Bug 1182667 - Enable warnings as errors, r=rrelyea
authorMartin Thomson <martin.thomson@gmail.com>
Mon, 17 Aug 2015 11:22:29 -0700
changeset 11521 0a59f0bce2ea7089bce03a54ca442dc323c6e995
parent 11520 a27fd2b3d2e0ee730b5fdab1046e62c52e27a521
child 11522 276a21813f7c4366d4005b18d7f2b35b77cd6042
push id690
push usermartin.thomson@gmail.com
push dateMon, 17 Aug 2015 18:31:19 +0000
reviewersrrelyea
bugs1182667
Bug 1182667 - Enable warnings as errors, r=rrelyea
cmd/bltest/blapitest.c
cmd/certcgi/certcgi.c
cmd/checkcert/checkcert.c
cmd/crlutil/crlgen.c
cmd/crlutil/crlutil.c
cmd/crmftest/testcrmf.c
cmd/fipstest/fipstest.c
cmd/httpserv/httpserv.c
cmd/lib/basicutil.c
cmd/lib/derprint.c
cmd/lib/pk11table.c
cmd/lib/pk11table.h
cmd/lib/secutil.c
cmd/modutil/error.h
cmd/modutil/installparse.c
cmd/modutil/lex.Pk11Install_yy.c
cmd/modutil/manifest.mn
cmd/modutil/modutil.c
cmd/multinit/multinit.c
cmd/ocspclnt/ocspclnt.c
cmd/ocspresp/ocspresp.c
cmd/oidcalc/oidcalc.c
cmd/p7env/p7env.c
cmd/pk11gcmtest/pk11gcmtest.c
cmd/pk11mode/pk11mode.c
cmd/pk12util/pk12util.c
cmd/pk1sign/pk1sign.c
cmd/pp/pp.c
cmd/sdrtest/sdrtest.c
cmd/selfserv/selfserv.c
cmd/shlibsign/shlibsign.c
cmd/signtool/certgen.c
cmd/signtool/util.c
cmd/ssltap/ssltap.c
cmd/strsclnt/strsclnt.c
cmd/symkeyutil/symkeyutil.c
cmd/tstclnt/tstclnt.c
cmd/vfychain/vfychain.c
cmd/vfyserv/vfyserv.c
cmd/vfyserv/vfyutil.c
coreconf/Linux.mk
coreconf/WIN32.mk
coreconf/rules.mk
external_tests/google_test/Makefile
external_tests/ssl_gtest/Makefile
external_tests/ssl_gtest/databuffer.h
external_tests/ssl_gtest/ssl_loopback_unittest.cc
external_tests/ssl_gtest/tls_agent.cc
external_tests/ssl_gtest/tls_agent.h
external_tests/ssl_gtest/tls_connect.cc
external_tests/ssl_gtest/tls_parser.h
lib/base/hash.c
lib/base/list.c
lib/base/tracker.c
lib/certdb/certdb.c
lib/certdb/crl.c
lib/certdb/genname.c
lib/certdb/secname.c
lib/certhigh/certhigh.c
lib/certhigh/certvfypkix.c
lib/certhigh/ocsp.c
lib/certhigh/xcrldist.c
lib/ckfw/builtins/binst.c
lib/ckfw/builtins/certdata.perl
lib/ckfw/hash.c
lib/ckfw/token.c
lib/crmf/cmmfchal.c
lib/crmf/crmfcont.c
lib/crmf/crmfi.h
lib/crmf/crmfpop.c
lib/crmf/crmftmpl.c
lib/dbm/src/h_page.c
lib/dev/devslot.c
lib/dev/devtoken.c
lib/freebl/cts.c
lib/freebl/dh.c
lib/freebl/drbg.c
lib/freebl/dsa.c
lib/freebl/ecl/ecl-priv.h
lib/freebl/ecl/ecl_gf.c
lib/freebl/ecl/ecl_mult.c
lib/freebl/ecl/ecp_192.c
lib/freebl/ecl/ecp_224.c
lib/freebl/ecl/ecp_256.c
lib/freebl/ecl/ecp_521.c
lib/freebl/ecl/ecp_jac.c
lib/freebl/ldvector.c
lib/freebl/loader.c
lib/freebl/md5.c
lib/freebl/mpi/mpcpucache.c
lib/freebl/mpi/mpi-priv.h
lib/freebl/mpi/mpi.c
lib/freebl/mpi/mpi.h
lib/freebl/mpi/mplogic.c
lib/freebl/mpi/mplogic.h
lib/freebl/mpi/mpmontg.c
lib/freebl/mpi/mpprime.c
lib/freebl/nsslowhash.c
lib/freebl/pqg.c
lib/freebl/rsa.c
lib/freebl/sha512.c
lib/freebl/sha_fast.c
lib/freebl/sha_fast.h
lib/freebl/stubs.c
lib/jar/jarfile.c
lib/jar/jarsign.c
lib/libpkix/include/pkix_certstore.h
lib/libpkix/pkix/checker/pkix_crlchecker.c
lib/libpkix/pkix/checker/pkix_crlchecker.h
lib/libpkix/pkix/checker/pkix_ocspchecker.c
lib/libpkix/pkix/checker/pkix_ocspchecker.h
lib/libpkix/pkix/checker/pkix_revocationchecker.c
lib/libpkix/pkix/checker/pkix_revocationchecker.h
lib/libpkix/pkix/checker/pkix_revocationmethod.h
lib/libpkix/pkix/crlsel/pkix_crlselector.c
lib/libpkix/pkix/results/pkix_policynode.c
lib/libpkix/pkix/store/pkix_store.c
lib/libpkix/pkix/top/pkix_build.c
lib/libpkix/pkix/util/pkix_error.c
lib/libpkix/pkix/util/pkix_logger.c
lib/libpkix/pkix/util/pkix_tools.h
lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaprequest.c
lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c
lib/nss/nssinit.c
lib/pk11wrap/pk11cert.c
lib/pk11wrap/pk11load.c
lib/pk11wrap/pk11merge.c
lib/pk11wrap/pk11obj.c
lib/pk11wrap/pk11pk12.c
lib/pk11wrap/pk11skey.c
lib/pk11wrap/pk11slot.c
lib/pkcs12/p12d.c
lib/pkcs12/p12e.c
lib/pkcs7/p7decode.c
lib/pkcs7/p7encode.c
lib/pkcs7/p7local.c
lib/pki/certificate.c
lib/pki/pki3hack.c
lib/pki/pkibase.c
lib/pki/tdcache.c
lib/pki/trustdomain.c
lib/smime/cmsasn1.c
lib/smime/cmscipher.c
lib/smime/cmsencode.c
lib/smime/cmsrecinfo.c
lib/smime/cmsudf.c
lib/smime/smimeutil.c
lib/softoken/legacydb/keydb.c
lib/softoken/legacydb/lgattr.c
lib/softoken/legacydb/lginit.c
lib/softoken/legacydb/pcertdb.c
lib/softoken/lowpbe.c
lib/softoken/pkcs11.c
lib/softoken/pkcs11c.c
lib/softoken/pkcs11u.c
lib/softoken/sdb.c
lib/softoken/sftkdb.c
lib/softoken/sftkhmac.c
lib/softoken/sftkpwd.c
lib/sqlite/Makefile
lib/sqlite/sqlite3.c
lib/ssl/dtlscon.c
lib/ssl/ssl3con.c
lib/ssl/ssl3ecc.c
lib/ssl/ssl3ext.c
lib/ssl/ssl3gthr.c
lib/ssl/sslauth.c
lib/ssl/sslcon.c
lib/ssl/sslimpl.h
lib/ssl/sslinfo.c
lib/ssl/sslmutex.c
lib/ssl/sslmutex.h
lib/ssl/sslsecur.c
lib/ssl/sslsnce.c
lib/ssl/sslsock.c
lib/util/derdec.c
lib/util/derenc.c
lib/util/manifest.mn
lib/util/nssb64e.c
lib/util/nssrwlk.c
lib/util/quickder.c
lib/util/secoid.c
lib/util/secport.c
lib/util/secport.h
lib/util/utilmod.c
lib/util/verref.h
--- a/cmd/bltest/blapitest.c
+++ b/cmd/bltest/blapitest.c
@@ -51,18 +51,17 @@ char *testdir = NULL;
 #define TIMEFINISH(time, reps) \
     time2 = (PRIntervalTime)(PR_IntervalNow() - time1); \
     time1 = PR_IntervalToMilliseconds(time2); \
     time = ((double)(time1))/reps;
 
 #define TIMEMARK(seconds) \
     time1 = PR_SecondsToInterval(seconds); \
     { \
-        PRInt64 tmp, L100; \
-        LL_I2L(L100, 100); \
+        PRInt64 tmp; \
         if (time2 == 0) { \
             time2 = 1; \
         } \
         LL_DIV(tmp, time1, time2); \
         if (tmp < 10) { \
             if (tmp == 0) { \
                 opsBetweenChecks = 1; \
             } else { \
@@ -308,29 +307,28 @@ char2_from_hex(unsigned char byteval, ch
     return SECSuccess;
 }
 
 void
 serialize_key(SECItem *it, int ni, PRFileDesc *file)
 {
     unsigned char len[4];
     int i;
-    SECStatus status;
     NSSBase64Encoder *cx;
     cx = NSSBase64Encoder_Create(output_ascii, file);
     for (i=0; i<ni; i++, it++) {
 	len[0] = (it->len >> 24) & 0xff;
 	len[1] = (it->len >> 16) & 0xff;
 	len[2] = (it->len >>  8) & 0xff;
 	len[3] = (it->len	 & 0xff);
-	status = NSSBase64Encoder_Update(cx, len, 4);
-	status = NSSBase64Encoder_Update(cx, it->data, it->len);
+	NSSBase64Encoder_Update(cx, len, 4);
+	NSSBase64Encoder_Update(cx, it->data, it->len);
     }
-    status = NSSBase64Encoder_Destroy(cx, PR_FALSE);
-    status = PR_Write(file, "\r\n", 2);
+    NSSBase64Encoder_Destroy(cx, PR_FALSE);
+    PR_Write(file, "\r\n", 2);
 }
 
 void
 key_from_filedata(PLArenaPool *arena, SECItem *it, int ns, int ni, SECItem *filedata)
 {
     int fpos = 0;
     int i, len;
     unsigned char *buf = filedata->data;
@@ -1431,17 +1429,17 @@ bltest_rc5_init(bltestCipherInfo *cipher
 SECStatus
 bltest_aes_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
 {
     bltestSymmKeyParams *aesp = &cipherInfo->params.sk;
     bltestAuthSymmKeyParams *gcmp = &cipherInfo->params.ask;
     int minorMode;
     int i;
     int keylen   = aesp->key.buf.len;
-    int blocklen = AES_BLOCK_SIZE; 
+    unsigned int blocklen = AES_BLOCK_SIZE;
     PRIntervalTime time1, time2;
     unsigned char *params;
     int len;
     CK_AES_CTR_PARAMS ctrParams;
     CK_GCM_PARAMS gcmParams;
 
     params = aesp->iv.buf.data;
     switch (cipherInfo->mode) {
@@ -1630,16 +1628,18 @@ bltest_rsa_init(bltestCipherInfo *cipher
         case bltestRSA_PSS:
             cipherInfo->cipher.pubkeyCipher = encrypt ? rsa_signDigestPSS
                                                       : rsa_verifyDigestPSS;
             break;
         case bltestRSA_OAEP:
             cipherInfo->cipher.pubkeyCipher = encrypt ? rsa_encryptOAEP
                                                       : rsa_decryptOAEP;
             break;
+        default:
+            break;
     }
     return SECSuccess;
 }
 
 SECStatus
 blapi_pqg_param_gen(unsigned int keysize, PQGParams **pqg, PQGVerify **vfy)
 {
     if (keysize < 1024) {
@@ -2564,18 +2564,16 @@ getHighUnitBytes(PRInt64 res)
 static void
 printPR_smpString(const char *sformat, char *reportStr,
                   const char *nformat, PRInt64 rNum)
 {
     if (reportStr) {
         fprintf(stdout, sformat, reportStr);
         PR_smprintf_free(reportStr);
     } else {
-        int prnRes;
-        LL_L2I(prnRes, rNum);
         fprintf(stdout, nformat, rNum);
     }
 }
 
 static char*
 getHighUnitOps(PRInt64 res)
 {
     int spl[] = {0, 0, 0, 0};
@@ -2786,18 +2784,18 @@ mode_str_to_hash_alg(const SECItem *mode
     switch (mode) {
         case bltestMD2:    return HASH_AlgMD2;
         case bltestMD5:    return HASH_AlgMD5;
         case bltestSHA1:   return HASH_AlgSHA1;
         case bltestSHA224: return HASH_AlgSHA224;
         case bltestSHA256: return HASH_AlgSHA256;
         case bltestSHA384: return HASH_AlgSHA384;
         case bltestSHA512: return HASH_AlgSHA512;
+        default: return HASH_AlgNULL;
     }
-    return HASH_AlgNULL;
 }
 
 void
 get_params(PLArenaPool *arena, bltestParams *params,
 	   bltestCipherMode mode, int j)
 {
     char filename[256];
     char *modestr = mode_strings[mode];
@@ -2999,17 +2997,17 @@ ReadFileToItem(SECItem *dst, const char 
 static SECStatus
 blapi_selftest(bltestCipherMode *modes, int numModes, int inoff, int outoff,
                PRBool encrypt, PRBool decrypt)
 {
     bltestCipherInfo cipherInfo;
     bltestIO pt, ct;
     bltestCipherMode mode;
     bltestParams *params;
-    int i, j, nummodes, numtests;
+    unsigned int i, j, nummodes, numtests;
     char *modestr;
     char filename[256];
     PLArenaPool *arena;
     SECItem item;
     SECStatus rv = SECSuccess, srv;
 
     PORT_Memset(&cipherInfo, 0, sizeof(cipherInfo));
     arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
@@ -3452,23 +3450,22 @@ static secuCommandFlag bltest_options[] 
     { /* opt_MonteCarlo   */ '3', PR_FALSE, 0, PR_FALSE },
     { /* opt_ThreadNum    */ '4', PR_TRUE,  0, PR_FALSE },
     { /* opt_SecondsToRun */ '5', PR_TRUE,  0, PR_FALSE },
     { /* opt_CmdLine	  */ '-', PR_FALSE, 0, PR_FALSE }
 };
 
 int main(int argc, char **argv)
 {
-    char *infileName, *outfileName, *keyfileName, *ivfileName;
     SECStatus rv = SECFailure;
 
-    double              totalTime;
+    double              totalTime = 0.0;
     PRIntervalTime      time1, time2;
     PRFileDesc          *outfile = NULL;
-    bltestCipherInfo    *cipherInfoListHead, *cipherInfo;
+    bltestCipherInfo    *cipherInfoListHead, *cipherInfo = NULL;
     bltestIOMode        ioMode;
     int                 bufsize, exponent, curThrdNum;
 #ifndef NSS_DISABLE_ECC
     char		*curveName = NULL;
 #endif
     int			 i, commandsEntered;
     int			 inoff, outoff;
     int                  threads = 1;
@@ -3506,18 +3503,16 @@ int main(int argc, char **argv)
     if (rv == SECFailure) {
 	fprintf(stderr, "%s: command line parsing error!\n", progName);
 	goto print_usage;
     }
     rv = SECFailure;
 
     cipherInfo = PORT_ZNew(bltestCipherInfo);
     cipherInfoListHead = cipherInfo;
-    /* set some defaults */
-    infileName = outfileName = keyfileName = ivfileName = NULL;
 
     /* Check the number of commands entered on the command line. */
     commandsEntered = 0;
     for (i=0; i<bltest.numCommands; i++)
 	if (bltest.commands[i].activated)
 	    commandsEntered++;
 
     if (commandsEntered > 1 &&
@@ -3707,18 +3702,20 @@ int main(int argc, char **argv)
 	curveName = NULL;
 #endif
 
     if (bltest.commands[cmd_Verify].activated &&
         !bltest.options[opt_SigFile].activated) {
         fprintf(stderr, "%s: You must specify a signature file with -f.\n",
                 progName);
 
-      print_usage:
-        PORT_Free(cipherInfo);
+print_usage:
+        if (cipherInfo) {
+            PORT_Free(cipherInfo);
+        }
         Usage();
     }
 
     if (bltest.options[opt_MonteCarlo].activated) {
         cipherInfo->mCarlo = PR_TRUE;
     } else {
         cipherInfo->mCarlo = PR_FALSE;
     }
--- a/cmd/certcgi/certcgi.c
+++ b/cmd/certcgi/certcgi.c
@@ -351,91 +351,16 @@ find_field_bool(Pair    *data,
 	
     if  ((rv != NULL) && (PORT_Strcmp(rv, "true")) == 0) {
 	return PR_TRUE;
     } else {
 	return PR_FALSE;
     }
 }
 
-static char *
-update_data_by_name(Pair  *data, 
-		    char  *field_name,
-                    char  *new_data)
-    /* replaces the data in the data structure associated with 
-       a name with new data, returns null if not found */
-{
-    int                   i = 0;
-    int                   found = 0;
-    int                   length = 100;
-    char                  *new;
-
-    while (return_name(data, i) != NULL) {
-	if (PORT_Strcmp(return_name(data, i), field_name) == 0) {
-	    new = make_copy_string( new_data, length, '\0');
-	    PORT_Free(return_data(data, i));
-	    found = 1;
-	    (*(data + i)).data = new;
-	    break;
-	}
-	i++;
-    }
-    if (!found) {
-	new = NULL;
-    }
-    return new;
-}
-
-static char *
-update_data_by_index(Pair  *data, 
-		     int   n, 
-		     char  *new_data)
-    /* replaces the data of a particular index in the data structure */
-{
-    int                    length = 100;
-    char                   *new;
-
-    new = make_copy_string(new_data, length, '\0');
-    PORT_Free(return_data(data, n));
-    (*(data + n)).data = new;
-    return new;
-}
-
-
-static Pair *
-add_field(Pair   *data, 
-	  char*  field_name, 
-	  char*  field_data)
-    /* adds a new name/data pair to the data structure */
-{
-    int          i = 0;
-    int          j;
-    int          name_length = 100;
-    int          data_length = 100;
-
-    while(return_name(data, i) != NULL) {
-	i++;
-    }
-    j = START_FIELDS;
-    while ( j < (i + 1) ) {
-	j = j * 2;
-    }
-    if (j == (i + 1)) {
-	data = (Pair *) PORT_Realloc(data, (j * 2) * sizeof(Pair));
-	if (data == NULL) {
-	    error_allocate();
-	}
-    }
-    (*(data + i)).name = make_copy_string(field_name, name_length, '\0');
-    (*(data + i)).data = make_copy_string(field_data, data_length, '\0');
-    (data + i + 1)->name = NULL;
-    return data;
-}
-
-
 static CERTCertificateRequest *
 makeCertReq(Pair             *form_data,
 	    int              which_priv_key)
     /* makes and encodes a certrequest */
 {
 
     PK11SlotInfo             *slot;
     CERTCertificateRequest   *certReq = NULL;
@@ -522,40 +447,36 @@ MakeV1Cert(CERTCertDBHandle        *hand
 	   Pair                    *data)
 {
     CERTCertificate                 *issuerCert = NULL;
     CERTValidity                    *validity;
     CERTCertificate                 *cert = NULL;
     PRExplodedTime                  printableTime;
     PRTime                          now, 
 	                            after;
-    SECStatus rv;
-   
-    
-
     if ( !selfsign ) {
 	issuerCert = CERT_FindCertByNameString(handle, issuerNameStr);
 	if (!issuerCert) {
 	    error_out("ERROR: Could not find issuer's certificate");
 	    return NULL;
 	}
     }
     if (find_field_bool(data, "manValidity", PR_TRUE)) {
-	rv = DER_AsciiToTime(&now, find_field(data, "notBefore", PR_TRUE));
+	(void)DER_AsciiToTime(&now, find_field(data, "notBefore", PR_TRUE));
     } else {
 	now = PR_Now();
     }
     PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
     if ( warpmonths ) {
 	printableTime.tm_month += warpmonths;
 	now = PR_ImplodeTime (&printableTime);
 	PR_ExplodeTime (now, PR_GMTParameters, &printableTime);
     }
     if (find_field_bool(data, "manValidity", PR_TRUE)) {
-	rv = DER_AsciiToTime(&after, find_field(data, "notAfter", PR_TRUE));
+	(void)DER_AsciiToTime(&after, find_field(data, "notAfter", PR_TRUE));
 	PR_ExplodeTime (after, PR_GMTParameters, &printableTime);
     } else {
 	printableTime.tm_month += 3;
 	after = PR_ImplodeTime (&printableTime);
     }
     /* note that the time is now in micro-second unit */
     validity = CERT_CreateValidity (now, after);
 
@@ -586,17 +507,17 @@ get_serial_number(Pair  *data)
 
     if (find_field_bool(data, "serial-auto", PR_TRUE)) {
 	serialFile = fopen(filename, "r");
 	if (serialFile != NULL) {
 	    fread(&serial, sizeof(int), 1, serialFile);
 	    if (ferror(serialFile) != 0) {
 		error_out("Error: Unable to read serial number file");
 	    }
-	    if (serial == 4294967295) {
+	    if (serial == -1) {
 		serial = 21;
 	    }
 	    fclose(serialFile);
 	    ++serial;
 	    serialFile = fopen(filename,"w");
 	    if (serialFile == NULL) {
 	        error_out("ERROR: Unable to open serial number file for writing");
 	    }
@@ -1412,62 +1333,59 @@ string_to_ipaddress(char *string)
     *(ipaddress->data + j) = '\0';
     if (j != 4 && j != 8) {
 	error_out("ERROR: Improperly formated IP Address");
     }
     ipaddress->len = j;
     return ipaddress;
 }
 
+static int
+chr_to_hex(char c) {
+    if (isdigit(c)) {
+        return c - '0';
+    }
+    if (isxdigit(c)) {
+        return toupper(c) - 'A' + 10;
+    }
+    return -1;
+}
+
 static SECItem *
-string_to_binary(char  *string)
+string_to_binary(char *string)
 {
     SECItem            *rv;
-    int                high_digit;
-    int                low_digit;
 
     rv = (SECItem *) PORT_ZAlloc(sizeof(SECItem));
     if (rv == NULL) {
 	error_allocate();
     }
     rv->data = (unsigned char *) PORT_ZAlloc((PORT_Strlen(string))/3 + 2);
-    while (!isxdigit(*string)) {
+    rv->len = 0;
+    while (*string && !isxdigit(*string)) {
 	string++;
     }
-    rv->len = 0;
-    while (*string != '\0') {
-	if (isxdigit(*string)) {
-	    if (*string >= '0' && *string <= '9') {
-		high_digit = *string - '0';
-	    } else {
-		*string = toupper(*string);
-		high_digit = *string - 'A' + 10;
-	    }
-	    string++;
-	    if (*string >= '0' && *string <= '9') {
-		low_digit = *string - '0';
-	    } else {
-		*string = toupper(*string);
-		low_digit = *string - 'A' + 10;
-	    }
-	    (rv->len)++;
-	} else {
-	    if (*string == ':') {
-		string++;
-	    } else {
-		if (*string == ' ') {
-		    while (*string == ' ') {
-			string++;
-		    }
-		}
-		if (*string != '\0') {
-		    error_out("ERROR: Improperly formated binary encoding");
-		}
-	    }
-	} 
+    while (*string) {
+        int high, low;
+        high = chr_to_hex(*string++);
+        low = chr_to_hex(*string++);
+        if (high < 0 || low < 0) {
+            error_out("ERROR: Improperly formated binary encoding");
+        }
+	rv->data[(rv->len)++] = high << 4 | low;
+        if (*string != ':') {
+            break;
+        }
+        ++string;
+    }
+    while (*string == ' ') {
+       ++string;
+    }
+    if (*string) {
+        error_out("ERROR: Junk after binary encoding");
     }
 
     return rv;
 }
 
 static SECStatus
 MakeGeneralName(char             *name, 
 		CERTGeneralName  *genName,
--- a/cmd/checkcert/checkcert.c
+++ b/cmd/checkcert/checkcert.c
@@ -117,30 +117,27 @@ void checkName(CERTName *n, char *fieldN
 static
 SECStatus
 OurVerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
 	      SECItem *sig, SECAlgorithmID *sigAlgorithm)
 {
     SECStatus rv;
     VFYContext *cx;
     SECOidData *sigAlgOid, *oiddata;
-    SECOidTag sigAlgTag;
     SECOidTag hashAlgTag;
     int showDigestOid=0;
 
     cx = VFY_CreateContextWithAlgorithmID(key, sig, sigAlgorithm, &hashAlgTag, 
                                           NULL);
     if (cx == NULL)
 	return SECFailure;
 
     sigAlgOid = SECOID_FindOID(&sigAlgorithm->algorithm);
     if (sigAlgOid == 0)
 	return SECFailure;
-    sigAlgTag = sigAlgOid->offset;
-
 
     if (showDigestOid) {
 	oiddata = SECOID_FindOIDByTag(hashAlgTag);
 	if ( oiddata ) {
 	    printf("PROBLEM: (cont) Digest OID is %s\n", oiddata->desc);
 	} else {
 	    SECU_PrintAsHex(stdout,
 			    &oiddata->oid, "PROBLEM: UNKNOWN OID", 0);
@@ -383,17 +380,17 @@ int main(int argc, char **argv)
 
 
     if (verbose) {
 	printf("Decoded ok as an X509 certificate.\n");
     }
 
     SECU_RegisterDynamicOids();
     rv = SECU_PrintSignedData(stdout, &derCert, "Certificate", 0,
-			      SECU_PrintCertificate);
+			      (SECU_PPFunc)SECU_PrintCertificate);
 
     if (rv) {
 	fprintf(stderr, "%s: Unable to pretty print cert. Error: %d\n",
 		progName, PORT_GetError());
 	if (!force) {
 	    exit(1);
 	}
     }
--- a/cmd/crlutil/crlgen.c
+++ b/cmd/crlutil/crlgen.c
@@ -540,17 +540,17 @@ crlgen_AddCrlNumber(CRLGENGeneratorData 
 /* Creates Cert Revocation Reason code extension. Encodes it and
  * returns as SECItem structure */
 static SECItem*
 crlgen_CreateReasonCode(PLArenaPool *arena, const char **dataArr,
                         int *extCode)
 {
     SECItem *encodedItem;
     void *dummy;
-    void *mark;
+    void *mark = NULL;
     int code = 0;
 
     PORT_Assert(arena && dataArr);
     if (!arena || !dataArr) {
         goto loser;
     } 
 
     mark = PORT_ArenaMark(arena);
@@ -578,29 +578,31 @@ crlgen_CreateReasonCode(PLArenaPool *are
     if (!dummy) {
         goto loser;
     }
 
     *extCode = SEC_OID_X509_REASON_CODE;
     return encodedItem;
 
   loser:
-    PORT_ArenaRelease (arena, mark);
+    if (mark) {
+        PORT_ArenaRelease (arena, mark);
+    }
     return NULL;
 }
 
 /* Creates Cert Invalidity Date extension. Encodes it and
  * returns as SECItem structure */
 static SECItem*
 crlgen_CreateInvalidityDate(PLArenaPool *arena, const char **dataArr,
                        int *extCode)
 {
     SECItem *encodedItem;
     int length = 0;
-    void *mark;
+    void *mark = NULL;
 
     PORT_Assert(arena && dataArr);
     if (!arena || !dataArr) {
         goto loser;
     } 
 
     mark = PORT_ArenaMark(arena);
 
@@ -619,17 +621,19 @@ crlgen_CreateInvalidityDate(PLArenaPool 
 
     PORT_Memcpy(encodedItem->data, dataArr[2], (encodedItem->len = length) *
                 sizeof(char));
 
     *extCode = SEC_OID_X509_INVALID_DATE;
     return encodedItem;
     
   loser:
-    PORT_ArenaRelease(arena, mark);
+    if (mark) {
+        PORT_ArenaRelease(arena, mark);
+    }
     return NULL;
 }
 
 /* Creates(by calling extCreator function) and adds extension to a set
  * of already added certs. Uses values of rangeFrom and rangeTo from
  * CRLGENCrlGenCtl structure for identifying the inclusive set of certs */
 static SECStatus
 crlgen_AddEntryExtension(CRLGENGeneratorData *crlGenData,
@@ -1074,26 +1078,23 @@ crlgen_AddCert(CRLGENGeneratorData *crlG
 
 
 /* Removes certs from entryDataHashTable which have certId serial number.
  * certId can have value of a range of certs */
 static SECStatus
 crlgen_RmCert(CRLGENGeneratorData *crlGenData, char *certId)
 {
     PRUint64 i = 0;
-    PLArenaPool *arena;
 
     PORT_Assert(crlGenData && certId);
     if (!crlGenData || !certId) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
-    arena = crlGenData->signCrl->arena;
-
     if (crlgen_SetNewRangeField(crlGenData, certId) == SECFailure &&
         certId) {
         return SECFailure;
     }
 
     for (i = 0;i < crlGenData->rangeTo - crlGenData->rangeFrom + 1;i++) {
         SECItem* certIdItem = SEC_ASN1EncodeInteger(NULL, NULL,
                                                     crlGenData->rangeFrom + i);
--- a/cmd/crlutil/crlutil.c
+++ b/cmd/crlutil/crlutil.c
@@ -123,17 +123,17 @@ static void ListCRLNames (CERTCertDBHand
 
 	crlNode  = crlList->first;
 
         fprintf (stdout, "\n");
 	fprintf (stdout, "\n%-40s %-5s\n\n", "CRL names", "CRL Type");
 	while (crlNode) {
 	    char* asciiname = NULL;
 	    CERTCertificate *cert = NULL;
-	    if (crlNode->crl && &crlNode->crl->crl.derName) {
+	    if (crlNode->crl && crlNode->crl->crl.derName.data != NULL) {
 	        cert = CERT_FindCertByName(certHandle,
 	                                   &crlNode->crl->crl.derName);
 	        if (!cert) {
 	            SECU_PrintError(progName, "could not find signing "
 	                         "certificate in database");
 	        }
 	    }
 	    if (cert) {
@@ -693,41 +693,45 @@ GenerateCRL (CERTCertDBHandle *certHandl
         SECU_PrintError(progName, "fail to allocate memory\n");
         return SECFailure;
     }
 
     if (modifyFlag == PR_TRUE) {
         signCrl = CreateModifiedCRLCopy(arena, certHandle, &cert, certNickName,
                                          inFile, decodeOptions, importOptions);
         if (signCrl == NULL) {
+            rv = SECFailure;
             goto loser;
         }
     }
 
     if (!cert) {
         cert = FindSigningCert(certHandle, signCrl, certNickName);
         if (cert == NULL) {
+            rv = SECFailure;
             goto loser;
         }
     }
 
     if (!signCrl) {
         if (modifyFlag == PR_TRUE) {
             if (!outFileName) {
                 int len = strlen(certNickName) + 5;
                 outFileName = PORT_ArenaAlloc(arena, len);
                 PR_snprintf(outFileName, len, "%s.crl", certNickName);
             }
             SECU_PrintError(progName, "Will try to generate crl. "
                             "It will be saved in file: %s",
                             outFileName);
         }
         signCrl = CreateNewCrl(arena, certHandle, cert);
-        if (!signCrl)
+        if (!signCrl) {
+            rv = SECFailure;
             goto loser;
+        }
     }
 
     rv = UpdateCrl(signCrl, inCrlInitFile);
     if (rv != SECSuccess) {
         goto loser;
     }
 
     rv = SignAndStoreCrl(signCrl, cert, outFileName, hashAlgTag, ascii,
--- a/cmd/crmftest/testcrmf.c
+++ b/cmd/crmftest/testcrmf.c
@@ -122,23 +122,27 @@ debug_test(SECItem *src, char *filePath)
     }
     PR_Write(fileDesc, src->data, src->len);
     
 }
 
 SECStatus
 get_serial_number(long *dest)
 {
-   SECStatus   rv;
+    SECStatus rv;
 
-   if (dest == NULL) {
+    if (dest == NULL) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
-   }
+    }
     rv = PK11_GenerateRandom((unsigned char *)dest, sizeof(long));
+    if (rv != SECSuccess) {
+       /* PK11_GenerateRandom calls PORT_SetError */
+       return SECFailure;
+    }
     /* make serial number positive */
     if (*dest < 0L)
     	*dest = - *dest;
     return SECSuccess;
 }
 
 PK11RSAGenParams *
 GetRSAParams(void) 
@@ -932,28 +936,16 @@ DoCMMFStuff(void)
         CERT_DestroyCertificate(cert);
     }
     if (list) {
         CERT_DestroyCertList(list);
     }
     return rv;
 }
 
-static CK_MECHANISM_TYPE
-mapWrapKeyType(KeyType keyType)
-{
-    switch (keyType) {
-    case rsaKey:
-        return CKM_RSA_PKCS;
-    default:
-        break;
-    }
-    return CKM_INVALID_MECHANISM;
-} 
-
 #define KNOWN_MESSAGE_LENGTH 20 /*160 bits*/
 
 int
 DoKeyRecovery( SECKEYPrivateKey *privKey)
 {
 #ifdef DOING_KEY_RECOVERY  /* Doesn't compile yet. */
     SECKEYPublicKey      *pubKey;
     PK11SlotInfo         *slot;
@@ -1528,20 +1520,16 @@ main(int argc, char **argv)
     PLOptState       *optstate;
     PLOptStatus       status;
     char             *password = NULL;
     char             *pwfile = NULL;
     int               irv     = 0;
     PRUint32          flags   = 0;
     SECStatus         rv;
     PRBool            nssInit = PR_FALSE;
-    PRBool            pArg    = PR_FALSE;
-    PRBool            eArg    = PR_FALSE;
-    PRBool            sArg    = PR_FALSE;
-    PRBool            PArg    = PR_FALSE;
 
     memset( &signPair,  0, sizeof signPair);
     memset( &cryptPair, 0, sizeof cryptPair);
     printf ("\ncrmftest v1.0\n");
     optstate = PL_CreateOptState(argc, argv, "d:p:e:s:P:f:");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	switch (optstate->option) {
 	case 'd':
@@ -1554,43 +1542,39 @@ main(int argc, char **argv)
 	    nssInit = PR_TRUE;
 	    break;
 	case 'p':
 	    personalCert = PORT_Strdup(optstate->value);
 	    if (personalCert == NULL) {
 	        printf ("-p  failed\n");
 	        return 603;
 	    }
-	    pArg = PR_TRUE;
 	    break;
 	case 'e':
 	    recoveryEncrypter = PORT_Strdup(optstate->value);
 	    if (recoveryEncrypter == NULL) {
 	        printf ("-e  failed\n");
 	        return 602;
 	    }
-	    eArg = PR_TRUE;
 	    break;
 	case 's':
 	    caCertName = PORT_Strdup(optstate->value);
 	    if (caCertName == NULL) {
 	        printf ("-s  failed\n");
 	        return 604;
 	    }
-	    sArg = PR_TRUE;
 	    break;
 	case 'P':
 	    password = PORT_Strdup(optstate->value);
 	    if (password == NULL) {
 	        printf ("-P  failed\n");
 	        return 606;
 	    }
             pwdata.source = PW_PLAINTEXT;
             pwdata.data = password;
-	    PArg = PR_TRUE;
 	    break;
         case 'f':
 	    pwfile = PORT_Strdup(optstate->value);
 	    if (pwfile == NULL) {
 	        printf ("-f  failed\n");
 	        return 607;
 	    }
             pwdata.source = PW_FROMFILE;
--- a/cmd/fipstest/fipstest.c
+++ b/cmd/fipstest/fipstest.c
@@ -283,17 +283,17 @@ tdea_kat_mmt(char *reqfn)
 {
     char buf[180];      /* holds one line from the input REQUEST file.
                          * needs to be large enough to hold the longest
                          * line "CIPHERTEXT = <180 hex digits>\n".
                          */
     FILE *req;       /* input stream from the REQUEST file */
     FILE *resp;      /* output stream to the RESPONSE file */
     int i, j;
-    int mode;           /* NSS_DES_EDE3 (ECB) or NSS_DES_EDE3_CBC */
+    int mode = NSS_DES_EDE3; /* NSS_DES_EDE3 (ECB) or NSS_DES_EDE3_CBC */
     int crypt = DECRYPT;    /* 1 means encrypt, 0 means decrypt */
     unsigned char key[24];              /* TDEA 3 key bundle */
     unsigned int numKeys = 0;
     unsigned char iv[8];		/* for all modes except ECB */
     unsigned char plaintext[8*20];     /* 1 to 20 blocks */
     unsigned int plaintextlen;
     unsigned char ciphertext[8*20];   /* 1 to 20 blocks */  
     unsigned int ciphertextlen;
@@ -992,20 +992,20 @@ aes_kat_mmt(char *reqfn)
 {
     char buf[512];      /* holds one line from the input REQUEST file.
                          * needs to be large enough to hold the longest
                          * line "CIPHERTEXT = <320 hex digits>\n".
                          */
     FILE *aesreq;       /* input stream from the REQUEST file */
     FILE *aesresp;      /* output stream to the RESPONSE file */
     int i, j;
-    int mode;           /* NSS_AES (ECB) or NSS_AES_CBC */
+    int mode = NSS_AES; /* NSS_AES (ECB) or NSS_AES_CBC */
     int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
     unsigned char key[32];              /* 128, 192, or 256 bits */
-    unsigned int keysize;
+    unsigned int keysize = 0;
     unsigned char iv[16];		/* for all modes except ECB */
     unsigned char plaintext[10*16];     /* 1 to 10 blocks */
     unsigned int plaintextlen;
     unsigned char ciphertext[10*16];    /* 1 to 10 blocks */
     unsigned int ciphertextlen;
     SECStatus rv;
 
     aesreq = fopen(reqfn, "r");
@@ -1192,17 +1192,17 @@ aes_ecb_mct(char *reqfn)
                          * needs to be large enough to hold the longest
                          * line "KEY = <64 hex digits>\n".
                          */
     FILE *aesreq;       /* input stream from the REQUEST file */
     FILE *aesresp;      /* output stream to the RESPONSE file */
     int i, j;
     int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
     unsigned char key[32];              /* 128, 192, or 256 bits */
-    unsigned int keysize;
+    unsigned int keysize = 0;
     unsigned char plaintext[16];        /* PT[j] */
     unsigned char plaintext_1[16];      /* PT[j-1] */
     unsigned char ciphertext[16];       /* CT[j] */
     unsigned char ciphertext_1[16];     /* CT[j-1] */
     unsigned char doublecheck[16];
     unsigned int outputlen;
     AESContext *cx = NULL;	/* the operation being tested */
     AESContext *cx2 = NULL;     /* the inverse operation done in parallel
@@ -1475,17 +1475,17 @@ aes_cbc_mct(char *reqfn)
                          * needs to be large enough to hold the longest
                          * line "KEY = <64 hex digits>\n".
                          */
     FILE *aesreq;       /* input stream from the REQUEST file */
     FILE *aesresp;      /* output stream to the RESPONSE file */
     int i, j;
     int encrypt = 0;    /* 1 means encrypt, 0 means decrypt */
     unsigned char key[32];              /* 128, 192, or 256 bits */
-    unsigned int keysize;
+    unsigned int keysize = 0;
     unsigned char iv[16];
     unsigned char plaintext[16];        /* PT[j] */
     unsigned char plaintext_1[16];      /* PT[j-1] */
     unsigned char ciphertext[16];       /* CT[j] */
     unsigned char ciphertext_1[16];     /* CT[j-1] */
     unsigned char doublecheck[16];
     unsigned int outputlen;
     AESContext *cx = NULL;	/* the operation being tested */
@@ -2098,17 +2098,17 @@ ecdsa_pkv_test(char *reqfn)
                          * line "Qx = <144 hex digits>\n".
                          */
     FILE *ecdsareq;     /* input stream from the REQUEST file */
     FILE *ecdsaresp;    /* output stream to the RESPONSE file */
     char curve[16];     /* "nistxddd" */
     ECParams *ecparams = NULL;
     SECItem pubkey;
     unsigned int i;
-    unsigned int len;
+    unsigned int len = 0;
     PRBool keyvalid = PR_TRUE;
 
     ecdsareq = fopen(reqfn, "r");
     ecdsaresp = stdout;
     strcpy(curve, "nist");
     pubkey.data = NULL;
     while (fgets(buf, sizeof buf, ecdsareq) != NULL) {
 	/* a comment or blank line */
@@ -2355,20 +2355,20 @@ ecdsa_sigver_test(char *reqfn)
                          * needs to be large enough to hold the longest
                          * line "Msg = <256 hex digits>\n".
                          */
     FILE *ecdsareq;     /* input stream from the REQUEST file */
     FILE *ecdsaresp;    /* output stream to the RESPONSE file */
     char curve[16];     /* "nistxddd" */
     ECPublicKey ecpub;
     unsigned int i, j;
-    unsigned int flen;  /* length in bytes of the field size */
-    unsigned int olen;  /* length in bytes of the base point order */
+    unsigned int flen = 0; /* length in bytes of the field size */
+    unsigned int olen = 0; /* length in bytes of the base point order */
     unsigned char msg[512];  /* message that was signed (<= 128 bytes) */
-    unsigned int msglen;
+    unsigned int msglen = 0;
     unsigned char sha1[20];  /* SHA-1 hash (160 bits) */
     unsigned char sig[2*MAX_ECKEY_LEN];
     SECItem signature, digest;
     PRBool keyvalid = PR_TRUE;
     PRBool sigvalid = PR_TRUE;
 
     ecdsareq = fopen(reqfn, "r");
     ecdsaresp = stdout;
@@ -2527,53 +2527,16 @@ ecdsa_sigver_test(char *reqfn)
 loser:
     if (ecpub.ecParams.arena != NULL) {
 	PORT_FreeArena(ecpub.ecParams.arena, PR_FALSE);
     }
     fclose(ecdsareq);
 }
 #endif /* NSS_DISABLE_ECC */
 
