKIX_FALSE,
                 chainCerts,
                 plContext);
 
-        ldapName = PR_GetEnvSecure("LDAP");
+        ldapName = PR_GetEnv("LDAP");
         /* Is LDAP set in the environment? */
         if ((ldapName == NULL) || (*ldapName == '\0')) {
                 testError("LDAP not set in environment");
                 goto cleanup;
         }
 
         pkixTestErrorResult = pkix_pl_Socket_CreateByName
                 (PKIX_FALSE,       /* isServer */
@@ -271,17 +271,17 @@ int test_validatechain_NB(int argc, char
                 testError("Unable to connect to LDAP Server");
                 goto cleanup;
         }
 
         PKIX_TEST_DECREF_BC(socket);
 
         testSetupCertStore(valParams, ldapName);
 
-        logging = PR_GetEnvSecure("LOGGING");
+        logging = PR_GetEnv("LOGGING");
         /* Is LOGGING set in the environment? */
         if ((logging != NULL) && (*logging != '\0')) {
 
                 PKIX_TEST_EXPECT_NO_ERROR
                         (PKIX_List_Create(&loggers, plContext));
 
 		testLogErrors
 			(PKIX_VALIDATE_ERROR, 2, loggers, plContext);
--- a/security/nss/cmd/libpkix/pkixutil/pkixutil.c
+++ b/security/nss/cmd/libpkix/pkixutil/pkixutil.c
@@ -149,17 +149,17 @@ testFunctionRef testFnRefTable[] = {
     {"test_hashtable",                 test_hashtable},
     {"test_mem",                       test_mem},
     {"test_monitorlock",               test_monitorlock},
     {"test_mutex",                     test_mutex},
     {"test_mutex2",                    test_mutex2},
     {"test_mutex3",                    test_mutex3},
     {"test_object",                    test_object},
     {"test_oid",                       test_oid},
-/*  {"test_rwlock",                    test_rwlock }*/
+/*  {"test_rwlock",                    test_rwlock, }*/
     {"test_string",                    test_string},
     {"test_string2",                   test_string2},
     {"build_chain",                    build_chain},
     {"dumpcert",                       dumpcert},
     {"dumpcrl",                        dumpcrl},
     {"validate_chain",                 validate_chain},
     {NULL,                             NULL },
 };
--- a/security/nss/cmd/makepqg/makepqg.c
+++ b/security/nss/cmd/makepqg/makepqg.c
@@ -23,17 +23,17 @@
 char  *progName;
 
 
 const SEC_ASN1Template seckey_PQGParamsTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) },
-    { 0 }
+    { 0, }
 };
 
 
 
 void
 Usage(void)
 {
     fprintf(stderr, "Usage:  %s\n", progName);
--- a/security/nss/cmd/manifest.mn
+++ b/security/nss/cmd/manifest.mn
@@ -1,53 +1,35 @@
 #
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 DEPTH	= ..
 # MODULE	= seccmd
 
-SOFTOKEN_SRCDIRS=
-NSS_SRCDIRS=
-LIB_SRCDIRS=
-
-ifdef NSS_BUILD_UTIL_ONLY
-REQUIRES = nspr
-else
 REQUIRES = nss nspr libdbm
-LIB_SRCDIRS = \
- lib \
- $(NULL)
-endif
 
-ifndef NSS_BUILD_UTIL_ONLY
-SOFTOKEN_SRCDIRS = \
- $(BLTEST_SRCDIR) \
- $(FIPSTEST_SRCDIR)  \
- $(LOWHASHTEST_SRCDIR)  \
- $(SHLIBSIGN_SRCDIR) \
- $(NULL)
-endif
-
-ifndef NSS_BUILD_SOFTOKEN_ONLY
-ifndef NSS_BUILD_UTIL_ONLY
-NSS_SRCDIRS = \
+DIRS = lib  \
  addbuiltin \
  atob  \
+ $(BLTEST_SRCDIR) \
  btoa  \
  certcgi \
  certutil  \
+ checkcert  \
  chktest  \
  crlutil  \
  crmftest \
  dbtest \
  derdump  \
  digest  \
  httpserv  \
+ $(FIPSTEST_SRCDIR)  \
+ $(LOWHASHTEST_SRCDIR)  \
  listsuites \
  makepqg  \
  multinit \
  ocspclnt  \
  ocspresp \
  oidcalc  \
  p7content  \
  p7env  \
@@ -60,33 +42,27 @@ NSS_SRCDIRS = \
  pkix-errcodes \
  pp  \
  pwdecrypt \
  rsaperf \
  sdrtest \
  selfserv  \
  signtool \
  signver \
+ $(SHLIBSIGN_SRCDIR) \
  smimetools  \
  ssltap  \
  strsclnt \
  symkeyutil \
  tests \
  tstclnt  \
  vfychain \
  vfyserv \
  modutil \
  $(NULL)
-endif
-endif
-
-DIRS = \
- $(LIB_SRCDIRS) \
- $(SOFTOKEN_SRCDIRS) \
- $(NSS_SRCDIRS)
 
 TEMPORARILY_DONT_BUILD = \
  $(NULL)
 
 # rsaperf  \
 #
 #       needs to look at what needs to happen to make jar build in
 # the binary release environment.
--- a/security/nss/cmd/modutil/install-ds.c
+++ b/security/nss/cmd/modutil/install-ds.c
@@ -188,29 +188,31 @@ Pk11Install_File_Generate(Pk11Install_Fi
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE)){
 					errStr = PR_smprintf(errString[BOGUS_RELATIVE_DIR], 
                                     _this->jarPath);
 					goto loser;
 				}
 				_this->relativePath = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(&subiter);
+				Pk11Install_ListIter_delete(subiter);
+				subiter = NULL;
 
 				/* Absolute directory */
 			} else if( !PORT_Strcasecmp(subpair->key, ABSOLUTE_DIR_STRING)) {
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE)){
 					errStr = PR_smprintf(errString[BOGUS_ABSOLUTE_DIR], 
                                     _this->jarPath);
 					goto loser;
 				}
 				_this->absolutePath = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(&subiter);
+				Pk11Install_ListIter_delete(subiter);
+				subiter = NULL;
 
 			/* file permissions */
 			} else if( !PORT_Strcasecmp(subpair->key,
                                      FILE_PERMISSIONS_STRING)) {
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE) ||
 				   !subval->string || !subval->string[0]){
@@ -220,17 +222,18 @@ Pk11Install_File_Generate(Pk11Install_Fi
 				}
 				_this->permissions = (int) strtol(subval->string, &endp, 8);
 				if(*endp != '\0') {
 					errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS],
                                     _this->jarPath);
 					goto loser;
 				}
 				gotPerms = PR_TRUE;
-				Pk11Install_ListIter_delete(&subiter);
+				Pk11Install_ListIter_delete(subiter);
+				subiter = NULL;
 			}
 		} else {
 			if(!PORT_Strcasecmp(val->string, EXECUTABLE_STRING)) {
 				_this->executable = PR_TRUE;
 			}
 		}
 	}
 
@@ -252,20 +255,22 @@ Pk11Install_File_Generate(Pk11Install_Fi
 	if(!_this->absolutePath) {
 		errStr = PR_smprintf(errString[NO_ABSOLUTE_DIR], _this->jarPath);
 		goto loser;
 	}
 #endif
 
 loser:
 	if(iter) {
-		Pk11Install_ListIter_delete(&iter);
+		Pk11Install_ListIter_delete(iter);
+		PR_Free(iter);
 	}
 	if(subiter) {
-		Pk11Install_ListIter_delete(&subiter);
+		Pk11Install_ListIter_delete(subiter);
+		PR_Free(subiter);
 	}
 	return errStr;
 }
 
 /*
 //////////////////////////////////////////////////////////////////////////
 // Method:	Print
 // Class:	Pk11Install_File
@@ -626,25 +631,22 @@ Pk11Install_PlatformName_GetVerString(Pk
 /*
 //////////////////////////////////////////////////////////////////////////
 // Method:	Print
 // Class:	Pk11Install_PlatformName
 */
 void
 Pk11Install_PlatformName_Print(Pk11Install_PlatformName* _this, int pad)
 {
-	char *str = NULL;
 	PAD(pad); printf("OS: %s\n", _this->OS ? _this->OS : "<NULL>");
 	PAD(pad); printf("Digits: ");
 	if(_this->numDigits == 0) {
 		printf("None\n");
 	} else {
-		str = Pk11Install_PlatformName_GetVerString(_this);
-		printf("%s\n", str);
-		PR_Free(str);
+		printf("%s\n", Pk11Install_PlatformName_GetVerString(_this));
 	}
 	PAD(pad); printf("arch: %s\n", _this->arch ? _this->arch : "<NULL>");
 }
 
 Pk11Install_Platform*
 Pk11Install_Platform_new()
 {
 	Pk11Install_Platform* new_this;
@@ -763,33 +765,37 @@ Pk11Install_Platform_Generate(Pk11Instal
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE)) {
 					errStr = PR_smprintf(errString[BOGUS_MODULE_FILE],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
 				_this->moduleFile = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(&subiter);
+				Pk11Install_ListIter_delete(subiter);
+				PR_Free(subiter);
+				subiter = NULL;
 				gotModuleFile = PR_TRUE;
 			} else if(!PORT_Strcasecmp(subpair->key, MODULE_NAME_STRING)){
 				if(gotModuleName) {
 					errStr = PR_smprintf(errString[REPEAT_MODULE_NAME],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
 				subiter = Pk11Install_ListIter_new(subpair->list);
 				subval = subiter->current;
 				if(!subval || (subval->type != STRING_VALUE)) {
 					errStr = PR_smprintf(errString[BOGUS_MODULE_NAME],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
 				_this->moduleName = PR_Strdup(subval->string);
-				Pk11Install_ListIter_delete(&subiter);
+				Pk11Install_ListIter_delete(subiter);
+				PR_Free(subiter);
+				subiter = NULL;
 				gotModuleName = PR_TRUE;
 			} else if(!PORT_Strcasecmp(subpair->key, MECH_FLAGS_STRING)) {
 				endptr=NULL;
 
 				if(gotMech) {
 					errStr = PR_smprintf(errString[REPEAT_MECH],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
@@ -802,17 +808,19 @@ Pk11Install_Platform_Generate(Pk11Instal
 					goto loser;
 				}
 				_this->mechFlags = strtol(subval->string, &endptr, 0);
 				if(*endptr!='\0' || (endptr==subval->string) ) {
 					errStr = PR_smprintf(errString[BOGUS_MECH_FLAGS],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
-				Pk11Install_ListIter_delete(&subiter);
+				Pk11Install_ListIter_delete(subiter);
+				PR_Free(subiter);
+				subiter=NULL;
 				gotMech = PR_TRUE;
 			} else if(!PORT_Strcasecmp(subpair->key,CIPHER_FLAGS_STRING)) {
 				endptr=NULL;
 
 				if(gotCipher) {
 					errStr = PR_smprintf(errString[REPEAT_CIPHER],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
@@ -825,17 +833,19 @@ Pk11Install_Platform_Generate(Pk11Instal
 					goto loser;
 				}
 				_this->cipherFlags = strtol(subval->string, &endptr, 0);
 				if(*endptr!='\0' || (endptr==subval->string) ) {
 					errStr = PR_smprintf(errString[BOGUS_CIPHER_FLAGS],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
-				Pk11Install_ListIter_delete(&subiter);
+				Pk11Install_ListIter_delete(subiter);
+				PR_Free(subiter);
+				subiter=NULL;
 				gotCipher = PR_TRUE;
 			} else if(!PORT_Strcasecmp(subpair->key, FILES_STRING)) {
 				if(gotFiles) {
 					errStr = PR_smprintf(errString[REPEAT_FILES],
                                     Pk11Install_PlatformName_GetString(&_this->name));
 					goto loser;
 				}
 				subiter = Pk11Install_ListIter_new(subpair->list);
@@ -1074,17 +1084,19 @@ Pk11Install_Info_Generate(Pk11Install_In
 					if(subval->type == STRING_VALUE) {
 						errStr = Pk11Install_PlatformName_Generate(
                               &_this->forwardCompatible[i], subval->string);
 						if(errStr) {
 							goto loser;
 						}
 					}
 				}
-				Pk11Install_ListIter_delete(&subiter);
+				Pk11Install_ListIter_delete(subiter);
+				PR_Free(subiter);
+				subiter = NULL;
 			} else if(!PORT_Strcasecmp(pair->key, PLATFORMS_STRING)) {
 				subiter = Pk11Install_ListIter_new(pair->list);
 				_this->numPlatforms = pair->list->numPairs;
 				_this->platforms = (Pk11Install_Platform*)
                             PR_Malloc(sizeof(Pk11Install_Platform)*
                             _this->numPlatforms);
 				for(i=0; i < _this->numPlatforms; i++, 
                        Pk11Install_ListIter_nextItem(subiter)) {
@@ -1092,17 +1104,19 @@ Pk11Install_Info_Generate(Pk11Install_In
 					subval = subiter->current;
 					if(subval->type == PAIR_VALUE) {
 						errStr = Pk11Install_Platform_Generate(&_this->platforms[i],subval->pair);
 						if(errStr) {
 							goto loser;
 						}
 					}
 				}
-				Pk11Install_ListIter_delete(&subiter);
+				Pk11Install_ListIter_delete(subiter);
+				PR_Free(subiter);
+				subiter = NULL;
 			}
 		}
 	}
 
 	if(_this->numPlatforms == 0) {
 		errStr = PR_smprintf(errString[NO_PLATFORMS]);
 		goto loser;
 	}
@@ -1173,20 +1187,24 @@ Pk11Install_Info_Generate(Pk11Install_In
 				first = first->equiv;
 			}
 			_this->platforms[i].equiv = first;
 		}
 	}
 
 loser:
 	if(iter) {
-		Pk11Install_ListIter_delete(&iter);
+		Pk11Install_ListIter_delete(iter);
+		PR_Free(iter);
+		iter = NULL;
 	}
 	if(subiter) {
-		Pk11Install_ListIter_delete(&subiter);
+		Pk11Install_ListIter_delete(subiter);
+		PR_Free(subiter);
+		subiter = NULL;
 	}
 	return errStr;
 }
 
 /*
 //////////////////////////////////////////////////////////////////////////
 // Method:		GetBestPlatform
 // Class:		Pk11Install_Info
@@ -1325,22 +1343,20 @@ Pk11Install_ListIter_new(const Pk11Insta
                     PR_Malloc(sizeof(Pk11Install_ListIter));
 	new_this->list = _list;
 	new_this->current = _list->head;
 	return new_this;
 }
 
 /****************************************************************************/
 void
-Pk11Install_ListIter_delete(Pk11Install_ListIter** _this)
+Pk11Install_ListIter_delete(Pk11Install_ListIter* _this)
 {
-	(*_this)->list=NULL;
-	(*_this)->current=NULL;
-	PR_Free(*_this);
-	*_this=NULL;
+	_this->list=NULL;
+	_this->current=NULL;
 }
 
 /****************************************************************************/
 void
 Pk11Install_ListIter_reset(Pk11Install_ListIter* _this)
 {
 	if(_this->list) {
 		_this->current = _this->list->head;
--- a/security/nss/cmd/modutil/install-ds.h
+++ b/security/nss/cmd/modutil/install-ds.h
@@ -119,17 +119,17 @@ struct Pk11Install_ListIter_str {
 
 Pk11Install_ListIter* 
 Pk11Install_ListIter_new_default();
 void
 Pk11Install_ListIter_init(Pk11Install_ListIter* _this);
 Pk11Install_ListIter*
 Pk11Install_ListIter_new(const Pk11Install_ValueList* _list);
 void
-Pk11Install_ListIter_delete(Pk11Install_ListIter** _this);
+Pk11Install_ListIter_delete(Pk11Install_ListIter* _this);
 void
 Pk11Install_ListIter_reset(Pk11Install_ListIter* _this);
 Pk11Install_Value*
 Pk11Install_ListIter_nextItem(Pk11Install_ListIter* _this);
 
 /************************************************************************
  *
  * Pk11Install_File
--- a/security/nss/cmd/modutil/installparse.c
+++ b/security/nss/cmd/modutil/installparse.c
@@ -196,19 +196,19 @@ Pk11Install_yyerror(char *message)
 #define YYACCEPT goto yyaccept
 #define YYERROR goto yyerrlab
 int
 yyparse()
 {
     register int yym, yyn, yystate;
 #if YYDEBUG
     register char *yys;
-    extern char *PR_GetEnvSecure();
+    extern char *getenv();
 
-    if ((yys = PR_GetEnvSecure("YYDEBUG")) != NULL)
+    if ((yys = getenv("YYDEBUG")) != NULL)
     {
         yyn = *yys;
         if (yyn >= '0' && yyn <= '9')
             yydebug = yyn - '0';
     }
 #endif
 
     yynerrs = 0;
--- a/security/nss/cmd/pk11mode/pk11mode.c
+++ b/security/nss/cmd/pk11mode/pk11mode.c
@@ -749,17 +749,17 @@ cleanup:
     }
     if (moduleSpec) {
         PR_smprintf_free(moduleSpec);
     }
 
 #ifdef _WIN32
     FreeLibrary(hModule);
 #else
-    disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
+    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
     if (!disableUnload) {
         PR_UnloadLibrary(lib);
     }
 #endif
     if (CKR_OK == crv && doForkTests && !disableUnload) {
         /* try to fork with softoken both de-initialized and unloaded */
         crv = PKM_ForkCheck(123, NULL, PR_TRUE, NULL);
     }
--- a/security/nss/cmd/pk11util/pk11util.c
+++ b/security/nss/cmd/pk11util/pk11util.c
@@ -1399,17 +1399,17 @@ putOutput(Value **ptr)
     }
 }
 	   
 CK_RV
 unloadModule(Module *module)
 {
     char *disableUnload = NULL;
 
-    disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
+    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
 
     if (module->library && !disableUnload) {
 	PR_UnloadLibrary(module->library);
     }
 
     module->library = NULL;
     module->functionList = NULL;
 
--- a/security/nss/cmd/pk1sign/pk1sign.c
+++ b/security/nss/cmd/pk1sign/pk1sign.c
@@ -39,18 +39,18 @@ SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplat
 SEC_ASN1Template CERTSignatureDataTemplate[] =
 {
     { SEC_ASN1_SEQUENCE,
           0, NULL, sizeof(CERTSignedData) },
     { SEC_ASN1_INLINE,
           offsetof(CERTSignedData,signatureAlgorithm),
           SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
     { SEC_ASN1_BIT_STRING,
-          offsetof(CERTSignedData,signature) },
-    { 0 }
+          offsetof(CERTSignedData,signature), },
+    { 0, }
 };
 
 
 static void
 Usage(char *progName)
 {
     fprintf(stderr,
 	    "Usage:  %s -k keyname [-d keydir] [-i input] [-o output]\n",
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -46,140 +46,91 @@ else
 CRYPTOLIB=$(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 SOFTOKENLIB=
 EXTRA_SHARED_LIBS += \
 	-L$(SOFTOKEN_LIB_DIR) \
 	-lsoftokn3 \
 	$(NULL)
 endif
 
-ifndef NSS_BUILD_SOFTOKEN_ONLY
 PKIXLIB = \
 	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixutil.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixsystem.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixcrlsel.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixmodule.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixstore.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixparams.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixchecker.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixpki.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixtop.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixresults.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkixcertsel.$(LIB_SUFFIX)
-endif
-
-NSS_LIBS_1=
-SECTOOL_LIB=
-NSS_LIBS_2=
-NSS_LIBS_3=
-NSS_LIBS_4=
 
-ifneq ($(NSS_BUILD_UTIL_ONLY),1)
-SECTOOL_LIB = \
-	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
-	$(NULL)
-else
-SECTOOL_LIB = \
-	$(NULL)
-endif
+# can't do this in manifest.mn because OS_ARCH isn't defined there.
+ifeq ($(OS_ARCH), WINNT)
 
-ifneq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
-ifeq ($(OS_ARCH), WINNT)
-# breakdown for windows
-NSS_LIBS_1 = \
+EXTRA_LIBS += \
 	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-	$(NULL)
-NSS_LIBS_2 = \
+	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
-	$(NULL)
-NSS_LIBS_3 = \
+	$(SOFTOKENLIB) \
+	$(CRYPTOLIB) \
 	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
 	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
 	$(PKIXLIB) \
 	$(DBMLIB) \
-	$(NULL)
-NSS_LIBS_4 = \
 	$(SQLITE_LIB_DIR)/$(LIB_PREFIX)$(SQLITE_LIB_NAME).$(LIB_SUFFIX) \
 	$(NSSUTIL_LIB_DIR)/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
 	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
 	$(NULL)
-else
-# breakdown for others
-NSS_LIBS_1 = \
-	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-	$(NULL)
-SECTOOL_LIB = \
-	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
-	$(NULL)
-NSS_LIBS_2 = \
-	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
-	$(NULL)
-NSS_LIBS_3 = \
-	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
-	$(NULL)
-NSS_LIBS_4 = \
-	$(DBMLIB) \
-	$(PKIXLIB) \
-	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
-	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
-	$(NULL)
-endif
-endif
-
-# can't do this in manifest.mn because OS_ARCH isn't defined there.
-ifeq ($(OS_ARCH), WINNT)
-
-EXTRA_LIBS += \
-	$(NSS_LIBS_1) \
-	$(SECTOOL_LIB) \
-	$(NSS_LIBS_2) \
-	$(SOFTOKENLIB) \
-	$(CRYPTOLIB) \
-	$(NSS_LIBS_3) \
-	$(NSS_LIBS_4) \
-	$(NULL)
 
 # $(PROGRAM) has NO explicit dependencies on $(OS_LIBS)
 #OS_LIBS += \
 	wsock32.lib \
 	winmm.lib \
 	$(NULL)
 else
 
 EXTRA_LIBS += \
-	$(NSS_LIBS_1) \
-	$(SECTOOL_LIB) \
-	$(NSS_LIBS_2) \
+	$(DIST)/lib/$(LIB_PREFIX)smime.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
 	$(SOFTOKENLIB) \
-	$(NSS_LIBS_3) \
+	$(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
 	$(CRYPTOLIB) \
-	$(NSS_LIBS_4) \
+	$(DBMLIB) \
+	$(PKIXLIB) \
+	$(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
 	$(NULL)
 
 ifeq ($(OS_ARCH), AIX) 
 EXTRA_SHARED_LIBS += -brtl 
 endif
 
 # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
 # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -220,17 +220,16 @@ PrintParameterUsage()
 "           good, revoked, unknown, failure, badsig, corrupted\n"
 "   ocsp: fetch from external OCSP server using AIA, or none\n"
 "-A <ca> Nickname of a CA used to sign a stapled cert status\n"
 "-U override default ECDHE ephemeral key reuse, 0: refresh, 1: reuse\n"
 "-H override default DHE server support, 0: disable, 1: enable\n"
 "-W override default DHE server weak parameters support, 0: disable, 1: enable\n"
 "-c Restrict ciphers\n"
 "-Y prints cipher values allowed for parameter -c and exits\n"
-"-G enables the extended master secret extension [RFC7627]\n"
     , stderr);
 }
 
 static void
 Usage(const char *progName)
 {
     PrintUsageHeader(progName);
     PrintParameterUsage();
@@ -2454,22 +2453,22 @@ main(int argc, char **argv)
     if (testBulk) {
         testBulkBuf = PORT_Malloc(testBulkSize);
         if (testBulkBuf == NULL)
             errExit("Out of memory: testBulkBuf");
         for (i = 0; i < testBulkSize; i++)
             testBulkBuf[i] = i;
     }
 