-
-/*
- * Read a value from the test and allocate the result.
- */
-static unsigned char *
-alloc_value(char *buf, int *len)
-{
-    unsigned char * value;
-    int i, count;
-
-    if (strncmp(buf, "<None>", 6) == 0) {
-	*len = 0;
-	return NULL;
-    }
-
-    /* find the length of the number */
-    for (count = 0; isxdigit(buf[count]); count++);
-    *len = count/2;
-
-    if (*len == 0) {
-	return NULL;
-    }
-
-    value = PORT_Alloc(*len);
-    if (!value) {
-	*len = 0;
-	return NULL;
-    }
-	
-    for (i=0; i<*len; buf+=2 , i++) {
-	hex_to_byteval(buf, &value[i]);
-    }
-    
-
-    return value;
-}
-
 PRBool
 isblankline(char *b)
 {
    while (isspace(*b)) b++;
    if ((*b == '\n') || (*b == 0)) {
 	return PR_TRUE;
    }
    return PR_FALSE;
@@ -2594,17 +2557,19 @@ drbg(char *reqfn)
     char buf[2000];   /* test case has some very long lines, returned bits
      * as high as 800 bytes (6400 bits). That 1600 byte
      * plus a tag */
     char buf2[2000]; 
     FILE *rngreq;       /* input stream from the REQUEST file */
     FILE *rngresp;      /* output stream to the RESPONSE file */
     
     unsigned int i, j;
+#if 0
     PRBool predictionResistance = PR_FALSE;
+#endif
     unsigned char *nonce =  NULL;
     int nonceLen = 0;
     unsigned char *personalizationString =  NULL;
     int personalizationStringLen = 0;
     unsigned char *additionalInput =  NULL;
     int additionalInputLen = 0;
     unsigned char *entropyInput = NULL;
     int entropyInputLen = 0;
@@ -2717,30 +2682,32 @@ drbg(char *reqfn)
         }
         
         /* [Hash - SHA256] */
         if (strncmp(buf, "[SHA-256]", 9) == 0) {
             fputs(buf, rngresp);
             continue;
         }
         
+#if 0   /* currently unsupported */
         if (strncmp(buf, "[PredictionResistance", 21)  == 0) {
             i = 21;
             while (isspace(buf[i]) || buf[i] == '=') {
                 i++;
-            }    
+            }
             if (strncmp(buf, "False", 5) == 0) {
                 predictionResistance = PR_FALSE;
             } else {
                 predictionResistance = PR_TRUE;
             }
             
             fputs(buf, rngresp);
             continue;
         }
+#endif
         
         if (strncmp(buf, "[EntropyInputLen", 16)  == 0) {
             if (entropyInput) {
                 PORT_ZFree(entropyInput, entropyInputLen);
                 entropyInput = NULL;
                 entropyInputLen = 0;
             }
             if (sscanf(buf, "[EntropyInputLen = %d]", &entropyInputLen) != 1) {
@@ -2985,17 +2952,17 @@ rng_vst(char *reqfn)
                          * needs to be large enough to hold the longest
                          * line "XSeed = <128 hex digits>\n".
                          */
     FILE *rngreq;       /* input stream from the REQUEST file */
     FILE *rngresp;      /* output stream to the RESPONSE file */
     unsigned int i, j;
     unsigned char Q[DSA1_SUBPRIME_LEN];
     PRBool hasQ = PR_FALSE;
-    unsigned int b;  /* 160 <= b <= 512, b is a multiple of 8 */
+    unsigned int b = 0; /* 160 <= b <= 512, b is a multiple of 8 */
     unsigned char XKey[512/8];
     unsigned char XSeed[512/8];
     unsigned char GENX[DSA1_SIGNATURE_LEN];
     unsigned char DSAX[DSA1_SUBPRIME_LEN];
     SECStatus rv;
 
     rngreq = fopen(reqfn, "r");
     rngresp = stdout;
@@ -3108,17 +3075,17 @@ rng_mct(char *reqfn)
                          * needs to be large enough to hold the longest
                          * line "XSeed = <128 hex digits>\n".
                          */
     FILE *rngreq;       /* input stream from the REQUEST file */
     FILE *rngresp;      /* output stream to the RESPONSE file */
     unsigned int i, j;
     unsigned char Q[DSA1_SUBPRIME_LEN];
     PRBool hasQ = PR_FALSE;
-    unsigned int b;  /* 160 <= b <= 512, b is a multiple of 8 */
+    unsigned int b = 0; /* 160 <= b <= 512, b is a multiple of 8 */
     unsigned char XKey[512/8];
     unsigned char XSeed[512/8];
     unsigned char GENX[2*SHA1_LENGTH];
     unsigned char DSAX[DSA1_SUBPRIME_LEN];
     SECStatus rv;
 
     rngreq = fopen(reqfn, "r");
     rngresp = stdout;
@@ -3411,18 +3378,18 @@ SECStatus sha_mct_test(unsigned int MDLe
  *
  * reqfn is the pathname of the input REQUEST file.
  *
  * The output RESPONSE file is written to stdout.
  */
 void sha_test(char *reqfn) 
 {
     unsigned int i, j;
-    unsigned int MDlen;   /* the length of the Message Digest in Bytes  */
-    unsigned int msgLen;  /* the length of the input Message in Bytes */
+    unsigned int MDlen = 0; /* the length of the Message Digest in Bytes  */
+    unsigned int msgLen = 0; /* the length of the input Message in Bytes */
     unsigned char *msg = NULL; /* holds the message to digest.*/
     size_t bufSize = 25608; /*MAX buffer size */
     char *buf = NULL;      /* holds one line from the input REQUEST file.*/
     unsigned char seed[HASH_LENGTH_MAX];   /* max size of seed 64 bytes */
     unsigned char MD[HASH_LENGTH_MAX];     /* message digest */
 
     FILE *req = NULL;  /* input stream from the REQUEST file */
     FILE *resp;        /* output stream to the RESPONSE file */
@@ -3589,28 +3556,28 @@ hmac_calc(unsigned char *hmac_computed,
  *
  * The output RESPONSE file is written to stdout.
  */
 void hmac_test(char *reqfn) 
 {
     unsigned int i, j;
     size_t bufSize =      400;    /* MAX buffer size */
     char *buf = NULL;  /* holds one line from the input REQUEST file.*/
-    unsigned int keyLen;          /* Key Length */  
+    unsigned int keyLen = 0;      /* Key Length */
     unsigned char key[200];       /* key MAX size = 184 */
     unsigned int msgLen = 128;    /* the length of the input  */
                                   /*  Message is always 128 Bytes */
     unsigned char *msg = NULL;    /* holds the message to digest.*/
-    unsigned int HMACLen;         /* the length of the HMAC Bytes  */
-    unsigned int TLen;            /* the length of the requested */
+    unsigned int HMACLen = 0;     /* the length of the HMAC Bytes  */
+    unsigned int TLen = 0;        /* the length of the requested */
                                   /* truncated HMAC Bytes */
     unsigned char HMAC[HASH_LENGTH_MAX];  /* computed HMAC */
     unsigned char expectedHMAC[HASH_LENGTH_MAX]; /* for .fax files that have */ 
                                                  /* supplied known answer */
-    HASH_HashType hash_alg;       /* HMAC type */
+    HASH_HashType hash_alg = HASH_AlgNULL; /* HMAC type */
     
 
     FILE *req = NULL;  /* input stream from the REQUEST file */
     FILE *resp;        /* output stream to the RESPONSE file */
 
     buf = PORT_ZAlloc(bufSize);
     if (buf == NULL) {
         goto loser;
@@ -3896,17 +3863,17 @@ dsa_pqgver_test(char *reqfn)
                          */
     FILE *dsareq;     /* input stream from the REQUEST file */
     FILE *dsaresp;    /* output stream to the RESPONSE file */
     int N;
     int L;
     unsigned int i, j;
     PQGParams pqg;
     PQGVerify vfy;
-    unsigned int pghSize;        /* size for p, g, and h */
+    unsigned int pghSize = 0; /* size for p, g, and h */
     dsa_pqg_type type = FIPS186_1;
 
     dsareq = fopen(reqfn, "r");
     dsaresp = stdout;
     memset(&pqg, 0, sizeof(pqg));
     memset(&vfy, 0, sizeof(vfy));
 
     while (fgets(buf, sizeof buf, dsareq) != NULL) {
@@ -4229,17 +4196,17 @@ dsa_pqggen_test(char *reqfn)
     FILE *dsaresp;    /* output stream to the RESPONSE file */
     int count;            /* number of times to generate parameters */
     int N;
     int L;
     int i;
     unsigned int j;
     PQGParams *pqg = NULL;
     PQGVerify *vfy = NULL;
-    unsigned int keySizeIndex;
+    unsigned int keySizeIndex = 0;
     dsa_pqg_type type = FIPS186_1;
 
     dsareq = fopen(reqfn, "r");
     dsaresp = stdout;
     while (fgets(buf, sizeof buf, dsareq) != NULL) {
         /* a comment or blank line */
         if (buf[0] == '#' || buf[0] == '\n') {
             fputs(buf, dsaresp);
--- a/cmd/httpserv/httpserv.c
+++ b/cmd/httpserv/httpserv.c
@@ -334,17 +334,16 @@ typedef struct caRevoInfoStr caRevoInfo;
 static caRevoInfo *caRevoInfos = NULL;
 
 static enum { 
   ocspGetOnly, ocspPostOnly, ocspGetAndPost, ocspRandomGetFailure, ocspGetUnknown
 } ocspMethodsAllowed = ocspGetAndPost;
 
 static const char stopCmd[] = { "GET /stop " };
 static const char getCmd[]  = { "GET " };
-static const char EOFmsg[]  = { "EOF\r\n\r\n\r\n" };
 static const char outHeader[] = {
     "HTTP/1.0 200 OK\r\n"
     "Server: Generic Web Server\r\n"
     "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n"
     "Content-type: text/plain\r\n"
     "\r\n"
 };
 static const char outOcspHeader[] = {
@@ -707,18 +706,18 @@ handle_connection(
 		  if (entry) {
 		      /* revoked status response */
 		      revoked = PR_TRUE;
 		      DER_DecodeTimeChoice(&revoDate, &entry->revocationDate);
 		  } else {
 		      /* else good status response */
 		      if (!isPost && ocspMethodsAllowed == ocspGetUnknown) {
 			  unknown = PR_TRUE;
-			  nextUpdate = PR_Now() + 60*60*24 * PR_USEC_PER_SEC; /*tomorrow*/
-			  revoDate = PR_Now() - 60*60*24 * PR_USEC_PER_SEC; /*yesterday*/
+			  nextUpdate = PR_Now() + (PRTime)60*60*24 * PR_USEC_PER_SEC; /*tomorrow*/
+			  revoDate = PR_Now() - (PRTime)60*60*24 * PR_USEC_PER_SEC; /*yesterday*/
 		      }
 		  }
 	      }
 
 	      {
 		  PRTime now = PR_Now();
 		  PLArenaPool *arena = NULL;
 		  CERTOCSPSingleResponse *sr;
--- a/cmd/lib/basicutil.c
+++ b/cmd/lib/basicutil.c
@@ -679,17 +679,17 @@ static unsigned char nibble(char c) {
     c = PORT_Tolower(c);
     return ( c >= '0' && c <= '9') ? c - '0' :
            ( c >= 'a' && c <= 'f') ? c - 'a' +10 : -1;
 }
 
 SECStatus
 SECU_SECItemHexStringToBinary(SECItem* srcdest)
 {
-    int i;
+    unsigned int i;
 
     if (!srcdest) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     if (srcdest->len < 4 || (srcdest->len % 2) ) {
         /* too short to convert, or even number of characters */
         PORT_SetError(SEC_ERROR_BAD_DATA);
--- a/cmd/lib/derprint.c
+++ b/cmd/lib/derprint.c
@@ -441,17 +441,17 @@ prettyPrintLength(FILE *out, const unsig
 	    if (il < 0) return -1;
 	    *lenp = (unsigned) il;
 	} else {
 	    *lenp = 0;
 	    *indefinitep = PR_TRUE;
 	}
 	lenLen = nb + 1;
 	if (raw) {
-	    int i;
+	    unsigned int i;
 
 	    rv = prettyPrintByte(out, lbyte, lv);
 	    if (rv < 0)
 		return rv;
 	    for (i = 0; i < nb; i++) {
 		rv = prettyPrintByte(out, data[i], lv);
 		if (rv < 0)
 		    return rv;
--- a/cmd/lib/pk11table.c
+++ b/cmd/lib/pk11table.c
@@ -572,17 +572,17 @@ const Constant _consts[] = {
 	mkEntry(CKT_NSS_TRUST_UNKNOWN, Trust),
 	mkEntry(CKT_NSS_VALID_DELEGATOR, Trust),
 
 	mkEntry(CK_EFFECTIVELY_INFINITE, AvailableSizes),
 	mkEntry(CK_UNAVAILABLE_INFORMATION, CurrentSize),
 };
 
 const Constant *consts = &_consts[0];
-const int constCount = sizeof(_consts)/sizeof(_consts[0]);
+const unsigned int constCount = sizeof(_consts)/sizeof(_consts[0]);
 
 const Commands _commands[] = {
     {"C_Initialize", F_C_Initialize,
 "C_Initialize pInitArgs\n\n"
 "C_Initialize initializes the PKCS #11 library.\n"
 "  pInitArgs  if this is not NULL_PTR it gets cast to and dereferenced\n",
 	{ArgInitializeArgs, ArgNone, ArgNone, ArgNone, ArgNone,
 	 ArgNone, ArgNone, ArgNone, ArgNone, ArgNone }},
@@ -1384,17 +1384,17 @@ const Topics _topics[] = {
 };
 
 const Topics  *topics= &_topics[0];
 const int topicCount = sizeof(_topics) / sizeof(_topics[0]);
 
 const char *
 getName(CK_ULONG value, ConstType type)
 {
-    int i;
+    unsigned int i;
     
     for (i=0; i < constCount; i++) {
         if (consts[i].type == type && consts[i].value == value) {
             return consts[i].name;
         }
         if (type == ConstNone && consts[i].value == value) {
             return consts[i].name;
         }
@@ -1404,17 +1404,17 @@ getName(CK_ULONG value, ConstType type)
 }
 
 const char *
 getNameFromAttribute(CK_ATTRIBUTE_TYPE type)
 {
     return getName(type, ConstAttribute);
 }
 
-int totalKnownType(ConstType type) {
-    int count = 0;
-    int i;
+unsigned int totalKnownType(ConstType type) {
+    unsigned int count = 0;
+    unsigned int i;
  
     for (i=0; i < constCount; i++) {
         if (consts[i].type == type) count++;
     }
     return count;
 }
--- a/cmd/lib/pk11table.h
+++ b/cmd/lib/pk11table.h
@@ -157,24 +157,24 @@ typedef struct _topics {
  * the command array itself. Make name to function and it's arguments
  */
 
 extern const char **valueString;
 extern const int valueCount;
 extern const char **constTypeString;
 extern const int constTypeCount;
 extern const Constant *consts;
-extern const int constCount;
+extern const unsigned int constCount;
 extern const Commands *commands;
 extern const int commandCount;
 extern const Topics *topics;
 extern const int topicCount;
 
 extern const char *
 getName(CK_ULONG value, ConstType type);
 
 extern const char *
 getNameFromAttribute(CK_ATTRIBUTE_TYPE type);
 
-extern int totalKnownType(ConstType type);
+extern unsigned int totalKnownType(ConstType type);
 
 #endif /* _PK11_TABLE_H_ */
 
--- a/cmd/lib/secutil.c
+++ b/cmd/lib/secutil.c
@@ -370,40 +370,43 @@ SECU_ChangePW2(PK11SlotInfo *slot, char 
 
 	if (PK11_CheckUserPassword(slot, oldpw) != SECSuccess) {
 	    if (pwdata.source == PW_NONE) {
 		PR_fprintf(PR_STDERR, "Invalid password.  Try again.\n");
 	    } else {
 		PR_fprintf(PR_STDERR, "Invalid password.\n");
 		PORT_Memset(oldpw, 0, PL_strlen(oldpw));
 		PORT_Free(oldpw);
-		return SECFailure;
+		rv = SECFailure;
+                goto done;
 	    }
 	} else
 	    break;
 
 	PORT_Free(oldpw);
     }
 
     newpw = secu_InitSlotPassword(slot, PR_FALSE, &newpwdata);
 
-    if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) {
+    rv = PK11_ChangePW(slot, oldpw, newpw);
+    if (rv != SECSuccess) {
 	PR_fprintf(PR_STDERR, "Failed to change password.\n");
-	return SECFailure;
+    } else {
+        PR_fprintf(PR_STDOUT, "Password changed successfully.\n");
     }
 
     PORT_Memset(oldpw, 0, PL_strlen(oldpw));
     PORT_Free(oldpw);
 
-    PR_fprintf(PR_STDOUT, "Password changed successfully.\n");
-
 done:
-    PORT_Memset(newpw, 0, PL_strlen(newpw));
-    PORT_Free(newpw);
-    return SECSuccess;
+    if (newpw) {
+        PORT_Memset(newpw, 0, PL_strlen(newpw));
+        PORT_Free(newpw);
+    }
+    return rv;
 }
 
 struct matchobj {
     SECItem index;
     char *nname;
     PRBool found;
 };
 
@@ -1545,17 +1548,17 @@ SECU_PrintDumpDerIssuerAndSerial(FILE *o
     }
 
     PORT_Free(derIssuerB64);
     PORT_Free(derSerialB64);
     
     fprintf(out, "Serial DER as C source: \n{ %d, \"", c->serialNumber.len);
 
     {
-      int i;
+      unsigned int i;
       for (i=0; i < c->serialNumber.len; ++i) {
         unsigned char *chardata = (unsigned char*)(c->serialNumber.data);
         unsigned char c = *(chardata + i);
         
         fprintf(out, "\\x%02x", c);
       }
       fprintf(out, "\" }\n");
     }
@@ -2412,17 +2415,16 @@ loser:
 }
 
 int
 SECU_PrintCertificateBasicInfo(FILE *out, const SECItem *der, const char *m, int level)
 {
     PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     CERTCertificate *c;
     int rv = SEC_ERROR_NO_MEMORY;
-    int iv;
     
     if (!arena)
 	return rv;
 
     /* Decode certificate */
     c = PORT_ArenaZNew(arena, CERTCertificate);
     if (!c)
 	goto loser;
@@ -2738,17 +2740,17 @@ secu_PrintPKCS7Signed(FILE *out, SEC_PKC
 
     /* Parse and list certificates (if any) */
     if (src->rawCerts != NULL) {
 	SECU_Indent(out, level + 1);  fprintf(out, "Certificate List:\n");
 	iv = 0;
 	while ((aCert = src->rawCerts[iv++]) != NULL) {
 	    sprintf(om, "Certificate (%x)", iv);
 	    rv = SECU_PrintSignedData(out, aCert, om, level + 2, 
-				      SECU_PrintCertificate);
+				      (SECU_PPFunc)SECU_PrintCertificate);
 	    if (rv)
 		return rv;
 	}
     }
 
     /* Parse and list CRL's (if any) */
     if (src->crls != NULL) {
 	SECU_Indent(out, level + 1);  
@@ -2857,17 +2859,17 @@ secu_PrintPKCS7SignedAndEnveloped(FILE *
 
     /* Parse and list certificates (if any) */
     if (src->rawCerts != NULL) {
 	SECU_Indent(out, level + 1);  fprintf(out, "Certificate List:\n");
 	iv = 0;
 	while ((aCert = src->rawCerts[iv++]) != NULL) {
 	    sprintf(om, "Certificate (%x)", iv);
 	    rv = SECU_PrintSignedData(out, aCert, om, level + 2, 
-				      SECU_PrintCertificate);
+				      (SECU_PPFunc)SECU_PrintCertificate);
 	    if (rv)
 		return rv;
 	}
     }
 
     /* Parse and list CRL's (if any) */
     if (src->crls != NULL) {
 	SECU_Indent(out, level + 1);  
@@ -3187,17 +3189,17 @@ SEC_PrintCertificateAndTrust(CERTCertifi
     SECStatus rv;
     SECItem data;
     CERTCertTrust certTrust;
     
     data.data = cert->derCert.data;
     data.len = cert->derCert.len;
 
     rv = SECU_PrintSignedData(stdout, &data, label, 0,
-			      SECU_PrintCertificate);
+			      (SECU_PPFunc)SECU_PrintCertificate);
     if (rv) {
 	return(SECFailure);
     }
     if (trust) {
 	SECU_PrintTrustFlags(stdout, trust,
 	                     "Certificate Trust Flags", 1);
     } else if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) {
 	SECU_PrintTrustFlags(stdout, &certTrust,
@@ -3278,33 +3280,33 @@ SECU_displayVerifyLog(FILE *outfile, CER
 		    }
 		}
 	    }
 	    fprintf(outfile, "  ERROR %ld: %s\n", node->error,
 			    SECU_Strerror(node->error));
 	    errstr = NULL;
 	    switch (node->error) {
 	    case SEC_ERROR_INADEQUATE_KEY_USAGE:
-		flags = (unsigned int)node->arg;
+		flags = (unsigned int)((char *)node->arg - (char *)NULL);
 		switch (flags) {
 		case KU_DIGITAL_SIGNATURE:
 		    errstr = "Cert cannot sign.";
 		    break;
 		case KU_KEY_ENCIPHERMENT:
 		    errstr = "Cert cannot encrypt.";
 		    break;
 		case KU_KEY_CERT_SIGN:
 		    errstr = "Cert cannot sign other certs.";
 		    break;
 		default:
 		    errstr = "[unknown usage].";
 		    break;
 		}
 	    case SEC_ERROR_INADEQUATE_CERT_TYPE:
-		flags = (unsigned int)node->arg;
+		flags = (unsigned int)((char *)node->arg - (char *)NULL);
 		switch (flags) {
 		case NS_CERT_TYPE_SSL_CLIENT:
 		case NS_CERT_TYPE_SSL_SERVER:
 		    errstr = "Cert cannot be used for SSL.";
 		    break;
 		case NS_CERT_TYPE_SSL_CA:
 		    errstr = "Cert cannot be used as an SSL CA.";
 		    break;
--- a/cmd/modutil/error.h
+++ b/cmd/modutil/error.h
@@ -128,30 +128,12 @@ typedef enum {
 	DEFAULT_SUCCESS_MSG,
 	UNDEFAULT_SUCCESS_MSG,
 	BROWSER_RUNNING_MSG,
 	ABORTING_MSG,
 
 	LAST_MSG  /* must be last */
 } Message;
 
-static char *msgStrings[] = {
-	"FIPS mode enabled.\n",
-	"FIPS mode disabled.\n",
-	"Using database directory %s...\n",
-	"Creating \"%s\"...",
-	"Module \"%s\" added to database.\n",
-	"Module \"%s\" deleted from database.\n",
-	"Token \"%s\" password changed successfully.\n",
-	"Incorrect password, try again...\n",
-	"Passwords do not match, try again...\n",
-	"done.\n",
-	"Slot \"%s\" %s.\n",
-	"Successfully changed defaults.\n",
-	"Successfully changed defaults.\n",
-"\nWARNING: Performing this operation while the browser is running could cause"
-"\ncorruption of your security databases. If the browser is currently running,"
-"\nyou should exit browser before continuing this operation. Type "
-"\n'q <enter>' to abort, or <enter> to continue: ",
-	"\nAborting...\n"
-};
+/* defined in modutil.c */
+extern char *msgStrings[];
 
 #endif /* MODUTIL_ERROR_H */
--- a/cmd/modutil/installparse.c
+++ b/cmd/modutil/installparse.c
@@ -198,34 +198,34 @@ Pk11Install_yyerror(char *message)
 int
 yyparse()
 {
     register int yym, yyn, yystate;
 #if YYDEBUG
     register char *yys;
     extern char *getenv();
 
-    if (yys = getenv("YYDEBUG"))
+    if ((yys = getenv("YYDEBUG")) != NULL)
     {
         yyn = *yys;
         if (yyn >= '0' && yyn <= '9')
             yydebug = yyn - '0';
     }
 #endif
 
     yynerrs = 0;
     yyerrflag = 0;
     yychar = (-1);
 
     yyssp = yyss;
     yyvsp = yyvs;
     *yyssp = yystate = 0;
 
 yyloop:
-    if (yyn = yydefred[yystate]) goto yyreduce;
+    if ((yyn = yydefred[yystate]) != 0) goto yyreduce;
     if (yychar < 0)
     {
         if ((yychar = yylex()) < 0) yychar = 0;
 #if YYDEBUG
         if (yydebug)
         {
             yys = 0;
             if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
--- a/cmd/modutil/lex.Pk11Install_yy.c
+++ b/cmd/modutil/lex.Pk11Install_yy.c
@@ -1095,16 +1095,17 @@ register char *yy_bp;
 
 	yytext_ptr = yy_bp;
 	yy_hold_char = *yy_cp;
 	yy_c_buf_p = yy_cp;
 	}
 #endif	/* ifndef YY_NO_UNPUT */
 
 
+#ifndef YY_NO_INPUT
 #ifdef __cplusplus
 static int yyinput()
 #else
 static int input()
 #endif
 	{
 	int c;
 
@@ -1166,16 +1167,17 @@ static int input()
 
 	c = *(unsigned char *) yy_c_buf_p;	/* cast for 8-bit char's */
 	*yy_c_buf_p = '\0';	/* preserve yytext */
 	yy_hold_char = *++yy_c_buf_p;
 
 
 	return c;
 	}
+#endif	/* ifndef YY_NO_INPUT */
 
 
 #ifdef YY_USE_PROTOS
 void yyrestart( FILE *input_file )
 #else
 void yyrestart( input_file )
 FILE *input_file;
 #endif
--- a/cmd/modutil/manifest.mn
+++ b/cmd/modutil/manifest.mn
@@ -19,16 +19,16 @@ CSRCS = modutil.c		\
 		$(NULL)
 
 CPPSRCS = 
 
 PROGRAM =  modutil
 
 REQUIRES = seccmd nss dbm
 
-DEFINES = -DNSPR20
+DEFINES = -DNSPR20 -DYY_NO_UNPUT -DYY_NO_INPUT
 
 # sigh
 #INCLUDES += -I$(CORE_DEPTH)/nss/lib/pk11wrap
 
 # USE_STATIC_LIBS = 1 
 
 EXTRA_LIBS = $(JAR_LIBS)
--- a/cmd/modutil/modutil.c
+++ b/cmd/modutil/modutil.c
@@ -117,16 +117,37 @@ static char *optionStrings[] = {
 	"-installdir",
 	"-tempdir",
 	"-secmod",
 	"-nocertdb",
 	"-string",
 	"-chkfips",
 };
 
+char *msgStrings[] = {
+	"FIPS mode enabled.\n",
+	"FIPS mode disabled.\n",
+	"Using database directory %s...\n",
+	"Creating \"%s\"...",
+	"Module \"%s\" added to database.\n",
+	"Module \"%s\" deleted from database.\n",
+	"Token \"%s\" password changed successfully.\n",
+	"Incorrect password, try again...\n",
+	"Passwords do not match, try again...\n",
+	"done.\n",
+	"Slot \"%s\" %s.\n",
+	"Successfully changed defaults.\n",
+	"Successfully changed defaults.\n",
+"\nWARNING: Performing this operation while the browser is running could cause"
+"\ncorruption of your security databases. If the browser is currently running,"
+"\nyou should exit browser before continuing this operation. Type "
+"\n'q <enter>' to abort, or <enter> to continue: ",
+	"\nAborting...\n"
+};
+
 /* Increment i if doing so would have i still be less than j.  If you
    are able to do this, return 0.  Otherwise return 1. */
 #define TRY_INC(i,j)  ( ((i+1)<j) ? (++i, 0) : 1 )
 
 /********************************************************************
  *
  * file-wide variables obtained from the command line
  */
--- a/cmd/multinit/multinit.c
+++ b/cmd/multinit/multinit.c
@@ -309,37 +309,16 @@ appendHex(unsigned char nibble)
     if (nibble <= 9) {
 	appendLabel('0'+nibble);
     } else {
 	appendLabel('a'+nibble-10);
     }
 }
 
 /*
- * append a secitem as colon separated hex bytes.
- */
-static void
-appendItem(SECItem *item)
-{
-    int i;
-
-    if (!buffer.data) {
-	return;
-    }
-
-    appendLabel(':');
-    for (i=0; i < item->len; i++) {
-	unsigned char byte=item->data[i];
-	appendHex(byte >> 4);
-	appendHex(byte & 0xf);
-	appendLabel(':');
-    }
-}
-
-/*
  * append a 32 bit integer (even on a 64 bit platform).
  * for simplicity append it as a hex value, full extension with 0x prefix.
  */
 static void
 appendInt(unsigned int value)
 {
     int i;
 
@@ -488,17 +467,17 @@ sort_CN(CERTCertificate *certa, CERTCert
  */
 void
 do_list_certs(const char *progName, int log)
 {
    CERTCertList *list;
    CERTCertList *sorted;
    CERTCertListNode *node;
    CERTCertTrust trust;
-   int i;
+   unsigned int i;
 
    list = PK11_ListCerts(PK11CertListUnique, NULL);
    if (list == NULL) {
 	fprintf(stderr,"ERROR: no certs found %s\n", 
 		SECU_Strerror(PORT_GetError()));
 	appendLabel('C');
 	appendString("none");
 	return;
--- a/cmd/ocspclnt/ocspclnt.c
+++ b/cmd/ocspclnt/ocspclnt.c
@@ -557,17 +557,17 @@ print_raw_certificates (FILE *out_file, 
 	fprintf (out_file, "No Certificates.\n");
 	return;
     }
 
     fprintf (out_file, "Certificate List:\n");
     while ((raw_cert = raw_certs[i++]) != NULL) {
 	sprintf (cert_label, "Certificate (%d)", i);
 	(void) SECU_PrintSignedData (out_file, raw_cert, cert_label, level + 1,
-				     SECU_PrintCertificate);
+				     (SECU_PPFunc)SECU_PrintCertificate);
     }
 }
 
 
 static void
 print_ocsp_extensions (FILE *out_file, CERTCertExtension **extensions,
 		       char *msg, int level)
 {
@@ -959,17 +959,17 @@ main (int argc, char **argv)
     int		 ccert, vcert;
     const char	*db_dir, *date_str, *cert_usage_str, *name;
     const char	*responder_name, *responder_url, *signer_name;
     PRBool	 add_acceptable_responses, add_service_locator;
     SECItem	*data = NULL;
     PLOptState	*optstate;
     SECStatus	 rv;
     CERTCertDBHandle *handle = NULL;
-    SECCertUsage cert_usage;
+    SECCertUsage cert_usage = certUsageSSLClient;
     PRTime	 verify_time;
     CERTCertificate *cert = NULL;
     PRBool ascii = PR_FALSE;
 
     retval = -1;		/* what we return/exit with on error */
 
     program_name = PL_strrchr(argv[0], '/');
     program_name = program_name ? (program_name + 1) : argv[0];
--- a/cmd/ocspresp/ocspresp.c
+++ b/cmd/ocspresp/ocspresp.c
@@ -124,25 +124,22 @@ main(int argc, char **argv)
     CERTCertDBHandle *certHandle = NULL;
     CERTCertificate *caCert = NULL, *cert = NULL;
     CERTOCSPCertID *cid = NULL;
     PLArenaPool *arena = NULL;
     PRTime now = PR_Now();
     
     SECItem *encoded = NULL;
     CERTOCSPResponse *decoded = NULL;
-    SECStatus statusDecoded;
 
     SECItem *encodedRev = NULL;
     CERTOCSPResponse *decodedRev = NULL;
-    SECStatus statusDecodedRev;
     
     SECItem *encodedFail = NULL;
     CERTOCSPResponse *decodedFail = NULL;
-    SECStatus statusDecodedFail;
 
     CERTCertificate *obtainedSignerCert = NULL;
 
     if (argc != 4 && argc != 6) {
         return Usage();
     }
 
     if (argc == 6) {
@@ -176,50 +173,57 @@ main(int argc, char **argv)
         goto loser;
 
     cid = CERT_CreateOCSPCertID(cert, now);
 
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     encoded = encode(arena, cid, caCert);
     PORT_Assert(encoded);
     decoded = CERT_DecodeOCSPResponse(encoded);
-    statusDecoded = CERT_GetOCSPResponseStatus(decoded);
-    PORT_Assert(statusDecoded == SECSuccess);
+    PORT_CheckSuccess(CERT_GetOCSPResponseStatus(decoded));
 
-    statusDecoded = CERT_VerifyOCSPResponseSignature(decoded, certHandle, &pwdata,
-                                                &obtainedSignerCert, caCert);
-    PORT_Assert(statusDecoded == SECSuccess);
-    statusDecoded = CERT_GetOCSPStatusForCertID(certHandle, decoded, cid,
-                                                obtainedSignerCert, now);
-    PORT_Assert(statusDecoded == SECSuccess);
+    PORT_CheckSuccess(CERT_VerifyOCSPResponseSignature(decoded, certHandle, &pwdata,
+                                                        &obtainedSignerCert, caCert));
+    PORT_CheckSuccess(CERT_GetOCSPStatusForCertID(certHandle, decoded, cid,
+                                                   obtainedSignerCert, now));
     CERT_DestroyCertificate(obtainedSignerCert);
 
     encodedRev = encodeRevoked(arena, cid, caCert);
     PORT_Assert(encodedRev);
     decodedRev = CERT_DecodeOCSPResponse(encodedRev);
-    statusDecodedRev = CERT_GetOCSPResponseStatus(decodedRev);
-    PORT_Assert(statusDecodedRev == SECSuccess);
+    PORT_CheckSuccess(CERT_GetOCSPResponseStatus(decodedRev));
 