-    envString = PR_GetEnvSecure(envVarName);
-    tmp = PR_GetEnvSecure("TMP");
+    envString = getenv(envVarName);
+    tmp = getenv("TMP");
     if (!tmp)
-	tmp = PR_GetEnvSecure("TMPDIR");
+	tmp = getenv("TMPDIR");
     if (!tmp)
-	tmp = PR_GetEnvSecure("TEMP");
+	tmp = getenv("TEMP");
     if (envString) {
 	/* we're one of the children in a multi-process server. */
 	listen_sock = PR_GetInheritedFD(inheritableSockName);
 	if (!listen_sock)
 	    errExit("PR_GetInheritedFD");
 #ifndef WINNT
 	/* we can't do this on NT because it breaks NSPR and
 	PR_Accept will fail on the socket in the child process if
--- a/security/nss/cmd/shlibsign/shlibsign.c
+++ b/security/nss/cmd/shlibsign/shlibsign.c
@@ -1283,17 +1283,17 @@ cleanup:
         PL_strfree(output_file); 
     }
 #ifdef USES_LINKS
     if (link_file) { /* allocated by mkoutput function */
         PL_strfree(link_file); 
     }
 #endif
 
-    disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
+    disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
     if (!disableUnload) {
         PR_UnloadLibrary(lib);
     }
     PR_Cleanup();
 
     if (crv != CKR_OK)
 	return crv;
     
--- a/security/nss/cmd/signtool/javascript.c
+++ b/security/nss/cmd/signtool/javascript.c
@@ -59,17 +59,17 @@ static int	num_handlers = 23;
 int
 InlineJavaScript(char *dir, PRBool recurse)
 {
     jartree = dir;
     if (verbosity >= 0) {
 	PR_fprintf(outputFD, "\nGenerating inline signatures from HTML files in: %s\n",
 	     dir);
     }
-    if (PR_GetEnvSecure("SIGNTOOL_DUMP_PARSE")) {
+    if (PR_GetEnv("SIGNTOOL_DUMP_PARSE")) {
 	dumpParse = PR_TRUE;
     }
 
     return foreach(dir, "", javascript_fn, recurse, PR_FALSE /*include dirs*/,
          		(void * )NULL);
 
 }
 
--- a/security/nss/cmd/signtool/util.c
+++ b/security/nss/cmd/signtool/util.c
@@ -1,16 +1,15 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "signtool.h"
 #include "prio.h"
 #include "prmem.h"
-#include "prenv.h"
 #include "nss.h"
 
 static int	is_dir (char *filename);
 
 /***********************************************************
  * Nasty hackish function definitions
  */
 
@@ -977,30 +976,30 @@ InitCrypto(char *cert_dir, PRBool readOn
 char	*get_default_cert_dir (void)
 {
     char	*home;
 
     char	*cd = NULL;
     static char	db [FNSIZE];
 
 #ifdef XP_UNIX
-    home = PR_GetEnvSecure ("HOME");
+    home = getenv ("HOME");
 
     if (home && *home) {
 	sprintf (db, "%s/.netscape", home);
 	cd = db;
     }
 #endif
 
 #ifdef XP_PC
     FILE * fp;
 
     /* first check the environment override */
 
-    home = PR_GetEnvSecure ("JAR_HOME");
+    home = getenv ("JAR_HOME");
 
     if (home && *home) {
 	sprintf (db, "%s/cert7.db", home);
 
 	if ((fp = fopen (db, "r")) != NULL) {
 	    fclose (fp);
 	    cd = home;
 	}
--- a/security/nss/cmd/smimetools/cmsutil.c
+++ b/security/nss/cmd/smimetools/cmsutil.c
@@ -1064,19 +1064,19 @@ main(int argc, char **argv)
     char *envFileName;
     SECItem input = { 0, 0, 0};
     SECItem envmsg = { 0, 0, 0 };
     SECStatus rv;
     PRFileDesc *contentFile = NULL;
     PRBool      batch = PR_FALSE;
 
 #ifdef NISCC_TEST
-    const char *ev = PR_GetEnvSecure("NSS_DISABLE_ARENA_FREE_LIST");
+    const char *ev = PR_GetEnv("NSS_DISABLE_ARENA_FREE_LIST");
     PORT_Assert(ev); 
-    ev = PR_GetEnvSecure("NSS_STRICT_SHUTDOWN");
+    ev = PR_GetEnv("NSS_STRICT_SHUTDOWN");
     PORT_Assert(ev); 
 #endif 
 
     progName = strrchr(argv[0], '/');
     if (!progName)
        progName = strrchr(argv[0], '\\');
     progName = progName ? progName+1 : argv[0];
 
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -1443,17 +1443,17 @@ main(int argc, char **argv)
     if (port == 0)
 	Usage(progName);
 
     if (fileName)
     	readBigFile(fileName);
 
     PK11_SetPasswordFunc(SECU_GetModulePassword);
 
-    tmp = PR_GetEnvSecure("NSS_DEBUG_TIMEOUT");
+    tmp = PR_GetEnv("NSS_DEBUG_TIMEOUT");
     if (tmp && tmp[0]) {
         int sec = PORT_Atoi(tmp);
 	if (sec > 0) {
 	    maxInterval = PR_SecondsToInterval(sec);
     	}
     }
 
     /* Call the NSS initialization routines */
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -105,17 +105,16 @@ int renegotiationsDone = 0;
 static char *progName;
 
 secuPWData  pwdata          = { PW_NONE, 0 };
 
 void printSecurityInfo(PRFileDesc *fd)
 {
     CERTCertificate * cert;
     const SECItemArray *csa;
-    const SECItem *scts;
     SSL3Statistics * ssl3stats = SSL_GetStatistics();
     SECStatus result;
     SSLChannelInfo    channel;
     SSLCipherSuiteInfo suite;
 
     result = SSL_GetChannelInfo(fd, &channel, sizeof channel);
     if (result == SECSuccess && 
         channel.length == sizeof channel && 
@@ -158,21 +157,16 @@ void printSecurityInfo(PRFileDesc *fd)
     	ssl3stats->hsh_sid_cache_hits, ssl3stats->hsh_sid_cache_misses,
 	ssl3stats->hsh_sid_cache_not_ok, ssl3stats->hsh_sid_stateless_resumes);
 
     csa = SSL_PeerStapledOCSPResponses(fd);
     if (csa) {
         fprintf(stderr, "Received %d Cert Status items (OCSP stapled data)\n",
                 csa->len);
     }
-    scts = SSL_PeerSignedCertTimestamps(fd);
-    if (scts && scts->len) {
-        fprintf(stderr, "Received a Signed Certificate Timestamp of length"
-                " %u\n", scts->len);
-    }
 }
 
 void
 handshakeCallback(PRFileDesc *fd, void *client_data)
 {
     const char *secondHandshakeName = (char *)client_data;
     if (secondHandshakeName) {
         SSL_SetURL(fd, secondHandshakeName);
@@ -185,17 +179,17 @@ handshakeCallback(PRFileDesc *fd, void *
 }
 
 static void PrintUsageHeader(const char *progName)
 {
     fprintf(stderr, 
 "Usage:  %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
                     "[-D | -d certdir] [-C] [-b | -R root-module] \n"
 		    "[-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
-                    "[-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
+                    "[-V [min-version]:[max-version]] [-K] [-T]\n"
                     "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n", 
             progName);
 }
 
 static void PrintParameterUsage(void)
 {
     fprintf(stderr, "%-20s Send different SNI name. 1st_hs_name - at first\n"
                     "%-20s handshake, 2nd_hs_name - at second handshake.\n"
@@ -233,17 +227,16 @@ static void PrintParameterUsage(void)
     fprintf(stderr, "%-20s Use export policy.\n", "-x");
     fprintf(stderr, "%-20s Ping the server and then exit.\n", "-q");
     fprintf(stderr, "%-20s Timeout for server ping (default: no timeout).\n", "-t seconds");
     fprintf(stderr, "%-20s Renegotiate N times (resuming session if N>1).\n", "-r N");
     fprintf(stderr, "%-20s Enable the session ticket extension.\n", "-u");
     fprintf(stderr, "%-20s Enable compression.\n", "-z");
     fprintf(stderr, "%-20s Enable false start.\n", "-g");
     fprintf(stderr, "%-20s Enable the cert_status extension (OCSP stapling).\n", "-T");
-    fprintf(stderr, "%-20s Enable the signed_certificate_timestamp extension.\n", "-U");
     fprintf(stderr, "%-20s Enable the extended master secret extension (session hash).\n", "-G");
     fprintf(stderr, "%-20s Require fresh revocation info from side channel.\n"
                     "%-20s -F once means: require for server cert only\n"
                     "%-20s -F twice means: require for intermediates, too\n"
                     "%-20s (Connect, handshake with server, disable dynamic download\n"
                     "%-20s  of OCSP/CRL, verify cert using CERT_PKIXVerifyCert.)\n"
                     "%-20s Exit code:\n"
                     "%-20s 0: have fresh and valid revocation data, status good\n"
@@ -252,17 +245,16 @@ static void PrintParameterUsage(void)
                     "%-20s 3: have fresh and valid revocation data, status revoked\n",
                     "-F", "", "", "", "", "", "", "", "", "");
     fprintf(stderr, "%-20s Test -F allows 0=any (default), 1=only OCSP, 2=only CRL\n", "-M");
     fprintf(stderr, "%-20s Restrict ciphers\n", "-c ciphers");
     fprintf(stderr, "%-20s Print cipher values allowed for parameter -c and exit\n", "-Y");
     fprintf(stderr, "%-20s Enforce using an IPv4 destination address\n", "-4");
     fprintf(stderr, "%-20s Enforce using an IPv6 destination address\n", "-6");
     fprintf(stderr, "%-20s (Options -4 and -6 cannot be combined.)\n", "");
-    fprintf(stderr, "%-20s Enable the extended master secret extension [RFC7627]\n", "-G");
 }
 
 static void Usage(const char *progName)
 {
     PrintUsageHeader(progName);
     PrintParameterUsage();
     exit(1);
 }
@@ -923,17 +915,16 @@ int main(int argc, char **argv)
     PRBool             enableSSL2 = PR_TRUE;
     int                bypassPKCS11 = 0;
     int                disableLocking = 0;
     int                useExportPolicy = 0;
     int                enableSessionTickets = 0;
     int                enableCompression = 0;
     int                enableFalseStart = 0;
     int                enableCertStatus = 0;
-    int                enableSignedCertTimestamps = 0;
     int                forceFallbackSCSV = 0;
     int                enableExtendedMasterSecret = 0;
     PRSocketOptionData opt;
     PRNetAddr          addr;
     PRPollDesc         pollset[2];
     PRBool             allowIPv4 = PR_TRUE;
     PRBool             allowIPv6 = PR_TRUE;
     PRBool             pingServerFirst = PR_FALSE;
@@ -963,28 +954,28 @@ int main(int argc, char **argv)
     serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
     serverCertAuth.allowCRLSideChannelData = PR_TRUE;
 
     progName = strrchr(argv[0], '/');
     if (!progName)
 	progName = strrchr(argv[0], '\\');
     progName = progName ? progName+1 : argv[0];
 
-    tmp = PR_GetEnvSecure("NSS_DEBUG_TIMEOUT");
+    tmp = PR_GetEnv("NSS_DEBUG_TIMEOUT");
     if (tmp && tmp[0]) {
        int sec = PORT_Atoi(tmp);
        if (sec > 0) {
            maxInterval = PR_SecondsToInterval(sec);
        }
     }
 
     SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
 
     optstate = PL_CreateOptState(argc, argv,
-                                 "46BCDFGKM:OR:STUV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:xz");
+                                 "46BCDFGKM:OR:STV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:xz");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	switch (optstate->option) {
 	  case '?':
 	  default : Usage(progName); 			break;
 
           case '4': allowIPv6 = PR_FALSE; if (!allowIPv4) Usage(progName); break;
           case '6': allowIPv4 = PR_FALSE; if (!allowIPv6) Usage(progName); break;
 
@@ -1027,18 +1018,16 @@ int main(int argc, char **argv)
                     break;
 
           case 'R': rootModule = PORT_Strdup(optstate->value); break;
 
           case 'S': skipProtoHeader = PR_TRUE;                 break;
 
           case 'T': enableCertStatus = 1;               break;
 
-          case 'U': enableSignedCertTimestamps = 1;               break;
-
           case 'V': if (SECU_ParseSSLVersionRangeString(optstate->value,
                             enabledVersions, enableSSL2,
                             &enabledVersions, &enableSSL2) != SECSuccess) {
                         Usage(progName);
                     }
                     break;
 
           case 'Y': PrintCipherUsage(progName); exit(0); break;
@@ -1406,24 +1395,16 @@ int main(int argc, char **argv)
     if  (enableExtendedMasterSecret) {
         rv = SSL_OptionSet(s, SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_TRUE);
 	if (rv != SECSuccess) {
             SECU_PrintError(progName, "error enabling extended master secret");
             return 1;
 	}
     }
 
-    /* enable Signed Certificate Timestamps. */
-    rv = SSL_OptionSet(s, SSL_ENABLE_SIGNED_CERT_TIMESTAMPS,
-              enableSignedCertTimestamps);
-    if (rv != SECSuccess) {
-        SECU_PrintError(progName, "error enabling signed cert timestamps");
-        return 1;
-    }
-
     SSL_SetPKCS11PinArg(s, &pwdata);
 
     serverCertAuth.dbHandle = CERT_GetDefaultCertDB();
 
     SSL_AuthCertificateHook(s, ownAuthCertificate, &serverCertAuth);
     if (override) {
 	SSL_BadCertHook(s, ownBadCertHandler, NULL);
     }
--- a/security/nss/coreconf/WIN32.mk
+++ b/security/nss/coreconf/WIN32.mk
@@ -99,17 +99,17 @@ XP_DEFINE   += -DXP_PC
 ifdef NS_USE_GCC
 LIB_SUFFIX   = a
 else
 LIB_SUFFIX   = lib
 endif
 DLL_SUFFIX   = dll
 
 ifdef NS_USE_GCC
-    OS_CFLAGS += -mwindows -mms-bitfields
+    OS_CFLAGS += -mwindows -mms-bitfields -Werror
     _GEN_IMPORT_LIB=-Wl,--out-implib,$(IMPORT_LIBRARY)
     DLLFLAGS  += -mwindows -o $@ -shared -Wl,--export-all-symbols $(if $(IMPORT_LIBRARY),$(_GEN_IMPORT_LIB))
     ifdef BUILD_OPT
 	ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
 		OPTIMIZER += -Os
 	else
 		OPTIMIZER += -O2
 	endif
--- a/security/nss/coreconf/Werror.mk
+++ b/security/nss/coreconf/Werror.mk
@@ -16,17 +16,17 @@ ifndef WARNING_CFLAGS
   disable_warning = $(shell $(CC) -x c -E -Werror -W$(1) /dev/null >/dev/null 2>&1 && echo -Wno-$(1))
 
   WARNING_CFLAGS = -Wall
   ifeq ($(CC_NAME),clang)
     # -Qunused-arguments : clang objects to arguments that it doesn't understand
     #    and fixing this would require rearchitecture
     WARNING_CFLAGS += -Qunused-arguments
     # -Wno-parentheses-equality : because clang warns about macro expansions
-    WARNING_CFLAGS += $(call disable_warning,parentheses-equality)
+    OS_CFLAGS += $(call disable_warning,parentheses-equality)
     ifdef BUILD_OPT
       # clang is unable to handle glib's expansion of strcmp and similar for optimized
       # builds, so ignore the resulting errors.
       # See https://llvm.org/bugs/show_bug.cgi?id=20144
       WARNING_CFLAGS += $(call disable_warning,array-bounds)
       WARNING_CFLAGS += $(call disable_warning,unevaluated-expression)
     endif
   endif # if clang
--- a/security/nss/external_tests/README
+++ b/security/nss/external_tests/README
@@ -1,14 +1,14 @@
 GTest-based Unit Tests
 
 This directory contains GTest-based unit tests for NSS libssl.
 
-If your environment doesn't have C++ compiler suitable to build these tests,
-you may disable them using ``NSS_DISABLE_GTESTS=1''
+These aren't built by default, because they require C++.
+To build them, set ``NSS_BUILD_GTESTS=1''
 
 Once built, they are run as part of running ``test/all.sh''
 You can run just the GTests by running ``tests/ssl_gtests/ssl_gtests.sh''
 
 They can be run standalone or under a debugger by invoking the ssl_gtest
 executable with a ``-d'' option pointing to the directory created by either
 of the above options.  You can find that in
 
deleted file mode 100644
--- a/security/nss/external_tests/common/gtest.mk
+++ /dev/null
@@ -1,27 +0,0 @@
-#! gmake
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-include ../../cmd/platlibs.mk
-include ../../cmd/platrules.mk
-
-MKPROG = $(CCC)
-MKSHLIB	= $(CCC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
-
-ifeq (WINNT,$(OS_ARCH))
-    # -EHsc because gtest has exception handlers
-    OS_CFLAGS += -EHsc -nologo
-    # http://www.suodenjoki.dk/us/archive/2010/min-max.htm
-    OS_CFLAGS += -DNOMINMAX
-
-    # Linking to winsock to get htonl
-    OS_LIBS += Ws2_32.lib
-
-    # On windows, we need to create the parent directory
-    # Needed because we include files from a subdirectory
-    MAKE_OBJDIR = $(INSTALL) -D $(dir $@)
-else
-    CXXFLAGS += -std=c++0x
-endif
deleted file mode 100644
--- a/security/nss/external_tests/common/scoped_ptrs.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef scoped_ptrs_h__
-#define scoped_ptrs_h__
-
-#include "keyhi.h"
-
-namespace nss_test {
-
-struct ScopedDelete {
-  void operator()(PK11SlotInfo* slot) { PK11_FreeSlot(slot); }
-  void operator()(SECItem* item) { SECITEM_FreeItem(item, true); }
-  void operator()(PK11SymKey* key) { PK11_FreeSymKey(key); }
-  void operator()(SECKEYPublicKey* key) { SECKEY_DestroyPublicKey(key); }
-  void operator()(SECKEYPrivateKey* key) { SECKEY_DestroyPrivateKey(key); }
-  void operator()(SECAlgorithmID* id) { SECOID_DestroyAlgorithmID(id, true); }
-  void operator()(CERTSubjectPublicKeyInfo* spki) {
-    SECKEY_DestroySubjectPublicKeyInfo(spki);
-  }
-};
-
-template<class T>
-struct ScopedMaybeDelete {
-  void operator()(T* ptr) { if (ptr) { ScopedDelete del; del(ptr); } }
-};
-
-#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDelete<x> > Scoped ## x
-
-SCOPED(PK11SlotInfo);
-SCOPED(SECItem);
-SCOPED(PK11SymKey);
-SCOPED(SECKEYPublicKey);
-SCOPED(SECKEYPrivateKey);
-SCOPED(SECAlgorithmID);
-SCOPED(CERTSubjectPublicKeyInfo);
-
-#undef SCOPED
-
-}  // namespace nss_test
-
-#endif
--- a/security/nss/external_tests/google_test/Makefile
+++ b/security/nss/external_tests/google_test/Makefile
@@ -21,24 +21,32 @@ include $(CORE_DEPTH)/coreconf/config.mk
 #######################################################################
 
 
 
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 
-include ../common/gtest.mk
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
 #######################################################################
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
+
+MKSHLIB	= $(CCC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
+ifeq (WINNT,$(OS_ARCH))
+    # -EHsc because gtest has exception handlers
+    OS_CFLAGS += -EHsc
+    # On windows, we need to create the parent directory
+    # Needed because we include files from a subdirectory
+    MAKE_OBJDIR = $(INSTALL) -D $(dir $@)
+endif
--- a/security/nss/external_tests/google_test/gtest/test/gtest_unittest.cc
+++ b/security/nss/external_tests/google_test/gtest/test/gtest_unittest.cc
@@ -416,19 +416,19 @@ class FormatEpochTimeInMillisAsIso8601Te
   // 32 bits, even when 64-bit integer types are available.  We have to
   // force the constants to have a 64-bit type here.
   static const TimeInMillis kMillisPerSec = 1000;
 
  private:
   virtual void SetUp() {
     saved_tz_ = NULL;
 
-    GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996 /* PR_GetEnvSecure, strdup: deprecated */)
-    if (PR_GetEnvSecure("TZ"))
-      saved_tz_ = strdup(PR_GetEnvSecure("TZ"));
+    GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996 /* getenv, strdup: deprecated */)
+    if (getenv("TZ"))
+      saved_tz_ = strdup(getenv("TZ"));
     GTEST_DISABLE_MSC_WARNINGS_POP_()
 
     // Set up the time zone for FormatEpochTimeInMillisAsIso8601 to use.  We
     // cannot use the local time zone because the function's output depends
     // on the time zone.
     SetTimeZone("UTC+00");
   }
 
--- a/security/nss/external_tests/manifest.mn
+++ b/security/nss/external_tests/manifest.mn
@@ -2,11 +2,10 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 CORE_DEPTH = ..
 DEPTH      = ..
 