-    statusDecodedRev = CERT_VerifyOCSPResponseSignature(decodedRev, certHandle, &pwdata,
-                                                        &obtainedSignerCert, caCert);
-    PORT_Assert(statusDecodedRev == SECSuccess);
-    statusDecodedRev = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
+    PORT_CheckSuccess(CERT_VerifyOCSPResponseSignature(decodedRev, certHandle, &pwdata,
+                                                        &obtainedSignerCert, caCert));
+#ifdef DEBUG
+    {
+        SECStatus rv = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
                                                    obtainedSignerCert, now);
-    PORT_Assert(statusDecodedRev == SECFailure);
-    PORT_Assert(PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE);
+        PORT_Assert(rv == SECFailure);
+        PORT_Assert(PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE);
+    }
+#else
+    (void)CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
+                                      obtainedSignerCert, now);
+#endif
     CERT_DestroyCertificate(obtainedSignerCert);
     
     encodedFail = CERT_CreateEncodedOCSPErrorResponse(
         arena, SEC_ERROR_OCSP_TRY_SERVER_LATER);
     PORT_Assert(encodedFail);
     decodedFail = CERT_DecodeOCSPResponse(encodedFail);
-    statusDecodedFail = CERT_GetOCSPResponseStatus(decodedFail);
-    PORT_Assert(statusDecodedFail == SECFailure);
-    PORT_Assert(PORT_GetError() == SEC_ERROR_OCSP_TRY_SERVER_LATER);
-
+#ifdef DEBUG
+    {
+        SECStatus rv = CERT_GetOCSPResponseStatus(decodedFail);
+        PORT_Assert(rv == SECFailure);
+        PORT_Assert(PORT_GetError() == SEC_ERROR_OCSP_TRY_SERVER_LATER);
+    }
+#else
+    (void)CERT_GetOCSPResponseStatus(decodedFail);
+#endif
     retval = 0;
 loser:
     if (retval != 0)
         SECU_PrintError(argv[0], "tests failed");
     
     if (cid)
         CERT_DestroyOCSPCertID(cid);
     if (cert)
--- a/cmd/oidcalc/oidcalc.c
+++ b/cmd/oidcalc/oidcalc.c
@@ -39,23 +39,23 @@ main(int argc, char **argv)
     nextstr = strchr(curstr, '.');
 
     if ( nextstr ) {
 	*nextstr = '\0';
     }
 
     secondval = atoi(curstr);
     
-    if ( ( firstval < 0 ) || ( firstval > 2 ) ) {
+    if ( firstval > 2 ) {
 	fprintf(stderr, "first component out of range\n");
 	exit(-1);
 	
     }
     
-    if ( ( secondval < 0 ) || ( secondval > 39 ) ) {
+    if ( secondval > 39 ) {
 	fprintf(stderr, "second component out of range\n");
 	exit(-1);
     }
     
     printf("0x%x, ", ( firstval * 40 ) + secondval );
     while ( nextstr ) {
 	curstr = nextstr + 1;
 
--- a/cmd/p7env/p7env.c
+++ b/cmd/p7env/p7env.c
@@ -125,29 +125,27 @@ EncryptFile(FILE *outFile, FILE *inFile,
     return 0;
 }
 
 int
 main(int argc, char **argv)
 {
     char *progName;
     FILE *inFile, *outFile;
-    char *certName;
     CERTCertDBHandle *certHandle;
     struct recipient *recipients, *rcpt;
     PLOptState *optstate;
     PLOptStatus status;
     SECStatus rv;
 
     progName = strrchr(argv[0], '/');
     progName = progName ? progName+1 : argv[0];
 
     inFile = NULL;
     outFile = NULL;
-    certName = NULL;
     recipients = NULL;
     rcpt = NULL;
 
     /*
      * Parse command line arguments
      * XXX This needs to be enhanced to allow selection of algorithms
      * and key sizes (or to look up algorithms and key sizes for each
      * recipient in the magic database).
--- a/cmd/pk11gcmtest/pk11gcmtest.c
+++ b/cmd/pk11gcmtest/pk11gcmtest.c
@@ -161,32 +161,32 @@ aes_gcm_kat(const char *respfn)
 {
     char buf[512];      /* holds one line from the input REQUEST file.
                          * needs to be large enough to hold the longest
                          * line "CIPHERTEXT = <320 hex digits>\n".
                          */
     FILE *aesresp;      /* input stream from the RESPONSE file */
     int i, j;
     unsigned int test_group = 0;
-    unsigned int num_tests;
+    unsigned int num_tests = 0;
     PRBool is_encrypt;
     unsigned char key[32];              /* 128, 192, or 256 bits */
-    unsigned int keysize;
+    unsigned int keysize = 16;
     unsigned char iv[10*16];            /* 1 to 10 blocks */
-    unsigned int ivsize;
+    unsigned int ivsize = 12;
     unsigned char plaintext[10*16];     /* 1 to 10 blocks */
     unsigned int plaintextlen = 0;
     unsigned char aad[10*16];           /* 1 to 10 blocks */
     unsigned int aadlen = 0;
     unsigned char ciphertext[10*16];    /* 1 to 10 blocks */
-    unsigned int ciphertextlen;
+    unsigned int ciphertextlen = 0;
     unsigned char tag[16];
-    unsigned int tagsize;
+    unsigned int tagsize = 16;
     unsigned char output[10*16];         /* 1 to 10 blocks */
-    unsigned int outputlen;
+    unsigned int outputlen = 0;
 
     unsigned int expected_keylen = 0;
     unsigned int expected_ivlen = 0;
     unsigned int expected_ptlen = 0;
     unsigned int expected_aadlen = 0;
     unsigned int expected_taglen = 0;
     SECStatus rv;
 
--- a/cmd/pk11mode/pk11mode.c
+++ b/cmd/pk11mode/pk11mode.c
@@ -3501,18 +3501,18 @@ CK_RV PKM_FindAllObjects(CK_FUNCTION_LIS
                          CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen) {
     CK_RV crv = CKR_OK;
 
     CK_SESSION_HANDLE h = (CK_SESSION_HANDLE)0;
     CK_SESSION_INFO sinfo;
     CK_ATTRIBUTE_PTR pTemplate;
     CK_ULONG tnObjects = 0;
     int curMode;
-    int i;
-    int  number_of_all_known_attribute_types = totalKnownType(ConstAttribute);
+    unsigned int i;
+    unsigned int  number_of_all_known_attribute_types = totalKnownType(ConstAttribute);
 
     NUMTESTS++; /* increment NUMTESTS */
 
     crv = pFunctionList->C_OpenSession(pSlotList[slotID], CKF_SERIAL_SESSION,
                                        NULL, NULL, &h);
     if ( CKR_OK != crv ) {
         PKM_Error("C_OpenSession(%lu, CKF_SERIAL_SESSION, , )"
                   "returned 0x%08X, %-26s\n", pSlotList[slotID], crv, 
@@ -4553,17 +4553,17 @@ CK_RV
 PKM_TLSMasterKeyDerive( CK_FUNCTION_LIST_PTR pFunctionList,
                         CK_SLOT_ID * pSlotList, CK_ULONG slotID,
                         CK_UTF8CHAR_PTR pwd, CK_ULONG pwdLen,
                         CK_MECHANISM_TYPE mechType,
                         enum_random_t rnd)  {
     CK_SESSION_HANDLE hSession;
     CK_RV crv;
     CK_MECHANISM            mk_mech;
-    CK_VERSION              expected_version, version;
+    CK_VERSION              version;
     CK_OBJECT_CLASS         class = CKO_SECRET_KEY;
     CK_KEY_TYPE             type = CKK_GENERIC_SECRET;
     CK_BBOOL                derive_bool = true;
     CK_ATTRIBUTE            attrs[4];
     CK_ULONG                attrs_count = 4;
     CK_OBJECT_HANDLE        pmk_obj = CK_INVALID_HANDLE;
     CK_OBJECT_HANDLE        mk_obj = CK_INVALID_HANDLE;
     CK_SSL3_MASTER_KEY_DERIVE_PARAMS mkd_params;
@@ -4620,18 +4620,16 @@ PKM_TLSMasterKeyDerive( CK_FUNCTION_LIST
 
     switch (mechType) {
     case CKM_TLS_MASTER_KEY_DERIVE_DH:
         isDH = true;
         /* FALLTHRU */
     case CKM_TLS_MASTER_KEY_DERIVE:
         attrs[3].pValue = NULL;
         attrs[3].ulValueLen = 0;
-        expected_version.major = 3;
-        expected_version.minor = 1;
 
         mkd_params.RandomInfo.pClientRandom = (unsigned char * ) TLSClientRandom;
         mkd_params.RandomInfo.ulClientRandomLen =
         sizeof (TLSClientRandom);
         mkd_params.RandomInfo.pServerRandom = (unsigned char * ) TLSServerRandom;
         mkd_params.RandomInfo.ulServerRandomLen =
         sizeof (TLSServerRandom);
         break;
--- a/cmd/pk12util/pk12util.c
+++ b/cmd/pk12util/pk12util.c
@@ -751,17 +751,17 @@ P12U_ListPKCS12File(char *in_file, PK11S
 			                    "Cannot create output file");
 			} else {
 			    PR_Write(fd, dip->der->data, dip->der->len);
 			    PR_Close(fd);
 			}
 		    } else 
                     if (SECU_PrintSignedData(stdout, dip->der,
                             (dip->hasKey) ? "(has private key)" : "",
-                             0, SECU_PrintCertificate) != 0) {
+                             0, (SECU_PPFunc)SECU_PrintCertificate) != 0) {
                         SECU_PrintError(progName,"PKCS12 print cert bag failed");
                     }
                     if (dip->friendlyName != NULL) {
                         printf("    Friendly Name: %s\n\n",
                                 dip->friendlyName->data);
                     }
 		    if (dip->shroudAlg) {
 			SECU_PrintAlgorithmID(stdout, dip->shroudAlg,
--- a/cmd/pk1sign/pk1sign.c
+++ b/cmd/pk1sign/pk1sign.c
@@ -170,17 +170,17 @@ SignFile(FILE *outFile, PRFileDesc *inFi
 int
 main(int argc, char **argv)
 {
     char *progName;
     FILE *outFile;
     PRFileDesc *inFile;
     char *keyName = NULL;
     CERTCertDBHandle *certHandle;
-    CERTCertificate *cert;
+    CERTCertificate *cert = NULL;
     PLOptState *optstate;
     PLOptStatus status;
     SECStatus rv;
 
     progName = strrchr(argv[0], '/');
     progName = progName ? progName+1 : argv[0];
 
     inFile = NULL;
--- a/cmd/pp/pp.c
+++ b/cmd/pp/pp.c
@@ -131,17 +131,17 @@ int main(int argc, char **argv)
     data.len = der.len;
 
     SECU_EnableWrap(wrap);
 
     /* Pretty print it */
     if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0 ||
         PORT_Strcmp(typeTag, "c") == 0) {
 	rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0,
-			     SECU_PrintCertificate);
+			     (SECU_PPFunc)SECU_PrintCertificate);
     } else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_ID) == 0 ||
                PORT_Strcmp(typeTag, "ci") == 0) {
         rv = SECU_PrintSignedContent(outFile, &data, 0, 0,
                                      SECU_PrintDumpDerIssuerAndSerial);
     } else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_REQUEST) == 0 ||
                PORT_Strcmp(typeTag, "cr") == 0) {
 	rv = SECU_PrintSignedData(outFile, &data, "Certificate Request", 0,
 			     SECU_PrintCertificateRequest);
--- a/cmd/sdrtest/sdrtest.c
+++ b/cmd/sdrtest/sdrtest.c
@@ -66,19 +66,19 @@ long_usage (char *program_name)
     PR_fprintf (pr_stderr,
 		"  %-13s supply \"password\" on the command line\n",
 		"-p password");
 }
 
 int 
 readStdin(SECItem * result)
 {
-  int bufsize = 0;
+  unsigned int bufsize = 0;
   int cc;
-  int wanted  = 8192;
+  unsigned int wanted  = 8192U;
 
   result->len = 0;
   result->data = NULL;
   do {
     if (bufsize < wanted) {
       unsigned char * tmpData = (unsigned char *)PR_Realloc(result->data, wanted);
       if (!tmpData) {
 	if (verbose) PR_fprintf(pr_stderr, "Allocation of buffer failed\n");
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -497,18 +497,18 @@ mySSLSNISocketConfig(PRFileDesc *fd, con
 
     PORT_Assert(fd && sniNameArr);
     if (!fd || !sniNameArr) {
 	return SSL_SNI_SEND_ALERT;
     }
 
     pwdata = SSL_RevealPinArg(fd);
 
-    for (;current && i < sniNameArrSize;i++) {
-        int j = 0;
+    for (;current && (PRUint32)i < sniNameArrSize;i++) {
+        unsigned int j = 0;
         for (;j < MAX_VIRT_SERVER_NAME_ARRAY_INDEX && nameArr[j];j++) {
             if (!PORT_Strncmp(nameArr[j],
                               (const char *)current[i].data,
                               current[i].len) &&
                 PORT_Strlen(nameArr[j]) == current[i].len) {
                 const char *nickName = nameArr[j];
                 if (j == 0) {
                     /* default cert */
@@ -1124,48 +1124,48 @@ makeCorruptedOCSPResponse(PLArenaPool *a
 
 SECItemArray *
 makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm,
 		       CERTCertificate *cert, secuPWData *pwdata)
 {
     SECItemArray *result = NULL;
     SECItem *ocspResponse = NULL;
     CERTOCSPSingleResponse **singleResponses;
-    CERTOCSPSingleResponse *sr;
+    CERTOCSPSingleResponse *sr = NULL;
     CERTOCSPCertID *cid = NULL;
     CERTCertificate *ca;
     PRTime now = PR_Now();
     PRTime nextUpdate;
 
     PORT_Assert(cert != NULL);
 
     ca = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), ocspStaplingCA);
     if (!ca)
 	errExit("cannot find CA");
 
     cid = CERT_CreateOCSPCertID(cert, now);
     if (!cid)
 	errExit("cannot created cid");
 
-    nextUpdate = now + 60*60*24 * PR_USEC_PER_SEC; /* plus 1 day */
+    nextUpdate = now + (PRTime)60*60*24 * PR_USEC_PER_SEC; /* plus 1 day */
 
     switch (osm) {
 	case osm_good:
 	case osm_badsig:
 	    sr = CERT_CreateOCSPSingleResponseGood(arena, cid, now,
 						   &nextUpdate);
 	    break;
 	case osm_unknown:
 	    sr = CERT_CreateOCSPSingleResponseUnknown(arena, cid, now,
 						      &nextUpdate);
 	    break;
 	case osm_revoked:
 	    sr = CERT_CreateOCSPSingleResponseRevoked(arena, cid, now,
 		&nextUpdate,
-		now - 60*60*24 * PR_USEC_PER_SEC, /* minus 1 day */
+		now - (PRTime)60*60*24 * PR_USEC_PER_SEC, /* minus 1 day */
 		NULL);
 	    break;
 	default:
 	    PORT_Assert(0);
 	    break;
     }
 
     if (!sr)
--- a/cmd/shlibsign/shlibsign.c
+++ b/cmd/shlibsign/shlibsign.c
@@ -702,17 +702,17 @@ int main(int argc, char **argv)
     PRFileDesc *fd;
     PRStatus rv = PR_SUCCESS;
     const char  *input_file = NULL; /* read/create encrypted data from here */
     char  *output_file = NULL;	/* write new encrypted data here */
     int bytesRead;
     int bytesWritten;
     unsigned char file_buf[512];
     int count=0;
-    int keySize = 0;
+    unsigned int keySize = 0;
     int i;
     PRBool verify = PR_FALSE;
     static PRBool FIPSMODE = PR_FALSE;
     PRBool successful = PR_FALSE;
 
 #ifdef USES_LINKS
     int ret;
     struct stat stat_buf;
--- a/cmd/signtool/certgen.c
+++ b/cmd/signtool/certgen.c
@@ -415,17 +415,16 @@ set_cert_type(CERTCertificate *cert, uns
 static SECItem *
 sign_cert(CERTCertificate *cert, SECKEYPrivateKey *privk)
 {
     SECStatus rv;
 
     SECItem der2;
     SECItem * result2;
 
-    void	*dummy;
     SECOidTag alg = SEC_OID_UNKNOWN;
 
     alg = SEC_GetSignatureAlgorithmOidTag(privk->keyType, SEC_OID_UNKNOWN);
     if (alg == SEC_OID_UNKNOWN) {
 	FatalError("Unknown key type");
     }
 
     rv = SECOID_SetAlgorithmID (cert->arena, &cert->signature, alg, 0);
@@ -435,17 +434,17 @@ sign_cert(CERTCertificate *cert, SECKEYP
 	     PROGRAM_NAME);
 	errorCount++;
 	exit (ERRX);
     }
 
     der2.len = 0;
     der2.data = NULL;
 
-    dummy = SEC_ASN1EncodeItem
+    (void)SEC_ASN1EncodeItem
         (cert->arena, &der2, cert, SEC_ASN1_GET(CERT_CertificateTemplate));
 
     if (rv != SECSuccess) {
 	PR_fprintf(errorFD, "%s: error encoding cert\n", PROGRAM_NAME);
 	errorCount++;
 	exit (ERRX);
     }
 
--- a/cmd/signtool/util.c
+++ b/cmd/signtool/util.c
@@ -11,19 +11,21 @@ static int	is_dir (char *filename);
 
 /***********************************************************
  * Nasty hackish function definitions
  */
 
 long	*mozilla_event_queue = 0;
 
 #ifndef XP_WIN
-char	*XP_GetString (int i)
+char *XP_GetString (int i)
 {
-    return SECU_Strerror (i);
+    /* nasty hackish cast to avoid changing the signature of
+     * JAR_init_callbacks() */
+    return (char *)SECU_Strerror (i);
 }
 #endif
 
 void	FE_SetPasswordEnabled()
 {
 }
 
 
--- a/cmd/ssltap/ssltap.c
+++ b/cmd/ssltap/ssltap.c
@@ -36,22 +36,22 @@
 #include "ocsp.h"
 #include "ocspti.h"     /* internals for pretty-printing routines *only* */
 
 struct _DataBufferList;
 struct _DataBuffer;
 
 typedef struct _DataBufferList {
   struct _DataBuffer *first,*last;
-  int size;
+  unsigned int size;
   int isEncrypted;
   unsigned char * msgBuf;
-  int             msgBufOffset;
-  int             msgBufSize;
-  int             hMACsize;
+  unsigned int msgBufOffset;
+  unsigned int msgBufSize;
+  unsigned int hMACsize;
 } DataBufferList;
 
 typedef struct _DataBuffer {
   unsigned char *buffer;
   int length;
   int offset;  /* offset of first good byte */
   struct _DataBuffer *next;
 } DataBuffer;
@@ -561,36 +561,36 @@ void print_sslv2(DataBufferList *s, unsi
 	       (PRUint32)(GET_SHORT((chv2->cslength))));
     PR_fprintf(PR_STDOUT,"           sid-length = %d (0x%02x)\n",
 	       (PRUint32)(GET_SHORT((chv2->sidlength))),
 	       (PRUint32)(GET_SHORT((chv2->sidlength))));
     PR_fprintf(PR_STDOUT,"           challenge-length = %d (0x%02x)\n",
 	       (PRUint32)(GET_SHORT((chv2->rndlength))),
 	       (PRUint32)(GET_SHORT((chv2->rndlength))));
     PR_fprintf(PR_STDOUT,"           cipher-suites = { \n");
-    for (p=0;p<GET_SHORT((chv2->cslength));p+=3) {
+    for (p=0;p<(PRUint32)GET_SHORT((chv2->cslength));p+=3) {
       PRUint32 cs_int    = GET_24((&chv2->csuites[p]));
       const char *cs_str = V2CipherString(cs_int);
 
       PR_fprintf(PR_STDOUT,"                (0x%06x) %s\n",
 		  cs_int, cs_str);
     }
     q = p;
     PR_fprintf(PR_STDOUT,"                }\n");
-    if (chv2->sidlength) {
+    if (GET_SHORT((chv2->sidlength))) {
       PR_fprintf(PR_STDOUT,"           session-id = { ");
-      for (p=0;p<GET_SHORT((chv2->sidlength));p+=2) {
+      for (p=0;p<(PRUint32)GET_SHORT((chv2->sidlength));p+=2) {
 	PR_fprintf(PR_STDOUT,"0x%04x ",(PRUint32)(GET_SHORT((&chv2->csuites[p+q]))));
       }
     }
     q += p;
     PR_fprintf(PR_STDOUT,"}\n");
-    if (chv2->rndlength) {
+    if (GET_SHORT((chv2->rndlength))) {
       PR_fprintf(PR_STDOUT,"           challenge = { ");
-      for (p=0;p<GET_SHORT((chv2->rndlength));p+=2) {
+      for (p=0;p<(PRUint32)GET_SHORT((chv2->rndlength));p+=2) {
 	PR_fprintf(PR_STDOUT,"0x%04x ",(PRUint32)(GET_SHORT((&chv2->csuites[p+q]))));
       }
       PR_fprintf(PR_STDOUT,"}\n");
     }
     PR_fprintf(PR_STDOUT,"}\n");
     break;
     /* end of V2 CLientHello Parsing */
 
@@ -973,17 +973,17 @@ print_status_response(SECItem *data)
  */
 void print_ssl3_handshake(unsigned char *recordBuf, 
                           unsigned int   recordLen,
                           SSLRecord *    sr,
 			  DataBufferList *s)
 {
   struct sslhandshake sslh; 
   unsigned char *     hsdata;  
-  int                 offset=0;
+  unsigned int offset=0;
 
   PR_fprintf(PR_STDOUT,"   handshake {\n");
 
   if (s->msgBufOffset && s->msgBuf) {
     /* append recordBuf to msgBuf, then use msgBuf */
     if (s->msgBufOffset + recordLen > s->msgBufSize) {
       int             newSize = s->msgBufOffset + recordLen;
       unsigned char * newBuf = PORT_Realloc(s->msgBuf, newSize);
@@ -1360,17 +1360,17 @@ void print_ssl3_handshake(unsigned char 
 	if (sslhexparse) print_hex(sslh.length, hsdata);
 	PR_fprintf(PR_STDOUT,"         }\n");
 
       }
     }  /* end of switch sslh.type */
     offset += sslh.length + 4; 
   } /* while */
   if (offset < recordLen) { /* stuff left over */
-    int newMsgLen = recordLen - offset;
+    unsigned int newMsgLen = recordLen - offset;
     if (!s->msgBuf) {
       s->msgBuf = PORT_Alloc(newMsgLen);
       if (!s->msgBuf) {
 	PR_ASSERT(s->msgBuf);
 	showErr( "Malloc failed");
         exit(11);
       }
       s->msgBufSize = newMsgLen;
--- a/cmd/strsclnt/strsclnt.c
+++ b/cmd/strsclnt/strsclnt.c
@@ -493,17 +493,16 @@ init_thread_data(void)
 }
 
 /**************************************************************************
 ** End   thread management routines.
 **************************************************************************/
 
 PRBool useModelSocket = PR_TRUE;
 
-static const char stopCmd[] = { "GET /stop " };
 static const char outHeader[] = {
     "HTTP/1.0 200 OK\r\n"
     "Server: Netscape-Enterprise/2.0a\r\n"
     "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n"
     "Content-type: text/plain\r\n"
     "\r\n"
 };
 
@@ -562,18 +561,18 @@ lockedVars_AddToCount(lockedVars * lv, i
 int
 do_writes(
     void *       a,
     void *       b,
     int          c)
 {
     PRFileDesc *	ssl_sock	= (PRFileDesc *)a;
     lockedVars *	lv 		= (lockedVars *)b;
-    int			sent  		= 0;
-    int 		count		= 0;
+    unsigned int sent = 0;
+    int count = 0;
 
     while (sent < bigBuf.len) {
 
 	count = PR_Send(ssl_sock, bigBuf.data + sent, bigBuf.len - sent, 
 	                0, maxInterval);
 	if (count < 0) {
 	    errWarn("PR_Send bigBuf");
 	    break;
@@ -707,17 +706,17 @@ handle_connection( PRFileDesc *ssl_sock,
 
 #ifdef USE_SOCK_PEER_ID
 
 PRInt32 lastFullHandshakePeerID;
 
 void
 myHandshakeCallback(PRFileDesc *socket, void *arg) 
 {
-    PR_ATOMIC_SET(&lastFullHandshakePeerID, (PRInt32) arg);
+    PR_ATOMIC_SET(&lastFullHandshakePeerID, (PRInt32)((char *)arg - (char *)NULL));
 }
 
 #endif
 
 /* one copy of this function is launched in a separate thread for each
 ** connection to be made.
 */
 int
@@ -727,17 +726,16 @@ do_connects(
     int         tid)
 {
     PRNetAddr  *        addr		= (PRNetAddr *)  a;
     PRFileDesc *        model_sock	= (PRFileDesc *) b;
     PRFileDesc *        ssl_sock	= 0;
     PRFileDesc *        tcp_sock	= 0;
     PRStatus	        prStatus;
     PRUint32            sleepInterval	= 50; /* milliseconds */
-    SECStatus   	result;
     int                 rv 		= SECSuccess;
     PRSocketOptionData  opt;
 
 retry:
 
     tcp_sock = PR_OpenTCPSocket(addr->raw.family);
     if (tcp_sock == NULL) {
 	errExit("PR_OpenTCPSocket");
@@ -834,34 +832,35 @@ retry:
             thisPeerID = PR_ATOMIC_INCREMENT(&sockPeerID);
         } else {
             /* reuse previous sockPeerID for restart handhsake */
             thisPeerID = lastFullHandshakePeerID;
         }
         PR_snprintf(sockPeerIDString, sizeof(sockPeerIDString), "ID%d",
                     thisPeerID);
         SSL_SetSockPeerID(ssl_sock, sockPeerIDString);
-        SSL_HandshakeCallback(ssl_sock, myHandshakeCallback, (void*)thisPeerID);
+        SSL_HandshakeCallback(ssl_sock, myHandshakeCallback,
+                              (char *)NULL + thisPeerID);
 #else
             /* force a full handshake by setting the no cache option */
             SSL_OptionSet(ssl_sock, SSL_NO_CACHE, 1);
 #endif
     }
     rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 0);
     if (rv != SECSuccess) {
 	errWarn("SSL_ResetHandshake");
 	goto done;
     }
 
     PR_ATOMIC_INCREMENT(&numConnected);
 
     if (bigBuf.data != NULL) {
-	result = handle_fdx_connection( ssl_sock, tid);
+	(void)handle_fdx_connection( ssl_sock, tid);
     } else {
-	result = handle_connection( ssl_sock, tid);
+	(void)handle_connection( ssl_sock, tid);
     }
 
     PR_ATOMIC_DECREMENT(&numConnected);
 
 done:
     if (ssl_sock) {
 	PR_Close(ssl_sock);
     } else if (tcp_sock) {
--- a/cmd/symkeyutil/symkeyutil.c
+++ b/cmd/symkeyutil/symkeyutil.c
@@ -1010,18 +1010,17 @@ main(int argc, char **argv)
                 for (se = PK11_GetFirstSafe(slotList); se; 
                                     se=PK11_GetNextSafe(slotList,se, PR_FALSE)) {
                     rv = ListKeys(se->slot,&printLabel,&pwdata);
                     if (rv !=SECSuccess) {
                         break;
                     }
                 }
                 if (se) {
-                    SECStatus rv2 = PK11_FreeSlotListElement(slotList, se);
-                    PORT_Assert(SECSuccess == rv2);
+                    PORT_CheckSuccess(PK11_FreeSlotListElement(slotList, se));
                 }
                 PK11_FreeSlotList(slotList);
             }
 	}
     }
 
     /*  Move key (-M)  */
     if (symKeyUtil.commands[cmd_MoveKey].activated) {
--- a/cmd/tstclnt/tstclnt.c
+++ b/cmd/tstclnt/tstclnt.c
@@ -529,19 +529,19 @@ dumpServerCertificateChain(PRFileDesc *f
     CERTCertificateList *foundChain = NULL;
     SECU_PPFunc dumpFunction = NULL;
     PRBool dumpCertPEM = PR_FALSE;
 
     if (!dumpServerChain) {
 	return;
     }
     else if (dumpServerChain == 1) {
-	dumpFunction = SECU_PrintCertificateBasicInfo;
+	dumpFunction = (SECU_PPFunc)SECU_PrintCertificateBasicInfo;
     } else {
-	dumpFunction = SECU_PrintCertificate;
+	dumpFunction = (SECU_PPFunc)SECU_PrintCertificate;
 	if (dumpServerChain > 2) {
 	    dumpCertPEM = PR_TRUE;
 	}
     }
 
     SECU_EnableWrap(PR_FALSE);
 
     fprintf(stderr, "==== certificate(s) sent by server: ====\n");
@@ -561,17 +561,17 @@ dumpServerCertificateChain(PRFileDesc *f
 
     if (peerCertChain) {
 	peerCert = SSL_RevealCert(fd);
 	if (peerCert) {
 	    foundChain = CERT_CertChainFromCert(peerCert, certificateUsageSSLServer,
 						PR_TRUE);
 	}
 	if (foundChain) {
-	    int count = 0;
+	    unsigned int count = 0;
 	    fprintf(stderr, "==== locally found issuer certificate(s): ====\n");
 	    for(count = 0; count < (unsigned int)foundChain->len; count++) {
 		CERTCertificate *c;
 		PRBool wasSentByServer = PR_FALSE;
 		c = CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), &foundChain->certs[count]);
 
 		node = CERT_LIST_HEAD(peerCertChain);
 		while ( ! CERT_LIST_END(node, peerCertChain) ) {
@@ -614,17 +614,17 @@ ownAuthCertificate(void *arg, PRFileDesc
 
     if (dumpServerChain) {
 	dumpServerCertificateChain(fd);
     }
 
 
     if (!serverCertAuth->shouldPause) {
         CERTCertificate *cert;
-        int i;
+        unsigned int i;
         const SECItemArray *csa;
 
         if (!serverCertAuth->testFreshStatusFromSideChannel) {
             return SSL_AuthCertificate(serverCertAuth->dbHandle, 
                                        fd, checkSig, isServer);
         }
 
         /* No verification attempt must have happened before now,
@@ -639,18 +639,17 @@ ownAuthCertificate(void *arg, PRFileDesc
 
         csa = SSL_PeerStapledOCSPResponses(fd);
         if (csa) {
             for (i = 0; i < csa->len; ++i) {
 		PORT_SetError(0);
 		if (CERT_CacheOCSPResponseFromSideChannel(
 			serverCertAuth->dbHandle, cert, PR_Now(),
 			&csa->items[i], arg) != SECSuccess) {
-		    PRErrorCode error = PR_GetError();
-		    PORT_Assert(error != 0);
+		    PORT_Assert(PR_GetError() != 0);
 		}
             }
         }
     
         verifyFromSideChannel(cert, serverCertAuth);
         CERT_DestroyCertificate(cert);
         /* return success to ensure our caller will continue and we will 
          * reach the code that handles 
@@ -1278,17 +1277,17 @@ int main(int argc, char **argv)
     if (cipherString) {
     	char *cstringSaved = cipherString;
     	int ndx;
 
 	while (0 != (ndx = *cipherString++)) {
 	    int  cipher;
 
 	    if (ndx == ':') {
-		int ctmp;
+		int ctmp = 0;
 
 		cipher = 0;
 		HEXCHAR_TO_INT(*cipherString, ctmp)
 		cipher |= (ctmp << 12);
 		cipherString++;
 		HEXCHAR_TO_INT(*cipherString, ctmp)
 		cipher |= (ctmp << 8);
 		cipherString++;
--- a/cmd/vfychain/vfychain.c
+++ b/cmd/vfychain/vfychain.c
@@ -328,17 +328,17 @@ parseRevMethodsAndFlags()
 }
 
 SECStatus
 configureRevocationParams(CERTRevocationFlags *flags)
 {
    int i;
    unsigned int testType = REVCONFIG_TEST_UNDEFINED;
    static CERTRevocationTests *revTests = NULL;
-   PRUint64 *revFlags;
+   PRUint64 *revFlags = NULL;
 
    for(i = 0;i < REV_METHOD_INDEX_MAX;i++) {
        if (revMethodsData[i].testType == REVCONFIG_TEST_UNDEFINED) {
            continue;
        }
        if (revMethodsData[i].testType != testType) {
            testType = revMethodsData[i].testType;
            if (testType == REVCONFIG_TEST_CHAIN) {
--- a/cmd/vfyserv/vfyserv.c
+++ b/cmd/vfyserv/vfyserv.c
@@ -505,17 +505,17 @@ main(int argc, char **argv)
 
 	    /* disable all the ciphers, then enable the ones we want. */
 	    disableAllSSLCiphers();
 
 	    while (0 != (ndx = *cipherString++)) {
 		int  cipher;
 
 		if (ndx == ':') {
-		    int ctmp;
+		    int ctmp = 0;
 
 		    cipher = 0;
 		    HEXCHAR_TO_INT(*cipherString, ctmp)
 		    cipher |= (ctmp << 12);
 		    cipherString++;
 		    HEXCHAR_TO_INT(*cipherString, ctmp)
 		    cipher |= (ctmp << 8);
 		    cipherString++;
--- a/cmd/vfyserv/vfyutil.c
+++ b/cmd/vfyserv/vfyutil.c
@@ -598,17 +598,17 @@ lockedVars_AddToCount(lockedVars * lv, i
  * multiple treads. But it should not be a problem since we
  * consider vfyserv to be single threaded(see bug 353477).
  */
 
 void
 dumpCertChain(CERTCertificate *cert, SECCertUsage usage)
 {
     CERTCertificateList *certList;
-    int count = 0;
+    unsigned int count = 0;
 
     certList = CERT_CertChainFromCert(cert, usage, PR_TRUE);
     if (certList == NULL) {
         errWarn("CERT_CertChainFromCert");
         return;
     }
 
     for(count = 0; count < (unsigned int)certList->len; count++) {
--- a/coreconf/Linux.mk
+++ b/coreconf/Linux.mk
@@ -120,24 +120,68 @@ ifdef MOZ_DEBUG_SYMBOLS
 	ifdef MOZ_DEBUG_FLAGS
 		OPTIMIZER += $(MOZ_DEBUG_FLAGS)
 	else
 		OPTIMIZER += -gdwarf-2
 	endif
 endif
 endif
 
+ifndef COMPILER_TAG
+COMPILER_TAG = _$(shell $(CC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q')
+CCC_COMPILER_TAG = _$(shell $(CCC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q')
+endif
 
 ifeq ($(USE_PTHREADS),1)
 OS_PTHREAD = -lpthread 
 endif
 
-OS_CFLAGS		= $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR
+OS_CFLAGS		= $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR
 OS_LIBS			= $(OS_PTHREAD) -ldl -lc
 
+ifeq ($(COMPILER_TAG),_clang)
+# -Qunused-arguments : clang objects to arguments that it doesn't understand
+#    and fixing this would require rearchitecture
+# -Wno-parentheses-equality : because clang warns about macro expansions
+OS_CFLAGS += -Qunused-arguments -Wno-parentheses-equality
+ifdef BUILD_OPT
+# clang is unable to handle glib's expansion of strcmp and similar for optimized
+# builds, so ignore the resulting errors.
+# See https://llvm.org/bugs/show_bug.cgi?id=20144
+OS_CFLAGS += -Wno-array-bounds -Wno-unevaluated-expression
+endif
+# Clang reports its version as an older gcc, but it's OK
+NSS_HAS_GCC48 = true
+endif
+
+# Check for the existence of gcc 4.8
+ifndef NSS_HAS_GCC48
+define GCC48_TEST =
+int main() {\n
+#if __GNUC__ < 4 || (__GNUC__ == 4 && __GNUC_MINOR__ < 8)\n
+  return 1;\n
+#else\n
+  return 0;\n
+#endif\n
+}\n
+endef
+TEST_GCC48 := /tmp/test_gcc48_$(shell echo $$$$)
+NSS_HAS_GCC48 := (,$(shell echo -e "$(GCC48_TEST)" > $(TEST_GCC48).c && \
+  $(CC) -o $(TEST_GCC48) $(TEST_GCC48).c && \
+  $(TEST_GCC48) && echo true || echo false; \
+  rm -f $(TEST_GCC48) $(TEST_GCC48).c))
+export NSS_HAS_GCC48
+endif
+
+ifeq (true,$(NSS_HAS_GCC48))
+# Old versions of gcc (< 4.8) don't support #pragma diagnostic in functions.
+# Here, we disable use of that #pragma and the warnings it suppresses.
+OS_CFLAGS += -DNSS_NO_GCC48 -Wno-unused-variable
+endif
+
 ifdef USE_PTHREADS
 	DEFINES		+= -D_REENTRANT
 endif
 