 DIRS = \
 	google_test \
-        pk11_gtest \
         ssl_gtest \
 	$(NULL)
deleted file mode 100644
--- a/security/nss/external_tests/pk11_gtest/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@
-#! gmake
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY).   #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL)          #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL)       #
-#######################################################################
-
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
-#######################################################################
-
-include ../common/gtest.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL)                              #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL)                           #
-#######################################################################
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL).                              #
-#######################################################################
-
deleted file mode 100644
--- a/security/nss/external_tests/pk11_gtest/manifest.mn
+++ /dev/null
@@ -1,22 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-CORE_DEPTH = ../..
-DEPTH      = ../..
-MODULE = nss
-
-CPPSRCS = \
-      pk11_pbkdf2_unittest.cc \
-      pk11_prf_unittest.cc \
-      pk11_rsapss_unittest.cc \
-      pk11_gtest.cc \
-      $(NULL)
-
-INCLUDES += -I$(CORE_DEPTH)/external_tests/google_test/gtest/include \
-            -I$(CORE_DEPTH)/external_tests/common
-
-REQUIRES = nspr nss libdbm gtest
-
-PROGRAM = pk11_gtest
-EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX)
deleted file mode 100644
--- a/security/nss/external_tests/pk11_gtest/pk11_gtest.cc
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "nspr.h"
-#include "nss.h"
-#include "ssl.h"
-
-#include <cstdlib>
-
-#define GTEST_HAS_RTTI 0
-#include "gtest/gtest.h"
-
-int main(int argc, char **argv) {
-  // Start the tests
-  ::testing::InitGoogleTest(&argc, argv);
-
-  NSS_NoDB_Init(nullptr);
-  NSS_SetDomesticPolicy();
-  int rv = RUN_ALL_TESTS();
-
-  NSS_Shutdown();
-
-  return rv;
-}
deleted file mode 100644
--- a/security/nss/external_tests/pk11_gtest/pk11_pbkdf2_unittest.cc
+++ /dev/null
@@ -1,100 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nss.h"
-#include "pk11pub.h"
-#include <memory>
-
-#include "gtest/gtest.h"
-#include "scoped_ptrs.h"
-
-namespace nss_test {
-
-static unsigned char* ToUcharPtr(std::string& str) {
-  return const_cast<unsigned char*>(
-    reinterpret_cast<const unsigned char*>(str.c_str()));
-}
-
-class Pkcs11Pbkdf2Test : public ::testing::Test {
- public:
-  void Derive(std::vector<uint8_t>& derived, SECOidTag hash_alg)
-  {
-    // Shared between test vectors.
-    const unsigned int iterations = 4096;
-    std::string pass("passwordPASSWORDpassword");
-    std::string salt("saltSALTsaltSALTsaltSALTsaltSALTsalt");
-
-    // Derivation must succeed with the right values.
-    EXPECT_TRUE(DeriveBytes(pass, salt, derived, hash_alg, iterations));
-
-    // Derivation must fail when the password is bogus.
-    std::string bogusPass("PasswordPASSWORDpassword");
-    EXPECT_FALSE(DeriveBytes(bogusPass, salt, derived, hash_alg, iterations));
-
-    // Derivation must fail when the salt is bogus.
-    std::string bogusSalt("SaltSALTsaltSALTsaltSALTsaltSALTsalt");
-    EXPECT_FALSE(DeriveBytes(pass, bogusSalt, derived, hash_alg, iterations));
-
-    // Derivation must fail when using the wrong hash function.
-    SECOidTag next_hash_alg = static_cast<SECOidTag>(hash_alg + 1);
-    EXPECT_FALSE(DeriveBytes(pass, salt, derived, next_hash_alg, iterations));
-
-    // Derivation must fail when using the wrong number of iterations.
-    EXPECT_FALSE(DeriveBytes(pass, salt, derived, hash_alg, iterations + 1));
-  }
-
- private:
-  bool DeriveBytes(std::string& pass, std::string& salt,
-                   std::vector<uint8_t>& derived, SECOidTag hash_alg,
-                   unsigned int iterations)
-  {
-    SECItem passItem = { siBuffer, ToUcharPtr(pass),
-                         static_cast<unsigned int>(pass.length()) };
-    SECItem saltItem = { siBuffer, ToUcharPtr(salt),
-                         static_cast<unsigned int>(salt.length()) };
-
-    // Set up PBKDF2 params.
-    ScopedSECAlgorithmID alg_id(
-      PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, hash_alg, hash_alg,
-                                  derived.size(), iterations, &saltItem));
-
-    // Derive.
-    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
-    ScopedPK11SymKey symKey(
-      PK11_PBEKeyGen(slot.get(), alg_id.get(), &passItem, false, nullptr));
-
-    SECStatus rv = PK11_ExtractKeyValue(symKey.get());
-    EXPECT_EQ(rv, SECSuccess);
-
-    SECItem* keyData = PK11_GetKeyData(symKey.get());
-    return !memcmp(&derived[0], keyData->data, keyData->len);
-  }
-};
-
-// RFC 6070 <http://tools.ietf.org/html/rfc6070>
-TEST_F(Pkcs11Pbkdf2Test, DeriveKnown1) {
-  std::vector<uint8_t> derived = {
-    0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b, 0x80, 0xc8, 0xd8, 0x36,
-    0x62, 0xc0, 0xe4, 0x4a, 0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70, 0x38
-  };
-
-  Derive(derived, SEC_OID_HMAC_SHA1);
-}
-
-// https://stackoverflow.com/questions/5130513/pbkdf2-hmac-sha2-test-vectors
-TEST_F(Pkcs11Pbkdf2Test, DeriveKnown2) {
-  std::vector<uint8_t> derived = {
-    0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8,
-    0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
-    0x1c, 0x4e, 0x2a, 0x1f, 0xb8, 0xdd, 0x53, 0xe1, 0xc6, 0x35, 0x51, 0x8c,
-    0x7d, 0xac, 0x47, 0xe9
-  };
-
-  Derive(derived, SEC_OID_HMAC_SHA256);
-}
-
-}  // namespace nss_test
-
deleted file mode 100644
--- a/security/nss/external_tests/pk11_gtest/pk11_prf_unittest.cc
+++ /dev/null
@@ -1,250 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nss.h"
-#include "pk11pub.h"
-#include <memory>
-
-#include "gtest/gtest.h"
-
-namespace nss_test {
-
-const size_t kPmsSize = 48;
-const size_t kMasterSecretSize = 48;
-const size_t kPrfSeedSizeSha256 = 32;
-const size_t kPrfSeedSizeTlsPrf = 36;
-
-// This is not the right size for anything
-const size_t kIncorrectSize = 17;
-
-const uint8_t kPmsData[] = {
-  0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
-  0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
-  0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
-  0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
-  0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,
-  0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f
-};
-
-const uint8_t kPrfSeed[] = {
-  0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
-  0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff,
-  0xe0,0xe1,0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,
-  0xe8,0xe9,0xea,0xeb,0xec,0xed,0xee,0xef,
-  0xd0,0xd1,0xd2,0xd3
-};
-
-const uint8_t kExpectedOutputEmsSha256[] = {
-  0x75,0xa7,0xa5,0x98,0xef,0xab,0x90,0xe7,
-  0x7c,0x67,0x80,0xde,0xab,0x3a,0x11,0xf3,
-  0x5d,0xb2,0xf8,0x47,0xff,0x09,0x01,0xec,
-  0xf8,0x93,0x89,0xfc,0x98,0x2e,0x6e,0xf9,
-  0x2c,0xf5,0x9b,0x04,0x04,0x6f,0xd7,0x28,
-  0x6e,0xea,0xe3,0x83,0xc4,0x4a,0xff,0x03
-};
-
-const uint8_t kExpectedOutputEmsTlsPrf[] = {
-  0x06,0xbf,0x29,0x86,0x5d,0xf3,0x3e,0x38,
-  0xfd,0xfa,0x91,0x10,0x2a,0x20,0xff,0xd6,
-  0xb9,0xd5,0x72,0x5a,0x6d,0x42,0x20,0x16,
-  0xde,0xa4,0xa0,0x51,0xe5,0x53,0xc1,0x28,
-  0x04,0x99,0xbc,0xb1,0x2c,0x9d,0xe8,0x0b,
-  0x18,0xa2,0x0e,0x48,0x52,0x8d,0x61,0x13
-};
-
-static unsigned char* toUcharPtr(const uint8_t* v) {
-  return const_cast<unsigned char*>(
-    static_cast<const unsigned char *>(v));
-}
-
-class TlsPrfTest : public ::testing::Test {
- public:
-  TlsPrfTest()
-    : params_({siBuffer, nullptr, 0})
-    , pms_item_({siBuffer, toUcharPtr(kPmsData), kPmsSize})
-    , key_mech_(0)
-    , slot_(nullptr)
-    , pms_(nullptr)
-    , ms_(nullptr)
-    , pms_version_({0, 0}) {}
-
-  ~TlsPrfTest() {
-    if (slot_) { PK11_FreeSlot(slot_); }
-    ClearTempVars();
-  }
-
-  void ClearTempVars() {
-    if (pms_) { PK11_FreeSymKey(pms_); }
-    if (ms_)  { PK11_FreeSymKey(ms_);  }
-  }
-
-  void Init() {
-    params_.type = siBuffer;
-
-    pms_item_.type = siBuffer;
-    pms_item_.data = const_cast<unsigned char*>(
-                        static_cast<const unsigned char *>(kPmsData));
-
-    slot_ = PK11_GetInternalSlot();
-    ASSERT_NE(nullptr, slot_);
-  }
-
-  void CheckForError(CK_MECHANISM_TYPE hash_mech,
-                     size_t seed_len,
-                     size_t pms_len,
-                     size_t output_len) {
-    // Error tests don't depend on the derivation mechansim
-    Inner(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, hash_mech,
-          seed_len, pms_len, output_len, nullptr, nullptr);
-  }
-
-  void ComputeAndVerifyMs(CK_MECHANISM_TYPE derive_mech,
-                          CK_MECHANISM_TYPE hash_mech,
-                          CK_VERSION* version,
-                          const uint8_t* expected) {
-    // Infer seed length from mechanism
-    int seed_len = 0;
-    switch (hash_mech) {
-      case CKM_TLS_PRF: seed_len = kPrfSeedSizeTlsPrf; break;
-      case CKM_SHA256:  seed_len = kPrfSeedSizeSha256; break;
-      default:          ASSERT_TRUE(false);
-    }
-
-    Inner(derive_mech, hash_mech, seed_len,
-          kPmsSize, 0, version, expected);
-  }
-
-
-  // Set output == nullptr to test when errors occur
-  void Inner(
-      CK_MECHANISM_TYPE derive_mech,
-      CK_MECHANISM_TYPE hash_mech,
-      size_t seed_len,
-      size_t pms_len,
-      size_t output_len,
-      CK_VERSION* version,
-      const uint8_t* expected) {
-    ClearTempVars();
-
-    // Infer the key mechanism from the hash type
-    switch (hash_mech) {
-      case CKM_TLS_PRF: key_mech_ = CKM_TLS_KEY_AND_MAC_DERIVE; break;
-      case CKM_SHA256:  key_mech_ = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; break;
-      default:          ASSERT_TRUE(false);
-    }
-
-    // Import the params
-    CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS master_params = {
-      hash_mech,
-      toUcharPtr(kPrfSeed),
-      static_cast<CK_ULONG>(seed_len),
-      version
-    };
-    params_.data = reinterpret_cast<unsigned char*>(&master_params);
-    params_.len = sizeof(master_params);
-
-    // Import the PMS
-    pms_item_.len = pms_len;
-    pms_ = PK11_ImportSymKey(slot_, derive_mech, PK11_OriginUnwrap,
-                            CKA_DERIVE, &pms_item_, NULL);
-    ASSERT_NE(nullptr, pms_);
-
-
-    // Compute the EMS
-    ms_ = PK11_DeriveWithFlags(pms_, derive_mech, &params_, key_mech_,
-        CKA_DERIVE, output_len, CKF_SIGN | CKF_VERIFY);
-
-    // Verify the EMS has the expected value (null or otherwise)
-    if (!expected) {
-      EXPECT_EQ(nullptr, ms_);
-    } else {
-      ASSERT_NE(nullptr, ms_);
-
-      SECStatus rv = PK11_ExtractKeyValue(ms_);
-      ASSERT_EQ(SECSuccess, rv);
-
-      SECItem *msData = PK11_GetKeyData(ms_);
-      ASSERT_NE(nullptr, msData);
-
-      ASSERT_EQ(kMasterSecretSize, msData->len);
-      EXPECT_EQ(0,
-                memcmp(msData->data, expected, kMasterSecretSize));
-    }
-  }
-
- protected:
-  SECItem params_;
-  SECItem pms_item_;
-  CK_MECHANISM_TYPE key_mech_;
-  PK11SlotInfo *slot_;
-  PK11SymKey *pms_;
-  PK11SymKey *ms_;
-  CK_VERSION pms_version_;
-};
-
-TEST_F(TlsPrfTest, ExtendedMsParamErr) {
-  Init();
-
-  // This should fail; it's the correct set from which the below are derived
-  // CheckForError(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, 0);
-
-  // Output key size != 0, SSL3_MASTER_SECRET_LENGTH
-  CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, kIncorrectSize);
-
-  // not-DH && pms size != SSL3_PMS_LENGTH
-  CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kIncorrectSize, 0);
-
-  // CKM_TLS_PRF && seed length != MD5_LENGTH + SHA1_LENGTH
-  CheckForError(CKM_TLS_PRF, kIncorrectSize, kPmsSize, 0);
-
-  // !CKM_TLS_PRF && seed length != hash output length
-  CheckForError(CKM_SHA256, kIncorrectSize, kPmsSize, 0);
-}
-
-// Test matrix:
-//
-//            DH  RSA
-//  TLS_PRF   1   2
-//  SHA256    3   4
-TEST_F(TlsPrfTest, ExtendedMsDhTlsPrf) {
-  Init();
-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
-                     CKM_TLS_PRF,
-                     nullptr,
-                     kExpectedOutputEmsTlsPrf);
-}
-
-TEST_F(TlsPrfTest, ExtendedMsRsaTlsPrf) {
-  Init();
-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
-                     CKM_TLS_PRF,
-                     &pms_version_,
-                     kExpectedOutputEmsTlsPrf);
-  EXPECT_EQ(0, pms_version_.major);
-  EXPECT_EQ(1, pms_version_.minor);
-}
-
-
-TEST_F(TlsPrfTest, ExtendedMsDhSha256) {
-  Init();
-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
-                     CKM_SHA256,
-                     nullptr,
-                     kExpectedOutputEmsSha256);
-}
-
-TEST_F(TlsPrfTest, ExtendedMsRsaSha256) {
-  Init();
-  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
-                     CKM_SHA256,
-                     &pms_version_,
-                     kExpectedOutputEmsSha256);
-  EXPECT_EQ(0, pms_version_.major);
-  EXPECT_EQ(1, pms_version_.minor);
-}
-
-}  // namespace nss_test
-
deleted file mode 100644
--- a/security/nss/external_tests/pk11_gtest/pk11_rsapss_unittest.cc
+++ /dev/null
@@ -1,246 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nss.h"
-#include "pk11pub.h"
-#include "sechash.h"
-#include <memory>
-
-#include "gtest/gtest.h"
-#include "scoped_ptrs.h"
-
-namespace nss_test {
-
-// RSA-PSS test vectors, pss-vect.txt, Example 1: A 1024-bit RSA Key Pair
-// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
-const uint8_t kTestVector1Spki[] = {
-  0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
-  0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02,
-  0x81, 0x81, 0x00, 0xa5, 0x6e, 0x4a, 0x0e, 0x70, 0x10, 0x17, 0x58, 0x9a, 0x51,
-  0x87, 0xdc, 0x7e, 0xa8, 0x41, 0xd1, 0x56, 0xf2, 0xec, 0x0e, 0x36, 0xad, 0x52,
-  0xa4, 0x4d, 0xfe, 0xb1, 0xe6, 0x1f, 0x7a, 0xd9, 0x91, 0xd8, 0xc5, 0x10, 0x56,
-  0xff, 0xed, 0xb1, 0x62, 0xb4, 0xc0, 0xf2, 0x83, 0xa1, 0x2a, 0x88, 0xa3, 0x94,
-  0xdf, 0xf5, 0x26, 0xab, 0x72, 0x91, 0xcb, 0xb3, 0x07, 0xce, 0xab, 0xfc, 0xe0,
-  0xb1, 0xdf, 0xd5, 0xcd, 0x95, 0x08, 0x09, 0x6d, 0x5b, 0x2b, 0x8b, 0x6d, 0xf5,
-  0xd6, 0x71, 0xef, 0x63, 0x77, 0xc0, 0x92, 0x1c, 0xb2, 0x3c, 0x27, 0x0a, 0x70,
-  0xe2, 0x59, 0x8e, 0x6f, 0xf8, 0x9d, 0x19, 0xf1, 0x05, 0xac, 0xc2, 0xd3, 0xf0,
-  0xcb, 0x35, 0xf2, 0x92, 0x80, 0xe1, 0x38, 0x6b, 0x6f, 0x64, 0xc4, 0xef, 0x22,
-  0xe1, 0xe1, 0xf2, 0x0d, 0x0c, 0xe8, 0xcf, 0xfb, 0x22, 0x49, 0xbd, 0x9a, 0x21,
-  0x37, 0x02, 0x03, 0x01, 0x00, 0x01
-};
-// RSA-PSS test vectors, pss-vect.txt, Example 1.1
-const uint8_t kTestVector1Data[] = {
-  0xcd, 0xc8, 0x7d, 0xa2, 0x23, 0xd7, 0x86, 0xdf, 0x3b, 0x45, 0xe0, 0xbb, 0xbc,
-  0x72, 0x13, 0x26, 0xd1, 0xee, 0x2a, 0xf8, 0x06, 0xcc, 0x31, 0x54, 0x75, 0xcc,
-  0x6f, 0x0d, 0x9c, 0x66, 0xe1, 0xb6, 0x23, 0x71, 0xd4, 0x5c, 0xe2, 0x39, 0x2e,
-  0x1a, 0xc9, 0x28, 0x44, 0xc3, 0x10, 0x10, 0x2f, 0x15, 0x6a, 0x0d, 0x8d, 0x52,
-  0xc1, 0xf4, 0xc4, 0x0b, 0xa3, 0xaa, 0x65, 0x09, 0x57, 0x86, 0xcb, 0x76, 0x97,
-  0x57, 0xa6, 0x56, 0x3b, 0xa9, 0x58, 0xfe, 0xd0, 0xbc, 0xc9, 0x84, 0xe8, 0xb5,
-  0x17, 0xa3, 0xd5, 0xf5, 0x15, 0xb2, 0x3b, 0x8a, 0x41, 0xe7, 0x4a, 0xa8, 0x67,
-  0x69, 0x3f, 0x90, 0xdf, 0xb0, 0x61, 0xa6, 0xe8, 0x6d, 0xfa, 0xae, 0xe6, 0x44,
-  0x72, 0xc0, 0x0e, 0x5f, 0x20, 0x94, 0x57, 0x29, 0xcb, 0xeb, 0xe7, 0x7f, 0x06,
-  0xce, 0x78, 0xe0, 0x8f, 0x40, 0x98, 0xfb, 0xa4, 0x1f, 0x9d, 0x61, 0x93, 0xc0,
-  0x31, 0x7e, 0x8b, 0x60, 0xd4, 0xb6, 0x08, 0x4a, 0xcb, 0x42, 0xd2, 0x9e, 0x38,
-  0x08, 0xa3, 0xbc, 0x37, 0x2d, 0x85, 0xe3, 0x31, 0x17, 0x0f, 0xcb, 0xf7, 0xcc,
-  0x72, 0xd0, 0xb7, 0x1c, 0x29, 0x66, 0x48, 0xb3, 0xa4, 0xd1, 0x0f, 0x41, 0x62,
-  0x95, 0xd0, 0x80, 0x7a, 0xa6, 0x25, 0xca, 0xb2, 0x74, 0x4f, 0xd9, 0xea, 0x8f,
-  0xd2, 0x23, 0xc4, 0x25, 0x37, 0x02, 0x98, 0x28, 0xbd, 0x16, 0xbe, 0x02, 0x54,
-  0x6f, 0x13, 0x0f, 0xd2, 0xe3, 0x3b, 0x93, 0x6d, 0x26, 0x76, 0xe0, 0x8a, 0xed,
-  0x1b, 0x73, 0x31, 0x8b, 0x75, 0x0a, 0x01, 0x67, 0xd0
-};
-const uint8_t kTestVector1Sig[] = {
-  0x90, 0x74, 0x30, 0x8f, 0xb5, 0x98, 0xe9, 0x70, 0x1b, 0x22, 0x94, 0x38, 0x8e,
-  0x52, 0xf9, 0x71, 0xfa, 0xac, 0x2b, 0x60, 0xa5, 0x14, 0x5a, 0xf1, 0x85, 0xdf,
-  0x52, 0x87, 0xb5, 0xed, 0x28, 0x87, 0xe5, 0x7c, 0xe7, 0xfd, 0x44, 0xdc, 0x86,
-  0x34, 0xe4, 0x07, 0xc8, 0xe0, 0xe4, 0x36, 0x0b, 0xc2, 0x26, 0xf3, 0xec, 0x22,
-  0x7f, 0x9d, 0x9e, 0x54, 0x63, 0x8e, 0x8d, 0x31, 0xf5, 0x05, 0x12, 0x15, 0xdf,
-  0x6e, 0xbb, 0x9c, 0x2f, 0x95, 0x79, 0xaa, 0x77, 0x59, 0x8a, 0x38, 0xf9, 0x14,
-  0xb5, 0xb9, 0xc1, 0xbd, 0x83, 0xc4, 0xe2, 0xf9, 0xf3, 0x82, 0xa0, 0xd0, 0xaa,
-  0x35, 0x42, 0xff, 0xee, 0x65, 0x98, 0x4a, 0x60, 0x1b, 0xc6, 0x9e, 0xb2, 0x8d,
-  0xeb, 0x27, 0xdc, 0xa1, 0x2c, 0x82, 0xc2, 0xd4, 0xc3, 0xf6, 0x6c, 0xd5, 0x00,
-  0xf1, 0xff, 0x2b, 0x99, 0x4d, 0x8a, 0x4e, 0x30, 0xcb, 0xb3, 0x3c
-};
-
-// RSA-PSS test vectors, pss-vect.txt, Example 10: A 2048-bit RSA Key Pair
-// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
-const uint8_t kTestVector2Spki[] = {
-  0x30, 0x82, 0x01, 0x21, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
-  0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0e, 0x00, 0x30, 0x82,
-  0x01, 0x09, 0x02, 0x82, 0x01, 0x00, 0xa5, 0xdd, 0x86, 0x7a, 0xc4, 0xcb, 0x02,
-  0xf9, 0x0b, 0x94, 0x57, 0xd4, 0x8c, 0x14, 0xa7, 0x70, 0xef, 0x99, 0x1c, 0x56,
-  0xc3, 0x9c, 0x0e, 0xc6, 0x5f, 0xd1, 0x1a, 0xfa, 0x89, 0x37, 0xce, 0xa5, 0x7b,
-  0x9b, 0xe7, 0xac, 0x73, 0xb4, 0x5c, 0x00, 0x17, 0x61, 0x5b, 0x82, 0xd6, 0x22,
-  0xe3, 0x18, 0x75, 0x3b, 0x60, 0x27, 0xc0, 0xfd, 0x15, 0x7b, 0xe1, 0x2f, 0x80,
-  0x90, 0xfe, 0xe2, 0xa7, 0xad, 0xcd, 0x0e, 0xef, 0x75, 0x9f, 0x88, 0xba, 0x49,
-  0x97, 0xc7, 0xa4, 0x2d, 0x58, 0xc9, 0xaa, 0x12, 0xcb, 0x99, 0xae, 0x00, 0x1f,
-  0xe5, 0x21, 0xc1, 0x3b, 0xb5, 0x43, 0x14, 0x45, 0xa8, 0xd5, 0xae, 0x4f, 0x5e,
-  0x4c, 0x7e, 0x94, 0x8a, 0xc2, 0x27, 0xd3, 0x60, 0x40, 0x71, 0xf2, 0x0e, 0x57,
-  0x7e, 0x90, 0x5f, 0xbe, 0xb1, 0x5d, 0xfa, 0xf0, 0x6d, 0x1d, 0xe5, 0xae, 0x62,
-  0x53, 0xd6, 0x3a, 0x6a, 0x21, 0x20, 0xb3, 0x1a, 0x5d, 0xa5, 0xda, 0xbc, 0x95,
-  0x50, 0x60, 0x0e, 0x20, 0xf2, 0x7d, 0x37, 0x39, 0xe2, 0x62, 0x79, 0x25, 0xfe,
-  0xa3, 0xcc, 0x50, 0x9f, 0x21, 0xdf, 0xf0, 0x4e, 0x6e, 0xea, 0x45, 0x49, 0xc5,
-  0x40, 0xd6, 0x80, 0x9f, 0xf9, 0x30, 0x7e, 0xed, 0xe9, 0x1f, 0xff, 0x58, 0x73,
-  0x3d, 0x83, 0x85, 0xa2, 0x37, 0xd6, 0xd3, 0x70, 0x5a, 0x33, 0xe3, 0x91, 0x90,
-  0x09, 0x92, 0x07, 0x0d, 0xf7, 0xad, 0xf1, 0x35, 0x7c, 0xf7, 0xe3, 0x70, 0x0c,
-  0xe3, 0x66, 0x7d, 0xe8, 0x3f, 0x17, 0xb8, 0xdf, 0x17, 0x78, 0xdb, 0x38, 0x1d,
-  0xce, 0x09, 0xcb, 0x4a, 0xd0, 0x58, 0xa5, 0x11, 0x00, 0x1a, 0x73, 0x81, 0x98,
-  0xee, 0x27, 0xcf, 0x55, 0xa1, 0x3b, 0x75, 0x45, 0x39, 0x90, 0x65, 0x82, 0xec,
-  0x8b, 0x17, 0x4b, 0xd5, 0x8d, 0x5d, 0x1f, 0x3d, 0x76, 0x7c, 0x61, 0x37, 0x21,
-  0xae, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01
-};
-// RSA-PSS test vectors, pss-vect.txt, Example 10.1
-const uint8_t kTestVector2Data[] = {
-  0x88, 0x31, 0x77, 0xe5, 0x12, 0x6b, 0x9b, 0xe2, 0xd9, 0xa9, 0x68, 0x03, 0x27,
-  0xd5, 0x37, 0x0c, 0x6f, 0x26, 0x86, 0x1f, 0x58, 0x20, 0xc4, 0x3d, 0xa6, 0x7a,
-  0x3a, 0xd6, 0x09
-};
-const uint8_t kTestVector2Sig[] = {
-  0x82, 0xc2, 0xb1, 0x60, 0x09, 0x3b, 0x8a, 0xa3, 0xc0, 0xf7, 0x52, 0x2b, 0x19,
-  0xf8, 0x73, 0x54, 0x06, 0x6c, 0x77, 0x84, 0x7a, 0xbf, 0x2a, 0x9f, 0xce, 0x54,
-  0x2d, 0x0e, 0x84, 0xe9, 0x20, 0xc5, 0xaf, 0xb4, 0x9f, 0xfd, 0xfd, 0xac, 0xe1,
-  0x65, 0x60, 0xee, 0x94, 0xa1, 0x36, 0x96, 0x01, 0x14, 0x8e, 0xba, 0xd7, 0xa0,
-  0xe1, 0x51, 0xcf, 0x16, 0x33, 0x17, 0x91, 0xa5, 0x72, 0x7d, 0x05, 0xf2, 0x1e,
-  0x74, 0xe7, 0xeb, 0x81, 0x14, 0x40, 0x20, 0x69, 0x35, 0xd7, 0x44, 0x76, 0x5a,
-  0x15, 0xe7, 0x9f, 0x01, 0x5c, 0xb6, 0x6c, 0x53, 0x2c, 0x87, 0xa6, 0xa0, 0x59,
-  0x61, 0xc8, 0xbf, 0xad, 0x74, 0x1a, 0x9a, 0x66, 0x57, 0x02, 0x28, 0x94, 0x39,
-  0x3e, 0x72, 0x23, 0x73, 0x97, 0x96, 0xc0, 0x2a, 0x77, 0x45, 0x5d, 0x0f, 0x55,
-  0x5b, 0x0e, 0xc0, 0x1d, 0xdf, 0x25, 0x9b, 0x62, 0x07, 0xfd, 0x0f, 0xd5, 0x76,
-  0x14, 0xce, 0xf1, 0xa5, 0x57, 0x3b, 0xaa, 0xff, 0x4e, 0xc0, 0x00, 0x69, 0x95,
-  0x16, 0x59, 0xb8, 0x5f, 0x24, 0x30, 0x0a, 0x25, 0x16, 0x0c, 0xa8, 0x52, 0x2d,
-  0xc6, 0xe6, 0x72, 0x7e, 0x57, 0xd0, 0x19, 0xd7, 0xe6, 0x36, 0x29, 0xb8, 0xfe,
-  0x5e, 0x89, 0xe2, 0x5c, 0xc1, 0x5b, 0xeb, 0x3a, 0x64, 0x75, 0x77, 0x55, 0x92,
-  0x99, 0x28, 0x0b, 0x9b, 0x28, 0xf7, 0x9b, 0x04, 0x09, 0x00, 0x0b, 0xe2, 0x5b,
-  0xbd, 0x96, 0x40, 0x8b, 0xa3, 0xb4, 0x3c, 0xc4, 0x86, 0x18, 0x4d, 0xd1, 0xc8,
-  0xe6, 0x25, 0x53, 0xfa, 0x1a, 0xf4, 0x04, 0x0f, 0x60, 0x66, 0x3d, 0xe7, 0xf5,
-  0xe4, 0x9c, 0x04, 0x38, 0x8e, 0x25, 0x7f, 0x1c, 0xe8, 0x9c, 0x95, 0xda, 0xb4,
-  0x8a, 0x31, 0x5d, 0x9b, 0x66, 0xb1, 0xb7, 0x62, 0x82, 0x33, 0x87, 0x6f, 0xf2,
-  0x38, 0x52, 0x30, 0xd0, 0x70, 0xd0, 0x7e, 0x16, 0x66
-};
-
-static unsigned char* toUcharPtr(const uint8_t* v) {
-  return const_cast<unsigned char*>(
-    static_cast<const unsigned char*>(v));
-}
-
-class Pkcs11RsaPssTest : public ::testing::Test {
-};
-
-class Pkcs11RsaPssVectorTest : public Pkcs11RsaPssTest {
- public:
-  void Verify(const uint8_t* spki, size_t spki_len, const uint8_t* data,
-              size_t data_len, const uint8_t* sig, size_t sig_len) {
-    // Verify data signed with PSS/SHA-1.
-    SECOidTag hashOid = SEC_OID_SHA1;
-    CK_MECHANISM_TYPE hashMech = CKM_SHA_1;
-    CK_RSA_PKCS_MGF_TYPE mgf = CKG_MGF1_SHA1;
-
-    // Set up PSS parameters.
-    unsigned int hLen = HASH_ResultLenByOidTag(hashOid);
-    CK_RSA_PKCS_PSS_PARAMS rsaPssParams = { hashMech, mgf, hLen };
-    SECItem params = { siBuffer,
-                       reinterpret_cast<unsigned char*>(&rsaPssParams),
-                       sizeof(rsaPssParams) };
-
-    // Import public key.
-    SECItem spkiItem = { siBuffer, toUcharPtr(spki),
-                         static_cast<unsigned int>(spki_len) };
-    ScopedCERTSubjectPublicKeyInfo certSpki(
-      SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
-    ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get()));
-
-    // Hash the data.
-    std::vector<uint8_t> hashBuf(hLen);
-    SECItem hash = { siBuffer, &hashBuf[0],
-                     static_cast<unsigned int>(hashBuf.size()) };
-    SECStatus rv = PK11_HashBuf(hashOid, hash.data, toUcharPtr(data),
-                                data_len);
-    EXPECT_EQ(rv, SECSuccess);
-
-    // Verify.
-    CK_MECHANISM_TYPE mech = CKM_RSA_PKCS_PSS;
-    SECItem sigItem = { siBuffer, toUcharPtr(sig),
-                        static_cast<unsigned int>(sig_len) };
-    rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sigItem, &hash,
-                                  nullptr);
-    EXPECT_EQ(rv, SECSuccess);
-  }
-};
-
-#define PSS_TEST_VECTOR_VERIFY(spki, data, sig) \
-  Verify(spki, sizeof(spki), data, sizeof(data), sig, sizeof(sig));
-
-TEST_F(Pkcs11RsaPssTest, GenerateAndSignAndVerify) {
-  // Sign data with a 1024-bit RSA key, using PSS/SHA-256.
-  SECOidTag hashOid = SEC_OID_SHA256;
-  CK_MECHANISM_TYPE hashMech = CKM_SHA256;
-  CK_RSA_PKCS_MGF_TYPE mgf = CKG_MGF1_SHA256;
-  PK11RSAGenParams rsaGenParams = { 1024, 0x10001 };
-
-  // Generate RSA key pair.
-  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
-  SECKEYPublicKey* pubKeyRaw = nullptr;
-  ScopedSECKEYPrivateKey privKey(PK11_GenerateKeyPair(slot.get(),
-                                                      CKM_RSA_PKCS_KEY_PAIR_GEN,
-                                                      &rsaGenParams, &pubKeyRaw,
-                                                      false, false, nullptr));
-  ASSERT_TRUE(!!privKey && pubKeyRaw);
-  ScopedSECKEYPublicKey pubKey(pubKeyRaw);
-
-  // Generate random data to sign.
-  uint8_t dataBuf[50];
-  SECItem data = { siBuffer, dataBuf, sizeof(dataBuf) };
-  unsigned int hLen = HASH_ResultLenByOidTag(hashOid);
-  SECStatus rv = PK11_GenerateRandomOnSlot(slot.get(), data.data, data.len);
-  EXPECT_EQ(rv, SECSuccess);
-
-  // Allocate memory for the signature.
-  std::vector<uint8_t> sigBuf(PK11_SignatureLen(privKey.get()));
-  SECItem sig = { siBuffer, &sigBuf[0],
-                  static_cast<unsigned int>(sigBuf.size()) };
-
-  // Set up PSS parameters.
-  CK_RSA_PKCS_PSS_PARAMS rsaPssParams = { hashMech, mgf, hLen };
-  SECItem params = { siBuffer, reinterpret_cast<unsigned char*>(&rsaPssParams),
-                     sizeof(rsaPssParams) };
-
-  // Sign.
-  CK_MECHANISM_TYPE mech = CKM_RSA_PKCS_PSS;
-  rv = PK11_SignWithMechanism(privKey.get(), mech, &params, &sig, &data);
-  EXPECT_EQ(rv, SECSuccess);
-
-  // Verify.
-  rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sig, &data,
-                                nullptr);
-  EXPECT_EQ(rv, SECSuccess);
-
-  // Verification with modified data must fail.
-  data.data[0] ^= 0xff;
-  rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sig, &data,
-                                nullptr);
-  EXPECT_EQ(rv, SECFailure);
-
-  // Verification with original data but the wrong signature must fail.
-  data.data[0] ^= 0xff; // Revert previous changes.
-  sig.data[0] ^= 0xff;
-  rv = PK11_VerifyWithMechanism(pubKey.get(), mech, &params, &sig, &data,
-                                nullptr);
-  EXPECT_EQ(rv, SECFailure);
-}
-
-// RSA-PSS test vectors, pss-vect.txt, Example 1.1: A 1024-bit RSA Key Pair
-// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
-TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature1) {
-  PSS_TEST_VECTOR_VERIFY(kTestVector1Spki, kTestVector1Data, kTestVector1Sig);
-}
-
-// RSA-PSS test vectors, pss-vect.txt, Example 10.1: A 2048-bit RSA Key Pair
-// <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>
-TEST_F(Pkcs11RsaPssVectorTest, VerifyKnownSignature2) {
-  PSS_TEST_VECTOR_VERIFY(kTestVector2Spki, kTestVector2Data, kTestVector2Sig);
-}
-
-}  // namespace nss_test
-
--- a/security/nss/external_tests/ssl_gtest/Makefile
+++ b/security/nss/external_tests/ssl_gtest/Makefile
@@ -20,26 +20,41 @@ include $(CORE_DEPTH)/coreconf/config.mk
 # (3) Include "component" configuration information. (OPTIONAL)       #
 #######################################################################
 
 
 #######################################################################
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 
-include ../common/gtest.mk
+include ../../cmd/platlibs.mk
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
 #######################################################################
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
+MKPROG = $(CCC)
 CFLAGS += -I$(CORE_DEPTH)/lib/ssl
+
+include ../../cmd/platrules.mk
+
+ifeq (WINNT,$(OS_ARCH))
+    # -EHsc because gtest has exception handlers
+    OS_CFLAGS += -EHsc -nologo
+    # http://www.suodenjoki.dk/us/archive/2010/min-max.htm
+    OS_CFLAGS += -DNOMINMAX
+
+    # Linking to winsock to get htonl
+    OS_LIBS += Ws2_32.lib
+else
+    CXXFLAGS += -std=c++0x
+endif
--- a/security/nss/external_tests/ssl_gtest/databuffer.h
+++ b/security/nss/external_tests/ssl_gtest/databuffer.h
@@ -46,26 +46,19 @@ class DataBuffer {
 
   void Truncate(size_t len) {
     len_ = std::min(len_, len);
   }
 
   void Assign(const DataBuffer& other) {
     Assign(other.data(), other.len());
   }
-
   void Assign(const uint8_t* data, size_t len) {
-    if (data) {
-      Allocate(len);
-      memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len);
-    } else {
-      assert(len == 0);
-      data_ = nullptr;
-      len_ = 0;
-    }
+    Allocate(len);
+    memcpy(static_cast<void *>(data_), static_cast<const void *>(data), len);
   }
 
   // Write will do a new allocation and expand the size of the buffer if needed.
   void Write(size_t index, const uint8_t* val, size_t count) {
     if (index + count > len_) {
       size_t newlen = index + count;
       uint8_t* tmp = new uint8_t[newlen]; // Always > 0.
       memcpy(static_cast<void*>(tmp),
@@ -168,20 +161,11 @@ inline std::ostream& operator<<(std::ost
     }
     stream << std::hex << std::setfill('0') << std::setw(2)
            << static_cast<unsigned>(buf.data()[i]);
   }
   stream << std::dec;
   return stream;
 }
 
-inline bool operator==(const DataBuffer& a, const DataBuffer& b) {
-  return (a.empty() && b.empty()) ||
-    (a.len() == b.len() && 0 == memcmp(a.data(), b.data(), a.len()));
-}
-
-inline bool operator!=(const DataBuffer& a, const DataBuffer& b) {
-  return !(a == b);
-}
-
 } // namespace nss_test
 
 #endif
--- a/security/nss/external_tests/ssl_gtest/manifest.mn
+++ b/security/nss/external_tests/ssl_gtest/manifest.mn
@@ -10,16 +10,17 @@ MODULE = nss
 CSRCS = \
       libssl_internals.c \
       $(NULL)
 
 CPPSRCS = \
       ssl_agent_unittest.cc \
       ssl_loopback_unittest.cc \
       ssl_extension_unittest.cc \
+      ssl_prf_unittest.cc \
       ssl_skip_unittest.cc \
       ssl_gtest.cc \
       test_io.cc \
       tls_agent.cc \
       tls_connect.cc \
       tls_filter.cc \
       tls_parser.cc \
       $(NULL)
--- a/security/nss/external_tests/ssl_gtest/ssl_extension_unittest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_extension_unittest.cc
@@ -604,120 +604,16 @@ TEST_P(TlsExtensionTest12Plus, Signature
     uint32_t v;
     EXPECT_TRUE(ext.Read(cursor++, 1, &v));
     EXPECT_EQ(algorithms[i].hashAlg, static_cast<SSLHashType>(v));
     EXPECT_TRUE(ext.Read(cursor++, 1, &v));
     EXPECT_EQ(algorithms[i].sigAlg, static_cast<SSLSignType>(v));
   }
 }
 
-/*
- * Tests for Certificate Transparency (RFC 6962)
- */
-
-// Helper class - stores signed certificate timestamps as provided
-// by the relevant callbacks on the client.
-class SignedCertificateTimestampsExtractor {
- public:
-  SignedCertificateTimestampsExtractor(TlsAgent& client) {
-    client.SetAuthCertificateCallback(
-      [&](TlsAgent& agent, PRBool checksig, PRBool isServer) {
-        const SECItem *scts = SSL_PeerSignedCertTimestamps(agent.ssl_fd());
-        ASSERT_TRUE(scts);
-        auth_timestamps_.reset(new DataBuffer(scts->data, scts->len));
-      }
-    );
-    client.SetHandshakeCallback(
-      [&](TlsAgent& agent) {
-        const SECItem *scts = SSL_PeerSignedCertTimestamps(agent.ssl_fd());
-        ASSERT_TRUE(scts);
-        handshake_timestamps_.reset(new DataBuffer(scts->data, scts->len));
-      }
-    );
-  }
-
-  void assertTimestamps(const DataBuffer& timestamps) {
-    ASSERT_TRUE(auth_timestamps_);
-    ASSERT_EQ(timestamps, *auth_timestamps_);
-
-    ASSERT_TRUE(handshake_timestamps_);
-    ASSERT_EQ(timestamps, *handshake_timestamps_);
-  }
-
- private:
-  std::unique_ptr<DataBuffer> auth_timestamps_;
-  std::unique_ptr<DataBuffer> handshake_timestamps_;
-};
-
-// Test timestamps extraction during a successful handshake.
-TEST_P(TlsExtensionTestGeneric, SignedCertificateTimestampsHandshake) {
-  uint8_t val[] = { 0x01, 0x23, 0x45, 0x67, 0x89 };
-  const SECItem si_timestamps = { siBuffer, val, sizeof(val) };
-  const DataBuffer timestamps(val, sizeof(val));
-
-  server_->StartConnect();
-  ASSERT_EQ(SECSuccess,
-    SSL_SetSignedCertTimestamps(server_->ssl_fd(),
-      &si_timestamps, server_->kea()));
-
-  client_->StartConnect();
-  ASSERT_EQ(SECSuccess,
-    SSL_OptionSet(client_->ssl_fd(),
-      SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, PR_TRUE));
-
-  SignedCertificateTimestampsExtractor timestamps_extractor(*client_);
-  Handshake();
-  CheckConnected();
-  timestamps_extractor.assertTimestamps(timestamps);
-}
-
-// Test SSL_PeerSignedCertTimestamps returning zero-length SECItem
-// when the client / the server / both have not enabled the feature.
-TEST_P(TlsExtensionTestGeneric, SignedCertificateTimestampsInactiveClient) {
-  uint8_t val[] = { 0x01, 0x23, 0x45, 0x67, 0x89 };
-  const SECItem si_timestamps = { siBuffer, val, sizeof(val) };
-
-  server_->StartConnect();
-  ASSERT_EQ(SECSuccess,
-    SSL_SetSignedCertTimestamps(server_->ssl_fd(),
-      &si_timestamps, server_->kea()));
-
-  client_->StartConnect();
-
-  SignedCertificateTimestampsExtractor timestamps_extractor(*client_);
-  Handshake();
-  CheckConnected();
-  timestamps_extractor.assertTimestamps(DataBuffer());
-}
-
-TEST_P(TlsExtensionTestGeneric, SignedCertificateTimestampsInactiveServer) {
-  server_->StartConnect();
-
-  client_->StartConnect();
-  ASSERT_EQ(SECSuccess,
-    SSL_OptionSet(client_->ssl_fd(),
-      SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, PR_TRUE));
-
-  SignedCertificateTimestampsExtractor timestamps_extractor(*client_);
-  Handshake();
-  CheckConnected();
-  timestamps_extractor.assertTimestamps(DataBuffer());
-}
-
-TEST_P(TlsExtensionTestGeneric, SignedCertificateTimestampsInactiveBoth) {
-  server_->StartConnect();
-  client_->StartConnect();
-
-  SignedCertificateTimestampsExtractor timestamps_extractor(*client_);
-  Handshake();
-  CheckConnected();
-  timestamps_extractor.assertTimestamps(DataBuffer());
-}
-
-
 INSTANTIATE_TEST_CASE_P(ExtensionTls10, TlsExtensionTestGeneric,
                         ::testing::Combine(
                           TlsConnectTestBase::kTlsModesStream,
                           TlsConnectTestBase::kTlsV10));
 INSTANTIATE_TEST_CASE_P(ExtensionVariants, TlsExtensionTestGeneric,
                         ::testing::Combine(
                           TlsConnectTestBase::kTlsModesAll,
                           TlsConnectTestBase::kTlsV11V12));
--- a/security/nss/external_tests/ssl_gtest/ssl_gtest.cc
+++ b/security/nss/external_tests/ssl_gtest/ssl_gtest.cc
@@ -1,10 +1,9 @@
 #include "nspr.h"
-#include "prenv.h"
 #include "nss.h"
 #include "ssl.h"
 
 #include <cstdlib>
 
 #include "test_io.h"
 
 #define GTEST_HAS_RTTI 0
@@ -12,17 +11,17 @@
 
 std::string g_working_dir_path;
 
 int main(int argc, char **argv) {
   // Start the tests
   ::testing::InitGoogleTest(&argc, argv);
   g_working_dir_path = ".";
 
-  char* workdir = PR_GetEnvSecure("NSS_GTEST_WORKDIR");
+  char* workdir = getenv("NSS_GTEST_WORKDIR");
   if (workdir)
     g_working_dir_path = workdir;
 
   for (int i = 0; i < argc; i++) {
     if (!strcmp(argv[i], "-d")) {
       g_working_dir_path = argv[i + 1];
       ++i;
     }
new file mode 100644
--- /dev/null
+++ b/security/nss/external_tests/ssl_gtest/ssl_prf_unittest.cc
@@ -0,0 +1,253 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nss.h"
+#include "pk11pub.h"
+#include <memory>
+
+#include "gtest_utils.h"
+
+namespace nss_test {
+
+#define CONST_UINT8_TO_UCHAR(a) const_cast<unsigned char*>( \
+    static_cast<const unsigned char *>(a))
+
+const size_t kPmsSize = 48;
+const size_t kMasterSecretSize = 48;
+const size_t kPrfSeedSizeSha256 = 32;
+const size_t kPrfSeedSizeTlsPrf = 36;
+
+// This is not the right size for anything
+const size_t kIncorrectSize = 17;
+
+const uint8_t kPmsData[] = {
+  0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+  0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
+  0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
+  0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
+  0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,
+  0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f
+};
+
+const uint8_t kPrfSeed[] = {
+  0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
+  0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff,
+  0xe0,0xe1,0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,
+  0xe8,0xe9,0xea,0xeb,0xec,0xed,0xee,0xef,
+  0xd0,0xd1,0xd2,0xd3
+};
+
+const uint8_t kExpectedOutputEmsSha256[] = {
+  0x75,0xa7,0xa5,0x98,0xef,0xab,0x90,0xe7,
+  0x7c,0x67,0x80,0xde,0xab,0x3a,0x11,0xf3,
+  0x5d,0xb2,0xf8,0x47,0xff,0x09,0x01,0xec,
+  0xf8,0x93,0x89,0xfc,0x98,0x2e,0x6e,0xf9,
+  0x2c,0xf5,0x9b,0x04,0x04,0x6f,0xd7,0x28,
+  0x6e,0xea,0xe3,0x83,0xc4,0x4a,0xff,0x03
+};
+
+const uint8_t kExpectedOutputEmsTlsPrf[] = {
+  0x06,0xbf,0x29,0x86,0x5d,0xf3,0x3e,0x38,
+  0xfd,0xfa,0x91,0x10,0x2a,0x20,0xff,0xd6,
+  0xb9,0xd5,0x72,0x5a,0x6d,0x42,0x20,0x16,
+  0xde,0xa4,0xa0,0x51,0xe5,0x53,0xc1,0x28,
+  0x04,0x99,0xbc,0xb1,0x2c,0x9d,0xe8,0x0b,
+  0x18,0xa2,0x0e,0x48,0x52,0x8d,0x61,0x13
+};
+
+static unsigned char* toUcharPtr(const uint8_t* v) {
+  return const_cast<unsigned char*>(
+    static_cast<const unsigned char *>(v));
+}
+
+class TlsPrfTest : public ::testing::Test {
+ public:
+  TlsPrfTest()
+    : params_({siBuffer, nullptr, 0})
+    , pms_item_({siBuffer, toUcharPtr(kPmsData), kPmsSize})
+    , key_mech_(0)
+    , slot_(nullptr)
+    , pms_(nullptr)
+    , ms_(nullptr)
+    , pms_version_({0, 0}) {}
+
+  ~TlsPrfTest() {
+    if (slot_) { PK11_FreeSlot(slot_); }
+    ClearTempVars();
+  }
+
+  void ClearTempVars() {
+    if (pms_) { PK11_FreeSymKey(pms_); }
+    if (ms_)  { PK11_FreeSymKey(ms_);  }
+  }
+
+  void Init() {
+    params_.type = siBuffer;
+
+    pms_item_.type = siBuffer;
+    pms_item_.data = const_cast<unsigned char*>(
+                        static_cast<const unsigned char *>(kPmsData));
+
+    slot_ = PK11_GetInternalSlot();
+    ASSERT_NE(nullptr, slot_);
+  }
+
+  void CheckForError(CK_MECHANISM_TYPE hash_mech,
+                     size_t seed_len,
+                     size_t pms_len,
+                     size_t output_len) {
+    // Error tests don't depend on the derivation mechansim
+    Inner(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, hash_mech,
+          seed_len, pms_len, output_len, nullptr, nullptr);
+  }
+
+  void ComputeAndVerifyMs(CK_MECHANISM_TYPE derive_mech,
+                          CK_MECHANISM_TYPE hash_mech,
+                          CK_VERSION* version,
+                          const uint8_t* expected) {
+    // Infer seed length from mechanism
+    int seed_len = 0;
+    switch (hash_mech) {
+      case CKM_TLS_PRF: seed_len = kPrfSeedSizeTlsPrf; break;
+      case CKM_SHA256:  seed_len = kPrfSeedSizeSha256; break;
+      default:          ASSERT_TRUE(false);
+    }
+
+    Inner(derive_mech, hash_mech, seed_len,
+          kPmsSize, 0, version, expected);
+  }
+
+
+  // Set output == nullptr to test when errors occur
+  void Inner(
+      CK_MECHANISM_TYPE derive_mech,
+      CK_MECHANISM_TYPE hash_mech,
+      size_t seed_len,
+      size_t pms_len,
+      size_t output_len,
+      CK_VERSION* version,
+      const uint8_t* expected) {
+    ClearTempVars();
+
+    // Infer the key mechanism from the hash type
+    switch (hash_mech) {
+      case CKM_TLS_PRF: key_mech_ = CKM_TLS_KEY_AND_MAC_DERIVE; break;
+      case CKM_SHA256:  key_mech_ = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; break;
+      default:          ASSERT_TRUE(false);
+    }
+
+    // Import the params
+    CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS master_params = {
+      hash_mech,
+      toUcharPtr(kPrfSeed),
+      seed_len,
+      version
+    };
+    params_.data = reinterpret_cast<unsigned char*>(&master_params);
+    params_.len = sizeof(master_params);
+
+    // Import the PMS
+    pms_item_.len = pms_len;
+    pms_ = PK11_ImportSymKey(slot_, derive_mech, PK11_OriginUnwrap,
+                            CKA_DERIVE, &pms_item_, NULL);
+    ASSERT_NE(nullptr, pms_);
+
+
+    // Compute the EMS
+    ms_ = PK11_DeriveWithFlags(pms_, derive_mech, &params_, key_mech_,
+        CKA_DERIVE, output_len, CKF_SIGN | CKF_VERIFY);
+
+    // Verify the EMS has the expected value (null or otherwise)
+    if (!expected) {
+      EXPECT_EQ(nullptr, ms_);
+    } else {
+      ASSERT_NE(nullptr, ms_);
+
+      SECStatus rv = PK11_ExtractKeyValue(ms_);
+      ASSERT_EQ(SECSuccess, rv);
+
+      SECItem *msData = PK11_GetKeyData(ms_);
+      ASSERT_NE(nullptr, msData);
+
+      ASSERT_EQ(kMasterSecretSize, msData->len);
+      EXPECT_EQ(0,
+                memcmp(msData->data, expected, kMasterSecretSize));
+    }
+  }
+
+ protected:
+  SECItem params_;
+  SECItem pms_item_;
+  CK_MECHANISM_TYPE key_mech_;
+  PK11SlotInfo *slot_;
+  PK11SymKey *pms_;
+  PK11SymKey *ms_;
+  CK_VERSION pms_version_;
+};
+
+TEST_F(TlsPrfTest, ExtendedMsParamErr) {
+  Init();
+
+  // This should fail; it's the correct set from which the below are derived
+  // CheckForError(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, 0);
+
+  // Output key size != 0, SSL3_MASTER_SECRET_LENGTH
+  CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kPmsSize, kIncorrectSize);
+
+  // not-DH && pms size != SSL3_PMS_LENGTH
+  CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kIncorrectSize, 0);
+
+  // CKM_TLS_PRF && seed length != MD5_LENGTH + SHA1_LENGTH
+  CheckForError(CKM_TLS_PRF, kIncorrectSize, kPmsSize, 0);
+
+  // !CKM_TLS_PRF && seed length != hash output length
+  CheckForError(CKM_SHA256, kIncorrectSize, kPmsSize, 0);
+}
+
+// Test matrix:
+//
+//            DH  RSA
+//  TLS_PRF   1   2
+//  SHA256    3   4
+TEST_F(TlsPrfTest, ExtendedMsDhTlsPrf) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
+                     CKM_TLS_PRF,
+                     nullptr,
+                     kExpectedOutputEmsTlsPrf);
+}
+
+TEST_F(TlsPrfTest, ExtendedMsRsaTlsPrf) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
+                     CKM_TLS_PRF,
+                     &pms_version_,
+                     kExpectedOutputEmsTlsPrf);
+  EXPECT_EQ(0, pms_version_.major);
+  EXPECT_EQ(1, pms_version_.minor);
+}
+
+
+TEST_F(TlsPrfTest, ExtendedMsDhSha256) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
+                     CKM_SHA256,
+                     nullptr,
+                     kExpectedOutputEmsSha256);
+}
+
+TEST_F(TlsPrfTest, ExtendedMsRsaSha256) {
+  Init();
+  ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
+                     CKM_SHA256,
+                     &pms_version_,
+                     kExpectedOutputEmsSha256);
+  EXPECT_EQ(0, pms_version_.major);
+  EXPECT_EQ(1, pms_version_.minor);
+}
+
+}  // namespace nss_test
+
--- a/security/nss/external_tests/ssl_gtest/tls_agent.cc
+++ b/security/nss/external_tests/ssl_gtest/tls_agent.cc
@@ -35,19 +35,17 @@ TlsAgent::TlsAgent(const std::string& na
     expect_resumption_(false),
     can_falsestart_hook_called_(false),
     sni_hook_called_(false),
     auth_certificate_hook_called_(false),
     handshake_callback_called_(false),
     error_code_(0),
     send_ctr_(0),
     recv_ctr_(0),
-    expected_read_error_(false),
-    handshake_callback_(),
-    auth_certificate_callback_() {
+    expected_read_error_(false) {
 