 ARCH			= linux
 
 DSO_CFLAGS		= -fPIC
 DSO_LDOPTS		= -shared $(ARCHFLAG) -Wl,--gc-sections
--- a/coreconf/WIN32.mk
+++ b/coreconf/WIN32.mk
@@ -19,18 +19,19 @@ ifdef NS_USE_GCC
 	RANLIB       = ranlib
 	BSDECHO      = echo
 	RC           = windres.exe -O coff --use-temp-file
 	LINK_DLL      = $(CC) $(OS_DLLFLAGS) $(DLLFLAGS)
 else
 	CC           = cl
 	CCC          = cl
 	LINK         = link
+        LDFLAGS += -nologo
 	AR           = lib
-	AR          += -NOLOGO -OUT:$@
+	AR          += -nologo -OUT:$@
 	RANLIB       = echo
 	BSDECHO      = echo
 	RC           = rc.exe
 	MT           = mt.exe
 	# Check for clang-cl
 	CLANG_CL    := $(shell expr `$(CC) -? 2>&1 | grep -w clang | wc -l` \> 0)
 	# Determine compiler version
 	ifeq ($(CLANG_CL),1)
@@ -98,17 +99,17 @@ XP_DEFINE   += -DXP_PC
 ifdef NS_USE_GCC
 LIB_SUFFIX   = a
 else
 LIB_SUFFIX   = lib
 endif
 DLL_SUFFIX   = dll
 
 ifdef NS_USE_GCC
-    OS_CFLAGS += -mwindows -mms-bitfields
+    OS_CFLAGS += -mwindows -mms-bitfields -Werror
     _GEN_IMPORT_LIB=-Wl,--out-implib,$(IMPORT_LIBRARY)
     DLLFLAGS  += -mwindows -o $@ -shared -Wl,--export-all-symbols $(if $(IMPORT_LIBRARY),$(_GEN_IMPORT_LIB))
     ifdef BUILD_OPT
 	ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
 		OPTIMIZER += -Os
 	else
 		OPTIMIZER += -O2
 	endif
@@ -117,17 +118,17 @@ ifdef NS_USE_GCC
 	OPTIMIZER  += -g
 	NULLSTRING :=
 	SPACE      := $(NULLSTRING) # end of the line
 	USERNAME   := $(subst $(SPACE),_,$(USERNAME))
 	USERNAME   := $(subst -,_,$(USERNAME))
 	DEFINES    += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
     endif
 else # !NS_USE_GCC
-    OS_CFLAGS += -W3 -nologo -D_CRT_SECURE_NO_WARNINGS \
+    OS_CFLAGS += -W3 -WX -nologo -D_CRT_SECURE_NO_WARNINGS \
 		 -D_CRT_NONSTDC_NO_WARNINGS
     OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS
     ifeq ($(_MSC_VER),$(_MSC_VER_6))
     ifndef MOZ_DEBUG_SYMBOLS
 	OS_DLLFLAGS += -PDB:NONE
     endif
     endif
     ifdef USE_DYNAMICBASE
@@ -182,21 +183,21 @@ ifeq ($(_MSC_VER),$(_MSC_VER_6))
 ifndef MOZ_DEBUG_SYMBOLS
 	LDFLAGS    += -PDB:NONE 
 endif
 endif
 	# Purify requires /FIXED:NO when linking EXEs.
 	LDFLAGS    += /FIXED:NO
     endif
 ifneq ($(_MSC_VER),$(_MSC_VER_6))
-    # Convert certain deadly warnings to errors (see list at end of file)
-    OS_CFLAGS += -we4002 -we4003 -we4004 -we4006 -we4009 -we4013 \
-     -we4015 -we4028 -we4033 -we4035 -we4045 -we4047 -we4053 -we4054 -we4063 \
-     -we4064 -we4078 -we4087 -we4090 -we4098 -we4390 -we4551 -we4553 -we4715
-
+    # NSS has too many of these to fix, downgrade the warning
+    # Disable C4267: conversion from 'size_t' to 'type', possible loss of data
+    # Disable C4244: conversion from 'type1' to 'type2', possible loss of data
+    # Disable C4018: 'expression' : signed/unsigned mismatch
+    OS_CFLAGS += -w44267 -w44244 -w44018
     ifeq ($(_MSC_VER_GE_12),1)
 	OS_CFLAGS += -FS
     endif
 endif # !MSVC6
 endif # NS_USE_GCC
 
 ifdef USE_64
 DEFINES += -DWIN64
@@ -360,37 +361,8 @@ ifdef LIBRARY_NAME
 endif
 
 #
 # override the TARGETS defined in ruleset.mk, adding IMPORT_LIBRARY
 #
 ifndef TARGETS
     TARGETS = $(LIBRARY) $(SHARED_LIBRARY) $(IMPORT_LIBRARY) $(PROGRAM)
 endif
-
-# list of MSVC warnings converted to errors above:
-# 4002: too many actual parameters for macro 'identifier'
-# 4003: not enough actual parameters for macro 'identifier'
-# 4004: incorrect construction after 'defined'
-# 4006: #undef expected an identifier
-# 4009: string too big; trailing characters truncated
-# 4015: 'identifier' : type of bit field must be integral
-# 4028: formal parameter different from declaration
-# 4033: 'function' must return a value
-# 4035: 'function' : no return value
-# 4045: 'identifier' : array bounds overflow
-# 4047: 'function' : 'type 1' differs in levels of indirection from 'type 2'
-# 4053: one void operand for '?:'
-# 4054: 'conversion' : from function pointer 'type1' to data pointer 'type2'
-# 4059: pascal string too big, length byte is length % 256
-# 4063: case 'identifier' is not a valid value for switch of enum 'identifier'
-# 4064: switch of incomplete enum 'identifier'
-# 4078: case constant 'value' too big for the type of the switch expression
-# 4087: 'function' : declared with 'void' parameter list
-# 4090: 'function' : different 'const' qualifiers
-# 4098: 'function' : void function returning a value
-# 4390: ';' : empty controlled statement found; is this the intent?
-# 4541: RTTI train wreck
-# 4715: not all control paths return a value
-# 4013: function undefined; assuming extern returning int
-# 4553: '==' : operator has no effect; did you intend '='?
-# 4551: function call missing argument list
-
--- a/coreconf/rules.mk
+++ b/coreconf/rules.mk
@@ -267,16 +267,20 @@ endif
 
 
 ifeq ($(OS_TARGET),OS2)
 $(IMPORT_LIBRARY): $(MAPFILE)
 	rm -f $@
 	$(IMPLIB) $@ $<
 	$(RANLIB) $@
 endif
+ifeq ($(OS_ARCH),WINNT)
+$(IMPORT_LIBRARY): $(LIBRARY)
+	cp -f $< $@
+endif
 
 ifdef SHARED_LIBRARY_LIBS
 ifdef BUILD_TREE
 SUB_SHLOBJS = $(foreach dir,$(SHARED_LIBRARY_DIRS),$(shell $(MAKE) -C $(dir) --no-print-directory get_objs))
 else
 SUB_SHLOBJS = $(foreach dir,$(SHARED_LIBRARY_DIRS),$(addprefix $(dir)/,$(shell $(MAKE) -C $(dir) --no-print-directory get_objs)))
 endif
 endif
@@ -428,18 +432,32 @@ else
 	$(CCC) -o $@ -c $(CFLAGS) $<
 endif
 endif
 
 #
 # Please keep the next two rules in sync.
 #
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cc
-	@$(MAKE_OBJDIR)
+	$(MAKE_OBJDIR)
+ifdef STRICT_CPLUSPLUS_SUFFIX
+	echo "#line 1 \"$<\"" | cat - $< > $(OBJDIR)/t_$*.cc
+	$(CCC) -o $@ -c $(CFLAGS) $(OBJDIR)/t_$*.cc
+	rm -f $(OBJDIR)/t_$*.cc
+else
+ifdef USE_NT_C_SYNTAX
+	$(CCC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<)
+else
+ifdef NEED_ABSOLUTE_PATH
+	$(CCC) -o $@ -c $(CFLAGS) $(call core_abspath,$<)
+else
 	$(CCC) -o $@ -c $(CFLAGS) $<
+endif
+endif
+endif #STRICT_CPLUSPLUS_SUFFIX
 
 $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cpp
 	@$(MAKE_OBJDIR)
 ifdef STRICT_CPLUSPLUS_SUFFIX
 	echo "#line 1 \"$<\"" | cat - $< > $(OBJDIR)/t_$*.cc
 	$(CCC) -o $@ -c $(CFLAGS) $(OBJDIR)/t_$*.cc
 	rm -f $(OBJDIR)/t_$*.cc
 else
--- a/external_tests/google_test/Makefile
+++ b/external_tests/google_test/Makefile
@@ -37,9 +37,18 @@ include $(CORE_DEPTH)/coreconf/rules.mk
 # (6) Execute "component" rules. (OPTIONAL)                           #
 #######################################################################
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
-MKSHLIB		= $(CCC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
+MKSHLIB	= $(CCC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
+ifeq (WINNT,$(OS_ARCH))
+    # -MTd (not -MD) because that makes it link to the right library
+    # -EHsc because gtest has exception handlers
+    OS_CFLAGS := $(filterout -MD,$(OS_CFLAGS))
+    OS_CFLAGS += -MTd -EHsc
+    # On windows, we need to create the parent directory
+    # Needed because we include files from a subdirectory
+    MAKE_OBJDIR = $(INSTALL) -D $(dir $@)
+endif
--- a/external_tests/ssl_gtest/Makefile
+++ b/external_tests/ssl_gtest/Makefile
@@ -37,12 +37,24 @@ include $(CORE_DEPTH)/coreconf/rules.mk
 # (6) Execute "component" rules. (OPTIONAL)                           #
 #######################################################################
 
 
 #######################################################################
 # (7) Execute "local" rules. (OPTIONAL).                              #
 #######################################################################
 
-MKPROG = $(CXX)
-CFLAGS += -std=c++0x
+MKPROG = $(CCC)
 include ../../cmd/platrules.mk
 
+ifeq (WINNT,$(OS_ARCH))
+    # -MTd (not -MD) because that makes it link to the right library
+    # -EHsc because gtest has exception handlers
+    OS_CFLAGS := $(filterout -MD,$(OS_CFLAGS))
+    OS_CFLAGS += -MTd -EHsc -nologo
+    # http://www.suodenjoki.dk/us/archive/2010/min-max.htm
+    OS_CFLAGS += -DNOMINMAX
+
+    # Linking to winsock to get htonl
+    OS_LIBS += Ws2_32.lib
+else
+    CFLAGS += -std=c++0x
+endif
--- a/external_tests/ssl_gtest/databuffer.h
+++ b/external_tests/ssl_gtest/databuffer.h
@@ -7,16 +7,21 @@
 #ifndef databuffer_h__
 #define databuffer_h__
 
 #include <algorithm>
 #include <cassert>
 #include <cstring>
 #include <iomanip>
 #include <iostream>
+#if defined(WIN32) || defined(WIN64)
+#include <winsock2.h>
+#else
+#include <arpa/inet.h>
+#endif
 
 namespace nss_test {
 
 class DataBuffer {
  public:
   DataBuffer() : data_(nullptr), len_(0) {}
   DataBuffer(const uint8_t *data, size_t len) : data_(nullptr), len_(0) {
     Assign(data, len);
--- a/external_tests/ssl_gtest/ssl_loopback_unittest.cc
+++ b/external_tests/ssl_gtest/ssl_loopback_unittest.cc
@@ -313,20 +313,20 @@ TEST_P(TlsConnectStream, ShortRead) {
   // so skip in that case.
   if (version_ < SSL_LIBRARY_VERSION_TLS_1_1)
     return;
 
   Connect();
   server_->SendData(1200, 1200);
   // Read the first tranche.
   WAIT_(client_->received_bytes() == 1024, 2000);
-  ASSERT_EQ(1024, client_->received_bytes());
+  ASSERT_EQ(1024U, client_->received_bytes());
   // The second tranche should now immediately be available.
   client_->ReadBytes();
-  ASSERT_EQ(1200, client_->received_bytes());
+  ASSERT_EQ(1200U, client_->received_bytes());
 }
 
 INSTANTIATE_TEST_CASE_P(VariantsStream10, TlsConnectGeneric,
                         ::testing::Combine(
                           TlsConnectTestBase::kTlsModesStream,
                           TlsConnectTestBase::kTlsV10));
 INSTANTIATE_TEST_CASE_P(VariantsAll, TlsConnectGeneric,
                         ::testing::Combine(
--- a/external_tests/ssl_gtest/tls_agent.cc
+++ b/external_tests/ssl_gtest/tls_agent.cc
@@ -22,17 +22,17 @@ const char* TlsAgent::states[] = {"INIT"
 TlsAgent::TlsAgent(const std::string& name, Role role, Mode mode, SSLKEAType kea)
   : name_(name),
     mode_(mode),
     kea_(kea),
     pr_fd_(nullptr),
     adapter_(nullptr),
     ssl_fd_(nullptr),
     role_(role),
-    state_(INIT),
+    state_(STATE_INIT),
     falsestart_enabled_(false),
     expected_version_(0),
     expected_cipher_suite_(0),
     expect_resumption_(false),
     can_falsestart_hook_called_(false),
     sni_hook_called_(false),
     auth_certificate_hook_called_(false),
     handshake_callback_called_(false),
@@ -117,17 +117,17 @@ bool TlsAgent::EnsureTlsSetup() {
 }
 
 void TlsAgent::StartConnect() {
   EXPECT_TRUE(EnsureTlsSetup());
 
   SECStatus rv;
   rv = SSL_ResetHandshake(ssl_fd_, role_ == SERVER ? PR_TRUE : PR_FALSE);
   EXPECT_EQ(SECSuccess, rv);
-  SetState(CONNECTING);
+  SetState(STATE_CONNECTING);
 }
 
 void TlsAgent::EnableSomeEcdheCiphers() {
   EXPECT_TRUE(EnsureTlsSetup());
 
   const uint32_t EcdheCiphers[] = {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
@@ -187,22 +187,22 @@ void TlsAgent::SetExpectedVersion(uint16
   expected_version_ = version;
 }
 
 void TlsAgent::SetExpectedReadError(bool err) {
   expected_read_error_ = err;
 }
 
 void TlsAgent::CheckKEAType(SSLKEAType type) const {
-  EXPECT_EQ(CONNECTED, state_);
+  EXPECT_EQ(STATE_CONNECTED, state_);
   EXPECT_EQ(type, csinfo_.keaType);
 }
 
 void TlsAgent::CheckAuthType(SSLAuthType type) const {
-  EXPECT_EQ(CONNECTED, state_);
+  EXPECT_EQ(STATE_CONNECTED, state_);
   EXPECT_EQ(type, csinfo_.authAlgorithm);
 }
 
 void TlsAgent::EnableFalseStart() {
   EXPECT_TRUE(EnsureTlsSetup());
 
   falsestart_enabled_ = true;
   EXPECT_EQ(SECSuccess,
@@ -247,17 +247,17 @@ void TlsAgent::EnableSrtp() {
 
 void TlsAgent::CheckSrtp() const {
   uint16_t actual;
   EXPECT_EQ(SECSuccess, SSL_GetSRTPCipher(ssl_fd_, &actual));
   EXPECT_EQ(SRTP_AES128_CM_HMAC_SHA1_80, actual);
 }
 
 void TlsAgent::CheckErrorCode(int32_t expected) const {
-  EXPECT_EQ(ERROR, state_);
+  EXPECT_EQ(STATE_ERROR, state_);
   EXPECT_EQ(expected, error_code_);
 }
 
 void TlsAgent::CheckPreliminaryInfo() {
   SSLPreliminaryChannelInfo info;
   EXPECT_EQ(SECSuccess,
             SSL_GetPreliminaryChannelInfo(ssl_fd_, &info, sizeof(info)));
   EXPECT_TRUE(info.valuesSet & ssl_preinfo_version);
@@ -310,17 +310,17 @@ void TlsAgent::Connected() {
   // If either expected values were set or the callbacks were called, check
   // that the final values are correct.
   EXPECT_EQ(expected_version_, info_.protocolVersion);
   EXPECT_EQ(expected_cipher_suite_, info_.cipherSuite);
 
   rv = SSL_GetCipherSuiteInfo(info_.cipherSuite, &csinfo_, sizeof(csinfo_));
   EXPECT_EQ(SECSuccess, rv);
 
-  SetState(CONNECTED);
+  SetState(STATE_CONNECTED);
 }
 
 void TlsAgent::Handshake() {
   SECStatus rv = SSL_ForceHandshake(ssl_fd_);
   if (rv == SECSuccess) {
     Connected();
 
     Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
@@ -339,25 +339,25 @@ void TlsAgent::Handshake() {
       return;
       break;
 
       // TODO(ekr@rtfm.com): needs special case for DTLS
     case SSL_ERROR_RX_MALFORMED_HANDSHAKE:
     default:
       LOG("Handshake failed with error " << err);
       error_code_ = err;
-      SetState(ERROR);
+      SetState(STATE_ERROR);
       return;
   }
 }
 
 void TlsAgent::PrepareForRenegotiate() {
-  EXPECT_EQ(CONNECTED, state_);
+  EXPECT_EQ(STATE_CONNECTED, state_);
 
-  SetState(CONNECTING);
+  SetState(STATE_CONNECTING);
 }
 
 void TlsAgent::StartRenegotiate() {
   PrepareForRenegotiate();
 
   SECStatus rv = SSL_ReHandshake(ssl_fd_, PR_TRUE);
   EXPECT_EQ(SECSuccess, rv);
 }
@@ -372,17 +372,17 @@ void TlsAgent::SendData(size_t bytes, si
 
     for(size_t i = 0; i < tosend; ++i) {
       block[i] = 0xff & send_ctr_;
       ++send_ctr_;
     }
 
     LOG("Writing " << tosend << " bytes");
     int32_t rv = PR_Write(ssl_fd_, block, tosend);
-    ASSERT_EQ(tosend, rv);
+    ASSERT_EQ(tosend, static_cast<size_t>(rv));
 
     bytes -= tosend;
   }
 }
 
 void TlsAgent::ReadBytes() {
   uint8_t block[1024];
 
@@ -391,18 +391,19 @@ void TlsAgent::ReadBytes() {
   int32_t rv = PR_Read(ssl_fd_, block, sizeof(block));
 
   int32_t err = PR_GetError();
   if (err != PR_WOULD_BLOCK_ERROR) {
     if (expected_read_error_) {
       error_code_ = err;
     } else {
       ASSERT_LE(0, rv);
-      LOG("Read " << rv << " bytes");
-      for (size_t i = 0; i < rv; ++i) {
+      size_t count = static_cast<size_t>(rv);
+      LOG("Read " << count << " bytes");
+      for (size_t i = 0; i < count; ++i) {
         ASSERT_EQ(recv_ctr_ & 0xff, block[i]);
         recv_ctr_++;
       }
     }
   }
 
   Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
                            &TlsAgent::ReadableCallback);
--- a/external_tests/ssl_gtest/tls_agent.h
+++ b/external_tests/ssl_gtest/tls_agent.h
@@ -26,17 +26,17 @@ enum SessionResumptionMode {
   RESUME_SESSIONID = 1,
   RESUME_TICKET = 2,
   RESUME_BOTH = RESUME_SESSIONID | RESUME_TICKET
 };
 
 class TlsAgent : public PollTarget {
  public:
   enum Role { CLIENT, SERVER };
-  enum State { INIT, CONNECTING, CONNECTED, ERROR };
+  enum State { STATE_INIT, STATE_CONNECTING, STATE_CONNECTED, STATE_ERROR };
 
   TlsAgent(const std::string& name, Role role, Mode mode, SSLKEAType kea);
   virtual ~TlsAgent();
 
   bool Init() {
     pr_fd_ = DummyPrSocket::CreateFD(name_, mode_);
     if (!pr_fd_) return false;
 
@@ -91,29 +91,29 @@ class TlsAgent : public PollTarget {
 
   const char* state_str(State state) const { return states[state]; }
 
   PRFileDesc* ssl_fd() { return ssl_fd_; }
 
   uint16_t min_version() const { return vrange_.min; }
   uint16_t max_version() const { return vrange_.max; }
   uint16_t version() const {
-    EXPECT_EQ(CONNECTED, state_);
+    EXPECT_EQ(STATE_CONNECTED, state_);
     return info_.protocolVersion;
   }
 
   bool cipher_suite(int16_t* cipher_suite) const {
-    if (state_ != CONNECTED) return false;
+    if (state_ != STATE_CONNECTED) return false;
 
     *cipher_suite = info_.cipherSuite;
     return true;
   }
 
   std::string cipher_suite_name() const {
-    if (state_ != CONNECTED) return "UNKNOWN";
+    if (state_ != STATE_CONNECTED) return "UNKNOWN";
 
     return csinfo_.cipherSuiteName;
   }
 
   std::vector<uint8_t> session_id() const {
     return std::vector<uint8_t>(info_.sessionID,
                                 info_.sessionID + info_.sessionIDLength);
   }
@@ -145,20 +145,20 @@ class TlsAgent : public PollTarget {
     TlsAgent* agent = static_cast<TlsAgent*>(self);
     agent->ReadableCallback_int();
   }
 
 
   void ReadableCallback_int() {
     LOG("Readable");
     switch (state_) {
-      case CONNECTING:
+      case STATE_CONNECTING:
         Handshake();
         break;
-      case CONNECTED:
+      case STATE_CONNECTED:
         ReadBytes();
         break;
       default:
         break;
     }
   }
 
   static PRInt32 SniHook(PRFileDesc *fd, const SECItem *srvNameArr,
--- a/external_tests/ssl_gtest/tls_connect.cc
+++ b/external_tests/ssl_gtest/tls_connect.cc
@@ -126,18 +126,18 @@ void TlsConnectTestBase::EnsureTlsSetup(
   EXPECT_TRUE(client_->EnsureTlsSetup());
   EXPECT_TRUE(server_->EnsureTlsSetup());
 }
 
 void TlsConnectTestBase::Handshake() {
   client_->Handshake();
   server_->Handshake();
 
-  ASSERT_TRUE_WAIT((client_->state() != TlsAgent::CONNECTING) &&
-                   (server_->state() != TlsAgent::CONNECTING),
+  ASSERT_TRUE_WAIT((client_->state() != TlsAgent::STATE_CONNECTING) &&
+                   (server_->state() != TlsAgent::STATE_CONNECTING),
                    5000);
 }
 
 void TlsConnectTestBase::Connect() {
   server_->StartConnect();
   client_->StartConnect();
   Handshake();
   CheckConnected();
@@ -145,18 +145,18 @@ void TlsConnectTestBase::Connect() {
 
 void TlsConnectTestBase::CheckConnected() {
   // Check the version is as expected
   EXPECT_EQ(client_->version(), server_->version());
   EXPECT_EQ(std::min(client_->max_version(),
                      server_->max_version()),
             client_->version());
 
-  EXPECT_EQ(TlsAgent::CONNECTED, client_->state());
-  EXPECT_EQ(TlsAgent::CONNECTED, server_->state());
+  EXPECT_EQ(TlsAgent::STATE_CONNECTED, client_->state());
+  EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
 
   int16_t cipher_suite1, cipher_suite2;
   bool ret = client_->cipher_suite(&cipher_suite1);
   EXPECT_TRUE(ret);
   ret = server_->cipher_suite(&cipher_suite2);
   EXPECT_TRUE(ret);
   EXPECT_EQ(cipher_suite1, cipher_suite2);
 
@@ -175,18 +175,18 @@ void TlsConnectTestBase::CheckConnected(
   CheckResumption(expected_resumption_mode_);
 }
 
 void TlsConnectTestBase::ConnectExpectFail() {
   server_->StartConnect();
   client_->StartConnect();
   Handshake();
 
-  ASSERT_EQ(TlsAgent::ERROR, client_->state());
-  ASSERT_EQ(TlsAgent::ERROR, server_->state());
+  ASSERT_EQ(TlsAgent::STATE_ERROR, client_->state());
+  ASSERT_EQ(TlsAgent::STATE_ERROR, server_->state());
 }
 
 void TlsConnectTestBase::SetExpectedVersion(uint16_t version) {
   client_->SetExpectedVersion(version);
   server_->SetExpectedVersion(version);
 }
 
 void TlsConnectTestBase::EnableSomeEcdheCiphers() {
@@ -247,17 +247,17 @@ void TlsConnectTestBase::CheckSrtp() con
 }
 
 void TlsConnectTestBase::SendReceive() {
   client_->SendData(50);
   server_->SendData(50);
   WAIT_(
       client_->received_bytes() == 50 &&
       server_->received_bytes() == 50, 2000);
-  ASSERT_EQ(50, client_->received_bytes());
-  ASSERT_EQ(50, server_->received_bytes());
+  ASSERT_EQ(50U, client_->received_bytes());
+  ASSERT_EQ(50U, server_->received_bytes());
 }
 
 TlsConnectGeneric::TlsConnectGeneric()
   : TlsConnectTestBase(TlsConnectTestBase::ToMode(std::get<0>(GetParam())),
                        std::get<1>(GetParam())) {}
 
 } // namespace nss_test
--- a/external_tests/ssl_gtest/tls_parser.h
+++ b/external_tests/ssl_gtest/tls_parser.h
@@ -5,17 +5,21 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef tls_parser_h_
 #define tls_parser_h_
 
 #include <memory>
 #include <cstdint>
 #include <cstring>
+#if defined(WIN32) || defined(WIN64)
+#include <winsock2.h>
+#else
 #include <arpa/inet.h>
+#endif
 #include "databuffer.h"
 
 namespace nss_test {
 
 const uint8_t kTlsChangeCipherSpecType = 20;
 const uint8_t kTlsAlertType = 21;
 const uint8_t kTlsHandshakeType = 22;
 
--- a/lib/base/hash.c
+++ b/lib/base/hash.c
@@ -46,19 +46,17 @@ struct nssHashStr {
 };
 
 static PLHashNumber
 nss_identity_hash
 (
   const void *key
 )
 {
-  PRUint32 i = (PRUint32)key;
-  PR_ASSERT(sizeof(PLHashNumber) == sizeof(PRUint32));
-  return (PLHashNumber)i;
+  return (PLHashNumber)((char *)key - (char *)NULL);
 }
 
 static PLHashNumber
 nss_item_hash
 (
   const void *key
 )
 {
--- a/lib/base/list.c
+++ b/lib/base/list.c
@@ -212,19 +212,18 @@ nsslist_add_element(nssList *list, void 
     }
     ++list->count;
     return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT PRStatus
 nssList_Add(nssList *list, void *data)
 {
-    PRStatus nssrv;
     NSSLIST_LOCK_IF(list);
-    nssrv = nsslist_add_element(list, data);
+    (void)nsslist_add_element(list, data);
     NSSLIST_UNLOCK_IF(list);
     return PR_SUCCESS;
 }
 
 NSS_IMPLEMENT PRStatus
 nssList_AddUnique(nssList *list, void *data)
 {
     PRStatus nssrv;
--- a/lib/base/tracker.c
+++ b/lib/base/tracker.c
@@ -24,17 +24,17 @@
  */
 
 static PLHashNumber PR_CALLBACK
 identity_hash
 (
   const void *key
 )
 {
-  return (PLHashNumber)key;
+  return (PLHashNumber)((char *)key - (char *)NULL);
 }
 
 /*
  * trackerOnceFunc
  *
  * This function is called once, using the nssCallOnce function above.
  * It creates a new pointer tracker object; initialising its hash
  * table and protective lock.
--- a/lib/certdb/certdb.c
+++ b/lib/certdb/certdb.c
@@ -2438,17 +2438,16 @@ CERT_EncodeTrustString(CERTCertTrust *tr
 SECStatus
 CERT_ImportCerts(CERTCertDBHandle *certdb, SECCertUsage usage,
 		 unsigned int ncerts, SECItem **derCerts,
 		 CERTCertificate ***retCerts, PRBool keepCerts,
 		 PRBool caOnly, char *nickname)
 {
     unsigned int i;
     CERTCertificate **certs = NULL;
-    SECStatus rv;
     unsigned int fcerts = 0;
 
     if ( ncerts ) {
 	certs = PORT_ZNewArray(CERTCertificate*, ncerts);
 	if ( certs == NULL ) {
 	    return(SECFailure);
 	}
     
@@ -2486,37 +2485,38 @@ CERT_ImportCerts(CERTCertDBHandle *certd
 
 		if(isCA && (fcerts > 1)) {
 		    /* if we are importing only a single cert and specifying
 		     * a nickname, we want to use that nickname if it a CA,
 		     * otherwise if there are more than one cert, we don't
 		     * know which cert it belongs to. But we still may try
                      * the individual canickname from the cert itself.
 		     */
-		    rv = CERT_AddTempCertToPerm(certs[i], canickname, NULL);
+                    /* Bug 1192442 - propagate errors from these calls. */
+		    (void)CERT_AddTempCertToPerm(certs[i], canickname, NULL);
 		} else {
-		    rv = CERT_AddTempCertToPerm(certs[i],
-                                                nickname?nickname:canickname, NULL);
+		    (void)CERT_AddTempCertToPerm(certs[i],
+                                                 nickname?nickname:canickname, NULL);
 		}
 
                 PORT_Free(canickname);
 		/* don't care if it fails - keep going */
 	    }
 	}
     }
 
     if ( retCerts ) {
 	*retCerts = certs;
     } else {
 	if (certs) {
 	    CERT_DestroyCertArray(certs, fcerts);
 	}
     }
 
-    return ((fcerts || !ncerts) ? SECSuccess : SECFailure);
+    return (fcerts || !ncerts) ? SECSuccess : SECFailure;
 }
 
 /*
  * a real list of certificates - need to convert CERTCertificateList
  * stuff and ASN 1 encoder/decoder over to using this...
  */
 CERTCertList *
 CERT_NewCertList(void)
@@ -2888,25 +2888,26 @@ CERT_LockCertRefCount(CERTCertificate *c
 }
 
 /*
  * Free the cert reference count lock
  */
 void
 CERT_UnlockCertRefCount(CERTCertificate *cert)
 {
-    PRStatus prstat;
-
     PORT_Assert(certRefCountLock != NULL);
     
-    prstat = PZ_Unlock(certRefCountLock);
-    
-    PORT_Assert(prstat == PR_SUCCESS);
-
-    return;
+#ifdef DEBUG
+    {
+        PRStatus prstat = PZ_Unlock(certRefCountLock);
+        PORT_Assert(prstat == PR_SUCCESS);
+    }
+#else
+    PZ_Unlock(certRefCountLock);
+#endif
 }
 
 static PZLock *certTrustLock = NULL;
 
 /*
  * Acquire the cert trust lock
  * There is currently one global lock for all certs, but I'm putting a cert
  * arg here so that it will be easy to make it per-cert in the future if
@@ -2968,25 +2969,26 @@ cert_DestroyLocks(void)
 }
 
 /*
  * Free the cert trust lock
  */
 void
 CERT_UnlockCertTrust(const CERTCertificate *cert)
 {
-    PRStatus prstat;
-
     PORT_Assert(certTrustLock != NULL);
     
-    prstat = PZ_Unlock(certTrustLock);
-    
-    PORT_Assert(prstat == PR_SUCCESS);
-
-    return;
+#ifdef DEBUG
+    {
+        PRStatus prstat = PZ_Unlock(certTrustLock);
+        PORT_Assert(prstat == PR_SUCCESS);
+    }
+#else
+    PZ_Unlock(certTrustLock);
+#endif
 }
 
 
 /*
  * Get the StatusConfig data for this handle
  */
 CERTStatusConfig *
 CERT_GetStatusConfig(CERTCertDBHandle *handle)
--- a/lib/certdb/crl.c
+++ b/lib/certdb/crl.c
@@ -622,31 +622,30 @@ loser:
 
 CERTSignedCrl *
 crl_storeCRL (PK11SlotInfo *slot,char *url,
                   CERTSignedCrl *newCrl, SECItem *derCrl, int type)
 {
     CERTSignedCrl *oldCrl = NULL, *crl = NULL;
     PRBool deleteOldCrl = PR_FALSE;
     CK_OBJECT_HANDLE crlHandle = CK_INVALID_HANDLE;
-    SECStatus rv;
 
     PORT_Assert(newCrl);
     PORT_Assert(derCrl);
     PORT_Assert(type == SEC_CRL_TYPE);
 
     if (type != SEC_CRL_TYPE) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
 
     /* we can't use the cache here because we must look in the same
        token */
-    rv = SEC_FindCrlByKeyOnSlot(slot, &newCrl->crl.derName, type,
-                                &oldCrl, CRL_DECODE_SKIP_ENTRIES);
+    (void)SEC_FindCrlByKeyOnSlot(slot, &newCrl->crl.derName, type,
+                                 &oldCrl, CRL_DECODE_SKIP_ENTRIES);
     /* if there is an old crl on the token, make sure the one we are
        installing is newer. If not, exit out, otherwise delete the
        old crl.
      */
     if (oldCrl != NULL) {
 	/* if it's already there, quietly continue */
 	if (SECITEM_CompareItem(newCrl->derCrl, oldCrl->derCrl) 
 						== SECEqual) {
@@ -2688,17 +2687,17 @@ cert_CheckCertRevocationStatus(CERTCerti
             }
             else
             {
                 /* no revocation date, certificate is permanently revoked */
                 rv = SECFailure;
             }
             if (SECFailure == rv)
             {
-                SECStatus rv2 = CERT_FindCRLEntryReasonExten(entry, &reason);
+                (void)CERT_FindCRLEntryReasonExten(entry, &reason);
                 PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE);
             }
             break;
 
         case dpcacheEmpty:
             /* useful for NIST policy */
             status = certRevocationStatusUnknown;
             break;
@@ -3045,17 +3044,17 @@ static SECStatus addCRLToCache(CERTCertD
 /* take ownership of CRL, and insert it into the named CRL cache
  * and indexed CRL cache
  */
 SECStatus cert_CacheCRLByGeneralName(CERTCertDBHandle* dbhandle, SECItem* crl,
                                      const SECItem* canonicalizedName)
 {
     NamedCRLCacheEntry* oldEntry, * newEntry = NULL;
     NamedCRLCache* ncc = NULL;
-    SECStatus rv = SECSuccess, rv2;
+    SECStatus rv = SECSuccess;
 
     PORT_Assert(namedCRLCache.lock);
     PORT_Assert(namedCRLCache.entries);
 
     if (!crl || !canonicalizedName)
     {
         PORT_Assert(0);
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -3083,18 +3082,17 @@ SECStatus cert_CacheCRLByGeneralName(CER
         if (!oldEntry)
         {
             /* add new good entry to the hash table */
             if (NULL == PL_HashTableAdd(namedCRLCache.entries,
                                         (void*) newEntry->canonicalizedName,
                                         (void*) newEntry))
             {
                 PORT_Assert(0);
-                rv2 = NamedCRLCacheEntry_Destroy(newEntry);
-                PORT_Assert(SECSuccess == rv2);
+                NamedCRLCacheEntry_Destroy(newEntry);
                 rv = SECFailure;
             }
         }
         else
         {
             PRBool removed;
             /* remove the old CRL from the cache if needed */
             if (oldEntry->inCRLCache)
@@ -3107,18 +3105,17 @@ SECStatus cert_CacheCRLByGeneralName(CER
             PORT_Assert(removed);
             if (!removed)
             {
                 rv = SECFailure;
 		/* leak old entry since we couldn't remove it from the hash table */
             }
             else
             {
-                rv2 = NamedCRLCacheEntry_Destroy(oldEntry);
-                PORT_Assert(SECSuccess == rv2);
+                PORT_CheckSuccess(NamedCRLCacheEntry_Destroy(oldEntry));
             }
             if (NULL == PL_HashTableAdd(namedCRLCache.entries,
                                       (void*) newEntry->canonicalizedName,
                                       (void*) newEntry))
             {
                 PORT_Assert(0);
                 rv = SECFailure;
             }
@@ -3155,31 +3152,29 @@ SECStatus cert_CacheCRLByGeneralName(CER
                 PORT_Assert(removed);
                 if (!removed)
                 {
 		    /* leak old entry since we couldn't remove it from the hash table */
                     rv = SECFailure;
                 }
                 else
                 {
-                    rv2 = NamedCRLCacheEntry_Destroy(oldEntry);
-                    PORT_Assert(SECSuccess == rv2);
+                    PORT_CheckSuccess(NamedCRLCacheEntry_Destroy(oldEntry));
                 }
                 if (NULL == PL_HashTableAdd(namedCRLCache.entries,
                                           (void*) newEntry->canonicalizedName,
                                           (void*) newEntry))
                 {
                     PORT_Assert(0);
                     rv = SECFailure;
                 }
             }
         }
     }
-    rv2 = cert_ReleaseNamedCRLCache(ncc);
-    PORT_Assert(SECSuccess == rv2);
+    PORT_CheckSuccess(cert_ReleaseNamedCRLCache(ncc));
 
     return rv;
 }
 
 static SECStatus CachedCrl_Create(CachedCrl** returned, CERTSignedCrl* crl,
                                   CRLOrigin origin)
 {
     CachedCrl* newcrl = NULL;
--- a/lib/certdb/genname.c
+++ b/lib/certdb/genname.c
@@ -62,26 +62,16 @@ static const SEC_ASN1Template CERTOthNam
 };
 
 static const SEC_ASN1Template CERTOtherNameTemplate[] = {
     { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 0 ,
       offsetof(CERTGeneralName, name.OthName), CERTOthNameTemplate, 
       sizeof(CERTGeneralName) }
 };
 
-static const SEC_ASN1Template CERTOtherName2Template[] = {
-    { SEC_ASN1_SEQUENCE | SEC_ASN1_CONTEXT_SPECIFIC | 0 ,
-      0, NULL, sizeof(CERTGeneralName) },
-    { SEC_ASN1_OBJECT_ID,
-	  offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, oid) },
-    { SEC_ASN1_ANY,
-	  offsetof(CERTGeneralName, name.OthName) + offsetof(OtherName, name) },
-    { 0, } 
-};
-
 static const SEC_ASN1Template CERT_RFC822NameTemplate[] = {
     { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1 ,
           offsetof(CERTGeneralName, name.other),
           SEC_ASN1_SUB(SEC_IA5StringTemplate),
           sizeof (CERTGeneralName)}
 };
 
 static const SEC_ASN1Template CERT_DNSNameTemplate[] = {
--- a/lib/certdb/secname.c
+++ b/lib/certdb/secname.c
@@ -235,24 +235,16 @@ CERT_CopyAVA(PLArenaPool *arena, CERTAVA
 	if (rv) goto loser;
     }
     return ava;
 
   loser:
     return 0;
 }
 
-/************************************************************************/
-/* XXX This template needs to go away in favor of the new SEC_ASN1 version. */
-static const SEC_ASN1Template cert_RDNTemplate[] = {
-    { SEC_ASN1_SET_OF,
-	  offsetof(CERTRDN,avas), cert_AVATemplate, sizeof(CERTRDN) }
-};
-
-
 CERTRDN *
 CERT_CreateRDN(PLArenaPool *arena, CERTAVA *ava0, ...)
 {
     CERTAVA *ava;
     CERTRDN *rdn;
     va_list ap;
     unsigned count;
     CERTAVA **avap;
--- a/lib/certhigh/certhigh.c
+++ b/lib/certhigh/certhigh.c
@@ -19,46 +19,41 @@
 
 
 PRBool
 CERT_MatchNickname(char *name1, char *name2) {
     char *nickname1= NULL;
     char *nickname2 = NULL;
     char *token1;
     char *token2;
-    char *token = NULL;
-    int len;
 
     /* first deal with the straight comparison */
     if (PORT_Strcmp(name1, name2) == 0) {
 	return PR_TRUE;
     }
     /* we need to handle the case where one name has an explicit token and the other
      * doesn't */
     token1 = PORT_Strchr(name1,':');
     token2 = PORT_Strchr(name2,':');
     if ((token1 && token2) || (!token1 && !token2)) {
 	/* either both token names are specified or neither are, not match */
 	return PR_FALSE;
     }
     if (token1) {
-	token=name1;
 	nickname1=token1;
 	nickname2=name2;
     } else {
-	token=name2;
 	nickname1=token2;
 	nickname2=name1;
     }
-    len = nickname1-token;
     nickname1++;
     if (PORT_Strcmp(nickname1,nickname2) != 0) {
 	return PR_FALSE;
     }
-    /* compare the other token with the internal slot here */
+    /* Bug 1192443 - compare the other token with the internal slot here */
     return PR_TRUE;
 }
 
 /*
  * Find all user certificates that match the given criteria.
  * 
  *	"handle" - database to search
  *	"usage" - certificate usage to match
--- a/lib/certhigh/certvfypkix.c
+++ b/lib/certhigh/certvfypkix.c
@@ -1407,23 +1407,23 @@ setRevocationMethod(PKIX_RevocationCheck
                     CERTRevocationMethodIndex certRevMethod,
                     PKIX_RevocationMethodType pkixRevMethod,
                     PKIX_Boolean verifyResponderUsages,
                     PKIX_Boolean isLeafTest,
                     void *plContext)
 {
     PKIX_UInt32 methodFlags = 0;
     PKIX_Error *error = NULL;
-    int priority = 0;
+    PKIX_UInt32 priority = 0;
     
-    if (revTest->number_of_defined_methods <= certRevMethod) {
+    if (revTest->number_of_defined_methods <= (PRUint32)certRevMethod) {
         return NULL;
     }
     if (revTest->preferred_methods) {
-        int i = 0;
+        unsigned int i = 0;
         for (;i < revTest->number_of_preferred_methods;i++) {
             if (revTest->preferred_methods[i] == certRevMethod) 
                 break;
         }
         priority = i;
     }
     methodFlags = revTest->cert_rev_flags_per_method[certRevMethod];
     if (verifyResponderUsages &&
--- a/lib/certhigh/ocsp.c
+++ b/lib/certhigh/ocsp.c
@@ -554,24 +554,29 @@ ocsp_FreeCacheItem(OCSPCacheItem *item)
 static void
 ocsp_RemoveCacheItem(OCSPCacheData *cache, OCSPCacheItem *item)
 {
     /* The item we're removing could be either the least recently used item,
      * or it could be an item that couldn't get updated with newer status info
      * because of an allocation failure, or it could get removed because we're 
      * cleaning up.
      */
-    PRBool couldRemoveFromHashTable;
     OCSP_TRACE(("OCSP ocsp_RemoveCacheItem, THREADID %p\n", PR_GetCurrentThread()));
     PR_EnterMonitor(OCSP_Global.monitor);
 
     ocsp_RemoveCacheItemFromLinkedList(cache, item);
-    couldRemoveFromHashTable = PL_HashTableRemove(cache->entries, 
-                                                  item->certID);
-    PORT_Assert(couldRemoveFromHashTable);
+#ifdef DEBUG
+    {
+        PRBool couldRemoveFromHashTable = PL_HashTableRemove(cache->entries,
+                                                             item->certID);
+        PORT_Assert(couldRemoveFromHashTable);
+    }
+#else
+    PL_HashTableRemove(cache->entries, item->certID);
+#endif
     --cache->numberOfEntries;
     ocsp_FreeCacheItem(item);
     PR_ExitMonitor(OCSP_Global.monitor);
 }
 
 static void
 ocsp_CheckCacheSize(OCSPCacheData *cache)
 {
--- a/lib/certhigh/xcrldist.c
+++ b/lib/certhigh/xcrldist.c
@@ -96,19 +96,16 @@ CERT_EncodeCRLDistributionPoints (PLAren
 		break;
 
 	    case relativeDistinguishedName:
 		if (!SEC_ASN1EncodeItem(ourPool, &point->derDistPoint, 
 		      point, RelativeNameTemplate)) 
 		    rv = SECFailure;
 		break;
 
-	    /* distributionPointName is omitted */
-	    case 0: break;
-
 	    default:
 		PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
 		rv = SECFailure;
 		break;
 	    }
 
 	    if (rv != SECSuccess)
 		break;
--- a/lib/ckfw/builtins/binst.c
+++ b/lib/ckfw/builtins/binst.c
@@ -60,20 +60,18 @@ builtins_mdInstance_GetLibraryDescriptio
 
 static CK_VERSION
 builtins_mdInstance_GetLibraryVersion
 (
   NSSCKMDInstance *mdInstance,
   NSSCKFWInstance *fwInstance
 )
 {
-  extern const char __nss_builtins_version[];
-  volatile char c; /* force a reference that won't get optimized away */
-
-  c = __nss_builtins_version[0];
+#define NSS_VERSION_VARIABLE __nss_builtins_version
+#include "verref.h"
   return nss_builtins_LibraryVersion;
 }
 
 static CK_RV
 builtins_mdInstance_GetSlots
 (
   NSSCKMDInstance *mdInstance,
   NSSCKFWInstance *fwInstance,
--- a/lib/ckfw/builtins/certdata.perl
+++ b/lib/ckfw/builtins/certdata.perl
@@ -6,17 +6,16 @@
 use strict;
 
 my %constants;
 my $count = 0;
 my $o;
 my @objects = ();
 my @objsize;
 
-$constants{CKO_DATA} = "static const CK_OBJECT_CLASS cko_data = CKO_DATA;\n";
 $constants{CK_TRUE} = "static const CK_BBOOL ck_true = CK_TRUE;\n";
 $constants{CK_FALSE} = "static const CK_BBOOL ck_false = CK_FALSE;\n";
 
 while(<>) {
   my @fields = ();
   my $size;
 
   s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
--- a/lib/ckfw/hash.c
+++ b/lib/ckfw/hash.c
@@ -43,19 +43,17 @@ struct nssCKFWHashStr {
 };
 
 static PLHashNumber
 nss_ckfw_identity_hash
 (
   const void *key
 )
 {
-  PRUint32 i = (PRUint32)key;
-  PR_ASSERT(sizeof(PLHashNumber) == sizeof(PRUint32));
-  return (PLHashNumber)i;
+  return (PLHashNumber)((char *)key - (char *)NULL);
 }
 
 /*
  * nssCKFWHash_Create
  *
  */
 NSS_IMPLEMENT nssCKFWHash *
 nssCKFWHash_Create
--- a/lib/ckfw/token.c
+++ b/lib/ckfw/token.c
@@ -1253,33 +1253,32 @@ nssCKFWToken_GetUTCTime
   if( CKR_OK != error ) {
     return error;
   }
 
   /* Sanity-check the data */
   {
     /* Format is YYYYMMDDhhmmss00 */
     int i;
-    int Y, M, D, h, m, s, z;
+    int Y, M, D, h, m, s;
     static int dims[] = { 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
 
     for( i = 0; i < 16; i++ ) {
       if( (utcTime[i] < '0') || (utcTime[i] > '9') ) {
         goto badtime;
       }
     }
 
     Y = ((utcTime[ 0] - '0') * 1000) + ((utcTime[1] - '0') * 100) +
         ((utcTime[ 2] - '0') * 10) + (utcTime[ 3] - '0');
     M = ((utcTime[ 4] - '0') * 10) + (utcTime[ 5] - '0');
     D = ((utcTime[ 6] - '0') * 10) + (utcTime[ 7] - '0');
     h = ((utcTime[ 8] - '0') * 10) + (utcTime[ 9] - '0');
     m = ((utcTime[10] - '0') * 10) + (utcTime[11] - '0');
     s = ((utcTime[12] - '0') * 10) + (utcTime[13] - '0');
-    z = ((utcTime[14] - '0') * 10) + (utcTime[15] - '0');
 
     if( (Y < 1990) || (Y > 3000) ) goto badtime; /* Y3K problem.  heh heh heh */
     if( (M < 1) || (M > 12) ) goto badtime;
     if( (D < 1) || (D > 31) ) goto badtime;
 
     if( D > dims[M-1] ) goto badtime; /* per-month check */
     if( (2 == M) && (((Y%4)||!(Y%100))&&(Y%400)) && (D > 28) ) goto badtime; /* leap years */
 
--- a/lib/crmf/cmmfchal.c
+++ b/lib/crmf/cmmfchal.c
@@ -25,17 +25,16 @@ cmmf_create_witness_and_challenge(PLAren
     SECItem        encodedRandStr = {siBuffer, NULL, 0};
     SECItem       *dummy;
     unsigned char *randHash, *senderHash, *encChal=NULL;
     unsigned       modulusLen = 0;
     SECStatus      rv = SECFailure;
     CMMFRand       randStr= { {siBuffer, NULL, 0}, {siBuffer, NULL, 0}};
     PK11SlotInfo  *slot;
     PK11SymKey    *symKey = NULL;
-    CK_OBJECT_HANDLE id;
     CERTSubjectPublicKeyInfo *spki = NULL;
 
     
     encodedRandNum = SEC_ASN1EncodeInteger(poolp, &challenge->randomNumber,
 					   inRandom);
     encodedRandNum = &challenge->randomNumber;
     randHash   = PORT_ArenaNewArray(poolp, unsigned char, SHA1_LENGTH);
     senderHash = PORT_ArenaNewArray(poolp, unsigned char, SHA1_LENGTH);
@@ -71,17 +70,17 @@ cmmf_create_witness_and_challenge(PLAren
         rv = SECFailure;
         goto loser;
     }
     slot =PK11_GetBestSlotWithAttributes(CKM_RSA_PKCS, CKF_WRAP, 0, passwdArg);
     if (slot == NULL) {
         rv = SECFailure;
         goto loser;
     }
-    id = PK11_ImportPublicKey(slot, inPubKey, PR_FALSE);
+    (void)PK11_ImportPublicKey(slot, inPubKey, PR_FALSE);
     /* In order to properly encrypt the data, we import as a symmetric
      * key, and then wrap that key.  That in essence encrypts the data.
      * This is the method recommended in the PK11 world in order
      * to prevent threading issues as well as breaking any other semantics
      * the PK11 libraries depend on.
      */
     symKey = PK11_ImportSymKey(slot, CKM_RSA_PKCS, PK11_OriginGenerated,
 			       CKA_VALUE, &encodedRandStr, passwdArg);
--- a/lib/crmf/crmfcont.c
+++ b/lib/crmf/crmfcont.c
@@ -852,36 +852,42 @@ crmf_create_encrypted_value_wrapped_priv
 }
 
 CRMFEncryptedKey*
 CRMF_CreateEncryptedKeyWithEncryptedValue (SECKEYPrivateKey *inPrivKey,
 					   CERTCertificate  *inCACert)
 {
     SECKEYPublicKey          *caPubKey = NULL;
     CRMFEncryptedKey         *encKey = NULL;
-    CRMFEncryptedValue       *dummy;
 
     PORT_Assert(inPrivKey != NULL && inCACert != NULL);
     if (inPrivKey == NULL || inCACert == NULL) {
         return NULL;
     }
 
     caPubKey = CERT_ExtractPublicKey(inCACert);
     if (caPubKey == NULL) {
         goto loser;
     }
 
     encKey = PORT_ZNew(CRMFEncryptedKey);
     if (encKey == NULL) {
         goto loser;
     }
-    dummy = crmf_create_encrypted_value_wrapped_privkey(inPrivKey,
-							caPubKey,
-					       &encKey->value.encryptedValue);
-    PORT_Assert(dummy == &encKey->value.encryptedValue);
+#ifdef DEBUG
+    {
+        CRMFEncryptedValue *dummy =
+            crmf_create_encrypted_value_wrapped_privkey(
+                inPrivKey, caPubKey, &encKey->value.encryptedValue);
+        PORT_Assert(dummy == &encKey->value.encryptedValue);
+    }
+#else
+    crmf_create_encrypted_value_wrapped_privkey(
+        inPrivKey, caPubKey, &encKey->value.encryptedValue);
+#endif
     /* We won't add the der value here, but rather when it 
      * becomes part of a certificate request.
      */
     SECKEY_DestroyPublicKey(caPubKey);
     encKey->encKeyChoice = crmfEncryptedValueChoice;
     return encKey;
  loser:
     if (encKey != NULL) {
--- a/lib/crmf/crmfi.h
+++ b/lib/crmf/crmfi.h
@@ -47,17 +47,17 @@
  */
 #define MAX_WRAPPED_KEY_LEN       RSA_MAX_MODULUS_BITS
 
 #define CRMF_BITS_TO_BYTES(bits) (((bits)+7)/8)
 #define CRMF_BYTES_TO_BITS(bytes) ((bytes)*8)
 
 struct crmfEncoderArg {
     SECItem *buffer;
-    long     allocatedLen;
+    unsigned long allocatedLen;
 };
 
 struct crmfEncoderOutput {
     CRMFEncoderOutputCallback fn;
     void *outputArg;
 };
 
 /*
--- a/lib/crmf/crmfpop.c
+++ b/lib/crmf/crmfpop.c
@@ -5,17 +5,17 @@
 
 
 #include "crmf.h"
 #include "crmfi.h"
 #include "secasn1.h"
 #include "keyhi.h"
 #include "cryptohi.h"
 
-#define CRMF_DEFAULT_ALLOC_SIZE 1024
+#define CRMF_DEFAULT_ALLOC_SIZE 1024U
 
 SECStatus
 crmf_init_encoder_callback_arg (struct crmfEncoderArg *encoderArg, 
 				SECItem               *derDest) 
 {
     derDest->data = PORT_ZNewArray(unsigned char, CRMF_DEFAULT_ALLOC_SIZE);
     if (derDest->data == NULL) {
         return SECFailure;
@@ -28,17 +28,16 @@ crmf_init_encoder_callback_arg (struct c
 }
 
 /* Caller should release or unmark the pool, instead of doing it here.
 ** But there are NO callers of this function at present...
 */
 SECStatus 
 CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCertReqMsg *inCertReqMsg)
 {
-    SECItem               *dummy;
     CRMFProofOfPossession *pop;
     PLArenaPool           *poolp;
     void                  *mark;
 
     PORT_Assert(inCertReqMsg != NULL && inCertReqMsg->pop == NULL);
     poolp = inCertReqMsg->poolp;
     mark = PORT_ArenaMark(poolp);
     if (CRMF_CertReqMsgGetPOPType(inCertReqMsg) != crmfNoPOPChoice) {
@@ -47,19 +46,19 @@ CRMF_CertReqMsgSetRAVerifiedPOP(CRMFCert
     pop = PORT_ArenaZNew(poolp, CRMFProofOfPossession);
     if (pop == NULL) {
         goto loser;
     }
     pop->popUsed = crmfRAVerified;
     pop->popChoice.raVerified.data = NULL;
     pop->popChoice.raVerified.len  = 0;
     inCertReqMsg->pop = pop;
-    dummy = SEC_ASN1EncodeItem(poolp, &(inCertReqMsg->derPOP),
-			       &(pop->popChoice.raVerified),
-			       CRMFRAVerifiedTemplate);
+    (void)SEC_ASN1EncodeItem(poolp, &(inCertReqMsg->derPOP),
+                             &(pop->popChoice.raVerified),
+                             CRMFRAVerifiedTemplate);
     return SECSuccess;
  loser:
     PORT_ArenaRelease(poolp, mark);
     return SECFailure;
 }
 
 static SECOidTag
 crmf_get_key_sign_tag(SECKEYPublicKey *inPubKey)
--- a/lib/crmf/crmftmpl.c
+++ b/lib/crmf/crmftmpl.c
@@ -133,29 +133,16 @@ const SEC_ASN1Template CRMFCertReqMsgTem
     { 0 }
 };
 
 const SEC_ASN1Template CRMFCertReqMessagesTemplate[] = {
     { SEC_ASN1_SEQUENCE_OF, offsetof(CRMFCertReqMessages, messages), 
       CRMFCertReqMsgTemplate, sizeof (CRMFCertReqMessages)}
 };
 
-static const SEC_ASN1Template CRMFPOPOSigningKeyInputTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL,sizeof(CRMFPOPOSigningKeyInput) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | 
-      SEC_ASN1_CONTEXT_SPECIFIC | 0,
-      offsetof(CRMFPOPOSigningKeyInput, authInfo.sender) },
-    { SEC_ASN1_BIT_STRING | SEC_ASN1_OPTIONAL | 1,
-      offsetof (CRMFPOPOSigningKeyInput, authInfo.publicKeyMAC) },
-    { SEC_ASN1_INLINE | SEC_ASN1_XTRN, 
-      offsetof(CRMFPOPOSigningKeyInput, publicKey), 
-      SEC_ASN1_SUB(CERT_SubjectPublicKeyInfoTemplate) },
-    { 0 }
-};
-
 const SEC_ASN1Template CRMFRAVerifiedTemplate[] = {
     { SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_XTRN, 
       0,
       SEC_ASN1_SUB(SEC_NullTemplate) },
     { 0 }
 };
 
 
@@ -247,24 +234,8 @@ const SEC_ASN1Template CRMFEncryptedValu
 
 const SEC_ASN1Template CRMFEncryptedKeyWithEncryptedValueTemplate [] = {
     { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | 
       SEC_ASN1_CONTEXT_SPECIFIC | 0,
       0,
       CRMFEncryptedValueTemplate},
     { 0 }
 };
-
-static const SEC_ASN1Template CRMFSinglePubInfoTemplate[] = {
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (CRMFSinglePubInfo)},
-    { SEC_ASN1_INTEGER, offsetof(CRMFSinglePubInfo, pubMethod) },
-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC,
-      offsetof(CRMFSinglePubInfo, pubLocation) },
-    { 0 }
-};
-
-static const SEC_ASN1Template CRMFPublicationInfoTemplate[] ={ 
-    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CRMFPKIPublicationInfo) },
-    { SEC_ASN1_INTEGER, offsetof(CRMFPKIPublicationInfo, action) },
-    { SEC_ASN1_POINTER, offsetof(CRMFPKIPublicationInfo, pubInfos),
-      CRMFSinglePubInfoTemplate},
-    { 0 }
-};
--- a/lib/dbm/src/h_page.c
+++ b/lib/dbm/src/h_page.c
@@ -715,33 +715,16 @@ extern int
 			errno = EFTYPE;
 			return (-1);
 		}
 
 	if (!is_bitmap && !bp[0]) {
 		PAGE_INIT(p);
 	} else {
 
-#ifdef DEBUG
-		if(BYTE_ORDER == LITTLE_ENDIAN)
-		  {
-			int is_little_endian;
-			is_little_endian = BYTE_ORDER;
-		  }
-		else if(BYTE_ORDER == BIG_ENDIAN)
-		  {
-			int is_big_endian;
-			is_big_endian = BYTE_ORDER;
-		  }
-		else
-		  {
-			assert(0);
-		  }
-#endif
-
 		if (hashp->LORDER != BYTE_ORDER) {
 			register int i, max;
 
 			if (is_bitmap) {
 				max = hashp->BSIZE >> 2; /* divide by 4 */
 				for (i = 0; i < max; i++)
 					M_32_SWAP(((int *)p)[i]);
 			} else {
--- a/lib/dev/devslot.c
+++ b/lib/dev/devslot.c
@@ -20,19 +20,16 @@
 /* this should track global and per-transaction login information */
 
 #define NSSSLOT_IS_FRIENDLY(slot) \
   (slot->base.flags & NSSSLOT_FLAGS_FRIENDLY)
 
 /* measured as interval */
 static PRIntervalTime s_token_delay_time = 0;
 
-/* The flags needed to open a read-only session. */
-static const CK_FLAGS s_ck_readonly_flags = CKF_SERIAL_SESSION;
-
 NSS_IMPLEMENT PRStatus
 nssSlot_Destroy (
   NSSSlot *slot
 )
 {
     if (slot) {
 	if (PR_ATOMIC_DECREMENT(&slot->base.refCount) == 0) {
 	    PZ_DestroyLock(slot->base.lock);
--- a/lib/dev/devtoken.c
+++ b/lib/dev/devtoken.c
@@ -1461,17 +1461,16 @@ nssToken_TraverseCertificates (
 {
     CK_RV ckrv;
     CK_ULONG count;
     CK_OBJECT_HANDLE *objectHandles;
     CK_ATTRIBUTE_PTR attr;
     CK_ATTRIBUTE cert_template[2];
     CK_ULONG ctsize;
     NSSArena *arena;
-    PRStatus status;
     PRUint32 arraySize, numHandles;
     nssCryptokiObject **objects;
     void *epv = nssToken_GetCryptokiEPV(token);
     nssSession *session = (sessionOpt) ? sessionOpt : token->defaultSession;
 
     /* Don't ask the module to use an invalid session handle. */
     if (!session || session->handle == CK_INVALID_SESSION) {
 	PORT_SetError(SEC_ERROR_NO_TOKEN);
@@ -1539,17 +1538,17 @@ nssToken_TraverseCertificates (
 	goto loser;
     }
     if (numHandles > 0) {
 	objects = create_objects_from_handles(token, session,
 	                                      objectHandles, numHandles);
 	if (objects) {
 	    nssCryptokiObject **op;
 	    for (op = objects; *op; op++) {
-		status = (*callback)(*op, arg);
+		(void)(*callback)(*op, arg);
 	    }
 	    nss_ZFreeIf(objects);
 	}
     }
     nssArena_Destroy(arena);
     return PR_SUCCESS;
 loser:
     nssArena_Destroy(arena);
--- a/lib/freebl/cts.c
+++ b/lib/freebl/cts.c
@@ -180,17 +180,17 @@ CTS_DecryptUpdate(CTSContext *cts, unsig
 {
     unsigned char *Pn;
     unsigned char Cn_2[MAX_BLOCK_SIZE]; /* block Cn-2 */
     unsigned char Cn_1[MAX_BLOCK_SIZE]; /* block Cn-1 */
     unsigned char Cn[MAX_BLOCK_SIZE];   /* block Cn   */
     unsigned char lastBlock[MAX_BLOCK_SIZE];
     const unsigned char *tmp;
     unsigned int tmpLen;
-    int fullblocks, pad;
+    unsigned int fullblocks, pad;
     unsigned int i;
     SECStatus rv;
 
     if (inlen < blocksize) {
 	PORT_SetError(SEC_ERROR_INPUT_LEN);
 	return SECFailure;
     }
 
--- a/lib/freebl/dh.c
+++ b/lib/freebl/dh.c
@@ -200,17 +200,17 @@ SECStatus
 DH_Derive(SECItem *publicValue, 
           SECItem *prime, 
           SECItem *privateValue, 
           SECItem *derivedSecret, 
           unsigned int outBytes)
 {
     mp_int p, Xa, Yb, ZZ, psub1;
     mp_err err = MP_OKAY;
-    int len = 0;
+    unsigned int len = 0;
     unsigned int nb;
     unsigned char *secret = NULL;
     if (!publicValue || !prime || !privateValue || !derivedSecret) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     memset(derivedSecret, 0, sizeof *derivedSecret);
     MP_DIGITS(&p)  = 0;
--- a/lib/freebl/drbg.c
+++ b/lib/freebl/drbg.c
@@ -242,36 +242,42 @@ prng_reseed_test(RNGContext *rng, const 
     }
     return prng_reseed(rng, entropy, entropy_len, 
 				additional_input, additional_input_len);
 }
 
 /*
  * build some fast inline functions for adding.
  */
-#define PRNG_ADD_CARRY_ONLY(dest, start, cy) \
-   carry = cy; \
-   for (k1=start; carry && k1 >=0 ; k1--) { \
-	carry = !(++dest[k1]); \
-   } 
+#define PRNG_ADD_CARRY_ONLY(dest, start, carry) \
+    { \
+        int k1; \
+        for (k1 = start; carry && k1 >= 0; k1--) { \
+            carry = !(++dest[k1]); \
+        } \
+    }
 
 /*
  * NOTE: dest must be an array for the following to work.
  */
-#define PRNG_ADD_BITS(dest, dest_len, add, len) \
+#define PRNG_ADD_BITS(dest, dest_len, add, len, carry) \
     carry = 0; \
-    for (k1=dest_len -1, k2=len-1; k2 >= 0; --k1, --k2) { \
-	carry += dest[k1]+ add[k2]; \
-	dest[k1] = (PRUint8) carry; \
-	carry >>= 8; \
+    PORT_Assert((dest_len) >= (len)); \
+    { \
+        int k1, k2; \
+        for (k1 = dest_len - 1, k2 = len - 1; k2 >= 0; --k1, --k2) { \
+            carry += dest[k1] + add[k2]; \
+            dest[k1] = (PRUint8) carry; \
+            carry >>= 8; \
+        } \
     }
 
-#define PRNG_ADD_BITS_AND_CARRY(dest, dest_len, add, len) \
-    PRNG_ADD_BITS(dest, dest_len, add, len) \
-    PRNG_ADD_CARRY_ONLY(dest, k1, carry)
+#define PRNG_ADD_BITS_AND_CARRY(dest, dest_len, add, len, carry) \
+    PRNG_ADD_BITS(dest, dest_len, add, len, carry) \
+    PRNG_ADD_CARRY_ONLY(dest, dest_len - len, carry)
 
 /*
  * This function expands the internal state of the prng to fulfill any number
  * of bytes we need for this request. We only use this call if we need more
  * than can be supplied by a single call to SHA256_HashBuf. 
  *
  * This function is specified in NIST SP 800-90 section 10.1.1.4, Hashgen
  */
@@ -281,26 +287,26 @@ prng_Hashgen(RNGContext *rng, PRUint8 *r
 {
     PRUint8 data[VSize(rng)];
 
     PORT_Memcpy(data, V(rng), VSize(rng));
     while (no_of_returned_bytes) {
 	SHA256Context ctx;
 	unsigned int len;
 	unsigned int carry;
-	int k1;
 
  	SHA256_Begin(&ctx);
  	SHA256_Update(&ctx, data, sizeof data);
 	SHA256_End(&ctx, returned_bytes, &len, no_of_returned_bytes);
 	returned_bytes += len;
 	no_of_returned_bytes -= len;
 	/* The carry parameter is a bool (increment or not). 
 	 * This increments data if no_of_returned_bytes is not zero */
-	PRNG_ADD_CARRY_ONLY(data, (sizeof data)- 1, no_of_returned_bytes);
+        carry = no_of_returned_bytes;
+	PRNG_ADD_CARRY_ONLY(data, (sizeof data)- 1, carry);
     }
     PORT_Memset(data, 0, sizeof data); 
 }
 
 /* 
  * Generates new random bytes and advances the internal prng state.	
  * additional bytes are only used in algorithm testing.
  * 
@@ -310,17 +316,16 @@ static SECStatus
 prng_generateNewBytes(RNGContext *rng, 
 		PRUint8 *returned_bytes, unsigned int no_of_returned_bytes,
 		const PRUint8 *additional_input,
 		unsigned int additional_input_len)
 {
     PRUint8 H[SHA256_LENGTH]; /* both H and w since they 
 			       * aren't used concurrently */
     unsigned int carry;
-    int k1, k2;
 
     if (!rng->isValid) {
 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 	return SECFailure;
     }
     /* This code only triggers during tests, normal
      * prng operation does not use additional_input */
     if (additional_input){
@@ -331,35 +336,36 @@ prng_generateNewBytes(RNGContext *rng,
 	 * them to the same variable, but keeping their unique names for
 	 * easy comparison to the spec */
 #define w H
 	rng->V_type = prngAdditionalDataType;
  	SHA256_Begin(&ctx);
  	SHA256_Update(&ctx, rng->V_Data, sizeof rng->V_Data);
  	SHA256_Update(&ctx, additional_input, additional_input_len);
 	SHA256_End(&ctx, w, NULL, sizeof w);
-	PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), w, sizeof w)
+	PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), w, sizeof w, carry)
 	PORT_Memset(w, 0, sizeof w);
 #undef w 
     }
 
     if (no_of_returned_bytes == SHA256_LENGTH) {
 	/* short_cut to hashbuf and save a copy and a clear */
 	SHA256_HashBuf(returned_bytes, V(rng), VSize(rng) );
     } else {
     	prng_Hashgen(rng, returned_bytes, no_of_returned_bytes);
     }
     /* advance our internal state... */
     rng->V_type = prngGenerateByteType;
     SHA256_HashBuf(H, rng->V_Data, sizeof rng->V_Data);
-    PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), H, sizeof H)
-    PRNG_ADD_BITS(V(rng), VSize(rng), rng->C, sizeof rng->C);
+    PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), H, sizeof H, carry)
+    PRNG_ADD_BITS(V(rng), VSize(rng), rng->C, sizeof rng->C, carry);
     PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), rng->reseed_counter, 
-					sizeof rng->reseed_counter)
-    PRNG_ADD_CARRY_ONLY(rng->reseed_counter,(sizeof rng->reseed_counter)-1, 1);
+					sizeof rng->reseed_counter, carry)
+    carry = 1;
+    PRNG_ADD_CARRY_ONLY(rng->reseed_counter,(sizeof rng->reseed_counter)-1, carry);
 
     /* continuous rng check */
     if (memcmp(V(rng), rng->oldV, sizeof rng->oldV) == 0) {
 	rng->isValid = PR_FALSE;
 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 	return SECFailure;
     }
     PORT_Memcpy(rng->oldV, V(rng), sizeof rng->oldV);
@@ -505,17 +511,17 @@ RNG_RandomUpdate(const void *data, size_
      *
      * if 'sizeof(size_t) <= 4' is triggered, it means that we were expecting
      *   sizeof(size_t) to be less than or equal to 4, but it wasn't. Setting 
      *   NS_PTR_GT_32 will correct that mistake.
      */
 
     PR_STATIC_ASSERT(sizeof(size_t) > 4);
 
-    if (bytes > PRNG_MAX_ADDITIONAL_BYTES) {
+    if (bytes > (size_t)PRNG_MAX_ADDITIONAL_BYTES) {
 	bytes = PRNG_MAX_ADDITIONAL_BYTES;
     }
 #else
     PR_STATIC_ASSERT(sizeof(size_t) <= 4);
 #endif
 
     PZ_Lock(globalrng->lock);
     /* if we're passed more than our additionalDataCache, simply
--- a/lib/freebl/dsa.c
+++ b/lib/freebl/dsa.c
@@ -497,17 +497,17 @@ DSA_VerifyDigest(DSAPublicKey *key, cons
                  const SECItem *digest)
 {
     /* FIPS-compliance dictates that digest is a SHA hash. */
     mp_int p, q, g;      /* PQG parameters */
     mp_int r_, s_;       /* tuple (r', s') is received signature) */
     mp_int u1, u2, v, w; /* intermediate values used in verification */
     mp_int y;            /* public key */
     mp_err err;
-    int dsa_subprime_len, dsa_signature_len, offset;
+    unsigned int dsa_subprime_len, dsa_signature_len, offset;
     SECItem localDigest;
     unsigned char localDigestData[DSA_MAX_SUBPRIME_LEN];
     SECStatus verified = SECFailure;
 
     /* Check args. */
     if (!key || !signature || !digest ) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
--- a/lib/freebl/ecl/ecl-priv.h
+++ b/lib/freebl/ecl/ecl-priv.h
@@ -24,50 +24,49 @@
 
 /* Gets the i'th bit in the binary representation of a. If i >= length(a), 
  * then return 0. (The above behaviour differs from mpl_get_bit, which
  * causes an error if i >= length(a).) */
 #define MP_GET_BIT(a, i) \
 	((i) >= mpl_significant_bits((a))) ? 0 : mpl_get_bit((a), (i))
 
 #if !defined(MP_NO_MP_WORD) && !defined(MP_NO_ADD_WORD)
-#define MP_ADD_CARRY(a1, a2, s, cin, cout)   \
+#define MP_ADD_CARRY(a1, a2, s, carry)   \
     { mp_word w; \
-    w = ((mp_word)(cin)) + (a1) + (a2); \
+    w = ((mp_word)carry) + (a1) + (a2); \
     s = ACCUM(w); \
-    cout = CARRYOUT(w); }
+    carry = CARRYOUT(w); }
 
-#define MP_SUB_BORROW(a1, a2, s, bin, bout)   \
+#define MP_SUB_BORROW(a1, a2, s, borrow)   \
     { mp_word w; \
-    w = ((mp_word)(a1)) - (a2) - (bin); \
+    w = ((mp_word)(a1)) - (a2) - borrow; \
     s = ACCUM(w); \
-    bout = (w >> MP_DIGIT_BIT) & 1; }
+    borrow = (w >> MP_DIGIT_BIT) & 1; }
 
 #else
 /* NOTE, 
- * cin and cout could be the same variable.
- * bin and bout could be the same variable.
+ * carry and borrow are both read and written.
  * a1 or a2 and s could be the same variable.
  * don't trash those outputs until their respective inputs have
  * been read. */
-#define MP_ADD_CARRY(a1, a2, s, cin, cout)   \
+#define MP_ADD_CARRY(a1, a2, s, carry)   \
     { mp_digit tmp,sum; \
     tmp = (a1); \
     sum = tmp + (a2); \
     tmp = (sum < tmp);                     /* detect overflow */ \
-    s = sum += (cin); \
-    cout = tmp + (sum < (cin)); }
+    s = sum += carry; \
+    carry = tmp + (sum < carry); }
 
-#define MP_SUB_BORROW(a1, a2, s, bin, bout)   \
+#define MP_SUB_BORROW(a1, a2, s, borrow)   \
     { mp_digit tmp; \
     tmp = (a1); \
     s = tmp - (a2); \
     tmp = (s > tmp);                    /* detect borrow */ \
-    if ((bin) && !s--) tmp++;	\
-    bout = tmp; }
+    if (borrow && !s--) tmp++;	\
+    borrow = tmp; }
 #endif
 
 
 struct GFMethodStr;
 typedef struct GFMethodStr GFMethod;
 struct GFMethodStr {
 	/* Indicates whether the structure was constructed from dynamic memory 
 	 * or statically created. */
--- a/lib/freebl/ecl/ecl_gf.c
+++ b/lib/freebl/ecl/ecl_gf.c
@@ -237,19 +237,20 @@ ec_GFp_add_3(const mp_int *a, const mp_i
 		r2 = MP_DIGIT(b,2);
 	case 2:
 		r1 = MP_DIGIT(b,1);
 	case 1:
 		r0 = MP_DIGIT(b,0);
 	}
 
 #ifndef MPI_AMD64_ADD
-	MP_ADD_CARRY(a0, r0, r0, 0,     carry);
-	MP_ADD_CARRY(a1, r1, r1, carry, carry);
-	MP_ADD_CARRY(a2, r2, r2, carry, carry);
+        carry = 0;
+	MP_ADD_CARRY(a0, r0, r0, carry);
+	MP_ADD_CARRY(a1, r1, r1, carry);
+	MP_ADD_CARRY(a2, r2, r2, carry);
 #else
 	__asm__ (
                 "xorq   %3,%3           \n\t"
                 "addq   %4,%0           \n\t"
                 "adcq   %5,%1           \n\t"
                 "adcq   %6,%2           \n\t"
                 "adcq   $0,%3           \n\t"
                 : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(carry)
@@ -268,19 +269,20 @@ ec_GFp_add_3(const mp_int *a, const mp_i
 	/* Do quick 'subract' if we've gone over 
 	 * (add the 2's complement of the curve field) */
 	 a2 = MP_DIGIT(&meth->irr,2);
 	if (carry ||  r2 >  a2 ||
 		((r2 == a2) && mp_cmp(r,&meth->irr) != MP_LT)) {
 		a1 = MP_DIGIT(&meth->irr,1);
 		a0 = MP_DIGIT(&meth->irr,0);
 #ifndef MPI_AMD64_ADD
-		MP_SUB_BORROW(r0, a0, r0, 0,     carry);
-		MP_SUB_BORROW(r1, a1, r1, carry, carry);
-		MP_SUB_BORROW(r2, a2, r2, carry, carry);
+                carry = 0;
+		MP_SUB_BORROW(r0, a0, r0, carry);
+		MP_SUB_BORROW(r1, a1, r1, carry);
+		MP_SUB_BORROW(r2, a2, r2, carry);
 #else
 		__asm__ (
 			"subq   %3,%0           \n\t"
 			"sbbq   %4,%1           \n\t"
 			"sbbq   %5,%2           \n\t"
 			: "=r"(r0), "=r"(r1), "=r"(r2)
 			: "r" (a0), "r" (a1), "r" (a2),
 			  "0" (r0), "1" (r1), "2" (r2)
@@ -324,20 +326,21 @@ ec_GFp_add_4(const mp_int *a, const mp_i
 		r2 = MP_DIGIT(b,2);
 	case 2:
 		r1 = MP_DIGIT(b,1);
 	case 1:
 		r0 = MP_DIGIT(b,0);
 	}
 