   memset(&info_, 0, sizeof(info_));
   memset(&csinfo_, 0, sizeof(csinfo_));
   SECStatus rv = SSL_VersionRangeGetDefault(mode_ == STREAM ?
                                             ssl_variant_stream : ssl_variant_datagram,
                                             &vrange_);
   EXPECT_EQ(SECSuccess, rv);
 }
--- a/security/nss/external_tests/ssl_gtest/tls_agent.h
+++ b/security/nss/external_tests/ssl_gtest/tls_agent.h
@@ -6,17 +6,16 @@
 
 #ifndef tls_agent_h_
 #define tls_agent_h_
 
 #include "prio.h"
 #include "ssl.h"
 
 #include <iostream>
-#include <functional>
 
 #include "test_io.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 
 namespace nss_test {
 
@@ -24,26 +23,16 @@ namespace nss_test {
 
 enum SessionResumptionMode {
   RESUME_NONE = 0,
   RESUME_SESSIONID = 1,
   RESUME_TICKET = 2,
   RESUME_BOTH = RESUME_SESSIONID | RESUME_TICKET
 };
 
-class TlsAgent;
-
-typedef
-  std::function<void(TlsAgent& agent, PRBool checksig, PRBool isServer)>
-  AuthCertificateCallbackFunction;
-
-typedef
-  std::function<void(TlsAgent& agent)>
-  HandshakeCallbackFunction;
-
 class TlsAgent : public PollTarget {
  public:
   enum Role { CLIENT, SERVER };
   enum State { STATE_INIT, STATE_CONNECTING, STATE_CONNECTED, STATE_ERROR };
 
   TlsAgent(const std::string& name, Role role, Mode mode, SSLKEAType kea);
   virtual ~TlsAgent();
 
@@ -100,22 +89,18 @@ class TlsAgent : public PollTarget {
   void CheckErrorCode(int32_t expected) const;
   void SendData(size_t bytes, size_t blocksize = 1024);
   void ReadBytes();
   void ResetSentBytes(); // Hack to test drops.
   void EnableExtendedMasterSecret();
   void CheckExtendedMasterSecret(bool expected);
   void DisableRollbackDetection();
 
-  Role role() const { return role_; }
-
   State state() const { return state_; }
 
-  SSLKEAType kea() const { return kea_; }
-
   const char* state_str() const { return state_str(state()); }
 
   const char* state_str(State state) const { return states[state]; }
 
   PRFileDesc* ssl_fd() { return ssl_fd_; }
   DummyPrSocket* adapter() { return adapter_; }
 
   uint16_t min_version() const { return vrange_.min; }
@@ -141,25 +126,16 @@ class TlsAgent : public PollTarget {
   std::vector<uint8_t> session_id() const {
     return std::vector<uint8_t>(info_.sessionID,
                                 info_.sessionID + info_.sessionIDLength);
   }
 
   size_t received_bytes() const { return recv_ctr_; }
   int32_t error_code() const { return error_code_; }
 
-  void SetHandshakeCallback(HandshakeCallbackFunction handshake_callback) {
-    handshake_callback_ = handshake_callback;
-  }
-
-  void SetAuthCertificateCallback(
-      AuthCertificateCallbackFunction auth_certificate_callback) {
-    auth_certificate_callback_ = auth_certificate_callback;
-  }
-
  private:
   const static char* states[];
 
   void SetState(State state) {
     if (state_ == state) return;
 
     LOG("Changing state from " << state_str(state_) << " to "
                                << state_str(state));
@@ -167,31 +143,25 @@ class TlsAgent : public PollTarget {
   }
 
   // Dummy auth certificate hook.
   static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd,
                                        PRBool checksig, PRBool isServer) {
     TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
     agent->CheckPreliminaryInfo();
     agent->auth_certificate_hook_called_ = true;
-    if (agent->auth_certificate_callback_) {
-      agent->auth_certificate_callback_(*agent, checksig, isServer);
-    }
     return SECSuccess;
   }
 
   // Client auth certificate hook.
   static SECStatus ClientAuthenticated(void* arg, PRFileDesc* fd,
                                        PRBool checksig, PRBool isServer) {
     TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
     EXPECT_TRUE(agent->expect_client_auth_);
     EXPECT_TRUE(isServer);
-    if (agent->auth_certificate_callback_) {
-      agent->auth_certificate_callback_(*agent, checksig, isServer);
-    }
     return SECSuccess;
   }
 
   static SECStatus GetClientAuthDataHook(void* self, PRFileDesc* fd,
                                          CERTDistNames* caNames,
                                          CERTCertificate** cert,
                                          SECKEYPrivateKey** privKey);
 
@@ -233,19 +203,16 @@ class TlsAgent : public PollTarget {
     *canFalseStart = true;
     return SECSuccess;
   }
 
   static void HandshakeCallback(PRFileDesc *fd, void *arg) {
     TlsAgent* agent = reinterpret_cast<TlsAgent*>(arg);
     agent->CheckPreliminaryInfo();
     agent->handshake_callback_called_ = true;
-    if (agent->handshake_callback_) {
-      agent->handshake_callback_(*agent);
-    }
   }
 
   void CheckCallbacks() const;
   void Connected();
 
   const std::string name_;
   Mode mode_;
   SSLKEAType kea_;
@@ -265,18 +232,16 @@ class TlsAgent : public PollTarget {
   bool handshake_callback_called_;
   SSLChannelInfo info_;
   SSLCipherSuiteInfo csinfo_;
   SSLVersionRange vrange_;
   int32_t error_code_;
   size_t send_ctr_;
   size_t recv_ctr_;
   bool expected_read_error_;
-  HandshakeCallbackFunction handshake_callback_;
-  AuthCertificateCallbackFunction auth_certificate_callback_;
 };
 
 class TlsAgentTestBase : public ::testing::Test {
  public:
   static ::testing::internal::ParamGenerator<std::string> kTlsRolesAll;
 
   TlsAgentTestBase(TlsAgent::Role role,
                    Mode mode) : agent_(nullptr),
--- a/security/nss/lib/Makefile
+++ b/security/nss/lib/Makefile
@@ -41,53 +41,35 @@ ifeq ($(OS_ARCH),Linux)
 SYSINIT_SRCDIR = sysinit  # Add the sysinit directory to DIRS.
 endif
 endif
 
 ifndef NSS_DISABLE_DBM
 DBM_SRCDIR = dbm  # Add the dbm directory to DIRS.
 endif
 
-ifeq ($(NSS_BUILD_UTIL_ONLY),1)
-SYSINIT_SRCDIR=
-endif
-
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
 #######################################################################
 
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
-ifeq ($(NSS_BUILD_UTIL_ONLY),1)
-  UTIL_SRCDIR = util
-  FREEBL_SRCDIR =
-  SOFTOKEN_SRCDIR =
+ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+# Not included when building nss without softoken
+UTIL_SRCDIR =
+FREEBL_SRCDIR =
+SOFTOKEN_SRCDIR =
 else
-  ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
-      UTIL_SRCDIR =
-      FREEBL_SRCDIR = freebl
-      SOFTOKEN_SRCDIR = softoken
-  else
-    ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
-      # Not included when building nss without softoken
-      # This build type uses the build results of the prior
-      # NSS_BUILD_UTIL_ONLY and NSS_BUILD_SOFTOKEN_ONLY builds
-      UTIL_SRCDIR =
-      FREEBL_SRCDIR =
-      SOFTOKEN_SRCDIR =
-    else
-      # default is to include all
-      UTIL_SRCDIR = util
-      FREEBL_SRCDIR = freebl
-      SOFTOKEN_SRCDIR = softoken
-    endif
-  endif
+# default is to include all
+UTIL_SRCDIR = util
+FREEBL_SRCDIR = freebl
+SOFTOKEN_SRCDIR = softoken
 endif
--- a/security/nss/lib/base/arena.c
+++ b/security/nss/lib/base/arena.c
@@ -36,104 +36,110 @@
  *
  * The nonpublic methods relating to this type are:
  *
  *  nssArena_Create  -- constructor
  *  nssArena_Destroy
  *  nssArena_Mark
  *  nssArena_Release
  *  nssArena_Unmark
- *
+ * 
  *  nss_ZAlloc
  *  nss_ZFreeIf
  *  nss_ZRealloc
  *
  * In debug builds, the following calls are available:
  *
  *  nssArena_verifyPointer
  *  nssArena_registerDestructor
  *  nssArena_deregisterDestructor
  */
 
 struct NSSArenaStr {
-    PLArenaPool pool;
-    PRLock *lock;
+  PLArenaPool pool;
+  PRLock *lock;
 #ifdef ARENA_THREADMARK
-    PRThread *marking_thread;
-    nssArenaMark *first_mark;
-    nssArenaMark *last_mark;
+  PRThread *marking_thread;
+  nssArenaMark *first_mark;
+  nssArenaMark *last_mark;
 #endif /* ARENA_THREADMARK */
 #ifdef ARENA_DESTRUCTOR_LIST
-    struct arena_destructor_node *first_destructor;
-    struct arena_destructor_node *last_destructor;
+  struct arena_destructor_node *first_destructor;
+  struct arena_destructor_node *last_destructor;
 #endif /* ARENA_DESTRUCTOR_LIST */
 };
 
 /*
  * nssArenaMark
  *
  * This type is used to mark the current state of an NSSArena.
  */
 
 struct nssArenaMarkStr {
-    PRUint32 magic;
-    void *mark;
+  PRUint32 magic;
+  void *mark;
 #ifdef ARENA_THREADMARK
-    nssArenaMark *next;
+  nssArenaMark *next;
 #endif /* ARENA_THREADMARK */
 #ifdef ARENA_DESTRUCTOR_LIST
-    struct arena_destructor_node *next_destructor;
-    struct arena_destructor_node *prev_destructor;
+  struct arena_destructor_node *next_destructor;
+  struct arena_destructor_node *prev_destructor;
 #endif /* ARENA_DESTRUCTOR_LIST */
 };
 
 #define MARK_MAGIC 0x4d41524b /* "MARK" how original */
 
 /*
  * But first, the pointer-tracking code
  */
 #ifdef DEBUG
 extern const NSSError NSS_ERROR_INTERNAL_ERROR;
 
 static nssPointerTracker arena_pointer_tracker;
 
 static PRStatus
-arena_add_pointer(const NSSArena *arena)
+arena_add_pointer
+(
+  const NSSArena *arena
+)
 {
-    PRStatus rv;
+  PRStatus rv;
 
-    rv = nssPointerTracker_initialize(&arena_pointer_tracker);
-    if (PR_SUCCESS != rv) {
-        return rv;
+  rv = nssPointerTracker_initialize(&arena_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    return rv;
+  }
+
+  rv = nssPointerTracker_add(&arena_pointer_tracker, arena);
+  if( PR_SUCCESS != rv ) {
+    NSSError e = NSS_GetError();
+    if( NSS_ERROR_NO_MEMORY != e ) {
+      nss_SetError(NSS_ERROR_INTERNAL_ERROR);
     }
 
-    rv = nssPointerTracker_add(&arena_pointer_tracker, arena);
-    if (PR_SUCCESS != rv) {
-        NSSError e = NSS_GetError();
-        if (NSS_ERROR_NO_MEMORY != e) {
-            nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-        }
+    return rv;
+  }
 
-        return rv;
-    }
-
-    return PR_SUCCESS;
+  return PR_SUCCESS;
 }
 
 static PRStatus
-arena_remove_pointer(const NSSArena *arena)
+arena_remove_pointer
+(
+  const NSSArena *arena
+)
 {
-    PRStatus rv;
+  PRStatus rv;
 
-    rv = nssPointerTracker_remove(&arena_pointer_tracker, arena);
-    if (PR_SUCCESS != rv) {
-        nss_SetError(NSS_ERROR_INTERNAL_ERROR);
-    }
+  rv = nssPointerTracker_remove(&arena_pointer_tracker, arena);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INTERNAL_ERROR);
+  }
 
-    return rv;
+  return rv;
 }
 
 /*
  * nssArena_verifyPointer
  *
  * This method is only present in debug builds.
  *
  * If the specified pointer is a valid pointer to an NSSArena object,
@@ -144,172 +150,186 @@ arena_remove_pointer(const NSSArena *are
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS if the pointer is valid
  *  PR_FAILURE if it isn't
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_verifyPointer(const NSSArena *arena)
+nssArena_verifyPointer
+(
+  const NSSArena *arena
+)
 {
-    PRStatus rv;
+  PRStatus rv;
 
-    rv = nssPointerTracker_initialize(&arena_pointer_tracker);
-    if (PR_SUCCESS != rv) {
-        /*
-         * This is a little disingenious.  We have to initialize the
-         * tracker, because someone could "legitimately" try to verify
-         * an arena pointer before one is ever created.  And this step
-         * might fail, due to lack of memory.  But the only way that
-         * this step can fail is if it's doing the call_once stuff,
-         * (later calls just no-op).  And if it didn't no-op, there
-         * aren't any valid arenas.. so the argument certainly isn't one.
-         */
-        nss_SetError(NSS_ERROR_INVALID_ARENA);
-        return PR_FAILURE;
-    }
+  rv = nssPointerTracker_initialize(&arena_pointer_tracker);
+  if( PR_SUCCESS != rv ) {
+    /*
+     * This is a little disingenious.  We have to initialize the
+     * tracker, because someone could "legitimately" try to verify
+     * an arena pointer before one is ever created.  And this step
+     * might fail, due to lack of memory.  But the only way that
+     * this step can fail is if it's doing the call_once stuff,
+     * (later calls just no-op).  And if it didn't no-op, there
+     * aren't any valid arenas.. so the argument certainly isn't one.
+     */
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return PR_FAILURE;
+  }
 
-    rv = nssPointerTracker_verify(&arena_pointer_tracker, arena);
-    if (PR_SUCCESS != rv) {
-        nss_SetError(NSS_ERROR_INVALID_ARENA);
-        return PR_FAILURE;
-    }
+  rv = nssPointerTracker_verify(&arena_pointer_tracker, arena);
+  if( PR_SUCCESS != rv ) {
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return PR_FAILURE;
+  }
 
-    return PR_SUCCESS;
+  return PR_SUCCESS;
 }
 #endif /* DEBUG */
 
 #ifdef ARENA_DESTRUCTOR_LIST
 
 struct arena_destructor_node {
-    struct arena_destructor_node *next;
-    struct arena_destructor_node *prev;
-    void (*destructor)(void *argument);
-    void *arg;
+  struct arena_destructor_node *next;
+  struct arena_destructor_node *prev;
+  void (*destructor)(void *argument);
+  void *arg;
 };
 
 /*
  * nssArena_registerDestructor
  *
  * This routine stores a pointer to a callback and an arbitrary
  * pointer-sized argument in the arena, at the current point in
  * the mark stack.  If the arena is destroyed, or an "earlier"
  * mark is released, then this destructor will be called at that
  * time.  Note that the destructor will be called with the arena
  * locked, which means the destructor may free memory in that
  * arena, but it may not allocate or cause to be allocated any
  * memory.  This callback facility was included to support our
  * debug-version pointer-tracker feature; overuse runs counter to
- * the the original intent of arenas.  This routine returns a
- * PRStatus value; if successful, it will return PR_SUCCESS.  If
- * unsuccessful, it will set an error on the error stack and
+ * the the original intent of arenas.  This routine returns a 
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If 
+ * unsuccessful, it will set an error on the error stack and 
  * return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_registerDestructor(NSSArena *arena, void (*destructor)(void *argument),
-                            void *arg)
+nssArena_registerDestructor
+(
+  NSSArena *arena,
+  void (*destructor)(void *argument),
+  void *arg
+)
 {
-    struct arena_destructor_node *it;
+  struct arena_destructor_node *it;
 
 #ifdef NSSDEBUG
-    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
-        return PR_FAILURE;
-    }
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
 #endif /* NSSDEBUG */
-
-    it = nss_ZNEW(arena, struct arena_destructor_node);
-    if ((struct arena_destructor_node *)NULL == it) {
-        return PR_FAILURE;
-    }
+  
+  it = nss_ZNEW(arena, struct arena_destructor_node);
+  if( (struct arena_destructor_node *)NULL == it ) {
+    return PR_FAILURE;
+  }
 
-    it->prev = arena->last_destructor;
-    arena->last_destructor->next = it;
-    arena->last_destructor = it;
-    it->destructor = destructor;
-    it->arg = arg;
+  it->prev = arena->last_destructor;
+  arena->last_destructor->next = it;
+  arena->last_destructor = it;
+  it->destructor = destructor;
+  it->arg = arg;
 
-    if ((nssArenaMark *)NULL != arena->last_mark) {
-        arena->last_mark->prev_destructor = it->prev;
-        arena->last_mark->next_destructor = it->next;
-    }
+  if( (nssArenaMark *)NULL != arena->last_mark ) {
+    arena->last_mark->prev_destructor = it->prev;
+    arena->last_mark->next_destructor = it->next;
+  }
 
-    return PR_SUCCESS;
+  return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT PRStatus
-nssArena_deregisterDestructor(NSSArena *arena,
-                              void (*destructor)(void *argument), void *arg)
+nssArena_deregisterDestructor
+(
+  NSSArena *arena,
+  void (*destructor)(void *argument),
+  void *arg
+)
 {
-    struct arena_destructor_node *it;
+  struct arena_destructor_node *it;
 
 #ifdef NSSDEBUG
-    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
-        return PR_FAILURE;
-    }
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
 #endif /* NSSDEBUG */
 
-    for (it = arena->first_destructor; it; it = it->next) {
-        if ((it->destructor == destructor) && (it->arg == arg)) {
-            break;
-        }
+  for( it = arena->first_destructor; it; it = it->next ) {
+    if( (it->destructor == destructor) && (it->arg == arg) ) {
+      break;
     }
+  }
 
-    if ((struct arena_destructor_node *)NULL == it) {
-        nss_SetError(NSS_ERROR_NOT_FOUND);
-        return PR_FAILURE;
-    }
+  if( (struct arena_destructor_node *)NULL == it ) {
+    nss_SetError(NSS_ERROR_NOT_FOUND);
+    return PR_FAILURE;
+  }
 
-    if (it == arena->first_destructor) {
-        arena->first_destructor = it->next;
-    }
+  if( it == arena->first_destructor ) {
+    arena->first_destructor = it->next;
+  }
 
-    if (it == arena->last_destructor) {
-        arena->last_destructor = it->prev;
-    }
+  if( it == arena->last_destructor ) {
+    arena->last_destructor = it->prev;
+  }
 
-    if ((struct arena_destructor_node *)NULL != it->prev) {
-        it->prev->next = it->next;
-    }
+  if( (struct arena_destructor_node *)NULL != it->prev ) {
+    it->prev->next = it->next;
+  }
 
-    if ((struct arena_destructor_node *)NULL != it->next) {
-        it->next->prev = it->prev;
-    }
+  if( (struct arena_destructor_node *)NULL != it->next ) {
+    it->next->prev = it->prev;
+  }
 
-    {
-        nssArenaMark *m;
-        for (m = arena->first_mark; m; m = m->next) {
-            if (m->next_destructor == it) {
-                m->next_destructor = it->next;
-            }
-            if (m->prev_destructor == it) {
-                m->prev_destructor = it->prev;
-            }
-        }
+  {
+    nssArenaMark *m;
+    for( m = arena->first_mark; m; m = m->next ) {
+      if( m->next_destructor == it ) {
+        m->next_destructor = it->next;
+      }
+      if( m->prev_destructor == it ) {
+        m->prev_destructor = it->prev;
+      }
     }
+  }
 
-    nss_ZFreeIf(it);
-    return PR_SUCCESS;
+  nss_ZFreeIf(it);
+  return PR_SUCCESS;
 }
 
 static void
-nss_arena_call_destructor_chain(struct arena_destructor_node *it)
+nss_arena_call_destructor_chain
+(
+  struct arena_destructor_node *it
+)
 {
-    for (; it; it = it->next) {
-        (*(it->destructor))(it->arg);
-    }
+  for( ; it ; it = it->next ) {
+    (*(it->destructor))(it->arg);
+  }
 }
 
 #endif /* ARENA_DESTRUCTOR_LIST */
 
 /*
  * NSSArena_Create
  *
  * This routine creates a new memory arena.  This routine may return
@@ -319,367 +339,382 @@ nss_arena_call_destructor_chain(struct a
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to an NSSArena upon success
  */
 
 NSS_IMPLEMENT NSSArena *
-NSSArena_Create(void)
+NSSArena_Create
+(
+  void
+)
 {
-    nss_ClearErrorStack();
-    return nssArena_Create();
+  nss_ClearErrorStack();
+  return nssArena_Create();
 }
 
 /*
  * nssArena_Create
  *
  * This routine creates a new memory arena.  This routine may return
- * NULL upon error, in which case it will have set an error on the
+ * NULL upon error, in which case it will have set an error on the 
  * error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to an NSSArena upon success
  */
 
 NSS_IMPLEMENT NSSArena *
-nssArena_Create(void)
+nssArena_Create
+(
+  void
+)
 {
-    NSSArena *rv = (NSSArena *)NULL;
+  NSSArena *rv = (NSSArena *)NULL;
 
-    rv = nss_ZNEW((NSSArena *)NULL, NSSArena);
-    if ((NSSArena *)NULL == rv) {
-        nss_SetError(NSS_ERROR_NO_MEMORY);
-        return (NSSArena *)NULL;
-    }
-
-    rv->lock = PR_NewLock();
-    if ((PRLock *)NULL == rv->lock) {
-        (void)nss_ZFreeIf(rv);
-        nss_SetError(NSS_ERROR_NO_MEMORY);
-        return (NSSArena *)NULL;
-    }
+  rv = nss_ZNEW((NSSArena *)NULL, NSSArena);
+  if( (NSSArena *)NULL == rv ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSArena *)NULL;
+  }
 
-    /*
-     * Arena sizes.  The current security code has 229 occurrences of
-     * PORT_NewArena.  The default chunksizes specified break down as
-     *
-     *  Size    Mult.   Specified as
-     *   512       1    512
-     *  1024       7    1024
-     *  2048       5    2048
-     *  2048       5    CRMF_DEFAULT_ARENA_SIZE
-     *  2048     190    DER_DEFAULT_CHUNKSIZE
-     *  2048      20    SEC_ASN1_DEFAULT_ARENA_SIZE
-     *  4096       1    4096
-     *
-     * Obviously this "default chunksize" flexibility isn't very
-     * useful to us, so I'll just pick 2048.
-     */
+  rv->lock = PR_NewLock();
+  if( (PRLock *)NULL == rv->lock ) {
+    (void)nss_ZFreeIf(rv);
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (NSSArena *)NULL;
+  }
 
-    PL_InitArenaPool(&rv->pool, "NSS", 2048, sizeof(double));
+  /*
+   * Arena sizes.  The current security code has 229 occurrences of
+   * PORT_NewArena.  The default chunksizes specified break down as
+   *
+   *  Size    Mult.   Specified as
+   *   512       1    512
+   *  1024       7    1024
+   *  2048       5    2048
+   *  2048       5    CRMF_DEFAULT_ARENA_SIZE
+   *  2048     190    DER_DEFAULT_CHUNKSIZE
+   *  2048      20    SEC_ASN1_DEFAULT_ARENA_SIZE
+   *  4096       1    4096
+   *
+   * Obviously this "default chunksize" flexibility isn't very 
+   * useful to us, so I'll just pick 2048.
+   */
+
+  PL_InitArenaPool(&rv->pool, "NSS", 2048, sizeof(double));
 
 #ifdef DEBUG
-    {
-        PRStatus st;
-        st = arena_add_pointer(rv);
-        if (PR_SUCCESS != st) {
-            PL_FinishArenaPool(&rv->pool);
-            PR_DestroyLock(rv->lock);
-            (void)nss_ZFreeIf(rv);
-            return (NSSArena *)NULL;
-        }
+  {
+    PRStatus st;
+    st = arena_add_pointer(rv);
+    if( PR_SUCCESS != st ) {
+      PL_FinishArenaPool(&rv->pool);
+      PR_DestroyLock(rv->lock);
+      (void)nss_ZFreeIf(rv);
+      return (NSSArena *)NULL;
     }
+  }
 #endif /* DEBUG */
 
-    return rv;
+  return rv;
 }
 
 /*
  * NSSArena_Destroy
  *
  * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if
+ * allocated from it.  This routine returns a PRStatus value; if 
  * successful, it will return PR_SUCCESS.  If unsuccessful, it will
  * create an error stack and return PR_FAILURE.
  *
  * The top-level error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS upon success
  *  PR_FAILURE upon failure
  */
 
 NSS_IMPLEMENT PRStatus
-NSSArena_Destroy(NSSArena *arena)
+NSSArena_Destroy
+(
+  NSSArena *arena
+)
 {
-    nss_ClearErrorStack();
+  nss_ClearErrorStack();
 
 #ifdef DEBUG
-    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
-        return PR_FAILURE;
-    }
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
 #endif /* DEBUG */
 
-    return nssArena_Destroy(arena);
+  return nssArena_Destroy(arena);
 }
 
 /*
  * nssArena_Destroy
  *
  * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if
+ * allocated from it.  This routine returns a PRStatus value; if 
  * successful, it will return PR_SUCCESS.  If unsuccessful, it will
  * set an error on the error stack and return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_Destroy(NSSArena *arena)
+nssArena_Destroy
+(
+  NSSArena *arena
+)
 {
-    PRLock *lock;
+  PRLock *lock;
 
 #ifdef NSSDEBUG
-    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
-        return PR_FAILURE;
-    }
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
 #endif /* NSSDEBUG */
 
-    if ((PRLock *)NULL == arena->lock) {
-        /* Just got destroyed */
-        nss_SetError(NSS_ERROR_INVALID_ARENA);
-        return PR_FAILURE;
-    }
-    PR_Lock(arena->lock);
-
+  if( (PRLock *)NULL == arena->lock ) {
+    /* Just got destroyed */
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return PR_FAILURE;
+  }
+  PR_Lock(arena->lock);
+  
 #ifdef DEBUG
-    if (PR_SUCCESS != arena_remove_pointer(arena)) {
-        PR_Unlock(arena->lock);
-        return PR_FAILURE;
-    }
+  if( PR_SUCCESS != arena_remove_pointer(arena) ) {
+    PR_Unlock(arena->lock);
+    return PR_FAILURE;
+  }
 #endif /* DEBUG */
 
 #ifdef ARENA_DESTRUCTOR_LIST
-    /* Note that the arena is locked at this time */
-    nss_arena_call_destructor_chain(arena->first_destructor);
+  /* Note that the arena is locked at this time */
+  nss_arena_call_destructor_chain(arena->first_destructor);
 #endif /* ARENA_DESTRUCTOR_LIST */
 
-    PL_FinishArenaPool(&arena->pool);
-    lock = arena->lock;
-    arena->lock = (PRLock *)NULL;
-    PR_Unlock(lock);
-    PR_DestroyLock(lock);
-    (void)nss_ZFreeIf(arena);
-    return PR_SUCCESS;
+  PL_FinishArenaPool(&arena->pool);
+  lock = arena->lock;
+  arena->lock = (PRLock *)NULL;
+  PR_Unlock(lock);
+  PR_DestroyLock(lock);
+  (void)nss_ZFreeIf(arena);
+  return PR_SUCCESS;
 }
 
 static void *nss_zalloc_arena_locked(NSSArena *arena, PRUint32 size);
 
 /*
  * nssArena_Mark
  *
  * This routine "marks" the current state of an arena.  Space
  * allocated after the arena has been marked can be freed by
  * releasing the arena back to the mark with nssArena_Release,
- * or committed by calling nssArena_Unmark.  When successful,
- * this routine returns a valid nssArenaMark pointer.  This
- * routine may return NULL upon error, in which case it will
+ * or committed by calling nssArena_Unmark.  When successful, 
+ * this routine returns a valid nssArenaMark pointer.  This 
+ * routine may return NULL upon error, in which case it will 
  * have set an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon failure
  *  An nssArenaMark pointer upon success
  */
 
 NSS_IMPLEMENT nssArenaMark *
-nssArena_Mark(NSSArena *arena)
+nssArena_Mark
+(
+  NSSArena *arena
+)
 {
-    nssArenaMark *rv;
-    void *p;
+  nssArenaMark *rv;
+  void *p;
 
 #ifdef NSSDEBUG
-    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
-        return (nssArenaMark *)NULL;
-    }
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return (nssArenaMark *)NULL;
+  }
 #endif /* NSSDEBUG */
 
-    if ((PRLock *)NULL == arena->lock) {
-        /* Just got destroyed */
-        nss_SetError(NSS_ERROR_INVALID_ARENA);
-        return (nssArenaMark *)NULL;
-    }
-    PR_Lock(arena->lock);
+  if( (PRLock *)NULL == arena->lock ) {
+    /* Just got destroyed */
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return (nssArenaMark *)NULL;
+  }
+  PR_Lock(arena->lock);
 
 #ifdef ARENA_THREADMARK
-    if ((PRThread *)NULL == arena->marking_thread) {
-        /* Unmarked.  Store our thread ID */
-        arena->marking_thread = PR_GetCurrentThread();
-        /* This call never fails. */
+  if( (PRThread *)NULL == arena->marking_thread ) {
+    /* Unmarked.  Store our thread ID */
+    arena->marking_thread = PR_GetCurrentThread();
+    /* This call never fails. */
+  } else {
+    /* Marked.  Verify it's the current thread */
+    if( PR_GetCurrentThread() != arena->marking_thread ) {
+      PR_Unlock(arena->lock);
+      nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+      return (nssArenaMark *)NULL;
     }
-    else {
-        /* Marked.  Verify it's the current thread */
-        if (PR_GetCurrentThread() != arena->marking_thread) {
-            PR_Unlock(arena->lock);
-            nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-            return (nssArenaMark *)NULL;
-        }
-    }
+  }
 #endif /* ARENA_THREADMARK */
 
-    p = PL_ARENA_MARK(&arena->pool);
-    /* No error possible */
+  p = PL_ARENA_MARK(&arena->pool);
+  /* No error possible */
 
-    /* Do this after the mark */
-    rv = (nssArenaMark *)nss_zalloc_arena_locked(arena, sizeof(nssArenaMark));
-    if ((nssArenaMark *)NULL == rv) {
-        PR_Unlock(arena->lock);
-        nss_SetError(NSS_ERROR_NO_MEMORY);
-        return (nssArenaMark *)NULL;
-    }
+  /* Do this after the mark */
+  rv = (nssArenaMark *)nss_zalloc_arena_locked(arena, sizeof(nssArenaMark));
+  if( (nssArenaMark *)NULL == rv ) {
+    PR_Unlock(arena->lock);
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (nssArenaMark *)NULL;
+  }
 
 #ifdef ARENA_THREADMARK
-    if ((nssArenaMark *)NULL == arena->first_mark) {
-        arena->first_mark = rv;
-        arena->last_mark = rv;
-    }
-    else {
-        arena->last_mark->next = rv;
-        arena->last_mark = rv;
-    }
+  if ( (nssArenaMark *)NULL == arena->first_mark) {
+    arena->first_mark = rv;
+    arena->last_mark = rv;
+  } else {
+    arena->last_mark->next = rv;
+    arena->last_mark = rv;
+  }
 #endif /* ARENA_THREADMARK */
 
-    rv->mark = p;
-    rv->magic = MARK_MAGIC;
+  rv->mark = p;
+  rv->magic = MARK_MAGIC;
 
 #ifdef ARENA_DESTRUCTOR_LIST
-    rv->prev_destructor = arena->last_destructor;
+  rv->prev_destructor = arena->last_destructor;
 #endif /* ARENA_DESTRUCTOR_LIST */
 
-    PR_Unlock(arena->lock);
+  PR_Unlock(arena->lock);
 
-    return rv;
+  return rv;
 }
 
 /*
  * nss_arena_unmark_release
  *
  * This static routine implements the routines nssArena_Release
  * ans nssArena_Unmark, which are almost identical.
  */
 
 static PRStatus
-nss_arena_unmark_release(NSSArena *arena, nssArenaMark *arenaMark,
-                         PRBool release)
+nss_arena_unmark_release
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark,
+  PRBool release
+)
 {
-    void *inner_mark;
+  void *inner_mark;
 
 #ifdef NSSDEBUG
-    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
-        return PR_FAILURE;
-    }
+  if( PR_SUCCESS != nssArena_verifyPointer(arena) ) {
+    return PR_FAILURE;
+  }
 #endif /* NSSDEBUG */
 
-    if (MARK_MAGIC != arenaMark->magic) {
-        nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
-        return PR_FAILURE;
-    }
-
-    if ((PRLock *)NULL == arena->lock) {
-        /* Just got destroyed */
-        nss_SetError(NSS_ERROR_INVALID_ARENA);
-        return PR_FAILURE;
-    }
-    PR_Lock(arena->lock);
+  if( MARK_MAGIC != arenaMark->magic ) {
+    nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
+    return PR_FAILURE;
+  }
 
-#ifdef ARENA_THREADMARK
-    if ((PRThread *)NULL != arena->marking_thread) {
-        if (PR_GetCurrentThread() != arena->marking_thread) {
-            PR_Unlock(arena->lock);
-            nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-            return PR_FAILURE;
-        }
-    }
-#endif /* ARENA_THREADMARK */
-
-    if (MARK_MAGIC != arenaMark->magic) {
-        /* Just got released */
-        PR_Unlock(arena->lock);
-        nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
-        return PR_FAILURE;
-    }
-
-    arenaMark->magic = 0;
-    inner_mark = arenaMark->mark;
+  if( (PRLock *)NULL == arena->lock ) {
+    /* Just got destroyed */
+    nss_SetError(NSS_ERROR_INVALID_ARENA);
+    return PR_FAILURE;
+  }
+  PR_Lock(arena->lock);
 
 #ifdef ARENA_THREADMARK
-    {
-        nssArenaMark **pMark = &arena->first_mark;
-        nssArenaMark *rest;
-        nssArenaMark *last = (nssArenaMark *)NULL;
-
-        /* Find this mark */
-        while (*pMark != arenaMark) {
-            last = *pMark;
-            pMark = &(*pMark)->next;
-        }
-
-        /* Remember the pointer, then zero it */
-        rest = (*pMark)->next;
-        *pMark = (nssArenaMark *)NULL;
-
-        arena->last_mark = last;
-
-        /* Invalidate any later marks being implicitly released */
-        for (; (nssArenaMark *)NULL != rest; rest = rest->next) {
-            rest->magic = 0;
-        }
-
-        /* If we just got rid of the first mark, clear the thread ID */
-        if ((nssArenaMark *)NULL == arena->first_mark) {
-            arena->marking_thread = (PRThread *)NULL;
-        }
+  if( (PRThread *)NULL != arena->marking_thread ) {
+    if( PR_GetCurrentThread() != arena->marking_thread ) {
+      PR_Unlock(arena->lock);
+      nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+      return PR_FAILURE;
     }
+  }
 #endif /* ARENA_THREADMARK */
 
-    if (release) {
+  if( MARK_MAGIC != arenaMark->magic ) {
+    /* Just got released */
+    PR_Unlock(arena->lock);
+    nss_SetError(NSS_ERROR_INVALID_ARENA_MARK);
+    return PR_FAILURE;
+  }
+
+  arenaMark->magic = 0;
+  inner_mark = arenaMark->mark;
+
+#ifdef ARENA_THREADMARK
+  {
+    nssArenaMark **pMark = &arena->first_mark;
+    nssArenaMark *rest;
+    nssArenaMark *last = (nssArenaMark *)NULL;
+
+    /* Find this mark */
+    while( *pMark != arenaMark ) {
+      last = *pMark;
+      pMark = &(*pMark)->next;
+    }
+
+    /* Remember the pointer, then zero it */
+    rest = (*pMark)->next;
+    *pMark = (nssArenaMark *)NULL;
+
+    arena->last_mark = last;
+
+    /* Invalidate any later marks being implicitly released */
+    for( ; (nssArenaMark *)NULL != rest; rest = rest->next ) {
+      rest->magic = 0;
+    }
+
+    /* If we just got rid of the first mark, clear the thread ID */
+    if( (nssArenaMark *)NULL == arena->first_mark ) {
+      arena->marking_thread = (PRThread *)NULL;
+    }
+  }
+#endif /* ARENA_THREADMARK */
+
+  if( release ) {
 #ifdef ARENA_DESTRUCTOR_LIST
-        if ((struct arena_destructor_node *)NULL !=
-            arenaMark->prev_destructor) {
-            arenaMark->prev_destructor->next =
-                (struct arena_destructor_node *)NULL;
-        }
-        arena->last_destructor = arenaMark->prev_destructor;
+    if( (struct arena_destructor_node *)NULL != arenaMark->prev_destructor ) {
+      arenaMark->prev_destructor->next = (struct arena_destructor_node *)NULL;
+    }
+    arena->last_destructor = arenaMark->prev_destructor;
 
-        /* Note that the arena is locked at this time */
-        nss_arena_call_destructor_chain(arenaMark->next_destructor);
+    /* Note that the arena is locked at this time */
+    nss_arena_call_destructor_chain(arenaMark->next_destructor);
 #endif /* ARENA_DESTRUCTOR_LIST */
 
-        PL_ARENA_RELEASE(&arena->pool, inner_mark);
-        /* No error return */
-    }
+    PL_ARENA_RELEASE(&arena->pool, inner_mark);
+    /* No error return */
+  }
 
-    PR_Unlock(arena->lock);
-    return PR_SUCCESS;
+  PR_Unlock(arena->lock);
+  return PR_SUCCESS;
 }
 
 /*
  * nssArena_Release
  *
  * This routine invalidates and releases all memory allocated from
  * the specified arena after the point at which the specified mark
  * was obtained.  This routine returns a PRStatus value; if successful,
@@ -692,19 +727,23 @@ nss_arena_unmark_release(NSSArena *arena
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_Release(NSSArena *arena, nssArenaMark *arenaMark)
+nssArena_Release
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark
+)
 {
-    return nss_arena_unmark_release(arena, arenaMark, PR_TRUE);
+  return nss_arena_unmark_release(arena, arenaMark, PR_TRUE);
 }
 
 /*
  * nssArena_Unmark
  *
  * This routine "commits" the indicated mark and any marks after
  * it, making them unreleasable.  Note that any earlier marks can
  * still be released, and such a release will invalidate these
@@ -720,430 +759,456 @@ nssArena_Release(NSSArena *arena, nssAre
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nssArena_Unmark(NSSArena *arena, nssArenaMark *arenaMark)
+nssArena_Unmark
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark
+)
 {
-    return nss_arena_unmark_release(arena, arenaMark, PR_FALSE);
+  return nss_arena_unmark_release(arena, arenaMark, PR_FALSE);
 }
 
 /*
  * We prefix this header to all allocated blocks.  It is a multiple
  * of the alignment size.  Note that this usage of a header may make
  * purify spew bogus warnings about "potentially leaked blocks" of
  * memory; if that gets too annoying we can add in a pointer to the
  * header in the header itself.  There's not a lot of safety here;
  * maybe we should add a magic value?
  */
 struct pointer_header {
-    NSSArena *arena;
-    PRUint32 size;
+  NSSArena *arena;
+  PRUint32 size;
 };
 
 static void *
-nss_zalloc_arena_locked(NSSArena *arena, PRUint32 size)
+nss_zalloc_arena_locked
+(
+  NSSArena *arena,
+  PRUint32 size
+)
 {
-    void *p;
-    void *rv;
-    struct pointer_header *h;
-    PRUint32 my_size = size + sizeof(struct pointer_header);
-    PL_ARENA_ALLOCATE(p, &arena->pool, my_size);
-    if ((void *)NULL == p) {
-        nss_SetError(NSS_ERROR_NO_MEMORY);
-        return (void *)NULL;
-    }
-    /*
-     * Do this before we unlock.  This way if the user is using
-     * an arena in one thread while destroying it in another, he'll
-     * fault/FMR in his code, not ours.
-     */
-    h = (struct pointer_header *)p;
-    h->arena = arena;
-    h->size = size;
-    rv = (void *)((char *)h + sizeof(struct pointer_header));
-    (void)nsslibc_memset(rv, 0, size);
-    return rv;
+  void *p;
+  void *rv;
+  struct pointer_header *h;
+  PRUint32 my_size = size + sizeof(struct pointer_header);
+  PL_ARENA_ALLOCATE(p, &arena->pool, my_size);
+  if( (void *)NULL == p ) {
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (void *)NULL;
+  }
+  /* 
+   * Do this before we unlock.  This way if the user is using
+   * an arena in one thread while destroying it in another, he'll
+   * fault/FMR in his code, not ours.
+   */
+  h = (struct pointer_header *)p;
+  h->arena = arena;
+  h->size = size;
+  rv = (void *)((char *)h + sizeof(struct pointer_header));
+  (void)nsslibc_memset(rv, 0, size);
+  return rv;
 }
 
 /*
  * NSS_ZAlloc
  *
- * This routine allocates and zeroes a section of memory of the
+ * This routine allocates and zeroes a section of memory of the 
  * size, and returns to the caller a pointer to that memory.  If
  * the optional arena argument is non-null, the memory will be
  * obtained from that arena; otherwise, the memory will be obtained
  * from the heap.  This routine may return NULL upon error, in
  * which case it will have set an error upon the error stack.  The
- * value specified for size may be zero; in which case a valid
+ * value specified for size may be zero; in which case a valid 
  * zero-length block of memory will be allocated.  This block may
  * be expanded by calling NSS_ZRealloc.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
 NSS_IMPLEMENT void *
-NSS_ZAlloc(NSSArena *arenaOpt, PRUint32 size)
+NSS_ZAlloc
+(
+  NSSArena *arenaOpt,
+  PRUint32 size
+)
 {
-    return nss_ZAlloc(arenaOpt, size);
+  return nss_ZAlloc(arenaOpt, size);
 }
 
 /*
  * nss_ZAlloc
  *
- * This routine allocates and zeroes a section of memory of the
+ * This routine allocates and zeroes a section of memory of the 
  * size, and returns to the caller a pointer to that memory.  If
  * the optional arena argument is non-null, the memory will be
  * obtained from that arena; otherwise, the memory will be obtained
  * from the heap.  This routine may return NULL upon error, in
  * which case it will have set an error upon the error stack.  The
- * value specified for size may be zero; in which case a valid
+ * value specified for size may be zero; in which case a valid 
  * zero-length block of memory will be allocated.  This block may
  * be expanded by calling nss_ZRealloc.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
 NSS_IMPLEMENT void *
-nss_ZAlloc(NSSArena *arenaOpt, PRUint32 size)
+nss_ZAlloc
+(
+  NSSArena *arenaOpt,
+  PRUint32 size
+)
 {
-    struct pointer_header *h;
-    PRUint32 my_size = size + sizeof(struct pointer_header);
+  struct pointer_header *h;
+  PRUint32 my_size = size + sizeof(struct pointer_header);
 
-    if (my_size < sizeof(struct pointer_header)) {
-        /* Wrapped */
-        nss_SetError(NSS_ERROR_NO_MEMORY);
-        return (void *)NULL;
+  if( my_size < sizeof(struct pointer_header) ) {
+    /* Wrapped */
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (void *)NULL;
+  }
+
+  if( (NSSArena *)NULL == arenaOpt ) {
+    /* Heap allocation, no locking required. */
+    h = (struct pointer_header *)PR_Calloc(1, my_size);
+    if( (struct pointer_header *)NULL == h ) {
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (void *)NULL;
     }
 
-    if ((NSSArena *)NULL == arenaOpt) {
-        /* Heap allocation, no locking required. */
-        h = (struct pointer_header *)PR_Calloc(1, my_size);
-        if ((struct pointer_header *)NULL == h) {
-            nss_SetError(NSS_ERROR_NO_MEMORY);
-            return (void *)NULL;
-        }
+    h->arena = (NSSArena *)NULL;
+    h->size = size;
+    /* We used calloc: it's already zeroed */
 
-        h->arena = (NSSArena *)NULL;
-        h->size = size;
-        /* We used calloc: it's already zeroed */
-
-        return (void *)((char *)h + sizeof(struct pointer_header));
+    return (void *)((char *)h + sizeof(struct pointer_header));
+  } else {
+    void *rv;
+    /* Arena allocation */
+#ifdef NSSDEBUG
+    if( PR_SUCCESS != nssArena_verifyPointer(arenaOpt) ) {
+      return (void *)NULL;
     }
-    else {
-        void *rv;
-/* Arena allocation */
-#ifdef NSSDEBUG
-        if (PR_SUCCESS != nssArena_verifyPointer(arenaOpt)) {
-            return (void *)NULL;
-        }
 #endif /* NSSDEBUG */
 