 #ifndef MPI_AMD64_ADD
-	MP_ADD_CARRY(a0, r0, r0, 0,     carry);
-	MP_ADD_CARRY(a1, r1, r1, carry, carry);
-	MP_ADD_CARRY(a2, r2, r2, carry, carry);
-	MP_ADD_CARRY(a3, r3, r3, carry, carry);
+        carry = 0;
+	MP_ADD_CARRY(a0, r0, r0, carry);
+	MP_ADD_CARRY(a1, r1, r1, carry);
+	MP_ADD_CARRY(a2, r2, r2, carry);
+	MP_ADD_CARRY(a3, r3, r3, carry);
 #else
 	__asm__ (
                 "xorq   %4,%4           \n\t"
                 "addq   %5,%0           \n\t"
                 "adcq   %6,%1           \n\t"
                 "adcq   %7,%2           \n\t"
                 "adcq   %8,%3           \n\t"
                 "adcq   $0,%4           \n\t"
@@ -359,20 +362,21 @@ ec_GFp_add_4(const mp_int *a, const mp_i
 	 * (add the 2's complement of the curve field) */
 	 a3 = MP_DIGIT(&meth->irr,3);
 	if (carry ||  r3 >  a3 ||
 		((r3 == a3) && mp_cmp(r,&meth->irr) != MP_LT)) {
 		a2 = MP_DIGIT(&meth->irr,2);
 		a1 = MP_DIGIT(&meth->irr,1);
 		a0 = MP_DIGIT(&meth->irr,0);
 #ifndef MPI_AMD64_ADD
-		MP_SUB_BORROW(r0, a0, r0, 0,     carry);
-		MP_SUB_BORROW(r1, a1, r1, carry, carry);
-		MP_SUB_BORROW(r2, a2, r2, carry, carry);
-		MP_SUB_BORROW(r3, a3, r3, carry, carry);
+                carry = 0;
+		MP_SUB_BORROW(r0, a0, r0, carry);
+		MP_SUB_BORROW(r1, a1, r1, carry);
+		MP_SUB_BORROW(r2, a2, r2, carry);
+		MP_SUB_BORROW(r3, a3, r3, carry);
 #else
 		__asm__ (
 			"subq   %4,%0           \n\t"
 			"sbbq   %5,%1           \n\t"
 			"sbbq   %6,%2           \n\t"
 			"sbbq   %7,%3           \n\t"
 			: "=r"(r0), "=r"(r1), "=r"(r2), "=r"(r3)
 			: "r" (a0), "r" (a1), "r" (a2), "r" (a3),
@@ -421,21 +425,22 @@ ec_GFp_add_5(const mp_int *a, const mp_i
 	case 3:
 		r2 = MP_DIGIT(b,2);
 	case 2:
 		r1 = MP_DIGIT(b,1);
 	case 1:
 		r0 = MP_DIGIT(b,0);
 	}
 
-	MP_ADD_CARRY(a0, r0, r0, 0,     carry);
-	MP_ADD_CARRY(a1, r1, r1, carry, carry);
-	MP_ADD_CARRY(a2, r2, r2, carry, carry);
-	MP_ADD_CARRY(a3, r3, r3, carry, carry);
-	MP_ADD_CARRY(a4, r4, r4, carry, carry);
+        carry = 0;
+	MP_ADD_CARRY(a0, r0, r0, carry);
+	MP_ADD_CARRY(a1, r1, r1, carry);
+	MP_ADD_CARRY(a2, r2, r2, carry);
+	MP_ADD_CARRY(a3, r3, r3, carry);
+	MP_ADD_CARRY(a4, r4, r4, carry);
 
 	MP_CHECKOK(s_mp_pad(r, 5));
 	MP_DIGIT(r, 4) = r4;
 	MP_DIGIT(r, 3) = r3;
 	MP_DIGIT(r, 2) = r2;
 	MP_DIGIT(r, 1) = r1;
 	MP_DIGIT(r, 0) = r0;
 	MP_SIGN(r) = MP_ZPOS;
@@ -445,21 +450,22 @@ ec_GFp_add_5(const mp_int *a, const mp_i
 	 * (add the 2's complement of the curve field) */
 	 a4 = MP_DIGIT(&meth->irr,4);
 	if (carry ||  r4 >  a4 ||
 		((r4 == a4) && mp_cmp(r,&meth->irr) != MP_LT)) {
 		a3 = MP_DIGIT(&meth->irr,3);
 		a2 = MP_DIGIT(&meth->irr,2);
 		a1 = MP_DIGIT(&meth->irr,1);
 		a0 = MP_DIGIT(&meth->irr,0);
-		MP_SUB_BORROW(r0, a0, r0, 0,     carry);
-		MP_SUB_BORROW(r1, a1, r1, carry, carry);
-		MP_SUB_BORROW(r2, a2, r2, carry, carry);
-		MP_SUB_BORROW(r3, a3, r3, carry, carry);
-		MP_SUB_BORROW(r4, a4, r4, carry, carry);
+                carry = 0;
+		MP_SUB_BORROW(r0, a0, r0, carry);
+		MP_SUB_BORROW(r1, a1, r1, carry);
+		MP_SUB_BORROW(r2, a2, r2, carry);
+		MP_SUB_BORROW(r3, a3, r3, carry);
+		MP_SUB_BORROW(r4, a4, r4, carry);
 		MP_DIGIT(r, 4) = r4;
 		MP_DIGIT(r, 3) = r3;
 		MP_DIGIT(r, 2) = r2;
 		MP_DIGIT(r, 1) = r1;
 		MP_DIGIT(r, 0) = r0;
 	}
 	
 	s_mp_clamp(r);
@@ -502,22 +508,23 @@ ec_GFp_add_6(const mp_int *a, const mp_i
 	case 3:
 		r2 = MP_DIGIT(b,2);
 	case 2:
 		r1 = MP_DIGIT(b,1);
 	case 1:
 		r0 = MP_DIGIT(b,0);
 	}
 
-	MP_ADD_CARRY(a0, r0, r0, 0,     carry);
-	MP_ADD_CARRY(a1, r1, r1, carry, carry);
-	MP_ADD_CARRY(a2, r2, r2, carry, carry);
-	MP_ADD_CARRY(a3, r3, r3, carry, carry);
-	MP_ADD_CARRY(a4, r4, r4, carry, carry);
-	MP_ADD_CARRY(a5, r5, r5, carry, carry);
+        carry = 0;
+	MP_ADD_CARRY(a0, r0, r0, carry);
+	MP_ADD_CARRY(a1, r1, r1, carry);
+	MP_ADD_CARRY(a2, r2, r2, carry);
+	MP_ADD_CARRY(a3, r3, r3, carry);
+	MP_ADD_CARRY(a4, r4, r4, carry);
+	MP_ADD_CARRY(a5, r5, r5, carry);
 
 	MP_CHECKOK(s_mp_pad(r, 6));
 	MP_DIGIT(r, 5) = r5;
 	MP_DIGIT(r, 4) = r4;
 	MP_DIGIT(r, 3) = r3;
 	MP_DIGIT(r, 2) = r2;
 	MP_DIGIT(r, 1) = r1;
 	MP_DIGIT(r, 0) = r0;
@@ -529,22 +536,23 @@ ec_GFp_add_6(const mp_int *a, const mp_i
 	a5 = MP_DIGIT(&meth->irr,5);
 	if (carry ||  r5 >  a5 ||
 		((r5 == a5) && mp_cmp(r,&meth->irr) != MP_LT)) {
 		a4 = MP_DIGIT(&meth->irr,4);
 		a3 = MP_DIGIT(&meth->irr,3);
 		a2 = MP_DIGIT(&meth->irr,2);
 		a1 = MP_DIGIT(&meth->irr,1);
 		a0 = MP_DIGIT(&meth->irr,0);
-		MP_SUB_BORROW(r0, a0, r0, 0,     carry);
-		MP_SUB_BORROW(r1, a1, r1, carry, carry);
-		MP_SUB_BORROW(r2, a2, r2, carry, carry);
-		MP_SUB_BORROW(r3, a3, r3, carry, carry);
-		MP_SUB_BORROW(r4, a4, r4, carry, carry);
-		MP_SUB_BORROW(r5, a5, r5, carry, carry);
+                carry = 0;
+		MP_SUB_BORROW(r0, a0, r0, carry);
+		MP_SUB_BORROW(r1, a1, r1, carry);
+		MP_SUB_BORROW(r2, a2, r2, carry);
+		MP_SUB_BORROW(r3, a3, r3, carry);
+		MP_SUB_BORROW(r4, a4, r4, carry);
+		MP_SUB_BORROW(r5, a5, r5, carry);
 		MP_DIGIT(r, 5) = r5;
 		MP_DIGIT(r, 4) = r4;
 		MP_DIGIT(r, 3) = r3;
 		MP_DIGIT(r, 2) = r2;
 		MP_DIGIT(r, 1) = r1;
 		MP_DIGIT(r, 0) = r0;
 	}
 	
@@ -582,19 +590,20 @@ ec_GFp_sub_3(const mp_int *a, const mp_i
 		b2 = MP_DIGIT(b,2);
 	case 2:
 		b1 = MP_DIGIT(b,1);
 	case 1:
 		b0 = MP_DIGIT(b,0);
 	}
 
 #ifndef MPI_AMD64_ADD
-	MP_SUB_BORROW(r0, b0, r0, 0,     borrow);
-	MP_SUB_BORROW(r1, b1, r1, borrow, borrow);
-	MP_SUB_BORROW(r2, b2, r2, borrow, borrow);
+        borrow = 0;
+	MP_SUB_BORROW(r0, b0, r0, borrow);
+	MP_SUB_BORROW(r1, b1, r1, borrow);
+	MP_SUB_BORROW(r2, b2, r2, borrow);
 #else
 	__asm__ (
                 "xorq   %3,%3           \n\t"
                 "subq   %4,%0           \n\t"
                 "sbbq   %5,%1           \n\t"
                 "sbbq   %6,%2           \n\t"
                 "adcq   $0,%3           \n\t"
                 : "=r"(r0), "=r"(r1), "=r"(r2), "=r" (borrow)
@@ -605,19 +614,20 @@ ec_GFp_sub_3(const mp_int *a, const mp_i
 
 	/* Do quick 'add' if we've gone under 0
 	 * (subtract the 2's complement of the curve field) */
 	if (borrow) {
 	 	b2 = MP_DIGIT(&meth->irr,2);
 		b1 = MP_DIGIT(&meth->irr,1);
 		b0 = MP_DIGIT(&meth->irr,0);
 #ifndef MPI_AMD64_ADD
-		MP_ADD_CARRY(b0, r0, r0, 0,      borrow);
-		MP_ADD_CARRY(b1, r1, r1, borrow, borrow);
-		MP_ADD_CARRY(b2, r2, r2, borrow, borrow);
+                borrow = 0;
+		MP_ADD_CARRY(b0, r0, r0, borrow);
+		MP_ADD_CARRY(b1, r1, r1, borrow);
+		MP_ADD_CARRY(b2, r2, r2, borrow);
 #else
 		__asm__ (
 			"addq   %3,%0           \n\t"
 			"adcq   %4,%1           \n\t"
 			"adcq   %5,%2           \n\t"
 			: "=r"(r0), "=r"(r1), "=r"(r2)
 			: "r" (b0), "r" (b1), "r" (b2),
   			  "0" (r0), "1" (r1), "2" (r2)
@@ -670,20 +680,21 @@ ec_GFp_sub_4(const mp_int *a, const mp_i
 		b2 = MP_DIGIT(b,2);
 	case 2:
 		b1 = MP_DIGIT(b,1);
 	case 1:
 		b0 = MP_DIGIT(b,0);
 	}
 
 #ifndef MPI_AMD64_ADD
-	MP_SUB_BORROW(r0, b0, r0, 0,     borrow);
-	MP_SUB_BORROW(r1, b1, r1, borrow, borrow);
-	MP_SUB_BORROW(r2, b2, r2, borrow, borrow);
-	MP_SUB_BORROW(r3, b3, r3, borrow, borrow);
+        borrow = 0;
+	MP_SUB_BORROW(r0, b0, r0, borrow);
+	MP_SUB_BORROW(r1, b1, r1, borrow);
+	MP_SUB_BORROW(r2, b2, r2, borrow);
+	MP_SUB_BORROW(r3, b3, r3, borrow);
 #else
 	__asm__ (
                 "xorq   %4,%4           \n\t"
                 "subq   %5,%0           \n\t"
                 "sbbq   %6,%1           \n\t"
                 "sbbq   %7,%2           \n\t"
                 "sbbq   %8,%3           \n\t"
                 "adcq   $0,%4           \n\t"
@@ -696,20 +707,21 @@ ec_GFp_sub_4(const mp_int *a, const mp_i
 	/* Do quick 'add' if we've gone under 0
 	 * (subtract the 2's complement of the curve field) */
 	if (borrow) {
 	 	b3 = MP_DIGIT(&meth->irr,3);
 	 	b2 = MP_DIGIT(&meth->irr,2);
 		b1 = MP_DIGIT(&meth->irr,1);
 		b0 = MP_DIGIT(&meth->irr,0);
 #ifndef MPI_AMD64_ADD
-		MP_ADD_CARRY(b0, r0, r0, 0,      borrow);
-		MP_ADD_CARRY(b1, r1, r1, borrow, borrow);
-		MP_ADD_CARRY(b2, r2, r2, borrow, borrow);
-		MP_ADD_CARRY(b3, r3, r3, borrow, borrow);
+                borrow = 0;
+		MP_ADD_CARRY(b0, r0, r0, borrow);
+		MP_ADD_CARRY(b1, r1, r1, borrow);
+		MP_ADD_CARRY(b2, r2, r2, borrow);
+		MP_ADD_CARRY(b3, r3, r3, borrow);
 #else
 		__asm__ (
 			"addq   %4,%0           \n\t"
 			"adcq   %5,%1           \n\t"
 			"adcq   %6,%2           \n\t"
 			"adcq   %7,%3           \n\t"
 			: "=r"(r0), "=r"(r1), "=r"(r2), "=r"(r3)
 			: "r" (b0), "r" (b1), "r" (b2), "r" (b3),
@@ -766,34 +778,36 @@ ec_GFp_sub_5(const mp_int *a, const mp_i
 	case 3:
 		b2 = MP_DIGIT(b,2);
 	case 2:
 		b1 = MP_DIGIT(b,1);
 	case 1:
 		b0 = MP_DIGIT(b,0);
 	}
 
-	MP_SUB_BORROW(r0, b0, r0, 0,     borrow);
-	MP_SUB_BORROW(r1, b1, r1, borrow, borrow);
-	MP_SUB_BORROW(r2, b2, r2, borrow, borrow);
-	MP_SUB_BORROW(r3, b3, r3, borrow, borrow);
-	MP_SUB_BORROW(r4, b4, r4, borrow, borrow);
+        borrow = 0;
+	MP_SUB_BORROW(r0, b0, r0, borrow);
+	MP_SUB_BORROW(r1, b1, r1, borrow);
+	MP_SUB_BORROW(r2, b2, r2, borrow);
+	MP_SUB_BORROW(r3, b3, r3, borrow);
+	MP_SUB_BORROW(r4, b4, r4, borrow);
 
 	/* Do quick 'add' if we've gone under 0
 	 * (subtract the 2's complement of the curve field) */
 	if (borrow) {
 	 	b4 = MP_DIGIT(&meth->irr,4);
 	 	b3 = MP_DIGIT(&meth->irr,3);
 	 	b2 = MP_DIGIT(&meth->irr,2);
 		b1 = MP_DIGIT(&meth->irr,1);
 		b0 = MP_DIGIT(&meth->irr,0);
-		MP_ADD_CARRY(b0, r0, r0, 0,      borrow);
-		MP_ADD_CARRY(b1, r1, r1, borrow, borrow);
-		MP_ADD_CARRY(b2, r2, r2, borrow, borrow);
-		MP_ADD_CARRY(b3, r3, r3, borrow, borrow);
+                borrow = 0;
+		MP_ADD_CARRY(b0, r0, r0, borrow);
+		MP_ADD_CARRY(b1, r1, r1, borrow);
+		MP_ADD_CARRY(b2, r2, r2, borrow);
+		MP_ADD_CARRY(b3, r3, r3, borrow);
 	}
 	MP_CHECKOK(s_mp_pad(r, 5));
 	MP_DIGIT(r, 4) = r4;
 	MP_DIGIT(r, 3) = r3;
 	MP_DIGIT(r, 2) = r2;
 	MP_DIGIT(r, 1) = r1;
 	MP_DIGIT(r, 0) = r0;
 	MP_SIGN(r) = MP_ZPOS;
@@ -838,37 +852,39 @@ ec_GFp_sub_6(const mp_int *a, const mp_i
 	case 3:
 		b2 = MP_DIGIT(b,2);
 	case 2:
 		b1 = MP_DIGIT(b,1);
 	case 1:
 		b0 = MP_DIGIT(b,0);
 	}
 
-	MP_SUB_BORROW(r0, b0, r0, 0,     borrow);
-	MP_SUB_BORROW(r1, b1, r1, borrow, borrow);
-	MP_SUB_BORROW(r2, b2, r2, borrow, borrow);
-	MP_SUB_BORROW(r3, b3, r3, borrow, borrow);
-	MP_SUB_BORROW(r4, b4, r4, borrow, borrow);
-	MP_SUB_BORROW(r5, b5, r5, borrow, borrow);
+        borrow = 0;
+	MP_SUB_BORROW(r0, b0, r0, borrow);
+	MP_SUB_BORROW(r1, b1, r1, borrow);
+	MP_SUB_BORROW(r2, b2, r2, borrow);
+	MP_SUB_BORROW(r3, b3, r3, borrow);
+	MP_SUB_BORROW(r4, b4, r4, borrow);
+	MP_SUB_BORROW(r5, b5, r5, borrow);
 
 	/* Do quick 'add' if we've gone under 0
 	 * (subtract the 2's complement of the curve field) */
 	if (borrow) {
 	 	b5 = MP_DIGIT(&meth->irr,5);
 	 	b4 = MP_DIGIT(&meth->irr,4);
 	 	b3 = MP_DIGIT(&meth->irr,3);
 	 	b2 = MP_DIGIT(&meth->irr,2);
 		b1 = MP_DIGIT(&meth->irr,1);
 		b0 = MP_DIGIT(&meth->irr,0);
-		MP_ADD_CARRY(b0, r0, r0, 0,      borrow);
-		MP_ADD_CARRY(b1, r1, r1, borrow, borrow);
-		MP_ADD_CARRY(b2, r2, r2, borrow, borrow);
-		MP_ADD_CARRY(b3, r3, r3, borrow, borrow);
-		MP_ADD_CARRY(b4, r4, r4, borrow, borrow);
+                borrow = 0;
+		MP_ADD_CARRY(b0, r0, r0, borrow);
+		MP_ADD_CARRY(b1, r1, r1, borrow);
+		MP_ADD_CARRY(b2, r2, r2, borrow);
+		MP_ADD_CARRY(b3, r3, r3, borrow);
+		MP_ADD_CARRY(b4, r4, r4, borrow);
 	}
 
 	MP_CHECKOK(s_mp_pad(r, 6));
 	MP_DIGIT(r, 5) = r5;
 	MP_DIGIT(r, 4) = r4;
 	MP_DIGIT(r, 3) = r3;
 	MP_DIGIT(r, 2) = r2;
 	MP_DIGIT(r, 1) = r1;
--- a/lib/freebl/ecl/ecl_mult.c
+++ b/lib/freebl/ecl/ecl_mult.c
@@ -124,17 +124,17 @@ ec_pts_mul_basic(const mp_int *k1, const
 mp_err
 ec_pts_mul_simul_w2(const mp_int *k1, const mp_int *k2, const mp_int *px,
 					const mp_int *py, mp_int *rx, mp_int *ry,
 					const ECGroup *group)
 {
 	mp_err res = MP_OKAY;
 	mp_int precomp[4][4][2];
 	const mp_int *a, *b;
-	int i, j;
+        unsigned int i, j;
 	int ai, bi, d;
 
 	ARGCHK(group != NULL, MP_BADARG);
 	ARGCHK(!((k1 == NULL)
 			 && ((k2 == NULL) || (px == NULL)
 				 || (py == NULL))), MP_BADARG);
 
 	/* if some arguments are not defined used ECPoint_mul */
@@ -231,17 +231,17 @@ ec_pts_mul_simul_w2(const mp_int *k1, co
 	}
 
 	d = (mpl_significant_bits(a) + 1) / 2;
 
 	/* R = inf */
 	mp_zero(rx);
 	mp_zero(ry);
 
-	for (i = d - 1; i >= 0; i--) {
+        for (i = d; i-- > 0;) {
 		ai = MP_GET_BIT(a, 2 * i + 1);
 		ai <<= 1;
 		ai |= MP_GET_BIT(a, 2 * i);
 		bi = MP_GET_BIT(b, 2 * i + 1);
 		bi <<= 1;
 		bi |= MP_GET_BIT(b, 2 * i);
 		/* R = 2^2 * R */
 		MP_CHECKOK(group->point_dbl(rx, ry, rx, ry, group));
--- a/lib/freebl/ecl/ecp_192.c
+++ b/lib/freebl/ecl/ecp_192.c
@@ -67,44 +67,46 @@ ec_GFp_nistp192_mod(const mp_int *a, mp_
                 r2b= MP_DIGIT(a, 5);
                 r2a= MP_DIGIT(a, 4);
                 r1b = MP_DIGIT(a, 3);
                 r1a = MP_DIGIT(a, 2);
                 r0b = MP_DIGIT(a, 1);
                 r0a = MP_DIGIT(a, 0);
 
 		/* implement r = (a2,a1,a0)+(a5,a5,a5)+(a4,a4,0)+(0,a3,a3) */
-		MP_ADD_CARRY(r0a, a3a, r0a, 0,    carry);
-		MP_ADD_CARRY(r0b, a3b, r0b, carry, carry);
-		MP_ADD_CARRY(r1a, a3a, r1a, carry, carry);
-		MP_ADD_CARRY(r1b, a3b, r1b, carry, carry);
-		MP_ADD_CARRY(r2a, a4a, r2a, carry, carry);
-		MP_ADD_CARRY(r2b, a4b, r2b, carry, carry);
+                carry = 0;
+		MP_ADD_CARRY(r0a, a3a, r0a, carry);
+		MP_ADD_CARRY(r0b, a3b, r0b, carry);
+		MP_ADD_CARRY(r1a, a3a, r1a, carry);
+		MP_ADD_CARRY(r1b, a3b, r1b, carry);
+		MP_ADD_CARRY(r2a, a4a, r2a, carry);
+		MP_ADD_CARRY(r2b, a4b, r2b, carry);
 		r3 = carry; carry = 0;
-		MP_ADD_CARRY(r0a, a5a, r0a, 0,     carry);
-		MP_ADD_CARRY(r0b, a5b, r0b, carry, carry);
-		MP_ADD_CARRY(r1a, a5a, r1a, carry, carry);
-		MP_ADD_CARRY(r1b, a5b, r1b, carry, carry);
-		MP_ADD_CARRY(r2a, a5a, r2a, carry, carry);
-		MP_ADD_CARRY(r2b, a5b, r2b, carry, carry);
-		r3 += carry; 
-		MP_ADD_CARRY(r1a, a4a, r1a, 0,     carry);
-		MP_ADD_CARRY(r1b, a4b, r1b, carry, carry);
-		MP_ADD_CARRY(r2a,   0, r2a, carry, carry);
-		MP_ADD_CARRY(r2b,   0, r2b, carry, carry);
+		MP_ADD_CARRY(r0a, a5a, r0a, carry);
+		MP_ADD_CARRY(r0b, a5b, r0b, carry);
+		MP_ADD_CARRY(r1a, a5a, r1a, carry);
+		MP_ADD_CARRY(r1b, a5b, r1b, carry);
+		MP_ADD_CARRY(r2a, a5a, r2a, carry);
+		MP_ADD_CARRY(r2b, a5b, r2b, carry);
+		r3 += carry; carry = 0;
+		MP_ADD_CARRY(r1a, a4a, r1a, carry);
+		MP_ADD_CARRY(r1b, a4b, r1b, carry);
+		MP_ADD_CARRY(r2a,   0, r2a, carry);
+		MP_ADD_CARRY(r2b,   0, r2b, carry);
 		r3 += carry;
 
 		/* reduce out the carry */
 		while (r3) {
-			MP_ADD_CARRY(r0a, r3, r0a, 0,     carry);
-			MP_ADD_CARRY(r0b,  0, r0b, carry, carry);
-			MP_ADD_CARRY(r1a, r3, r1a, carry, carry);
-			MP_ADD_CARRY(r1b,  0, r1b, carry, carry);
-			MP_ADD_CARRY(r2a,  0, r2a, carry, carry);
-			MP_ADD_CARRY(r2b,  0, r2b, carry, carry);
+                        carry = 0;
+			MP_ADD_CARRY(r0a, r3, r0a, carry);
+			MP_ADD_CARRY(r0b,  0, r0b, carry);
+			MP_ADD_CARRY(r1a, r3, r1a, carry);
+			MP_ADD_CARRY(r1b,  0, r1b, carry);
+			MP_ADD_CARRY(r2a,  0, r2a, carry);
+			MP_ADD_CARRY(r2b,  0, r2b, carry);
 			r3 = carry;
 		}
 
 		/* check for final reduction */
 		/*
 		 * our field is 0xffffffffffffffff, 0xfffffffffffffffe,
 		 * 0xffffffffffffffff. That means we can only be over and need
 		 * one more reduction 
@@ -116,18 +118,19 @@ ec_GFp_nistp192_mod(const mp_int *a, mp_
 		 * complement value (1,1,0)).  (r0, r1, r2)
 		 */
 		if (((r2b == 0xffffffff) && (r2a == 0xffffffff) 
 			&& (r1b == 0xffffffff) ) &&
 			   ((r1a == 0xffffffff) || 
 			    (r1a == 0xfffffffe) && (r0a == 0xffffffff) &&
 					(r0b == 0xffffffff)) ) {
 			/* do a quick subtract */
-			MP_ADD_CARRY(r0a, 1, r0a, 0, carry);
-			MP_ADD_CARRY(r0b, carry, r0a, 0, carry);
+                        carry = 0;
+			MP_ADD_CARRY(r0a, 1, r0a, carry);
+			MP_ADD_CARRY(r0b, carry, r0a, carry);
 			r1a += 1+carry;
 			r1b = r2a = r2b = 0;
 		}
 
 		/* set the lower words of r */
 		if (a != r) {
 			MP_CHECKOK(s_mp_pad(r, 6));
 		}
@@ -149,26 +152,27 @@ ec_GFp_nistp192_mod(const mp_int *a, mp_
 		}
 
                 r2 = MP_DIGIT(a, 2);
                 r1 = MP_DIGIT(a, 1);
                 r0 = MP_DIGIT(a, 0);
 
 		/* implement r = (a2,a1,a0)+(a5,a5,a5)+(a4,a4,0)+(0,a3,a3) */
 #ifndef MPI_AMD64_ADD 
-		MP_ADD_CARRY(r0, a3, r0, 0,     carry);
-		MP_ADD_CARRY(r1, a3, r1, carry, carry);
-		MP_ADD_CARRY(r2, a4, r2, carry, carry);
-		r3 = carry; 
-		MP_ADD_CARRY(r0, a5, r0, 0,     carry);
-		MP_ADD_CARRY(r1, a5, r1, carry, carry);
-		MP_ADD_CARRY(r2, a5, r2, carry, carry);
-		r3 += carry; 
-		MP_ADD_CARRY(r1, a4, r1, 0,     carry);
-		MP_ADD_CARRY(r2,  0, r2, carry, carry);
+                carry = 0;
+		MP_ADD_CARRY(r0, a3, r0, carry);
+		MP_ADD_CARRY(r1, a3, r1, carry);
+		MP_ADD_CARRY(r2, a4, r2, carry);
+		r3 = carry; carry = 0;
+		MP_ADD_CARRY(r0, a5, r0, carry);
+		MP_ADD_CARRY(r1, a5, r1, carry);
+		MP_ADD_CARRY(r2, a5, r2, carry);
+		r3 += carry; carry = 0;
+		MP_ADD_CARRY(r1, a4, r1, carry);
+		MP_ADD_CARRY(r2,  0, r2, carry);
 		r3 += carry;
 
 #else 
                 r2 = MP_DIGIT(a, 2);
                 r1 = MP_DIGIT(a, 1);
                 r0 = MP_DIGIT(a, 0);
 
                 /* set the lower words of r */
@@ -190,19 +194,20 @@ ec_GFp_nistp192_mod(const mp_int *a, mp_
                 : "0" (r0), "1" (r1), "2" (r2), "3" (r3), 
 		  "4" (a3), "5" (a4), "6"(a5)
                 : "%cc" );
 #endif 
 
 		/* reduce out the carry */
 		while (r3) {
 #ifndef MPI_AMD64_ADD
-			MP_ADD_CARRY(r0, r3, r0, 0,     carry);
-			MP_ADD_CARRY(r1, r3, r1, carry, carry);
-			MP_ADD_CARRY(r2,  0, r2, carry, carry);
+                        carry = 0;
+			MP_ADD_CARRY(r0, r3, r0, carry);
+			MP_ADD_CARRY(r1, r3, r1, carry);
+			MP_ADD_CARRY(r2,  0, r2, carry);
 			r3 = carry;
 #else
 			a3=r3;
               		__asm__ (
                 	"xorq   %3,%3           \n\t"
                 	"addq   %4,%0           \n\t"
                 	"adcq   %4,%1           \n\t"
                 	"adcq   $0,%2           \n\t"
@@ -224,17 +229,18 @@ ec_GFp_nistp192_mod(const mp_int *a, mp_
 		 *     r1 == 0xfffffffffffffffffe and r0 = 0xfffffffffffffffff
 		 * In all cases, we subtract the field (or add the 2's 
 		 * complement value (1,1,0)).  (r0, r1, r2)
 		 */
 		if (r3 || ((r2 == MP_DIGIT_MAX) &&
 		      ((r1 == MP_DIGIT_MAX) || 
 			((r1 == (MP_DIGIT_MAX-1)) && (r0 == MP_DIGIT_MAX))))) {
 			/* do a quick subtract */
-			MP_ADD_CARRY(r0, 1, r0, 0, carry);
+                        carry = 0;
+			MP_ADD_CARRY(r0, 1, r0, carry);
 			r1 += 1+carry;
 			r2 = 0;
 		}
 		/* set the lower words of r */
 		if (a != r) {
 			MP_CHECKOK(s_mp_pad(r, 3));
 		}
 		MP_DIGIT(r, 2) = r2;
@@ -275,19 +281,20 @@ ec_GFp_nistp192_add(const mp_int *a, con
 		r2 = MP_DIGIT(b,2);
 	case 2:
 		r1 = MP_DIGIT(b,1);
 	case 1:
 		r0 = MP_DIGIT(b,0);
 	}
 
 #ifndef MPI_AMD64_ADD
-	MP_ADD_CARRY(a0, r0, r0, 0,     carry);
-	MP_ADD_CARRY(a1, r1, r1, carry, carry);
-	MP_ADD_CARRY(a2, r2, r2, carry, carry);
+        carry = 0;
+	MP_ADD_CARRY(a0, r0, r0, carry);
+	MP_ADD_CARRY(a1, r1, r1, carry);
+	MP_ADD_CARRY(a2, r2, r2, carry);
 #else
 	__asm__ (
                 "xorq   %3,%3           \n\t"
                 "addq   %4,%0           \n\t"
                 "adcq   %5,%1           \n\t"
                 "adcq   %6,%2           \n\t"
                 "adcq   $0,%3           \n\t"
                 : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(carry)
@@ -297,19 +304,20 @@ ec_GFp_nistp192_add(const mp_int *a, con
 #endif
 
 	/* Do quick 'subract' if we've gone over 
 	 * (add the 2's complement of the curve field) */
 	if (carry || ((r2 == MP_DIGIT_MAX) &&
 		      ((r1 == MP_DIGIT_MAX) || 
 			((r1 == (MP_DIGIT_MAX-1)) && (r0 == MP_DIGIT_MAX))))) {
 #ifndef MPI_AMD64_ADD
-		MP_ADD_CARRY(r0, 1, r0, 0,     carry);
-		MP_ADD_CARRY(r1, 1, r1, carry, carry);
-		MP_ADD_CARRY(r2, 0, r2, carry, carry);
+                carry = 0;
+		MP_ADD_CARRY(r0, 1, r0, carry);
+		MP_ADD_CARRY(r1, 1, r1, carry);
+		MP_ADD_CARRY(r2, 0, r2, carry);
 #else
 		__asm__ (
 			"addq   $1,%0           \n\t"
 			"adcq   $1,%1           \n\t"
 			"adcq   $0,%2           \n\t"
 			: "=r"(r0), "=r"(r1), "=r"(r2)
 			: "0" (r0), "1" (r1), "2" (r2)
 			: "%cc" );
@@ -357,19 +365,20 @@ ec_GFp_nistp192_sub(const mp_int *a, con
 		b2 = MP_DIGIT(b,2);
 	case 2:
 		b1 = MP_DIGIT(b,1);
 	case 1:
 		b0 = MP_DIGIT(b,0);
 	}
 
 #ifndef MPI_AMD64_ADD
-	MP_SUB_BORROW(r0, b0, r0, 0,     borrow);
-	MP_SUB_BORROW(r1, b1, r1, borrow, borrow);
-	MP_SUB_BORROW(r2, b2, r2, borrow, borrow);
+	borrow = 0;
+	MP_SUB_BORROW(r0, b0, r0, borrow);
+	MP_SUB_BORROW(r1, b1, r1, borrow);
+	MP_SUB_BORROW(r2, b2, r2, borrow);
 #else
 	__asm__ (
                 "xorq   %3,%3           \n\t"
                 "subq   %4,%0           \n\t"
                 "sbbq   %5,%1           \n\t"
                 "sbbq   %6,%2           \n\t"
                 "adcq   $0,%3           \n\t"
                 : "=r"(r0), "=r"(r1), "=r"(r2), "=r"(borrow)
@@ -377,19 +386,20 @@ ec_GFp_nistp192_sub(const mp_int *a, con
 		  "1" (r1), "2" (r2)
                 : "%cc" );
 #endif
 
 	/* Do quick 'add' if we've gone under 0
 	 * (subtract the 2's complement of the curve field) */
 	if (borrow) {
 #ifndef MPI_AMD64_ADD
-		MP_SUB_BORROW(r0, 1, r0, 0,     borrow);
-		MP_SUB_BORROW(r1, 1, r1, borrow, borrow);
-		MP_SUB_BORROW(r2,  0, r2, borrow, borrow);
+		borrow = 0;
+		MP_SUB_BORROW(r0, 1, r0, borrow);
+		MP_SUB_BORROW(r1, 1, r1, borrow);
+		MP_SUB_BORROW(r2,  0, r2, borrow);
 #else
 		__asm__ (
 			"subq   $1,%0           \n\t"
 			"sbbq   $1,%1           \n\t"
 			"sbbq   $0,%2           \n\t"
 			: "=r"(r0), "=r"(r1), "=r"(r2)
 			: "0" (r0), "1" (r1), "2" (r2)
 			: "%cc" );
--- a/lib/freebl/ecl/ecp_224.c
+++ b/lib/freebl/ecl/ecp_224.c
@@ -67,87 +67,91 @@ ec_GFp_nistp224_mod(const mp_int *a, mp_
 		r0a = MP_DIGIT(a, 0);
 