-        if ((PRLock *)NULL == arenaOpt->lock) {
-            /* Just got destroyed */
-            nss_SetError(NSS_ERROR_INVALID_ARENA);
-            return (void *)NULL;
-        }
-        PR_Lock(arenaOpt->lock);
+    if( (PRLock *)NULL == arenaOpt->lock ) {
+      /* Just got destroyed */
+      nss_SetError(NSS_ERROR_INVALID_ARENA);
+      return (void *)NULL;
+    }
+    PR_Lock(arenaOpt->lock);
 
 #ifdef ARENA_THREADMARK
-        if ((PRThread *)NULL != arenaOpt->marking_thread) {
-            if (PR_GetCurrentThread() != arenaOpt->marking_thread) {
-                nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-                PR_Unlock(arenaOpt->lock);
-                return (void *)NULL;
-            }
-        }
+    if( (PRThread *)NULL != arenaOpt->marking_thread ) {
+      if( PR_GetCurrentThread() != arenaOpt->marking_thread ) {
+        nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+        PR_Unlock(arenaOpt->lock);
+        return (void *)NULL;
+      }
+    }
 #endif /* ARENA_THREADMARK */
 
-        rv = nss_zalloc_arena_locked(arenaOpt, size);
+    rv = nss_zalloc_arena_locked(arenaOpt, size);
 
-        PR_Unlock(arenaOpt->lock);
-        return rv;
-    }
-    /*NOTREACHED*/
+    PR_Unlock(arenaOpt->lock);
+    return rv;
+  }
+  /*NOTREACHED*/
 }
 
 /*
  * NSS_ZFreeIf
  *
- * If the specified pointer is non-null, then the region of memory
- * to which it points -- which must have been allocated with
- * NSS_ZAlloc -- will be zeroed and released.  This routine
+ * If the specified pointer is non-null, then the region of memory 
+ * to which it points -- which must have been allocated with 
+ * NSS_ZAlloc -- will be zeroed and released.  This routine 
  * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return
+ * If unsuccessful, it will set an error on the error stack and return 
  * PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 NSS_IMPLEMENT PRStatus
-NSS_ZFreeIf(void *pointer)
+NSS_ZFreeIf
+(
+  void *pointer
+)
 {
-    return nss_ZFreeIf(pointer);
+   return nss_ZFreeIf(pointer);
 }
 
 /*
  * nss_ZFreeIf
  *
- * If the specified pointer is non-null, then the region of memory
- * to which it points -- which must have been allocated with
- * nss_ZAlloc -- will be zeroed and released.  This routine
+ * If the specified pointer is non-null, then the region of memory 
+ * to which it points -- which must have been allocated with 
+ * nss_ZAlloc -- will be zeroed and released.  This routine 
  * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return
+ * If unsuccessful, it will set an error on the error stack and return 
  * PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
 NSS_IMPLEMENT PRStatus
-nss_ZFreeIf(void *pointer)
+nss_ZFreeIf
+(
+  void *pointer
+)
 {
-    struct pointer_header *h;
+  struct pointer_header *h;
 
-    if ((void *)NULL == pointer) {
-        return PR_SUCCESS;
-    }
+  if( (void *)NULL == pointer ) {
+    return PR_SUCCESS;
+  }
 
-    h = (struct pointer_header *)((char *)pointer -
-                                  sizeof(struct pointer_header));
-
-    /* Check any magic here */
+  h = (struct pointer_header *)((char *)pointer
+    - sizeof(struct pointer_header));
 
-    if ((NSSArena *)NULL == h->arena) {
-        /* Heap */
-        (void)nsslibc_memset(pointer, 0, h->size);
-        PR_Free(h);
-        return PR_SUCCESS;
+  /* Check any magic here */
+
+  if( (NSSArena *)NULL == h->arena ) {
+    /* Heap */
+    (void)nsslibc_memset(pointer, 0, h->size);
+    PR_Free(h);
+    return PR_SUCCESS;
+  } else {
+    /* Arena */
+#ifdef NSSDEBUG
+    if( PR_SUCCESS != nssArena_verifyPointer(h->arena) ) {
+      return PR_FAILURE;
     }
-    else {
-/* Arena */
-#ifdef NSSDEBUG
-        if (PR_SUCCESS != nssArena_verifyPointer(h->arena)) {
-            return PR_FAILURE;
-        }
 #endif /* NSSDEBUG */
 
-        if ((PRLock *)NULL == h->arena->lock) {
-            /* Just got destroyed.. so this pointer is invalid */
-            nss_SetError(NSS_ERROR_INVALID_POINTER);
-            return PR_FAILURE;
-        }
-        PR_Lock(h->arena->lock);
+    if( (PRLock *)NULL == h->arena->lock ) {
+      /* Just got destroyed.. so this pointer is invalid */
+      nss_SetError(NSS_ERROR_INVALID_POINTER);
+      return PR_FAILURE;
+    }
+    PR_Lock(h->arena->lock);
 
-        (void)nsslibc_memset(pointer, 0, h->size);
+    (void)nsslibc_memset(pointer, 0, h->size);
 
-        /* No way to "free" it within an NSPR arena. */
+    /* No way to "free" it within an NSPR arena. */
 
-        PR_Unlock(h->arena->lock);
-        return PR_SUCCESS;
-    }
-    /*NOTREACHED*/
+    PR_Unlock(h->arena->lock);
+    return PR_SUCCESS;
+  }
+  /*NOTREACHED*/
 }
 
 /*
  * NSS_ZRealloc
  *
  * This routine reallocates a block of memory obtained by calling
- * nss_ZAlloc or nss_ZRealloc.  The portion of memory
+ * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
  * between the new and old sizes -- which is either being newly
- * obtained or released -- is in either case zeroed.  This routine
- * may return NULL upon failure, in which case it will have placed
+ * obtained or released -- is in either case zeroed.  This routine 
+ * may return NULL upon failure, in which case it will have placed 
  * an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the replacement segment of memory
  */
 
 NSS_EXTERN void *
-NSS_ZRealloc(void *pointer, PRUint32 newSize)
+NSS_ZRealloc
+(
+  void *pointer,
+  PRUint32 newSize
+)
 {
     return nss_ZRealloc(pointer, newSize);
 }
 
 /*
  * nss_ZRealloc
  *
  * This routine reallocates a block of memory obtained by calling
- * nss_ZAlloc or nss_ZRealloc.  The portion of memory
+ * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
  * between the new and old sizes -- which is either being newly
- * obtained or released -- is in either case zeroed.  This routine
- * may return NULL upon failure, in which case it will have placed
+ * obtained or released -- is in either case zeroed.  This routine 
+ * may return NULL upon failure, in which case it will have placed 
  * an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the replacement segment of memory
  */
 
 NSS_EXTERN void *
-nss_ZRealloc(void *pointer, PRUint32 newSize)
+nss_ZRealloc
+(
+  void *pointer,
+  PRUint32 newSize
+)
 {
-    NSSArena *arena;
-    struct pointer_header *h, *new_h;
-    PRUint32 my_newSize = newSize + sizeof(struct pointer_header);
-    void *rv;
+  NSSArena *arena;
+  struct pointer_header *h, *new_h;
+  PRUint32 my_newSize = newSize + sizeof(struct pointer_header);
+  void *rv;
 
-    if (my_newSize < sizeof(struct pointer_header)) {
-        /* Wrapped */
-        nss_SetError(NSS_ERROR_NO_MEMORY);
-        return (void *)NULL;
-    }
+  if( my_newSize < sizeof(struct pointer_header) ) {
+    /* Wrapped */
+    nss_SetError(NSS_ERROR_NO_MEMORY);
+    return (void *)NULL;
+  }
 
-    if ((void *)NULL == pointer) {
-        nss_SetError(NSS_ERROR_INVALID_POINTER);
-        return (void *)NULL;
-    }
+  if( (void *)NULL == pointer ) {
+    nss_SetError(NSS_ERROR_INVALID_POINTER);
+    return (void *)NULL;
+  }
+
+  h = (struct pointer_header *)((char *)pointer
+    - sizeof(struct pointer_header));
+
+  /* Check any magic here */
 
-    h = (struct pointer_header *)((char *)pointer -
-                                  sizeof(struct pointer_header));
+  if( newSize == h->size ) {
+    /* saves thrashing */
+    return pointer;
+  }
 
-    /* Check any magic here */
-
-    if (newSize == h->size) {
-        /* saves thrashing */
-        return pointer;
+  arena = h->arena;
+  if (!arena) {
+    /* Heap */
+    new_h = (struct pointer_header *)PR_Calloc(1, my_newSize);
+    if( (struct pointer_header *)NULL == new_h ) {
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (void *)NULL;
     }
 
-    arena = h->arena;
-    if (!arena) {
-        /* Heap */
-        new_h = (struct pointer_header *)PR_Calloc(1, my_newSize);
-        if ((struct pointer_header *)NULL == new_h) {
-            nss_SetError(NSS_ERROR_NO_MEMORY);
-            return (void *)NULL;
-        }
+    new_h->arena = (NSSArena *)NULL;
+    new_h->size = newSize;
+    rv = (void *)((char *)new_h + sizeof(struct pointer_header));
 
-        new_h->arena = (NSSArena *)NULL;
-        new_h->size = newSize;
-        rv = (void *)((char *)new_h + sizeof(struct pointer_header));
+    if( newSize > h->size ) {
+      (void)nsslibc_memcpy(rv, pointer, h->size);
+      (void)nsslibc_memset(&((char *)rv)[ h->size ], 
+                           0, (newSize - h->size));
+    } else {
+      (void)nsslibc_memcpy(rv, pointer, newSize);
+    }
 
-        if (newSize > h->size) {
-            (void)nsslibc_memcpy(rv, pointer, h->size);
-            (void)nsslibc_memset(&((char *)rv)[h->size], 0,
-                                 (newSize - h->size));
-        }
-        else {
-            (void)nsslibc_memcpy(rv, pointer, newSize);
-        }
+    (void)nsslibc_memset(pointer, 0, h->size);
+    h->size = 0;
+    PR_Free(h);
 
-        (void)nsslibc_memset(pointer, 0, h->size);
-        h->size = 0;
-        PR_Free(h);
-
-        return rv;
+    return rv;
+  } else {
+    void *p;
+    /* Arena */
+#ifdef NSSDEBUG
+    if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
+      return (void *)NULL;
     }
-    else {
-        void *p;
-/* Arena */
-#ifdef NSSDEBUG
-        if (PR_SUCCESS != nssArena_verifyPointer(arena)) {
-            return (void *)NULL;
-        }
 #endif /* NSSDEBUG */
 
-        if (!arena->lock) {
-            /* Just got destroyed.. so this pointer is invalid */
-            nss_SetError(NSS_ERROR_INVALID_POINTER);
-            return (void *)NULL;
-        }
-        PR_Lock(arena->lock);
+    if (!arena->lock) {
+      /* Just got destroyed.. so this pointer is invalid */
+      nss_SetError(NSS_ERROR_INVALID_POINTER);
+      return (void *)NULL;
+    }
+    PR_Lock(arena->lock);
 
 #ifdef ARENA_THREADMARK
-        if (arena->marking_thread) {
-            if (PR_GetCurrentThread() != arena->marking_thread) {
-                PR_Unlock(arena->lock);
-                nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
-                return (void *)NULL;
-            }
-        }
+    if (arena->marking_thread) {
+      if (PR_GetCurrentThread() != arena->marking_thread) {
+        PR_Unlock(arena->lock);
+        nss_SetError(NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD);
+        return (void *)NULL;
+      }
+    }
 #endif /* ARENA_THREADMARK */
 
-        if (newSize < h->size) {
-            /*
-             * We have no general way of returning memory to the arena
-             * (mark/release doesn't work because things may have been
-             * allocated after this object), so the memory is gone
-             * anyway.  We might as well just return the same pointer to
-             * the user, saying "yeah, uh-hunh, you can only use less of
-             * it now."  We'll zero the leftover part, of course.  And
-             * in fact we might as well *not* adjust h->size-- this way,
-             * if the user reallocs back up to something not greater than
-             * the original size, then voila, there's the memory!  This
-             * way a thrash big/small/big/small doesn't burn up the arena.
-             */
-            char *extra = &((char *)pointer)[newSize];
-            (void)nsslibc_memset(extra, 0, (h->size - newSize));
-            PR_Unlock(arena->lock);
-            return pointer;
-        }
+    if( newSize < h->size ) {
+      /*
+       * We have no general way of returning memory to the arena
+       * (mark/release doesn't work because things may have been
+       * allocated after this object), so the memory is gone
+       * anyway.  We might as well just return the same pointer to
+       * the user, saying "yeah, uh-hunh, you can only use less of
+       * it now."  We'll zero the leftover part, of course.  And
+       * in fact we might as well *not* adjust h->size-- this way,
+       * if the user reallocs back up to something not greater than
+       * the original size, then voila, there's the memory!  This
+       * way a thrash big/small/big/small doesn't burn up the arena.
+       */
+      char *extra = &((char *)pointer)[ newSize ];
+      (void)nsslibc_memset(extra, 0, (h->size - newSize));
+      PR_Unlock(arena->lock);
+      return pointer;
+    }
 
-        PL_ARENA_ALLOCATE(p, &arena->pool, my_newSize);
-        if ((void *)NULL == p) {
-            PR_Unlock(arena->lock);
-            nss_SetError(NSS_ERROR_NO_MEMORY);
-            return (void *)NULL;
-        }
+    PL_ARENA_ALLOCATE(p, &arena->pool, my_newSize);
+    if( (void *)NULL == p ) {
+      PR_Unlock(arena->lock);
+      nss_SetError(NSS_ERROR_NO_MEMORY);
+      return (void *)NULL;
+    }
 
-        new_h = (struct pointer_header *)p;
-        new_h->arena = arena;
-        new_h->size = newSize;
-        rv = (void *)((char *)new_h + sizeof(struct pointer_header));
-        if (rv != pointer) {
-            (void)nsslibc_memcpy(rv, pointer, h->size);
-            (void)nsslibc_memset(pointer, 0, h->size);
-        }
-        (void)nsslibc_memset(&((char *)rv)[h->size], 0, (newSize - h->size));
-        h->arena = (NSSArena *)NULL;
-        h->size = 0;
-        PR_Unlock(arena->lock);
-        return rv;
+    new_h = (struct pointer_header *)p;
+    new_h->arena = arena;
+    new_h->size = newSize;
+    rv = (void *)((char *)new_h + sizeof(struct pointer_header));
+    if (rv != pointer) {
+	(void)nsslibc_memcpy(rv, pointer, h->size);
+	(void)nsslibc_memset(pointer, 0, h->size);
     }
-    /*NOTREACHED*/
+    (void)nsslibc_memset(&((char *)rv)[ h->size ], 0, (newSize - h->size));
+    h->arena = (NSSArena *)NULL;
+    h->size = 0;
+    PR_Unlock(arena->lock);
+    return rv;
+  }
+  /*NOTREACHED*/
 }
 
-PRStatus
+PRStatus 
 nssArena_Shutdown(void)
 {
-    PRStatus rv = PR_SUCCESS;
+  PRStatus rv = PR_SUCCESS;
 #ifdef DEBUG
-    rv = nssPointerTracker_finalize(&arena_pointer_tracker);
+  rv = nssPointerTracker_finalize(&arena_pointer_tracker);
 #endif
-    return rv;
+  return rv;
 }
--- a/security/nss/lib/base/base.h
+++ b/security/nss/lib/base/base.h
@@ -3,17 +3,17 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef BASE_H
 #define BASE_H
 
 /*
  * base.h
  *
- * This header file contains basic prototypes and preprocessor
+ * This header file contains basic prototypes and preprocessor 
  * definitions used throughout nss but not available publicly.
  */
 
 #ifndef BASET_H
 #include "baset.h"
 #endif /* BASET_H */
 
 #ifndef NSSBASE_H
@@ -59,17 +59,17 @@ PR_BEGIN_EXTERN_C
  *
  *  nssArenaHashAllocOps
  */
 
 /*
  * nssArena_Create
  *
  * This routine creates a new memory arena.  This routine may return
- * NULL upon error, in which case it will have set an error on the
+ * NULL upon error, in which case it will have set an error on the 
  * error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to an NSSArena upon success
@@ -78,62 +78,74 @@ PR_BEGIN_EXTERN_C
 /*
  * XXX fgmr
  * Arenas can be named upon creation; this is mostly of use when
  * debugging.  Should we expose that here, allowing an optional
  * "const char *name" argument?  Should the public version of this
  * call (NSSArena_Create) have it too?
  */
 
-NSS_EXTERN NSSArena *nssArena_Create(void);
+NSS_EXTERN NSSArena *
+nssArena_Create
+(
+  void
+);
 
 extern const NSSError NSS_ERROR_NO_MEMORY;
 
 /*
  * nssArena_Destroy
  *
  * This routine will destroy the specified arena, freeing all memory
- * allocated from it.  This routine returns a PRStatus value; if
+ * allocated from it.  This routine returns a PRStatus value; if 
  * successful, it will return PR_SUCCESS.  If unsuccessful, it will
  * set an error on the error stack and return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus nssArena_Destroy(NSSArena *arena);
+NSS_EXTERN PRStatus
+nssArena_Destroy
+(
+  NSSArena *arena
+);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 
 /*
  * nssArena_Mark
  *
  * This routine "marks" the current state of an arena.  Space
  * allocated after the arena has been marked can be freed by
  * releasing the arena back to the mark with nssArena_Release,
- * or committed by calling nssArena_Unmark.  When successful,
- * this routine returns a valid nssArenaMark pointer.  This
- * routine may return NULL upon error, in which case it will
+ * or committed by calling nssArena_Unmark.  When successful, 
+ * this routine returns a valid nssArenaMark pointer.  This 
+ * routine may return NULL upon error, in which case it will 
  * have set an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon failure
  *  An nssArenaMark pointer upon success
  */
 
-NSS_EXTERN nssArenaMark *nssArena_Mark(NSSArena *arena);
+NSS_EXTERN nssArenaMark *
+nssArena_Mark
+(
+  NSSArena *arena
+);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
 
 /*
  * nssArena_Release
  *
@@ -148,17 +160,22 @@ extern const NSSError NSS_ERROR_ARENA_MA
  *  NSS_ERROR_INVALID_ARENA_MARK
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus nssArena_Release(NSSArena *arena, nssArenaMark *arenaMark);
+NSS_EXTERN PRStatus
+nssArena_Release
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark
+);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
 
 /*
  * nssArena_Unmark
  *
  * This routine "commits" the indicated mark and any marks after
@@ -175,17 +192,22 @@ extern const NSSError NSS_ERROR_INVALID_
  *  NSS_ERROR_INVALID_ARENA_MARK
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus nssArena_Unmark(NSSArena *arena, nssArenaMark *arenaMark);
+NSS_EXTERN PRStatus
+nssArena_Unmark
+(
+  NSSArena *arena,
+  nssArenaMark *arenaMark
+);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_INVALID_ARENA_MARK;
 extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
 
 #ifdef ARENA_DESTRUCTOR_LIST
 
 /*
@@ -195,205 +217,229 @@ extern const NSSError NSS_ERROR_ARENA_MA
  * pointer-sized argument in the arena, at the current point in
  * the mark stack.  If the arena is destroyed, or an "earlier"
  * mark is released, then this destructor will be called at that
  * time.  Note that the destructor will be called with the arena
  * locked, which means the destructor may free memory in that
  * arena, but it may not allocate or cause to be allocated any
  * memory.  This callback facility was included to support our
  * debug-version pointer-tracker feature; overuse runs counter to
- * the the original intent of arenas.  This routine returns a
- * PRStatus value; if successful, it will return PR_SUCCESS.  If
- * unsuccessful, it will set an error on the error stack and
+ * the the original intent of arenas.  This routine returns a 
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If 
+ * unsuccessful, it will set an error on the error stack and 
  * return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus nssArena_registerDestructor(
-    NSSArena *arena, void (*destructor)(void *argument), void *arg);
+NSS_EXTERN PRStatus
+nssArena_registerDestructor
+(
+  NSSArena *arena,
+  void (*destructor)(void *argument),
+  void *arg
+);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 
 /*
  * nssArena_deregisterDestructor
  *
  * This routine will remove the first destructor in the specified
  * arena which has the specified destructor and argument values.
  * The destructor will not be called.  This routine returns a
- * PRStatus value; if successful, it will return PR_SUCCESS.  If
- * unsuccessful, it will set an error on the error stack and
+ * PRStatus value; if successful, it will return PR_SUCCESS.  If 
+ * unsuccessful, it will set an error on the error stack and 
  * return PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NOT_FOUND
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus nssArena_deregisterDestructor(
-    NSSArena *arena, void (*destructor)(void *argument), void *arg);
+NSS_EXTERN PRStatus
+nssArena_deregisterDestructor
+(
+  NSSArena *arena,
+  void (*destructor)(void *argument),
+  void *arg
+);
 
 extern const NSSError NSS_ERROR_INVALID_ITEM;
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_NOT_FOUND;
 
 #endif /* ARENA_DESTRUCTOR_LIST */
 
 /*
  * nss_ZAlloc
  *
- * This routine allocates and zeroes a section of memory of the
+ * This routine allocates and zeroes a section of memory of the 
  * size, and returns to the caller a pointer to that memory.  If
  * the optional arena argument is non-null, the memory will be
  * obtained from that arena; otherwise, the memory will be obtained
  * from the heap.  This routine may return NULL upon error, in
  * which case it will have set an error upon the error stack.  The
- * value specified for size may be zero; in which case a valid
+ * value specified for size may be zero; in which case a valid 
  * zero-length block of memory will be allocated.  This block may
  * be expanded by calling nss_ZRealloc.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
-NSS_EXTERN void *nss_ZAlloc(NSSArena *arenaOpt, PRUint32 size);
+NSS_EXTERN void *
+nss_ZAlloc
+(
+  NSSArena *arenaOpt,
+  PRUint32 size
+);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
 
 /*
  * nss_ZFreeIf
  *
- * If the specified pointer is non-null, then the region of memory
- * to which it points -- which must have been allocated with
- * nss_ZAlloc -- will be zeroed and released.  This routine
+ * If the specified pointer is non-null, then the region of memory 
+ * to which it points -- which must have been allocated with 
+ * nss_ZAlloc -- will be zeroed and released.  This routine 
  * returns a PRStatus value; if successful, it will return PR_SUCCESS.
- * If unsuccessful, it will set an error on the error stack and return
+ * If unsuccessful, it will set an error on the error stack and return 
  * PR_FAILURE.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_SUCCESS
  *  PR_FAILURE
  */
 
-NSS_EXTERN PRStatus nss_ZFreeIf(void *pointer);
+NSS_EXTERN PRStatus
+nss_ZFreeIf
+(
+  void *pointer
+);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 
 /*
  * nss_ZRealloc
  *
  * This routine reallocates a block of memory obtained by calling
- * nss_ZAlloc or nss_ZRealloc.  The portion of memory
+ * nss_ZAlloc or nss_ZRealloc.  The portion of memory 
  * between the new and old sizes -- which is either being newly
- * obtained or released -- is in either case zeroed.  This routine
- * may return NULL upon failure, in which case it will have placed
+ * obtained or released -- is in either case zeroed.  This routine 
+ * may return NULL upon failure, in which case it will have placed 
  * an error on the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the replacement segment of memory
  */
 
-NSS_EXTERN void *nss_ZRealloc(void *pointer, PRUint32 newSize);
+NSS_EXTERN void *
+nss_ZRealloc
+(
+  void *pointer,
+  PRUint32 newSize
+);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 extern const NSSError NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD;
 