 
 		/* implement r = (a3a,a2,a1,a0)
 			+(a5a, a4,a3b,  0)
 			+(  0, a6,a5b,  0)
 			-(  0	 0,    0|a6b, a6a|a5b )
 			-(  a6b, a6a|a5b, a5a|a4b, a4a|a3b ) */
-		MP_ADD_CARRY (r1b, a3b, r1b, 0,     carry);
-		MP_ADD_CARRY (r2a, a4a, r2a, carry, carry);
-		MP_ADD_CARRY (r2b, a4b, r2b, carry, carry);
-		MP_ADD_CARRY (r3a, a5a, r3a, carry, carry);
-		r3b = carry;
-		MP_ADD_CARRY (r1b, a5b, r1b, 0,     carry);
-		MP_ADD_CARRY (r2a, a6a, r2a, carry, carry);
-		MP_ADD_CARRY (r2b, a6b, r2b, carry, carry);
-		MP_ADD_CARRY (r3a,   0, r3a, carry, carry);
-		r3b += carry;
-		MP_SUB_BORROW(r0a, a3b, r0a, 0,     carry);
-		MP_SUB_BORROW(r0b, a4a, r0b, carry, carry);
-		MP_SUB_BORROW(r1a, a4b, r1a, carry, carry);
-		MP_SUB_BORROW(r1b, a5a, r1b, carry, carry);
-		MP_SUB_BORROW(r2a, a5b, r2a, carry, carry);
-		MP_SUB_BORROW(r2b, a6a, r2b, carry, carry);
-		MP_SUB_BORROW(r3a, a6b, r3a, carry, carry);
-		r3b -= carry;
-		MP_SUB_BORROW(r0a, a5b, r0a, 0,     carry);
-		MP_SUB_BORROW(r0b, a6a, r0b, carry, carry);
-		MP_SUB_BORROW(r1a, a6b, r1a, carry, carry);
+                carry = 0;
+		MP_ADD_CARRY (r1b, a3b, r1b, carry);
+		MP_ADD_CARRY (r2a, a4a, r2a, carry);
+		MP_ADD_CARRY (r2b, a4b, r2b, carry);
+		MP_ADD_CARRY (r3a, a5a, r3a, carry);
+		r3b = carry; carry = 0;
+		MP_ADD_CARRY (r1b, a5b, r1b, carry);
+		MP_ADD_CARRY (r2a, a6a, r2a, carry);
+		MP_ADD_CARRY (r2b, a6b, r2b, carry);
+		MP_ADD_CARRY (r3a,   0, r3a, carry);
+		r3b += carry; carry = 0;
+		MP_SUB_BORROW(r0a, a3b, r0a, carry);
+		MP_SUB_BORROW(r0b, a4a, r0b, carry);
+		MP_SUB_BORROW(r1a, a4b, r1a, carry);
+		MP_SUB_BORROW(r1b, a5a, r1b, carry);
+		MP_SUB_BORROW(r2a, a5b, r2a, carry);
+		MP_SUB_BORROW(r2b, a6a, r2b, carry);
+		MP_SUB_BORROW(r3a, a6b, r3a, carry);
+		r3b -= carry; carry = 0;
+		MP_SUB_BORROW(r0a, a5b, r0a, carry);
+		MP_SUB_BORROW(r0b, a6a, r0b, carry);
+		MP_SUB_BORROW(r1a, a6b, r1a, carry);
 		if (carry) {
-			MP_SUB_BORROW(r1b, 0, r1b, carry, carry);
-			MP_SUB_BORROW(r2a, 0, r2a, carry, carry);
-			MP_SUB_BORROW(r2b, 0, r2b, carry, carry);
-			MP_SUB_BORROW(r3a, 0, r3a, carry, carry);
+			MP_SUB_BORROW(r1b, 0, r1b, carry);
+			MP_SUB_BORROW(r2a, 0, r2a, carry);
+			MP_SUB_BORROW(r2b, 0, r2b, carry);
+			MP_SUB_BORROW(r3a, 0, r3a, carry);
 			r3b -= carry;
 		}
 
 		while (r3b > 0) {
 			int tmp;
-			MP_ADD_CARRY(r1b, r3b, r1b, 0,     carry);
+                        carry = 0;
+			MP_ADD_CARRY(r1b, r3b, r1b, carry);
 			if (carry) {
-				MP_ADD_CARRY(r2a,  0, r2a, carry, carry);
-				MP_ADD_CARRY(r2b,  0, r2b, carry, carry);
-				MP_ADD_CARRY(r3a,  0, r3a, carry, carry);
+				MP_ADD_CARRY(r2a,  0, r2a, carry);
+				MP_ADD_CARRY(r2b,  0, r2b, carry);
+				MP_ADD_CARRY(r3a,  0, r3a, carry);
 			}
-			tmp = carry;
-			MP_SUB_BORROW(r0a, r3b, r0a, 0,     carry);
+			tmp = carry; carry = 0;
+			MP_SUB_BORROW(r0a, r3b, r0a, carry);
 			if (carry) {
-				MP_SUB_BORROW(r0b, 0, r0b, carry, carry);
-				MP_SUB_BORROW(r1a, 0, r1a, carry, carry);
-				MP_SUB_BORROW(r1b, 0, r1b, carry, carry);
-				MP_SUB_BORROW(r2a, 0, r2a, carry, carry);
-				MP_SUB_BORROW(r2b, 0, r2b, carry, carry);
-				MP_SUB_BORROW(r3a, 0, r3a, carry, carry);
+				MP_SUB_BORROW(r0b, 0, r0b, carry);
+				MP_SUB_BORROW(r1a, 0, r1a, carry);
+				MP_SUB_BORROW(r1b, 0, r1b, carry);
+				MP_SUB_BORROW(r2a, 0, r2a, carry);
+				MP_SUB_BORROW(r2b, 0, r2b, carry);
+				MP_SUB_BORROW(r3a, 0, r3a, carry);
 				tmp -= carry;
 			}
 			r3b = tmp;
 		}
 
 		while (r3b < 0) {
 			mp_digit maxInt = MP_DIGIT_MAX;
-                	MP_ADD_CARRY (r0a, 1, r0a, 0,     carry);
-                	MP_ADD_CARRY (r0b, 0, r0b, carry, carry);
-                	MP_ADD_CARRY (r1a, 0, r1a, carry, carry);
-                	MP_ADD_CARRY (r1b, maxInt, r1b, carry, carry);
-                	MP_ADD_CARRY (r2a, maxInt, r2a, carry, carry);
-                	MP_ADD_CARRY (r2b, maxInt, r2b, carry, carry);
-                	MP_ADD_CARRY (r3a, maxInt, r3a, carry, carry);
+                        carry = 0;
+                	MP_ADD_CARRY (r0a, 1, r0a, carry);
+                	MP_ADD_CARRY (r0b, 0, r0b, carry);
+                	MP_ADD_CARRY (r1a, 0, r1a, carry);
+                	MP_ADD_CARRY (r1b, maxInt, r1b, carry);
+                	MP_ADD_CARRY (r2a, maxInt, r2a, carry);
+                	MP_ADD_CARRY (r2b, maxInt, r2b, carry);
+                	MP_ADD_CARRY (r3a, maxInt, r3a, carry);
 			r3b += carry;
 		}
 		/* check for final reduction */
 		/* now the only way we are over is if the top 4 words are all ones */
 		if ((r3a == MP_DIGIT_MAX) && (r2b == MP_DIGIT_MAX)
 			&& (r2a == MP_DIGIT_MAX) && (r1b == MP_DIGIT_MAX) &&
 			 ((r1a != 0) || (r0b != 0) || (r0a != 0)) ) {
 			/* one last subraction */
-			MP_SUB_BORROW(r0a, 1, r0a, 0,     carry);
-			MP_SUB_BORROW(r0b, 0, r0b, carry, carry);
-			MP_SUB_BORROW(r1a, 0, r1a, carry, carry);
+                        carry = 0;
+			MP_SUB_BORROW(r0a, 1, r0a, carry);
+			MP_SUB_BORROW(r0b, 0, r0b, carry);
+			MP_SUB_BORROW(r1a, 0, r1a, carry);
 			r1b = r2a = r2b = r3a = 0;
 		}
 
 
 		if (a != r) {
 			MP_CHECKOK(s_mp_pad(r, 7));
 		}
 		/* set the lower words of r */
@@ -189,71 +193,79 @@ ec_GFp_nistp224_mod(const mp_int *a, mp_
 		r1 = MP_DIGIT(a, 1);
 		r0 = MP_DIGIT(a, 0);
 
 		/* implement r = (a3a,a2,a1,a0)
 			+(a5a, a4,a3b,  0)
 			+(  0, a6,a5b,  0)
 			-(  0	 0,    0|a6b, a6a|a5b )
 			-(  a6b, a6a|a5b, a5a|a4b, a4a|a3b ) */
-		MP_ADD_CARRY (r1, a3b, r1, 0,     carry);
-		MP_ADD_CARRY (r2, a4 , r2, carry, carry);
-		MP_ADD_CARRY (r3, a5a, r3, carry, carry);
-		MP_ADD_CARRY (r1, a5b, r1, 0,     carry);
-		MP_ADD_CARRY (r2, a6 , r2, carry, carry);
-		MP_ADD_CARRY (r3,   0, r3, carry, carry);
+                carry = 0;
+		MP_ADD_CARRY (r1, a3b, r1, carry);
+		MP_ADD_CARRY (r2, a4 , r2, carry);
+		MP_ADD_CARRY (r3, a5a, r3, carry);
+                carry = 0;
+		MP_ADD_CARRY (r1, a5b, r1, carry);
+		MP_ADD_CARRY (r2, a6 , r2, carry);
+		MP_ADD_CARRY (r3,   0, r3, carry);
 
-		MP_SUB_BORROW(r0, a4a_a3b, r0, 0,     carry);
-		MP_SUB_BORROW(r1, a5a_a4b, r1, carry, carry);
-		MP_SUB_BORROW(r2, a6a_a5b, r2, carry, carry);
-		MP_SUB_BORROW(r3, a6b    , r3, carry, carry);
-		MP_SUB_BORROW(r0, a6a_a5b, r0, 0,     carry);
-		MP_SUB_BORROW(r1, a6b    , r1, carry, carry);
+		carry = 0;
+		MP_SUB_BORROW(r0, a4a_a3b, r0, carry);
+		MP_SUB_BORROW(r1, a5a_a4b, r1, carry);
+		MP_SUB_BORROW(r2, a6a_a5b, r2, carry);
+		MP_SUB_BORROW(r3, a6b    , r3, carry);
+		carry = 0;
+		MP_SUB_BORROW(r0, a6a_a5b, r0, carry);
+		MP_SUB_BORROW(r1, a6b    , r1, carry);
 		if (carry) {
-			MP_SUB_BORROW(r2, 0, r2, carry, carry);
-			MP_SUB_BORROW(r3, 0, r3, carry, carry);
+			MP_SUB_BORROW(r2, 0, r2, carry);
+			MP_SUB_BORROW(r3, 0, r3, carry);
 		}
 
 
 		/* if the value is negative, r3 has a 2's complement 
 		 * high value */
 		r3b = (int)(r3 >>32);
 		while (r3b > 0) {
 			r3 &= 0xffffffff;
-			MP_ADD_CARRY(r1,((mp_digit)r3b) << 32, r1, 0, carry);
+                        carry = 0;
+			MP_ADD_CARRY(r1,((mp_digit)r3b) << 32, r1, carry);
 			if (carry) {
-				MP_ADD_CARRY(r2,  0, r2, carry, carry);
-				MP_ADD_CARRY(r3,  0, r3, carry, carry);
+				MP_ADD_CARRY(r2,  0, r2, carry);
+				MP_ADD_CARRY(r3,  0, r3, carry);
 			}
-			MP_SUB_BORROW(r0, r3b, r0, 0, carry);
+			carry = 0;
+			MP_SUB_BORROW(r0, r3b, r0, carry);
 			if (carry) {
-				MP_SUB_BORROW(r1, 0, r1, carry, carry);
-				MP_SUB_BORROW(r2, 0, r2, carry, carry);
-				MP_SUB_BORROW(r3, 0, r3, carry, carry);
+				MP_SUB_BORROW(r1, 0, r1, carry);
+				MP_SUB_BORROW(r2, 0, r2, carry);
+				MP_SUB_BORROW(r3, 0, r3, carry);
 			}
 			r3b = (int)(r3 >>32);
 		}
 
 		while (r3b < 0) {
-                	MP_ADD_CARRY (r0, 1, r0, 0,     carry);
-                	MP_ADD_CARRY (r1, MP_DIGIT_MAX <<32, r1, carry, carry);
-                	MP_ADD_CARRY (r2, MP_DIGIT_MAX, r2, carry, carry);
-                	MP_ADD_CARRY (r3, MP_DIGIT_MAX >> 32, r3, carry, carry);
+                        carry = 0;
+                	MP_ADD_CARRY (r0, 1, r0, carry);
+                	MP_ADD_CARRY (r1, MP_DIGIT_MAX <<32, r1, carry);
+                	MP_ADD_CARRY (r2, MP_DIGIT_MAX, r2, carry);
+                	MP_ADD_CARRY (r3, MP_DIGIT_MAX >> 32, r3, carry);
 			r3b = (int)(r3 >>32);
 		}
 		/* check for final reduction */
 		/* now the only way we are over is if the top 4 words are 
 		 * all ones. Subtract the curve. (curve is 2^224 - 2^96 +1)
 		 */
 		if ((r3 == (MP_DIGIT_MAX >> 32)) && (r2 == MP_DIGIT_MAX)
 			&& ((r1 & MP_DIGIT_MAX << 32)== MP_DIGIT_MAX << 32) &&
 			 ((r1 != MP_DIGIT_MAX << 32 ) || (r0 != 0)) ) {
 			/* one last subraction */
-			MP_SUB_BORROW(r0, 1, r0, 0,     carry);
-			MP_SUB_BORROW(r1, MP_DIGIT_MAX << 32, r1, carry, carry);
+			carry = 0;
+			MP_SUB_BORROW(r0, 1, r0, carry);
+			MP_SUB_BORROW(r1, MP_DIGIT_MAX << 32, r1, carry);
 			r2 = r3 = 0;
 		}
 
 
 		if (a != r) {
 			MP_CHECKOK(s_mp_pad(r, 4));
 		}
 		/* set the lower words of r */
--- a/lib/freebl/ecl/ecp_256.c
+++ b/lib/freebl/ecl/ecp_256.c
@@ -63,125 +63,128 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_
 		r2 = MP_DIGIT(a,2);
 		r3 = MP_DIGIT(a,3);
 		r4 = MP_DIGIT(a,4);
 		r5 = MP_DIGIT(a,5);
 		r6 = MP_DIGIT(a,6);
 		r7 = MP_DIGIT(a,7);
 
 		/* sum 1 */
-		MP_ADD_CARRY(r3, a11, r3, 0,     carry);
-		MP_ADD_CARRY(r4, a12, r4, carry, carry);
-		MP_ADD_CARRY(r5, a13, r5, carry, carry);
-		MP_ADD_CARRY(r6, a14, r6, carry, carry);
-		MP_ADD_CARRY(r7, a15, r7, carry, carry);
-		r8 = carry;
-		MP_ADD_CARRY(r3, a11, r3, 0,     carry);
-		MP_ADD_CARRY(r4, a12, r4, carry, carry);
-		MP_ADD_CARRY(r5, a13, r5, carry, carry);
-		MP_ADD_CARRY(r6, a14, r6, carry, carry);
-		MP_ADD_CARRY(r7, a15, r7, carry, carry);
-		r8 += carry;
+                carry = 0;
+		MP_ADD_CARRY(r3, a11, r3, carry);
+		MP_ADD_CARRY(r4, a12, r4, carry);
+		MP_ADD_CARRY(r5, a13, r5, carry);
+		MP_ADD_CARRY(r6, a14, r6, carry);
+		MP_ADD_CARRY(r7, a15, r7, carry);
+		r8 = carry; carry = 0;
+		MP_ADD_CARRY(r3, a11, r3, carry);
+		MP_ADD_CARRY(r4, a12, r4, carry);
+		MP_ADD_CARRY(r5, a13, r5, carry);
+		MP_ADD_CARRY(r6, a14, r6, carry);
+		MP_ADD_CARRY(r7, a15, r7, carry);
+		r8 += carry; carry = 0;
 		/* sum 2 */
-		MP_ADD_CARRY(r3, a12, r3, 0,     carry);
-		MP_ADD_CARRY(r4, a13, r4, carry, carry);
-		MP_ADD_CARRY(r5, a14, r5, carry, carry);
-		MP_ADD_CARRY(r6, a15, r6, carry, carry);
-		MP_ADD_CARRY(r7,   0, r7, carry, carry);
-		r8 += carry;
+		MP_ADD_CARRY(r3, a12, r3, carry);
+		MP_ADD_CARRY(r4, a13, r4, carry);
+		MP_ADD_CARRY(r5, a14, r5, carry);
+		MP_ADD_CARRY(r6, a15, r6, carry);
+		MP_ADD_CARRY(r7,   0, r7, carry);
+		r8 += carry; carry = 0;
 		/* combine last bottom of sum 3 with second sum 2 */
-		MP_ADD_CARRY(r0, a8,  r0, 0,     carry);
-		MP_ADD_CARRY(r1, a9,  r1, carry, carry);
-		MP_ADD_CARRY(r2, a10, r2, carry, carry);
-		MP_ADD_CARRY(r3, a12, r3, carry, carry);
-		MP_ADD_CARRY(r4, a13, r4, carry, carry);
-		MP_ADD_CARRY(r5, a14, r5, carry, carry);
-		MP_ADD_CARRY(r6, a15, r6, carry, carry);
-		MP_ADD_CARRY(r7, a15, r7, carry, carry); /* from sum 3 */
-		r8 += carry;
+		MP_ADD_CARRY(r0, a8,  r0, carry);
+		MP_ADD_CARRY(r1, a9,  r1, carry);
+		MP_ADD_CARRY(r2, a10, r2, carry);
+		MP_ADD_CARRY(r3, a12, r3, carry);
+		MP_ADD_CARRY(r4, a13, r4, carry);
+		MP_ADD_CARRY(r5, a14, r5, carry);
+		MP_ADD_CARRY(r6, a15, r6, carry);
+		MP_ADD_CARRY(r7, a15, r7, carry); /* from sum 3 */
+		r8 += carry; carry = 0;
 		/* sum 3 (rest of it)*/
-		MP_ADD_CARRY(r6, a14, r6, 0,     carry);
-		MP_ADD_CARRY(r7,   0, r7, carry, carry);
-		r8 += carry;
+		MP_ADD_CARRY(r6, a14, r6, carry);
+		MP_ADD_CARRY(r7,   0, r7, carry);
+		r8 += carry; carry = 0;
 		/* sum 4 (rest of it)*/
-		MP_ADD_CARRY(r0, a9,  r0, 0,     carry);
-		MP_ADD_CARRY(r1, a10, r1, carry, carry);
-		MP_ADD_CARRY(r2, a11, r2, carry, carry);
-		MP_ADD_CARRY(r3, a13, r3, carry, carry);
-		MP_ADD_CARRY(r4, a14, r4, carry, carry);
-		MP_ADD_CARRY(r5, a15, r5, carry, carry);
-		MP_ADD_CARRY(r6, a13, r6, carry, carry);
-		MP_ADD_CARRY(r7, a8,  r7, carry, carry);
-		r8 += carry;
+		MP_ADD_CARRY(r0, a9,  r0, carry);
+		MP_ADD_CARRY(r1, a10, r1, carry);
+		MP_ADD_CARRY(r2, a11, r2, carry);
+		MP_ADD_CARRY(r3, a13, r3, carry);
+		MP_ADD_CARRY(r4, a14, r4, carry);
+		MP_ADD_CARRY(r5, a15, r5, carry);
+		MP_ADD_CARRY(r6, a13, r6, carry);
+		MP_ADD_CARRY(r7, a8,  r7, carry);
+		r8 += carry; carry = 0;
 		/* diff 5 */
-		MP_SUB_BORROW(r0, a11, r0, 0,     carry);
-		MP_SUB_BORROW(r1, a12, r1, carry, carry);
-		MP_SUB_BORROW(r2, a13, r2, carry, carry);
-		MP_SUB_BORROW(r3,   0, r3, carry, carry);
-		MP_SUB_BORROW(r4,   0, r4, carry, carry);
-		MP_SUB_BORROW(r5,   0, r5, carry, carry);
-		MP_SUB_BORROW(r6, a8,  r6, carry, carry);
-		MP_SUB_BORROW(r7, a10, r7, carry, carry);
-		r8 -= carry;
+		MP_SUB_BORROW(r0, a11, r0, carry);
+		MP_SUB_BORROW(r1, a12, r1, carry);
+		MP_SUB_BORROW(r2, a13, r2, carry);
+		MP_SUB_BORROW(r3,   0, r3, carry);
+		MP_SUB_BORROW(r4,   0, r4, carry);
+		MP_SUB_BORROW(r5,   0, r5, carry);
+		MP_SUB_BORROW(r6, a8,  r6, carry);
+		MP_SUB_BORROW(r7, a10, r7, carry);
+		r8 -= carry; carry = 0;
 		/* diff 6 */
-		MP_SUB_BORROW(r0, a12, r0, 0,     carry);
-		MP_SUB_BORROW(r1, a13, r1, carry, carry);
-		MP_SUB_BORROW(r2, a14, r2, carry, carry);
-		MP_SUB_BORROW(r3, a15, r3, carry, carry);
-		MP_SUB_BORROW(r4,   0, r4, carry, carry);
-		MP_SUB_BORROW(r5,   0, r5, carry, carry);
-		MP_SUB_BORROW(r6, a9,  r6, carry, carry);
-		MP_SUB_BORROW(r7, a11, r7, carry, carry);
-		r8 -= carry;
+		MP_SUB_BORROW(r0, a12, r0, carry);
+		MP_SUB_BORROW(r1, a13, r1, carry);
+		MP_SUB_BORROW(r2, a14, r2, carry);
+		MP_SUB_BORROW(r3, a15, r3, carry);
+		MP_SUB_BORROW(r4,   0, r4, carry);
+		MP_SUB_BORROW(r5,   0, r5, carry);
+		MP_SUB_BORROW(r6, a9,  r6, carry);
+		MP_SUB_BORROW(r7, a11, r7, carry);
+		r8 -= carry; carry = 0;
 		/* diff 7 */
-		MP_SUB_BORROW(r0, a13, r0, 0,     carry);
-		MP_SUB_BORROW(r1, a14, r1, carry, carry);
-		MP_SUB_BORROW(r2, a15, r2, carry, carry);
-		MP_SUB_BORROW(r3, a8,  r3, carry, carry);
-		MP_SUB_BORROW(r4, a9,  r4, carry, carry);
-		MP_SUB_BORROW(r5, a10, r5, carry, carry);
-		MP_SUB_BORROW(r6, 0,   r6, carry, carry);
-		MP_SUB_BORROW(r7, a12, r7, carry, carry);
-		r8 -= carry;
+		MP_SUB_BORROW(r0, a13, r0, carry);
+		MP_SUB_BORROW(r1, a14, r1, carry);
+		MP_SUB_BORROW(r2, a15, r2, carry);
+		MP_SUB_BORROW(r3, a8,  r3, carry);
+		MP_SUB_BORROW(r4, a9,  r4, carry);
+		MP_SUB_BORROW(r5, a10, r5, carry);
+		MP_SUB_BORROW(r6, 0,   r6, carry);
+		MP_SUB_BORROW(r7, a12, r7, carry);
+		r8 -= carry; carry = 0;
 		/* diff 8 */
-		MP_SUB_BORROW(r0, a14, r0, 0,     carry);
-		MP_SUB_BORROW(r1, a15, r1, carry, carry);
-		MP_SUB_BORROW(r2, 0,   r2, carry, carry);
-		MP_SUB_BORROW(r3, a9,  r3, carry, carry);
-		MP_SUB_BORROW(r4, a10, r4, carry, carry);
-		MP_SUB_BORROW(r5, a11, r5, carry, carry);
-		MP_SUB_BORROW(r6, 0,   r6, carry, carry);
-		MP_SUB_BORROW(r7, a13, r7, carry, carry);
+		MP_SUB_BORROW(r0, a14, r0, carry);
+		MP_SUB_BORROW(r1, a15, r1, carry);
+		MP_SUB_BORROW(r2, 0,   r2, carry);
+		MP_SUB_BORROW(r3, a9,  r3, carry);
+		MP_SUB_BORROW(r4, a10, r4, carry);
+		MP_SUB_BORROW(r5, a11, r5, carry);
+		MP_SUB_BORROW(r6, 0,   r6, carry);
+		MP_SUB_BORROW(r7, a13, r7, carry);
 		r8 -= carry;
 
 		/* reduce the overflows */
 		while (r8 > 0) {
-			mp_digit r8_d = r8;
-			MP_ADD_CARRY(r0, r8_d,         r0, 0,     carry);
-			MP_ADD_CARRY(r1, 0,            r1, carry, carry);
-			MP_ADD_CARRY(r2, 0,            r2, carry, carry);
-			MP_ADD_CARRY(r3, 0-r8_d,       r3, carry, carry);
-			MP_ADD_CARRY(r4, MP_DIGIT_MAX, r4, carry, carry);
-			MP_ADD_CARRY(r5, MP_DIGIT_MAX, r5, carry, carry);
-			MP_ADD_CARRY(r6, 0-(r8_d+1),   r6, carry, carry);
-			MP_ADD_CARRY(r7, (r8_d-1),     r7, carry, carry);
+			mp_digit r8_d = r8; carry = 0;
+			carry = 0;
+			MP_ADD_CARRY(r0, r8_d,         r0, carry);
+			MP_ADD_CARRY(r1, 0,            r1, carry);
+			MP_ADD_CARRY(r2, 0,            r2, carry);
+			MP_ADD_CARRY(r3, 0-r8_d,       r3, carry);
+			MP_ADD_CARRY(r4, MP_DIGIT_MAX, r4, carry);
+			MP_ADD_CARRY(r5, MP_DIGIT_MAX, r5, carry);
+			MP_ADD_CARRY(r6, 0-(r8_d+1),   r6, carry);
+			MP_ADD_CARRY(r7, (r8_d-1),     r7, carry);
 			r8 = carry;
 		}
 
 		/* reduce the underflows */
 		while (r8 < 0) {
 			mp_digit r8_d = -r8;
-			MP_SUB_BORROW(r0, r8_d,         r0, 0,     carry);
-			MP_SUB_BORROW(r1, 0,            r1, carry, carry);
-			MP_SUB_BORROW(r2, 0,            r2, carry, carry);
-			MP_SUB_BORROW(r3, 0-r8_d,       r3, carry, carry);
-			MP_SUB_BORROW(r4, MP_DIGIT_MAX, r4, carry, carry);
-			MP_SUB_BORROW(r5, MP_DIGIT_MAX, r5, carry, carry);
-			MP_SUB_BORROW(r6, 0-(r8_d+1),   r6, carry, carry);
-			MP_SUB_BORROW(r7, (r8_d-1),     r7, carry, carry);
+			carry = 0;
+			MP_SUB_BORROW(r0, r8_d,         r0, carry);
+			MP_SUB_BORROW(r1, 0,            r1, carry);
+			MP_SUB_BORROW(r2, 0,            r2, carry);
+			MP_SUB_BORROW(r3, 0-r8_d,       r3, carry);
+			MP_SUB_BORROW(r4, MP_DIGIT_MAX, r4, carry);
+			MP_SUB_BORROW(r5, MP_DIGIT_MAX, r5, carry);
+			MP_SUB_BORROW(r6, 0-(r8_d+1),   r6, carry);
+			MP_SUB_BORROW(r7, (r8_d-1),     r7, carry);
 			r8 = 0-carry;
 		}
 		if (a != r) {
 			MP_CHECKOK(s_mp_pad(r,8));
 		}
 		MP_SIGN(r) = MP_ZPOS;
 		MP_USED(r) = 8;
 
@@ -224,90 +227,104 @@ ec_GFp_nistp256_mod(const mp_int *a, mp_
 		a4l = a4 << 32;
 		a4h = a4 >> 32;
 		r3 = MP_DIGIT(a,3);
 		r2 = MP_DIGIT(a,2);
 		r1 = MP_DIGIT(a,1);
 		r0 = MP_DIGIT(a,0);
 
 		/* sum 1 */
-		MP_ADD_CARRY(r1, a5h << 32, r1, 0,     carry);
-		MP_ADD_CARRY(r2, a6,        r2, carry, carry);
-		MP_ADD_CARRY(r3, a7,        r3, carry, carry);
-		r4 = carry;
-		MP_ADD_CARRY(r1, a5h << 32, r1, 0,     carry);
-		MP_ADD_CARRY(r2, a6,        r2, carry, carry);
-		MP_ADD_CARRY(r3, a7,        r3, carry, carry);
-		r4 += carry;
+                carry = 0;
+		carry = 0;
+		MP_ADD_CARRY(r1, a5h << 32, r1, carry);
+		MP_ADD_CARRY(r2, a6,        r2, carry);
+		MP_ADD_CARRY(r3, a7,        r3, carry);
+		r4 = carry; carry = 0;
+		carry = 0;
+		MP_ADD_CARRY(r1, a5h << 32, r1, carry);
+		MP_ADD_CARRY(r2, a6,        r2, carry);
+		MP_ADD_CARRY(r3, a7,        r3, carry);
+		r4 += carry; carry = 0;
 		/* sum 2 */
-		MP_ADD_CARRY(r1, a6l,       r1, 0,     carry);
-		MP_ADD_CARRY(r2, a6h | a7l, r2, carry, carry);
-		MP_ADD_CARRY(r3, a7h,       r3, carry, carry);
-		r4 += carry;
-		MP_ADD_CARRY(r1, a6l,       r1, 0,     carry);
-		MP_ADD_CARRY(r2, a6h | a7l, r2, carry, carry);
-		MP_ADD_CARRY(r3, a7h,       r3, carry, carry);
-		r4 += carry;
+		carry = 0;
+		MP_ADD_CARRY(r1, a6l,       r1, carry);
+		MP_ADD_CARRY(r2, a6h | a7l, r2, carry);
+		MP_ADD_CARRY(r3, a7h,       r3, carry);
+		r4 += carry; carry = 0;
+		carry = 0;
+		MP_ADD_CARRY(r1, a6l,       r1, carry);
+		MP_ADD_CARRY(r2, a6h | a7l, r2, carry);
+		MP_ADD_CARRY(r3, a7h,       r3, carry);
+		r4 += carry; carry = 0;
 
 		/* sum 3 */
-		MP_ADD_CARRY(r0, a4,        r0, 0,     carry);
-		MP_ADD_CARRY(r1, a5l >> 32, r1, carry, carry);
-		MP_ADD_CARRY(r2, 0,         r2, carry, carry);
-		MP_ADD_CARRY(r3, a7,        r3, carry, carry);
-		r4 += carry;
+		carry = 0;
+		MP_ADD_CARRY(r0, a4,        r0, carry);
+		MP_ADD_CARRY(r1, a5l >> 32, r1, carry);
+		MP_ADD_CARRY(r2, 0,         r2, carry);
+		MP_ADD_CARRY(r3, a7,        r3, carry);
+		r4 += carry; carry = 0;
 		/* sum 4 */
-		MP_ADD_CARRY(r0, a4h | a5l,     r0, 0,     carry);
-		MP_ADD_CARRY(r1, a5h|(a6h<<32), r1, carry, carry);
-		MP_ADD_CARRY(r2, a7,            r2, carry, carry);
-		MP_ADD_CARRY(r3, a6h | a4l,     r3, carry, carry);
+		carry = 0;
+		MP_ADD_CARRY(r0, a4h | a5l,     r0, carry);
+		MP_ADD_CARRY(r1, a5h|(a6h<<32), r1, carry);
+		MP_ADD_CARRY(r2, a7,            r2, carry);
+		MP_ADD_CARRY(r3, a6h | a4l,     r3, carry);
 		r4 += carry;
 		/* diff 5 */
-		MP_SUB_BORROW(r0, a5h | a6l,    r0, 0,     carry);
-		MP_SUB_BORROW(r1, a6h,          r1, carry, carry);
-		MP_SUB_BORROW(r2, 0,            r2, carry, carry);
-		MP_SUB_BORROW(r3, (a4l>>32)|a5l,r3, carry, carry);
+		carry = 0;
+		MP_SUB_BORROW(r0, a5h | a6l,    r0, carry);
+		MP_SUB_BORROW(r1, a6h,          r1, carry);
+		MP_SUB_BORROW(r2, 0,            r2, carry);
+		MP_SUB_BORROW(r3, (a4l>>32)|a5l,r3, carry);
 		r4 -= carry;
 		/* diff 6 */
-		MP_SUB_BORROW(r0, a6,  		r0, 0,     carry);
-		MP_SUB_BORROW(r1, a7,           r1, carry, carry);
-		MP_SUB_BORROW(r2, 0,            r2, carry, carry);
-		MP_SUB_BORROW(r3, a4h|(a5h<<32),r3, carry, carry);
+		carry = 0;
+		MP_SUB_BORROW(r0, a6,  		r0, carry);
+		MP_SUB_BORROW(r1, a7,           r1, carry);
+		MP_SUB_BORROW(r2, 0,            r2, carry);
+		MP_SUB_BORROW(r3, a4h|(a5h<<32),r3, carry);
 		r4 -= carry;
 		/* diff 7 */
-		MP_SUB_BORROW(r0, a6h|a7l,	r0, 0,     carry);
-		MP_SUB_BORROW(r1, a7h|a4l,      r1, carry, carry);
-		MP_SUB_BORROW(r2, a4h|a5l,      r2, carry, carry);
-		MP_SUB_BORROW(r3, a6l,          r3, carry, carry);
+		carry = 0;
+		MP_SUB_BORROW(r0, a6h|a7l,	r0, carry);
+		MP_SUB_BORROW(r1, a7h|a4l,      r1, carry);
+		MP_SUB_BORROW(r2, a4h|a5l,      r2, carry);
+		MP_SUB_BORROW(r3, a6l,          r3, carry);
 		r4 -= carry;
 		/* diff 8 */
-		MP_SUB_BORROW(r0, a7,	        r0, 0,     carry);
-		MP_SUB_BORROW(r1, a4h<<32,      r1, carry, carry);
-		MP_SUB_BORROW(r2, a5,           r2, carry, carry);
-		MP_SUB_BORROW(r3, a6h<<32,      r3, carry, carry);
+		carry = 0;
+		MP_SUB_BORROW(r0, a7,	        r0, carry);
+		MP_SUB_BORROW(r1, a4h<<32,      r1, carry);
+		MP_SUB_BORROW(r2, a5,           r2, carry);
+		MP_SUB_BORROW(r3, a6h<<32,      r3, carry);
 		r4 -= carry;
 
 		/* reduce the overflows */
 		while (r4 > 0) {
 			mp_digit r4_long = r4;
 			mp_digit r4l = (r4_long << 32);
-			MP_ADD_CARRY(r0, r4_long,      r0, 0,     carry);
-			MP_ADD_CARRY(r1, 0-r4l,        r1, carry, carry);
-			MP_ADD_CARRY(r2, MP_DIGIT_MAX, r2, carry, carry);
-			MP_ADD_CARRY(r3, r4l-r4_long-1,r3, carry, carry);
+                        carry = 0;
+			carry = 0;
+			MP_ADD_CARRY(r0, r4_long,      r0, carry);
+			MP_ADD_CARRY(r1, 0-r4l,        r1, carry);
+			MP_ADD_CARRY(r2, MP_DIGIT_MAX, r2, carry);
+			MP_ADD_CARRY(r3, r4l-r4_long-1,r3, carry);
 			r4 = carry;
 		}
 
 		/* reduce the underflows */
 		while (r4 < 0) {
 			mp_digit r4_long = -r4;
 			mp_digit r4l = (r4_long << 32);
-			MP_SUB_BORROW(r0, r4_long,      r0, 0,     carry);
-			MP_SUB_BORROW(r1, 0-r4l,        r1, carry, carry);
-			MP_SUB_BORROW(r2, MP_DIGIT_MAX, r2, carry, carry);
-			MP_SUB_BORROW(r3, r4l-r4_long-1,r3, carry, carry);
+			carry = 0;
+			MP_SUB_BORROW(r0, r4_long,      r0, carry);
+			MP_SUB_BORROW(r1, 0-r4l,        r1, carry);
+			MP_SUB_BORROW(r2, MP_DIGIT_MAX, r2, carry);
+			MP_SUB_BORROW(r3, r4l-r4_long-1,r3, carry);
 			r4 = 0-carry;
 		}
 
 		if (a != r) {
 			MP_CHECKOK(s_mp_pad(r,4));
 		}
 		MP_SIGN(r) = MP_ZPOS;
 		MP_USED(r) = 4;
--- a/lib/freebl/ecl/ecp_521.c
+++ b/lib/freebl/ecl/ecp_521.c
@@ -12,17 +12,17 @@
 /* Fast modular reduction for p521 = 2^521 - 1.  a can be r. Uses
  * algorithm 2.31 from Hankerson, Menezes, Vanstone. Guide to 
  * Elliptic Curve Cryptography. */
 static mp_err
 ec_GFp_nistp521_mod(const mp_int *a, mp_int *r, const GFMethod *meth)
 {
 	mp_err res = MP_OKAY;
 	int a_bits = mpl_significant_bits(a);
-	int i;
+	unsigned int i;
 
 	/* m1, m2 are statically-allocated mp_int of exactly the size we need */
 	mp_int m1;
 
 	mp_digit s1[ECP521_DIGITS] = { 0 };
 
 	MP_SIGN(&m1) = MP_ZPOS;
 	MP_ALLOC(&m1) = ECP521_DIGITS;
--- a/lib/freebl/ecl/ecp_jac.c
+++ b/lib/freebl/ecl/ecp_jac.c
@@ -382,17 +382,17 @@ mp_err
 ec_GFp_pts_mul_jac(const mp_int *k1, const mp_int *k2, const mp_int *px,
 				   const mp_int *py, mp_int *rx, mp_int *ry,
 				   const ECGroup *group)
 {
 	mp_err res = MP_OKAY;
 	mp_int precomp[4][4][2];
 	mp_int rz;
 	const mp_int *a, *b;
-	int i, j;
+	unsigned int i, j;
 	int ai, bi, d;
 
 	for (i = 0; i < 4; i++) {
 		for (j = 0; j < 4; j++) {
 			MP_DIGITS(&precomp[i][j][0]) = 0;
 			MP_DIGITS(&precomp[i][j][1]) = 0;
 		}
 	}
@@ -489,17 +489,17 @@ ec_GFp_pts_mul_jac(const mp_int *k1, con
 	}
 
 	d = (mpl_significant_bits(a) + 1) / 2;
 
 	/* R = inf */
 	MP_CHECKOK(mp_init(&rz));
 	MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, &rz));
 
-	for (i = d - 1; i >= 0; i--) {
+        for (i = d; i-- > 0;) {
 		ai = MP_GET_BIT(a, 2 * i + 1);
 		ai <<= 1;
 		ai |= MP_GET_BIT(a, 2 * i);
 		bi = MP_GET_BIT(b, 2 * i + 1);
 		bi <<= 1;
 		bi |= MP_GET_BIT(b, 2 * i);
 		/* R = 2^2 * R */
 		MP_CHECKOK(ec_GFp_pt_dbl_jac(rx, ry, &rz, rx, ry, &rz, group));
--- a/lib/freebl/ldvector.c
+++ b/lib/freebl/ldvector.c
@@ -289,20 +289,17 @@ static const struct FREEBLVectorStr vect
     EC_CopyParams
 
     /* End of Version 3.017 */
 };
 
 const FREEBLVector *
 FREEBL_GetVector(void)
 {
-    extern const char __nss_freebl_version[];
+#define NSS_VERSION_VARIABLE __nss_freebl_version
+#include "verref.h"
 
-    /* force a reference that won't get optimized away */
-    volatile char c;
-
-    c = __nss_freebl_version[0];
 #ifdef FREEBL_NO_DEPEND
     FREEBL_InitStubs();
 #endif
     return &vector;
 }
 
--- a/lib/freebl/loader.c
+++ b/lib/freebl/loader.c
@@ -127,35 +127,40 @@ freebl_LoadDSO( void )
   if (!name) {
     PR_SetError(PR_LOAD_LIBRARY_ERROR, 0);
     return PR_FAILURE;
   }
 
   handle = loader_LoadLibrary(name);
   if (handle) {
     PRFuncPtr address = PR_FindFunctionSymbol(handle, "FREEBL_GetVector");
-    PRStatus status;
     if (address) {
       FREEBLGetVectorFn  * getVector = (FREEBLGetVectorFn *)address;
       const FREEBLVector * dsoVector = getVector();
       if (dsoVector) {
 	unsigned short dsoVersion = dsoVector->version;
 	unsigned short  myVersion = FREEBL_VERSION;
 	if (MSB(dsoVersion) == MSB(myVersion) && 
 	    LSB(dsoVersion) >= LSB(myVersion) &&
 	    dsoVector->length >= sizeof(FREEBLVector)) {
           vector = dsoVector;
 	  libraryName = name;
 	  blLib = handle;
 	  return PR_SUCCESS;
 	}
       }
     }
-    status = PR_UnloadLibrary(handle);
-    PORT_Assert(PR_SUCCESS == status);
+#ifdef DEBUG
+    {
+      PRStatus status = PR_UnloadLibrary(blLib);
+      PORT_Assert(PR_SUCCESS == status);
+    }
+#else
+    PR_UnloadLibrary(blLib);
+#endif
   }
   return PR_FAILURE;
 }
 
 static const PRCallOnceType pristineCallOnce;
 static PRCallOnceType loadFreeBLOnce;
 
 static PRStatus
@@ -896,18 +901,22 @@ BL_Unload(void)
   char *disableUnload = NULL;
   vector = NULL;
   /* If an SSL socket is configured with SSL_BYPASS_PKCS11, but the application
    * never does a handshake on it, BL_Unload will be called even though freebl
    * was never loaded. So, don't assert blLib. */
   if (blLib) {
       disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
       if (!disableUnload) {
+#ifdef DEBUG
           PRStatus status = PR_UnloadLibrary(blLib);
           PORT_Assert(PR_SUCCESS == status);
+#else
+          PR_UnloadLibrary(blLib);
+#endif
       }
       blLib = NULL;
   }
   loadFreeBLOnce = pristineCallOnce;
 }
 