 /*
  * nss_ZNEW
  *
  * This preprocessor macro will allocate memory for a new object
  * of the specified type with nss_ZAlloc, and will cast the
- * return value appropriately.  If the optional arena argument is
- * non-null, the memory will be obtained from that arena; otherwise,
- * the memory will be obtained from the heap.  This routine may
- * return NULL upon error, in which case it will have set an error
+ * return value appropriately.  If the optional arena argument is 
+ * non-null, the memory will be obtained from that arena; otherwise, 
+ * the memory will be obtained from the heap.  This routine may 
+ * return NULL upon error, in which case it will have set an error 
  * upon the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
+/* The following line exceeds 72 characters, but emacs screws up if I split it. */
 #define nss_ZNEW(arenaOpt, type) ((type *)nss_ZAlloc((arenaOpt), sizeof(type)))
 
 /*
  * nss_ZNEWARRAY
  *
  * This preprocessor macro will allocate memory for an array of
  * new objects, and will cast the return value appropriately.
- * If the optional arena argument is non-null, the memory will
- * be obtained from that arena; otherwise, the memory will be
- * obtained from the heap.  This routine may return NULL upon
- * error, in which case it will have set an error upon the error
+ * If the optional arena argument is non-null, the memory will 
+ * be obtained from that arena; otherwise, the memory will be 
+ * obtained from the heap.  This routine may return NULL upon 
+ * error, in which case it will have set an error upon the error 
  * stack.  The array size may be specified as zero.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the new segment of zeroed memory
  */
 
-#define nss_ZNEWARRAY(arenaOpt, type, quantity)                                \
-    ((type *)nss_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
+/* The following line exceeds 72 characters, but emacs screws up if I split it. */
+#define nss_ZNEWARRAY(arenaOpt, type, quantity) ((type *)nss_ZAlloc((arenaOpt), sizeof(type) * (quantity)))
 
 /*
  * nss_ZREALLOCARRAY
  *
  * This preprocessor macro will reallocate memory for an array of
  * new objects, and will cast the return value appropriately.
- * This routine may return NULL upon error, in which case it will
+ * This routine may return NULL upon error, in which case it will 
  *  have set an error upon the error stack.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_ARENA_MARKED_BY_ANOTHER_THREAD
  *
  * Return value:
  *  NULL upon error
  *  A pointer to the replacement segment of memory
  */
-#define nss_ZREALLOCARRAY(p, type, quantity)                                   \
-    ((type *)nss_ZRealloc((p), sizeof(type) * (quantity)))
+#define nss_ZREALLOCARRAY(p, type, quantity) ((type *)nss_ZRealloc((p), sizeof(type) * (quantity)))
 
 /*
  * nssArena_verifyPointer
  *
  * This method is only present in debug builds.
  *
  * If the specified pointer is a valid pointer to an NSSArena object,
  * this routine will return PR_SUCCESS.  Otherwise, it will put an
@@ -403,17 +449,21 @@ extern const NSSError NSS_ERROR_ARENA_MA
  *  NSS_ERROR_INVALID_ARENA
  *
  * Return value:
  *  PR_SUCCESS if the pointer is valid
  *  PR_FAILURE if it isn't
  */
 
 #ifdef DEBUG
-NSS_EXTERN PRStatus nssArena_verifyPointer(const NSSArena *arena);
+NSS_EXTERN PRStatus
+nssArena_verifyPointer
+(
+  const NSSArena *arena
+);
 
 extern const NSSError NSS_ERROR_INVALID_ARENA;
 #endif /* DEBUG */
 
 /*
  * nssArena_VERIFYPOINTER
  *
  * This macro is always available.  In debug builds it will call
@@ -424,35 +474,35 @@ extern const NSSError NSS_ERROR_INVALID_
  * Return value:
  *  PR_SUCCESS if the pointer is valid
  *  PR_FAILURE if it isn't
  */
 
 #ifdef DEBUG
 #define nssArena_VERIFYPOINTER(p) nssArena_verifyPointer(p)
 #else /* DEBUG */
-
-#define nssArena_VERIFYPOINTER(p)                                              \
-    (((NSSArena *)NULL == (p)) ? PR_FAILURE : PR_SUCCESS)
+/* The following line exceeds 72 characters, but emacs screws up if I split it. */
+#define nssArena_VERIFYPOINTER(p) (((NSSArena *)NULL == (p))?PR_FAILURE:PR_SUCCESS)
 #endif /* DEBUG */
 
 /*
- * Private function to be called by NSS_Shutdown to cleanup nssArena
+ * Private function to be called by NSS_Shutdown to cleanup nssArena 
  * bookkeeping.
  */
-extern PRStatus nssArena_Shutdown(void);
+extern PRStatus
+nssArena_Shutdown(void);
 
 /*
  * nssArenaHashAllocOps
  *
  * This constant structure contains allocation callbacks designed for
  * use with the NSPL routine PL_NewHashTable.  For example:
  *
  *  NSSArena *hashTableArena = nssArena_Create();
- *  PLHashTable *t = PL_NewHashTable(n, hasher, key_compare,
+ *  PLHashTable *t = PL_NewHashTable(n, hasher, key_compare, 
  *    value_compare, nssArenaHashAllocOps, hashTableArena);
  */
 
 NSS_EXTERN_DATA PLHashAllocOps nssArenaHashAllocOps;
 
 /*
  * The error stack
  *
@@ -460,129 +510,176 @@ NSS_EXTERN_DATA PLHashAllocOps nssArenaH
  *
  *  nss_SetError
  *  nss_ClearErrorStack
  */
 
 /*
  * nss_SetError
  *
- * This routine places a new error code on the top of the calling
+ * This routine places a new error code on the top of the calling 
  * thread's error stack.  Calling this routine wiht an error code
  * of zero will clear the error stack.
  */
 
-NSS_EXTERN void nss_SetError(PRUint32 error);
+NSS_EXTERN void
+nss_SetError
+(
+  PRUint32 error
+);
 
 /*
  * nss_ClearErrorStack
  *
  * This routine clears the calling thread's error stack.
  */
 
-NSS_EXTERN void nss_ClearErrorStack(void);
+NSS_EXTERN void
+nss_ClearErrorStack
+(
+  void
+);
 
 /*
  * nss_DestroyErrorStack
  *
  * This routine frees the calling thread's error stack.
  */
 
-NSS_EXTERN void nss_DestroyErrorStack(void);
+NSS_EXTERN void
+nss_DestroyErrorStack
+(
+  void
+);
 
 /*
  * NSSItem
  *
  * nssItem_Create
  * nssItem_Duplicate
  * nssItem_Equal
  */
 
-NSS_EXTERN NSSItem *nssItem_Create(NSSArena *arenaOpt, NSSItem *rvOpt,
-                                   PRUint32 length, const void *data);
+NSS_EXTERN NSSItem *
+nssItem_Create
+(
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt,
+  PRUint32 length,
+  const void *data
+);
 
-NSS_EXTERN void nssItem_Destroy(NSSItem *item);
+NSS_EXTERN void
+nssItem_Destroy
+(
+  NSSItem *item
+);
 
-NSS_EXTERN NSSItem *nssItem_Duplicate(NSSItem *obj, NSSArena *arenaOpt,
-                                      NSSItem *rvOpt);
+NSS_EXTERN NSSItem *
+nssItem_Duplicate
+(
+  NSSItem *obj,
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt
+);
 
-NSS_EXTERN PRBool nssItem_Equal(const NSSItem *one, const NSSItem *two,
-                                PRStatus *statusOpt);
+NSS_EXTERN PRBool
+nssItem_Equal
+(
+  const NSSItem *one,
+  const NSSItem *two,
+  PRStatus *statusOpt
+);
 
 /*
  * NSSUTF8
  *
  *  nssUTF8_CaseIgnoreMatch
  *  nssUTF8_Duplicate
  *  nssUTF8_Size
  *  nssUTF8_Length
  *  nssUTF8_CopyIntoFixedBuffer
  */
 
 /*
  * nssUTF8_CaseIgnoreMatch
- *
- * Returns true if the two UTF8-encoded strings pointed to by the
+ * 
+ * Returns true if the two UTF8-encoded strings pointed to by the 
  * two specified NSSUTF8 pointers differ only in typcase.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_TRUE if the strings match, ignoring case
  *  PR_FALSE if they don't
  *  PR_FALSE upon error
  */
 
-NSS_EXTERN PRBool nssUTF8_CaseIgnoreMatch(const NSSUTF8 *a, const NSSUTF8 *b,
-                                          PRStatus *statusOpt);
+NSS_EXTERN PRBool
+nssUTF8_CaseIgnoreMatch
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+);
 
 /*
  * nssUTF8_Duplicate
  *
  * This routine duplicates the UTF8-encoded string pointed to by the
  * specified NSSUTF8 pointer.  If the optional arenaOpt argument is
  * not null, the memory required will be obtained from that arena;
  * otherwise, the memory required will be obtained from the heap.
  * A pointer to the new string will be returned.  In case of error,
- * an error will be placed on the error stack and NULL will be
+ * an error will be placed on the error stack and NULL will be 
  * returned.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_INVALID_ARENA
  *  NSS_ERROR_NO_MEMORY
  */
 
-NSS_EXTERN NSSUTF8 *nssUTF8_Duplicate(const NSSUTF8 *s, NSSArena *arenaOpt);
+NSS_EXTERN NSSUTF8 *
+nssUTF8_Duplicate
+(
+  const NSSUTF8 *s,
+  NSSArena *arenaOpt
+);
 
 /*
  * nssUTF8_PrintableMatch
  *
- * Returns true if the two Printable strings pointed to by the
- * two specified NSSUTF8 pointers match when compared with the
- * rules for Printable String (leading and trailing spaces are
- * disregarded, extents of whitespace match irregardless of length,
+ * Returns true if the two Printable strings pointed to by the 
+ * two specified NSSUTF8 pointers match when compared with the 
+ * rules for Printable String (leading and trailing spaces are 
+ * disregarded, extents of whitespace match irregardless of length, 
  * and case is not significant), then PR_TRUE will be returned.
  * Otherwise, PR_FALSE will be returned.  Upon failure, PR_FALSE
  * will be returned.  If the optional statusOpt argument is not
  * NULL, then PR_SUCCESS or PR_FAILURE will be stored in that
  * location.
  *
  * The error may be one of the following values:
  *  NSS_ERROR_INVALID_POINTER
  *
  * Return value:
  *  PR_TRUE if the strings match, ignoring case
  *  PR_FALSE if they don't
  *  PR_FALSE upon error
  */
 
-NSS_EXTERN PRBool nssUTF8_PrintableMatch(const NSSUTF8 *a, const NSSUTF8 *b,
-                                         PRStatus *statusOpt);
+NSS_EXTERN PRBool
+nssUTF8_PrintableMatch
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+);
 
 /*
  * nssUTF8_Size
  *
  * This routine returns the length in bytes (including the terminating
  * null) of the UTF8-encoded string pointed to by the specified
  * NSSUTF8 pointer.  Zero is returned on error.
  *
@@ -590,17 +687,22 @@ NSS_EXTERN PRBool nssUTF8_PrintableMatch
  *  NSS_ERROR_INVALID_POINTER
  *  NSS_ERROR_VALUE_TOO_LARGE
  *
  * Return value:
  *  nonzero size of the string
  *  0 on error
  */
 
-NSS_EXTERN PRUint32 nssUTF8_Size(const NSSUTF8 *s, PRStatus *statusOpt);
+NSS_EXTERN PRUint32
+nssUTF8_Size
+(
+  const NSSUTF8 *s,
+  PRStatus *statusOpt
+);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
 
 /*
  * nssUTF8_Length
  *
  * This routine returns the length in characters (not including the
@@ -612,17 +714,22 @@ extern const NSSError NSS_ERROR_VALUE_TO
  *  NSS_ERROR_VALUE_TOO_LARGE
  *  NSS_ERROR_INVALID_STRING
  *
  * Return value:
  *  length of the string (which may be zero)
  *  0 on error
  */
 
-NSS_EXTERN PRUint32 nssUTF8_Length(const NSSUTF8 *s, PRStatus *statusOpt);
+NSS_EXTERN PRUint32
+nssUTF8_Length
+(
+  const NSSUTF8 *s,
+  PRStatus *statusOpt
+);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_VALUE_TOO_LARGE;
 extern const NSSError NSS_ERROR_INVALID_STRING;
 
 /*
  * nssUTF8_Create
  *
@@ -641,174 +748,265 @@ extern const NSSError NSS_ERROR_INVALID_
  *  NSS_ERROR_NO_MEMORY
  *  NSS_ERROR_UNSUPPORTED_TYPE
  *
  * Return value:
  *  NULL upon error
  *  A non-null pointer to a new UTF8 string otherwise
  */
 
-NSS_EXTERN NSSUTF8 *nssUTF8_Create(NSSArena *arenaOpt, nssStringType type,
-                                   const void *inputString,
-                                   PRUint32 size /* in bytes, not characters */
-                                   );
+NSS_EXTERN NSSUTF8 *
+nssUTF8_Create
+(
+  NSSArena *arenaOpt,
+  nssStringType type,
+  const void *inputString,
+  PRUint32 size /* in bytes, not characters */
+);
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_NO_MEMORY;
 extern const NSSError NSS_ERROR_UNSUPPORTED_TYPE;
 
-NSS_EXTERN NSSItem *nssUTF8_GetEncoding(NSSArena *arenaOpt, NSSItem *rvOpt,
-                                        nssStringType type, NSSUTF8 *string);
+NSS_EXTERN NSSItem *
+nssUTF8_GetEncoding
+(
+  NSSArena *arenaOpt,
+  NSSItem *rvOpt,
+  nssStringType type,
+  NSSUTF8 *string
+);
 
 /*
  * nssUTF8_CopyIntoFixedBuffer
  *
- * This will copy a UTF8 string into a fixed-length buffer, making
+ * This will copy a UTF8 string into a fixed-length buffer, making 
  * sure that the all characters are valid.  Any remaining space will
- * be padded with the specified ASCII character, typically either
+ * be padded with the specified ASCII character, typically either 
  * null or space.
  *
  * Blah, blah, blah.
  */
 
 extern const NSSError NSS_ERROR_INVALID_POINTER;
 extern const NSSError NSS_ERROR_INVALID_ARGUMENT;
 
-NSS_EXTERN PRStatus nssUTF8_CopyIntoFixedBuffer(NSSUTF8 *string, char *buffer,
-                                                PRUint32 bufferSize, char pad);
+NSS_EXTERN PRStatus
+nssUTF8_CopyIntoFixedBuffer
+(
+  NSSUTF8 *string,
+  char *buffer,
+  PRUint32 bufferSize,
+  char pad
+);
 
 /*
  * nssUTF8_Equal
  *
  */
 
-NSS_EXTERN PRBool nssUTF8_Equal(const NSSUTF8 *a, const NSSUTF8 *b,
-                                PRStatus *statusOpt);
+NSS_EXTERN PRBool
+nssUTF8_Equal
+(
+  const NSSUTF8 *a,
+  const NSSUTF8 *b,
+  PRStatus *statusOpt
+);
 
 /*
  * nssList
  *
  * The goal is to provide a simple, optionally threadsafe, linked list
  * class.  Since NSS did not seem to use the circularity of PRCList
  * much before, this provides a list that appears to be a linear,
  * NULL-terminated list.
  */
 
 /*
  * nssList_Create
  *
  * If threadsafe is true, the list will be locked during modifications
  * and traversals.
  */
-NSS_EXTERN nssList *nssList_Create(NSSArena *arenaOpt, PRBool threadSafe);
+NSS_EXTERN nssList *
+nssList_Create
+(
+  NSSArena *arenaOpt,
+  PRBool threadSafe
+);
 
 /*
  * nssList_Destroy
  */
-NSS_EXTERN PRStatus nssList_Destroy(nssList *list);
+NSS_EXTERN PRStatus
+nssList_Destroy
+(
+  nssList *list
+);
 
-NSS_EXTERN void nssList_Clear(nssList *list,
-                              nssListElementDestructorFunc destructor);
+NSS_EXTERN void
+nssList_Clear
+(
+  nssList *list, 
+  nssListElementDestructorFunc destructor
+);
 
 /*
  * nssList_SetCompareFunction
  *
  * By default, two list elements will be compared by comparing their
  * data pointers.  By setting this function, the user can control
  * how elements are compared.
  */
-NSS_EXTERN void nssList_SetCompareFunction(nssList *list,
-                                           nssListCompareFunc compareFunc);
+NSS_EXTERN void
+nssList_SetCompareFunction
+(
+  nssList *list, 
+  nssListCompareFunc compareFunc
+);
 
 /*
  * nssList_SetSortFunction
  *
  * Sort function to use for an ordered list.
  */
-NSS_EXTERN void nssList_SetSortFunction(nssList *list,
-                                        nssListSortFunc sortFunc);
+NSS_EXTERN void
+nssList_SetSortFunction
+(
+  nssList *list, 
+  nssListSortFunc sortFunc
+);
 
 /*
  * nssList_Add
  */
-NSS_EXTERN PRStatus nssList_Add(nssList *list, void *data);
+NSS_EXTERN PRStatus
+nssList_Add
+(
+  nssList *list, 
+  void *data
+);
 
 /*
  * nssList_AddUnique
  *
  * This will use the compare function to see if the element is already
  * in the list.
  */
-NSS_EXTERN PRStatus nssList_AddUnique(nssList *list, void *data);
+NSS_EXTERN PRStatus
+nssList_AddUnique
+(
+  nssList *list, 
+  void *data
+);
 
 /*
  * nssList_Remove
  *
  * Uses the compare function to locate the element and remove it.
  */
-NSS_EXTERN PRStatus nssList_Remove(nssList *list, void *data);
+NSS_EXTERN PRStatus
+nssList_Remove(nssList *list, void *data);
 
 /*
  * nssList_Get
  *
  * Uses the compare function to locate an element.  Also serves as
  * nssList_Exists.
  */
-NSS_EXTERN void *nssList_Get(nssList *list, void *data);
+NSS_EXTERN void *
+nssList_Get
+(
+  nssList *list, 
+  void *data
+);
 
 /*
  * nssList_Count
  */
-NSS_EXTERN PRUint32 nssList_Count(nssList *list);
+NSS_EXTERN PRUint32
+nssList_Count
+(
+  nssList *list
+);
 
 /*
  * nssList_GetArray
  *
  * Fill rvArray, up to maxElements, with elements in the list.  The
  * array is NULL-terminated, so its allocated size must be maxElements + 1.
  */
-NSS_EXTERN PRStatus nssList_GetArray(nssList *list, void **rvArray,
-                                     PRUint32 maxElements);
+NSS_EXTERN PRStatus
+nssList_GetArray
+(
+  nssList *list, 
+  void **rvArray, 
+  PRUint32 maxElements
+);
 
 /*
  * nssList_CreateIterator
  *
  * Create an iterator for list traversal.
  */
-NSS_EXTERN nssListIterator *nssList_CreateIterator(nssList *list);
+NSS_EXTERN nssListIterator *
+nssList_CreateIterator
+(
+  nssList *list
+);
 
-NSS_EXTERN nssList *nssList_Clone(nssList *list);
+NSS_EXTERN nssList *
+nssList_Clone
+(
+  nssList *list
+);
 
 /*
  * nssListIterator_Destroy
  */
-NSS_EXTERN void nssListIterator_Destroy(nssListIterator *iter);
+NSS_EXTERN void
+nssListIterator_Destroy
+(
+  nssListIterator *iter
+);
 
 /*
  * nssListIterator_Start
  *
  * Begin a list iteration.  After this call, if the list is threadSafe,
  * the list is *locked*.
  */
-NSS_EXTERN void *nssListIterator_Start(nssListIterator *iter);
+NSS_EXTERN void *
+nssListIterator_Start
+(
+  nssListIterator *iter
+);
 
 /*
  * nssListIterator_Next
  *
  * Continue a list iteration.
  */
-NSS_EXTERN void *nssListIterator_Next(nssListIterator *iter);
+NSS_EXTERN void *
+nssListIterator_Next
+(
+  nssListIterator *iter
+);
 
 /*
  * nssListIterator_Finish
  *
  * Complete a list iteration.  This *must* be called in order for the
  * lock to be released.
  */
-NSS_EXTERN PRStatus nssListIterator_Finish(nssListIterator *iter);
+NSS_EXTERN PRStatus
+nssListIterator_Finish
+(
+  nssListIterator *iter
+);
 
 /*
  * nssHash
  *
  *  nssHash_Create
  *  nssHash_Destroy
  *  nssHash_Add
  *  nssHash_Remove
@@ -818,122 +1016,178 @@ NSS_EXTERN PRStatus nssListIterator_Fini
  *  nssHash_Iterate
  */
 
 /*
  * nssHash_Create
  *
  */
 
-NSS_EXTERN nssHash *nssHash_Create(NSSArena *arenaOpt, PRUint32 numBuckets,
-                                   PLHashFunction keyHash,
-                                   PLHashComparator keyCompare,
-                                   PLHashComparator valueCompare);
+NSS_EXTERN nssHash *
+nssHash_Create
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets,
+  PLHashFunction keyHash,
+  PLHashComparator keyCompare,
+  PLHashComparator valueCompare
+);
 
-NSS_EXTERN nssHash *nssHash_CreatePointer(NSSArena *arenaOpt,
-                                          PRUint32 numBuckets);
+NSS_EXTERN nssHash *
+nssHash_CreatePointer
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+);
 
-NSS_EXTERN nssHash *nssHash_CreateString(NSSArena *arenaOpt,
-                                         PRUint32 numBuckets);
+NSS_EXTERN nssHash *
+nssHash_CreateString
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+);
 
-NSS_EXTERN nssHash *nssHash_CreateItem(NSSArena *arenaOpt, PRUint32 numBuckets);
+NSS_EXTERN nssHash *
+nssHash_CreateItem
+(
+  NSSArena *arenaOpt,
+  PRUint32 numBuckets
+);
 
 /*
  * nssHash_Destroy
  *
  */
-NSS_EXTERN void nssHash_Destroy(nssHash *hash);
+NSS_EXTERN void
+nssHash_Destroy
+(
+  nssHash *hash
+);
 
 /*
  * nssHash_Add
  *
  */
 
 extern const NSSError NSS_ERROR_HASH_COLLISION;
 
-NSS_EXTERN PRStatus nssHash_Add(nssHash *hash, const void *key,
-                                const void *value);
+NSS_EXTERN PRStatus
+nssHash_Add
+(
+  nssHash *hash,
+  const void *key,
+  const void *value
+);
 
 /*
  * nssHash_Remove
  *
  */
-NSS_EXTERN void nssHash_Remove(nssHash *hash, const void *it);
+NSS_EXTERN void
+nssHash_Remove
+(
+  nssHash *hash,
+  const void *it
+);
 
 /*
  * nssHash_Count
  *
  */
-NSS_EXTERN PRUint32 nssHash_Count(nssHash *hash);
+NSS_EXTERN PRUint32
+nssHash_Count
+(
+  nssHash *hash
+);
 
 /*
  * nssHash_Exists
  *
  */
-NSS_EXTERN PRBool nssHash_Exists(nssHash *hash, const void *it);
+NSS_EXTERN PRBool
+nssHash_Exists
+(
+  nssHash *hash,
+  const void *it
+);
 
 /*
  * nssHash_Lookup
  *
  */
-NSS_EXTERN void *nssHash_Lookup(nssHash *hash, const void *it);
+NSS_EXTERN void *
+nssHash_Lookup
+(
+  nssHash *hash,
+  const void *it
+);
 
 /*
  * nssHash_Iterate
  *
  */
-NSS_EXTERN void nssHash_Iterate(nssHash *hash, nssHashIterator fcn,
-                                void *closure);
+NSS_EXTERN void
+nssHash_Iterate
+(
+  nssHash *hash,
+  nssHashIterator fcn,
+  void *closure
+);
+
 
 /*
  * nssPointerTracker
  *
  * This type and these methods are only present in debug builds.
- *
+ * 
  * The nonpublic methods relating to this type are:
  *
  *  nssPointerTracker_initialize
  *  nssPointerTracker_finalize
  *  nssPointerTracker_add
  *  nssPointerTracker_remove
  *  nssPointerTracker_verify
  */
 
 /*
  * nssPointerTracker_initialize
  *
  * This method is only present in debug builds.
- *
+ * 
  * This routine initializes an nssPointerTracker object.  Note that
  * the object must have been declared *static* to guarantee that it