 /* ============== New for 3.003 =============================== */
 
--- a/lib/freebl/md5.c
+++ b/lib/freebl/md5.c
@@ -254,17 +254,17 @@ MD5_Begin(MD5Context *cx)
 #endif
 
 #define MASK 0x00ff00ff
 #ifdef IS_LITTLE_ENDIAN
 #define lendian(i32) \
 	(i32)
 #else
 #define lendian(i32) \
-	(tmp = i32 >> 16 | i32 << 16, (tmp & MASK) << 8 | tmp >> 8 & MASK)
+	(tmp = (i32 >> 16) | (i32 << 16), ((tmp & MASK) << 8) | ((tmp >> 8) & MASK))
 #endif
 
 #ifndef IS_LITTLE_ENDIAN
 
 #define lebytes(b4) \
 	((b4)[3] << 24 | (b4)[2] << 16 | (b4)[1] << 8 | (b4)[0])
 
 static void
--- a/lib/freebl/mpi/mpcpucache.c
+++ b/lib/freebl/mpi/mpcpucache.c
@@ -1,13 +1,14 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "mpi.h"
+#include "prtypes.h"
 
 /*
  * This file implements a single function: s_mpi_getProcessorLineSize();
  * s_mpi_getProcessorLineSize() returns the size in bytes of the cache line
  * if a cache exists, or zero if there is no cache. If more than one
  * cache line exists, it should return the smallest line size (which is 
  * usually the L1 cache).
  *
@@ -614,78 +615,62 @@ static const int n_manufacturers = sizeo
 #define MAN_UNKNOWN 9
 
 #if !defined(AMD_64)
 #define SSE2_FLAG (1<<26)
 unsigned long
 s_mpi_is_sse2()
 {
     unsigned long eax, ebx, ecx, edx;
-    int manufacturer = MAN_UNKNOWN;
-    int i;
-    char string[13];
 
     if (is386() || is486()) {
 	return 0;
     }
     freebl_cpuid(0, &eax, &ebx, &ecx, &edx);
-    /* string holds the CPU's manufacturer ID string - a twelve
-     * character ASCII string stored in ebx, edx, ecx, and
-     * the 32-bit extended feature flags are in edx, ecx.
-     */
-    *(int *)string = ebx;
-    *(int *)&string[4] = (int)edx;
-    *(int *)&string[8] = (int)ecx;
-    string[12] = 0;
 
     /* has no SSE2 extensions */
     if (eax == 0) {
 	return 0;
     }
 
-    for (i=0; i < n_manufacturers; i++) {
-	if ( strcmp(manMap[i],string) == 0) {
-	    manufacturer = i;
-	    break;
-	}
-    }
-
     freebl_cpuid(1,&eax,&ebx,&ecx,&edx);
     return (edx & SSE2_FLAG) == SSE2_FLAG;
 }
 #endif
 
 unsigned long
 s_mpi_getProcessorLineSize()
 {
     unsigned long eax, ebx, ecx, edx;
+    PRUint32 cpuid[3];
     unsigned long cpuidLevel;
     unsigned long cacheLineSize = 0;
     int manufacturer = MAN_UNKNOWN;
     int i;
-    char string[65];
+    char string[13];
 
 #if !defined(AMD_64)
     if (is386()) {
 	return 0; /* 386 had no cache */
     } if (is486()) {
 	return 32; /* really? need more info */
     }
 #endif
 
     /* Pentium, cpuid command is available */
     freebl_cpuid(0, &eax, &ebx, &ecx, &edx);
     cpuidLevel = eax;
     /* string holds the CPU's manufacturer ID string - a twelve
      * character ASCII string stored in ebx, edx, ecx, and
      * the 32-bit extended feature flags are in edx, ecx.
      */
-    *(int *)string = ebx;
-    *(int *)&string[4] = (int)edx;
-    *(int *)&string[8] = (int)ecx;
+    cpuid[0] = ebx;
+    cpuid[1] = ecx;
+    cpuid[2] = edx;
+    memcpy(string, cpuid, sizeof(cpuid));
     string[12] = 0;
 
     manufacturer = MAN_UNKNOWN;
     for (i=0; i < n_manufacturers; i++) {
 	if ( strcmp(manMap[i],string) == 0) {
 	    manufacturer = i;
 	}
     }
--- a/lib/freebl/mpi/mpi-priv.h
+++ b/lib/freebl/mpi/mpi-priv.h
@@ -249,18 +249,20 @@ void     MPI_ASM_DECL s_mpv_mul_d_add_pr
 void     MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a,
                                                 mp_size a_len,
                                                 mp_digit *sqrs);
 
 mp_err   MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo,
                             mp_digit divisor, mp_digit *quot, mp_digit *rem);
 
 /* c += a * b * (MP_RADIX ** offset);  */
+/* Callers of this macro should be aware that the return type might vary;
+ * it should be treated as a void function. */
 #define s_mp_mul_d_add_offset(a, b, c, off) \
-(s_mpv_mul_d_add_prop(MP_DIGITS(a), MP_USED(a), b, MP_DIGITS(c) + off), MP_OKAY)
+  s_mpv_mul_d_add_prop(MP_DIGITS(a), MP_USED(a), b, MP_DIGITS(c) + off)
 
 typedef struct {
   mp_int       N;	/* modulus N */
   mp_digit     n0prime; /* n0' = - (n0 ** -1) mod MP_RADIX */
 } mp_mont_modulus;
 
 mp_err s_mp_mul_mont(const mp_int *a, const mp_int *b, mp_int *c, 
 	               mp_mont_modulus *mmm);
--- a/lib/freebl/mpi/mpi.c
+++ b/lib/freebl/mpi/mpi.c
@@ -1090,17 +1090,17 @@ mp_err mp_div_2d(const mp_int *a, mp_dig
   standard iterative square-and-multiply technique.
  */
 
 mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c)
 {
   mp_int   s, x;
   mp_err   res;
   mp_digit d;
-  int      dig, bit;
+  unsigned int      dig, bit;
 
   ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
 
   if(mp_cmp_z(b) < 0)
     return MP_RANGE;
 
   if((res = mp_init(&s)) != MP_OKAY)
     return res;
@@ -1465,17 +1465,17 @@ mp_err mp_sqrmod(const mp_int *a, const 
   s_mp_reduce() below for details)
  */
 
 mp_err s_mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c)
 {
   mp_int   s, x, mu;
   mp_err   res;
   mp_digit d;
-  int      dig, bit;
+  unsigned int      dig, bit;
 
   ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
 
   if(mp_cmp_z(b) < 0 || mp_cmp_z(m) <= 0)
     return MP_RANGE;
 
   if((res = mp_init(&s)) != MP_OKAY)
     return res;
@@ -1999,17 +1999,17 @@ mp_err mp_xgcd(const mp_int *a, const mp
 } /* end mp_xgcd() */
 
 /* }}} */
 
 mp_size mp_trailing_zeros(const mp_int *mp)
 {
   mp_digit d;
   mp_size  n = 0;
-  int      ix;
+  unsigned int      ix;
 
   if (!mp || !MP_DIGITS(mp) || !mp_cmp_z(mp))
     return n;
 
   for (ix = 0; !(d = MP_DIGIT(mp,ix)) && (ix < MP_USED(mp)); ++ix)
     n += MP_DIGIT_BIT;
   if (!d)
     return 0;	/* shouldn't happen, but ... */
@@ -2911,36 +2911,34 @@ void     s_mp_exch(mp_int *a, mp_int *b)
    Shift mp leftward by p digits, growing if needed, and zero-filling
    the in-shifted digits at the right end.  This is a convenient
    alternative to multiplication by powers of the radix
  */   
 
 mp_err   s_mp_lshd(mp_int *mp, mp_size p)
 {
   mp_err  res;
-  mp_size pos;
-  int     ix;
+  unsigned int     ix;
 
   if(p == 0)
     return MP_OKAY;
 
   if (MP_USED(mp) == 1 && MP_DIGIT(mp, 0) == 0)
     return MP_OKAY;
 
   if((res = s_mp_pad(mp, USED(mp) + p)) != MP_OKAY)
     return res;
 
-  pos = USED(mp) - 1;
-
   /* Shift all the significant figures over as needed */
-  for(ix = pos - p; ix >= 0; ix--) 
+  for (ix = USED(mp) - p; ix-- > 0;) {
     DIGIT(mp, ix + p) = DIGIT(mp, ix);
+  }
 
   /* Fill the bottom digits with zeroes */
-  for(ix = 0; ix < p; ix++)
+  for(ix = 0; (mp_size)ix < p; ix++)
     DIGIT(mp, ix) = 0;
 
   return MP_OKAY;
 
 } /* end s_mp_lshd() */
 
 /* }}} */
 
@@ -3041,17 +3039,17 @@ void     s_mp_div_2(mp_int *mp)
 
 /* }}} */
 
 /* {{{ s_mp_mul_2(mp) */
 
 mp_err s_mp_mul_2(mp_int *mp)
 {
   mp_digit *pd;
-  int      ix, used;
+  unsigned int ix, used;
   mp_digit kin = 0;
 
   /* Shift digits leftward by 1 bit */
   used = MP_USED(mp);
   pd = MP_DIGITS(mp);
   for (ix = 0; ix < used; ix++) {
     mp_digit d = *pd;
     *pd++ = (d << 1) | kin;
@@ -4667,20 +4665,20 @@ mp_read_unsigned_octets(mp_int *mp, cons
     }
     MP_DIGIT(mp, 0) = d;
   }
   return MP_OKAY;
 } /* end mp_read_unsigned_octets() */
 /* }}} */
 
 /* {{{ mp_unsigned_octet_size(mp) */
-int    
+unsigned int
 mp_unsigned_octet_size(const mp_int *mp)
 {
-  int  bytes;
+  unsigned int bytes;
   int  ix;
   mp_digit  d = 0;
 
   ARGCHK(mp != NULL, MP_BADARG);
   ARGCHK(MP_ZPOS == SIGN(mp), MP_BADARG);
 
   bytes = (USED(mp) * sizeof(mp_digit));
 
@@ -4707,22 +4705,22 @@ mp_unsigned_octet_size(const mp_int *mp)
 /* }}} */
 
 /* {{{ mp_to_unsigned_octets(mp, str) */
 /* output a buffer of big endian octets no longer than specified. */
 mp_err 
 mp_to_unsigned_octets(const mp_int *mp, unsigned char *str, mp_size maxlen)
 {
   int  ix, pos = 0;
-  int  bytes;
+  unsigned int  bytes;
 
   ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
 
   bytes = mp_unsigned_octet_size(mp);
-  ARGCHK(bytes >= 0 && bytes <= maxlen, MP_BADARG);
+  ARGCHK(bytes <= maxlen, MP_BADARG);
 
   /* Iterate over each digit... */
   for(ix = USED(mp) - 1; ix >= 0; ix--) {
     mp_digit  d = DIGIT(mp, ix);
     int       jx;
 
     /* Unpack digit bytes, high order first */
     for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
@@ -4739,22 +4737,22 @@ mp_to_unsigned_octets(const mp_int *mp, 
 /* }}} */
 
 /* {{{ mp_to_signed_octets(mp, str) */
 /* output a buffer of big endian octets no longer than specified. */
 mp_err 
 mp_to_signed_octets(const mp_int *mp, unsigned char *str, mp_size maxlen)
 {
   int  ix, pos = 0;
-  int  bytes;
+  unsigned int  bytes;
 
   ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
 
   bytes = mp_unsigned_octet_size(mp);
-  ARGCHK(bytes >= 0 && bytes <= maxlen, MP_BADARG);
+  ARGCHK(bytes <= maxlen, MP_BADARG);
 
   /* Iterate over each digit... */
   for(ix = USED(mp) - 1; ix >= 0; ix--) {
     mp_digit  d = DIGIT(mp, ix);
     int       jx;
 
     /* Unpack digit bytes, high order first */
     for(jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
@@ -4779,22 +4777,22 @@ mp_to_signed_octets(const mp_int *mp, un
 /* }}} */
 
 /* {{{ mp_to_fixlen_octets(mp, str) */
 /* output a buffer of big endian octets exactly as long as requested. */
 mp_err 
 mp_to_fixlen_octets(const mp_int *mp, unsigned char *str, mp_size length)
 {
   int  ix, pos = 0;
-  int  bytes;
+  unsigned int  bytes;
 
   ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
 
   bytes = mp_unsigned_octet_size(mp);
-  ARGCHK(bytes >= 0 && bytes <= length, MP_BADARG);
+  ARGCHK(bytes <= length, MP_BADARG);
 
   /* place any needed leading zeros */
   for (;length > bytes; --length) {
 	*str++ = 0;
   }
 
   /* Iterate over each digit... */
   for(ix = USED(mp) - 1; ix >= 0; ix--) {
--- a/lib/freebl/mpi/mpi.h
+++ b/lib/freebl/mpi/mpi.h
@@ -253,17 +253,17 @@ int    mp_tovalue(char ch, int r);
 #define mp_todecimal(M, S) mp_toradix((M), (S), 10)
 #define mp_tohex(M, S)     mp_toradix((M), (S), 16)
 
 /* Error strings           */
 const  char  *mp_strerror(mp_err ec);
 
 /* Octet string conversion functions */
 mp_err mp_read_unsigned_octets(mp_int *mp, const unsigned char *str, mp_size len);
-int    mp_unsigned_octet_size(const mp_int *mp);
+unsigned int mp_unsigned_octet_size(const mp_int *mp);
 mp_err mp_to_unsigned_octets(const mp_int *mp, unsigned char *str, mp_size maxlen);
 mp_err mp_to_signed_octets(const mp_int *mp, unsigned char *str, mp_size maxlen);
 mp_err mp_to_fixlen_octets(const mp_int *mp, unsigned char *str, mp_size len);
 
 /* Miscellaneous */
 mp_size mp_trailing_zeros(const mp_int *mp);
 void freebl_cpuid(unsigned long op, unsigned long *eax,
                          unsigned long *ebx, unsigned long *ecx,
--- a/lib/freebl/mpi/mplogic.c
+++ b/lib/freebl/mpi/mplogic.c
@@ -398,19 +398,19 @@ mp_err mpl_get_bits(const mp_int *a, mp_
   return (mp_err)mask;
 }
 
 /*
   mpl_significant_bits
   returns number of significnant bits in abs(a).
   returns 1 if value is zero.
  */
-mp_err mpl_significant_bits(const mp_int *a)
+mp_size mpl_significant_bits(const mp_int *a)
 {
-  mp_err bits 	= 0;
+  mp_size bits = 0;
   int    ix;
 
   ARGCHK(a != NULL, MP_BADARG);
 
   ix = MP_USED(a);
   for (ix = MP_USED(a); ix > 0; ) {
     mp_digit d;
     d = MP_DIGIT(a, --ix);
--- a/lib/freebl/mpi/mplogic.h
+++ b/lib/freebl/mpi/mplogic.h
@@ -42,11 +42,11 @@ mp_err mpl_num_set(mp_int *a, int *num);
 mp_err mpl_num_clear(mp_int *a, int *num);       /* count clear bits  */
 mp_err mpl_parity(mp_int *a);                    /* determine parity  */
 
 /* Get & Set the value of a bit */
 
 mp_err mpl_set_bit(mp_int *a, mp_size bitNum, mp_size value);
 mp_err mpl_get_bit(const mp_int *a, mp_size bitNum);
 mp_err mpl_get_bits(const mp_int *a, mp_size lsbNum, mp_size numBits);
-mp_err mpl_significant_bits(const mp_int *a);
+mp_size mpl_significant_bits(const mp_int *a);
 
 #endif /* end _H_MPLOGIC_ */
--- a/lib/freebl/mpi/mpmontg.c
+++ b/lib/freebl/mpi/mpmontg.c
@@ -42,17 +42,17 @@ mp_err s_mp_redc(mp_int *T, mp_mont_modu
   mp_err res;
   mp_size i;
 
   i = (MP_USED(&mmm->N) << 1) + 1;
   MP_CHECKOK( s_mp_pad(T, i) );
   for (i = 0; i < MP_USED(&mmm->N); ++i ) {
     mp_digit m_i = MP_DIGIT(T, i) * mmm->n0prime;
     /* T += N * m_i * (MP_RADIX ** i); */
-    MP_CHECKOK( s_mp_mul_d_add_offset(&mmm->N, m_i, T, i) );
+    s_mp_mul_d_add_offset(&mmm->N, m_i, T, i);
   }
   s_mp_clamp(T);
 
   /* T /= R */
   s_mp_rshd( T, MP_USED(&mmm->N) );
 
   if ((res = s_mp_cmp(T, &mmm->N)) >= 0) {
     /* T = T - N */
--- a/lib/freebl/mpi/mpprime.c
+++ b/lib/freebl/mpi/mpprime.c
@@ -389,17 +389,17 @@ mp_err mpp_sieve(mp_int *trial, const mp
 
 #define SIEVE_SIZE 32*1024
 
 mp_err mpp_make_prime(mp_int *start, mp_size nBits, mp_size strong,
 		      unsigned long * nTries)
 {
   mp_digit      np;
   mp_err        res;
-  int           i	= 0;
+  unsigned int i = 0;
   mp_int        trial;
   mp_int        q;
   mp_size       num_tests;
   unsigned char *sieve;
   
   ARGCHK(start != 0, MP_BADARG);
   ARGCHK(nBits > 16, MP_RANGE);
 
--- a/lib/freebl/nsslowhash.c
+++ b/lib/freebl/nsslowhash.c
@@ -280,24 +280,19 @@ static int nsslow_GetFIPSEnabled(void) {
 static int post = 0;
 static int post_failed = 0;
 
 static NSSLOWInitContext dummyContext = { 0 };
 
 NSSLOWInitContext *
 NSSLOW_Init(void)
 {
-    SECStatus rv;
     CK_RV crv;
 #ifdef FREEBL_NO_DEPEND
-    PRBool nsprAvailable = PR_FALSE;
-
-
-    rv = FREEBL_InitStubs();
-    nsprAvailable = (rv ==  SECSuccess ) ? PR_TRUE : PR_FALSE;
+    (void)FREEBL_InitStubs();
 #endif
 
     if (post_failed) {
 	return NULL;
     }
 	
 
     if (!post && nsslow_GetFIPSEnabled()) {
--- a/lib/freebl/pqg.c
+++ b/lib/freebl/pqg.c
@@ -489,17 +489,17 @@ cleanup:
 SECStatus
 makePrimefromPrimesShaweTaylor(
       HASH_HashType hashtype,	/* selected Hashing algorithm */
       unsigned int  length,     /* input. Length of prime in bits. */
       mp_int    *   c0,         /* seed prime */
       mp_int    *   q,          /* sub prime, can be 1 */
       mp_int    *   prime,      /* output.  */
       SECItem   *   prime_seed, /* input/output.  */
-      int       *   prime_gen_counter) /* input/output.  */
+      unsigned int *prime_gen_counter) /* input/output.  */
 {
     mp_int c;
     mp_int c0_2;
     mp_int t;
     mp_int a;
     mp_int z;
     mp_int two_length_minus_1;
     SECStatus rv = SECFailure;
@@ -722,17 +722,17 @@ cleanup:
 */
 SECStatus
 makePrimefromSeedShaweTaylor(
       HASH_HashType hashtype,	/* selected Hashing algorithm */
       unsigned int  length,     /* input.  Length of prime in bits. */
 const SECItem   *   input_seed,       /* input.  */
       mp_int    *   prime,      /* output.  */
       SECItem   *   prime_seed, /* output.  */
-      int       *   prime_gen_counter) /* output.  */
+      unsigned int *prime_gen_counter) /* output.  */
 {
     mp_int c;
     mp_int c0;
     mp_int one;
     SECStatus rv = SECFailure;
     int hashlen = HASH_ResultLen(hashtype);
     int outlen = hashlen*PR_BITS_PER_BYTE;
     int offset;
@@ -877,17 +877,17 @@ cleanup:
 static SECStatus
 findQfromSeed(
       unsigned int  L,          /* input.  Length of p in bits. */
       unsigned int  N,          /* input.  Length of q in bits. */
       unsigned int  g,          /* input.  Length of seed in bits. */
 const SECItem   *   seed,       /* input.  */
       mp_int    *   Q,          /* input. */
       mp_int    *   Q_,         /* output. */
-      int       *  qseed_len,   /* output */
+      unsigned int *qseed_len,   /* output */
       HASH_HashType *hashtypePtr,  /* output. Hash uses */
       pqgGenType    *typePtr)      /* output. Generation Type used */
 {
     HASH_HashType hashtype;
     SECItem  firstseed = { 0, 0, 0 };
     SECItem  qseed = { 0, 0, 0 };
     SECStatus rv;
 
@@ -932,17 +932,17 @@ const SECItem   *   seed,       /* input
     }
     /*
      * OK finally try FIPS186_3 Shawe-Taylor 
      */
     firstseed = *seed;
     firstseed.len = seed->len/3;
     for (hashtype = getFirstHash(L,N); hashtype != HASH_AlgTOTAL; 
 					hashtype=getNextHash(hashtype)) {
-	int count;
+	unsigned int count;
 
 	rv = makePrimefromSeedShaweTaylor(hashtype, N, &firstseed, Q_, 
 		&qseed, &count);
 	if (rv != SECSuccess) {
 	    continue;
 	}
 	if (mp_cmp(Q,Q_) == 0) {
 	    /* check qseed as well... */
@@ -1224,17 +1224,16 @@ cleanup:
 ** and so that the correctness of this code can be easily verified.
 ** So, please forgive the ugly c code.
 **/
 static SECStatus
 pqg_ParamGen(unsigned int L, unsigned int N, pqgGenType type,
 	 unsigned int seedBytes, PQGParams **pParams, PQGVerify **pVfy)
 {
     unsigned int  n;        /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
-    unsigned int  b;        /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
     unsigned int  seedlen;  /* Per FIPS 186-3 app A.1.1.2  (was 'g' 186-1)*/
     unsigned int  counter;  /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
     unsigned int  offset;   /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
     unsigned int  outlen;   /* Per FIPS 186-3, appendix A.1.1.2. */
     unsigned int  maxCount;
     HASH_HashType hashtype;
     SECItem      *seed;     /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
     PLArenaPool  *arena  = NULL;
@@ -1304,18 +1303,17 @@ pqg_ParamGen(unsigned int L, unsigned in
     /* Select Hash and Compute lengths. */
     /* getFirstHash gives us the smallest acceptable hash for this key
      * strength */
     hashtype = getFirstHash(L,N);
     outlen = HASH_ResultLen(hashtype)*PR_BITS_PER_BYTE;
 
     /* Step 3: n = Ceil(L/outlen)-1; (same as n = Floor((L-1)/outlen)) */
     n = (L - 1) / outlen; 
-    /* Step 4: b = L -1 - (n*outlen); (same as n = (L-1) mod outlen) */
-    b = (L - 1) % outlen;
+    /* Step 4: (skipped since we don't use b): b = L -1 - (n*outlen); */
     seedlen = seedBytes * PR_BITS_PER_BYTE;    /* bits in seed */
 step_5:
     /* ******************************************************************
     ** Step 5. (Step 1 in 186-1)
     ** "Choose an abitrary sequence of at least N bits and call it SEED.
     **  Let g be the length of SEED in bits."
     */
     if (++iterations > MAX_ITERATIONS) {        /* give up after a while */
@@ -1343,17 +1341,17 @@ step_5:
     ** FIPS186_3_ST_TYPE. 
     */
     if (type == FIPS186_1_TYPE) {
 	CHECK_SEC_OK( makeQfromSeed(seedlen, seed, &Q) );
     } else if (type == FIPS186_3_TYPE) {
 	CHECK_SEC_OK( makeQ2fromSeed(hashtype, N, seed, &Q) );
     } else {
 	/* FIPS186_3_ST_TYPE */
-	int qgen_counter, pgen_counter;
+	unsigned int qgen_counter, pgen_counter;
 
         /* Step 1 (L,N) already checked for acceptability */
 
 	firstseed = *seed;
 	qgen_counter = 0;
 	/* Step 2. Use N and firstseed to  generate random prime q
 	 * using Apendix C.6 */
 	CHECK_SEC_OK( makePrimefromSeedShaweTaylor(hashtype, N, &firstseed, &Q,
@@ -1584,17 +1582,17 @@ PQG_VerifyParams(const PQGParams *params
                  const PQGVerify *vfy, SECStatus *result)
 {
     SECStatus rv = SECSuccess;
     unsigned int g, n, L, N, offset, outlen;
     mp_int p0, P, Q, G, P_, Q_, G_, r, h;
     mp_err err = MP_OKAY;
     int j;
     unsigned int counter_max = 0; /* handle legacy L < 1024 */
-    int qseed_len;
+    unsigned int qseed_len;
     SECItem pseed_ = {0, 0, 0};
     HASH_HashType hashtype;
     pqgGenType type;
 
 #define CHECKPARAM(cond)      \
     if (!(cond)) {            \
 	*result = SECFailure; \
 	goto cleanup;         \
@@ -1677,18 +1675,18 @@ PQG_VerifyParams(const PQGParams *params
     /* This function checks all possible hash and generation types to
      * find a Q_ which matches Q. */
     CHECKPARAM( findQfromSeed(L, N, g, &vfy->seed, &Q, &Q_, &qseed_len,
 					&hashtype, &type) == SECSuccess );
     CHECKPARAM( mp_cmp(&Q, &Q_) == 0 );
     if (type == FIPS186_3_ST_TYPE) {
 	SECItem qseed = { 0, 0, 0 };
 	SECItem pseed = { 0, 0, 0 };
-	int first_seed_len;
-	int pgen_counter = 0;
+	unsigned int first_seed_len;
+	unsigned int pgen_counter = 0;
 
 	/* extract pseed and qseed from domain_parameter_seed, which is
 	 * first_seed || pseed || qseed. qseed is first_seed + small_integer
 	 * pseed is qseed + small_integer. This means most of the time 
 	 * first_seed.len == qseed.len == pseed.len. Rarely qseed.len and/or
 	 * pseed.len will be one greater than first_seed.len, so we can
 	 * depend on the fact that 
 	 *   first_seed.len = floor(domain_parameter_seed.len/3).
--- a/lib/freebl/rsa.c
+++ b/lib/freebl/rsa.c
@@ -243,17 +243,17 @@ RSA_NewKey(int keySizeInBits, SECItem *p
     int kiter;
     mp_err   err = MP_OKAY;
     SECStatus rv = SECSuccess;
     int prerr = 0;
     RSAPrivateKey *key = NULL;
     PLArenaPool *arena = NULL;
     /* Require key size to be a multiple of 16 bits. */
     if (!publicExponent || keySizeInBits % 16 != 0 ||
-	    BAD_RSA_KEY_SIZE(keySizeInBits/8, publicExponent->len)) {
+	    BAD_RSA_KEY_SIZE((unsigned int)keySizeInBits/8, publicExponent->len)) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return NULL;
     }
     /* 1. Allocate arena & key */
     arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
     if (!arena) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	return NULL;
--- a/lib/freebl/sha512.c
+++ b/lib/freebl/sha512.c
@@ -137,18 +137,18 @@ static __inline__ PRUint32 swap4b(PRUint
 #else
 #define ROTR32(x,n) ((x >> n) | (x << ((8 * sizeof x) - n)))
 #define ROTL32(x,n) ((x << n) | (x >> ((8 * sizeof x) - n)))
 #endif
 
 /* Capitol Sigma and lower case sigma functions */
 #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x,22))
 #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x,25))
-#define s0(x) (t1 = x, ROTR32(t1, 7) ^ ROTR32(t1,18) ^ SHR(t1, 3))
-#define s1(x) (t2 = x, ROTR32(t2,17) ^ ROTR32(t2,19) ^ SHR(t2,10))
+#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ SHR(x, 3))
+#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ SHR(x,10))
 
 SHA256Context *
 SHA256_NewContext(void)
 {
     SHA256Context *ctx = PORT_New(SHA256Context);
     return ctx;
 }
 
@@ -167,18 +167,16 @@ SHA256_Begin(SHA256Context *ctx)
     memset(ctx, 0, sizeof *ctx);
     memcpy(H, H256, sizeof H256);
 }
 
 static void
 SHA256_Compress(SHA256Context *ctx)
 {
   {
-    register PRUint32 t1, t2;
-
 #if defined(IS_LITTLE_ENDIAN)
     BYTESWAP4(W[0]);
     BYTESWAP4(W[1]);
     BYTESWAP4(W[2]);
     BYTESWAP4(W[3]);
     BYTESWAP4(W[4]);
     BYTESWAP4(W[5]);
     BYTESWAP4(W[6]);
@@ -649,18 +647,18 @@ void SHA224_Clone(SHA224Context *dest, S
 #define ROTL64(x,n) _rotl64(x,n)
 #else
 #define ROTR64(x,n) ((x >> n) | (x << (64 - n)))
 #define ROTL64(x,n) ((x << n) | (x >> (64 - n)))
 #endif
 
 #define S0(x) (ROTR64(x,28) ^ ROTR64(x,34) ^ ROTR64(x,39))
 #define S1(x) (ROTR64(x,14) ^ ROTR64(x,18) ^ ROTR64(x,41))
-#define s0(x) (t1 = x, ROTR64(t1, 1) ^ ROTR64(t1, 8) ^ SHR(t1,7))
-#define s1(x) (t2 = x, ROTR64(t2,19) ^ ROTR64(t2,61) ^ SHR(t2,6))
+#define s0(x) (ROTR64(x, 1) ^ ROTR64(x, 8) ^ SHR(x,7))
+#define s1(x) (ROTR64(x,19) ^ ROTR64(x,61) ^ SHR(x,6))
 
 #if PR_BYTES_PER_LONG == 8
 #define ULLC(hi,lo) 0x ## hi ## lo ## UL
 #elif defined(_MSC_VER)
 #define ULLC(hi,lo) 0x ## hi ## lo ## ui64
 #else
 #define ULLC(hi,lo) 0x ## hi ## lo ## ULL
 #endif
@@ -675,20 +673,24 @@ static __inline__ PRUint64 swap8b(PRUint
     __asm__("bswapq %0" : "+r" (value));
     return (value);
 }
 #define SHA_HTONLL(x) swap8b(x)
 
 #else
 #define SHA_MASK16 ULLC(0000FFFF,0000FFFF)
 #define SHA_MASK8  ULLC(00FF00FF,00FF00FF)
-#define SHA_HTONLL(x) (t1 = x, \
-  t1 = ((t1 & SHA_MASK8 ) <<  8) | ((t1 >>  8) & SHA_MASK8 ), \
-  t1 = ((t1 & SHA_MASK16) << 16) | ((t1 >> 16) & SHA_MASK16), \
-  (t1 >> 32) | (t1 << 32))
+static PRUint64 swap8b(PRUint64 x)
+{
+    PRUint64 t1 = x;
+    t1 = ((t1 & SHA_MASK8 ) <<  8) | ((t1 >>  8) & SHA_MASK8 );
+    t1 = ((t1 & SHA_MASK16) << 16) | ((t1 >> 16) & SHA_MASK16);
+    return (t1 >> 32) | (t1 << 32);
+}
+#define SHA_HTONLL(x) swap8b(x)
 #endif
 #define BYTESWAP8(x)  x = SHA_HTONLL(x)
 
 #else /* no long long */
 
 #if defined(IS_LITTLE_ENDIAN)
 #define ULLC(hi,lo) { 0x ## lo ## U, 0x ## hi ## U }
 #else
@@ -922,21 +924,16 @@ SHA512_Begin(SHA512Context *ctx)
     }
 #endif
 
 static void
 SHA512_Compress(SHA512Context *ctx)
 {
 #if defined(IS_LITTLE_ENDIAN)
   {
-#if defined(HAVE_LONG_LONG)
-    PRUint64 t1;
-#else
-    PRUint32 t1;
-#endif
     BYTESWAP8(W[0]);
     BYTESWAP8(W[1]);
     BYTESWAP8(W[2]);
     BYTESWAP8(W[3]);
     BYTESWAP8(W[4]);
     BYTESWAP8(W[5]);
     BYTESWAP8(W[6]);
     BYTESWAP8(W[7]);
@@ -947,17 +944,16 @@ SHA512_Compress(SHA512Context *ctx)
     BYTESWAP8(W[12]);
     BYTESWAP8(W[13]);
     BYTESWAP8(W[14]);
     BYTESWAP8(W[15]);
   }
 #endif
 
   {
-    PRUint64 t1, t2;
 #ifdef NOUNROLL512
     {
 	/* prepare the "message schedule"   */
 	int t;
 	for (t = 16; t < 80; ++t) {
 	    INITW(t);
 	}
     }
@@ -1218,20 +1214,18 @@ SHA512_Update(SHA512Context *ctx, const 
 }
 
 void 
 SHA512_End(SHA512Context *ctx, unsigned char *digest,
            unsigned int *digestLen, unsigned int maxDigestLen)
 {
 #if defined(HAVE_LONG_LONG)
     unsigned int inBuf  = (unsigned int)ctx->sizeLo & 0x7f;
-    PRUint64 t1;
 #else
     unsigned int inBuf  = (unsigned int)ctx->sizeLo.lo & 0x7f;
-    PRUint32 t1;
 #endif
     unsigned int padLen = (inBuf < 112) ? (112 - inBuf) : (112 + 128 - inBuf);
     PRUint64 lo;
     LL_SHL(lo, ctx->sizeLo, 3);
 
     SHA512_Update(ctx, pad, padLen);
 
 #if defined(HAVE_LONG_LONG)
@@ -1263,21 +1257,16 @@ SHA512_End(SHA512Context *ctx, unsigned 
     if (digestLen)
 	*digestLen = padLen;
 }
 
 void
 SHA512_EndRaw(SHA512Context *ctx, unsigned char *digest,
               unsigned int *digestLen, unsigned int maxDigestLen)
 {
-#if defined(HAVE_LONG_LONG)
-    PRUint64 t1;
-#else
-    PRUint32 t1;
-#endif
     PRUint64 h[8];
     unsigned int len;
 
     memcpy(h, ctx->h, sizeof(h));
 
 #if defined(IS_LITTLE_ENDIAN)
     BYTESWAP8(h[0]);
     BYTESWAP8(h[1]);
--- a/lib/freebl/sha_fast.c
+++ b/lib/freebl/sha_fast.c
@@ -143,17 +143,16 @@ SHA1_Update(SHA1Context *ctx, const unsi
  *  SHA: Generate hash value from context
  */
 void 
 SHA1_End(SHA1Context *ctx, unsigned char *hashout,
          unsigned int *pDigestLen, unsigned int maxDigestLen)
 {
   register PRUint64 size;
   register PRUint32 lenB;
-  PRUint32 tmpbuf[5];
 
   static const unsigned char bulk_pad[64] = { 0x80,0,0,0,0,0,0,0,0,0,
           0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
           0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0  };
 #define tmp lenB
 
   PORT_Assert (maxDigestLen >= SHA1_LENGTH);
 
@@ -183,17 +182,16 @@ SHA1_End(SHA1Context *ctx, unsigned char
 
 void
 SHA1_EndRaw(SHA1Context *ctx, unsigned char *hashout,
             unsigned int *pDigestLen, unsigned int maxDigestLen)
 {
 #if defined(SHA_NEED_TMP_VARIABLE)
   register PRUint32 tmp;
 #endif
-  PRUint32 tmpbuf[5];
   PORT_Assert (maxDigestLen >= SHA1_LENGTH);
 
   SHA_STORE_RESULT;
   if (pDigestLen)
     *pDigestLen = SHA1_LENGTH;
 }
 
 #undef B
--- a/lib/freebl/sha_fast.h
+++ b/lib/freebl/sha_fast.h
@@ -142,16 +142,17 @@ static __inline__ PRUint32 swap4b(PRUint
 #define SHA_STORE_RESULT \
   if (!((ptrdiff_t)hashout % sizeof(PRUint32))) { \
     SHA_STORE(0); \
     SHA_STORE(1); \
     SHA_STORE(2); \
     SHA_STORE(3); \
     SHA_STORE(4); \
   } else { \
+    PRUint32 tmpbuf[5]; \
     tmpbuf[0] = SHA_HTONL(ctx->H[0]); \
     tmpbuf[1] = SHA_HTONL(ctx->H[1]); \
     tmpbuf[2] = SHA_HTONL(ctx->H[2]); \
     tmpbuf[3] = SHA_HTONL(ctx->H[3]); \
     tmpbuf[4] = SHA_HTONL(ctx->H[4]); \
     memcpy(hashout, tmpbuf, SHA1_LENGTH); \
   }
 
--- a/lib/freebl/stubs.c
+++ b/lib/freebl/stubs.c
@@ -319,26 +319,28 @@ PR_Read_stub(PRFileDesc *fd, void *buf, 
     lfd = (int *)fd;
     return read(*lfd, buf, amount);
 }
 
 extern PROffset32
 PR_Seek_stub(PRFileDesc *fd, PROffset32 offset, PRSeekWhence whence)
 {
     int *lfd;
-    int lwhence = SEEK_SET;;
+    int lwhence = SEEK_SET;
     STUB_SAFE_CALL3(PR_Seek, fd, offset, whence);
     lfd = (int *)fd;
     switch (whence) {
         case PR_SEEK_CUR:
             lwhence = SEEK_CUR;
             break;
         case PR_SEEK_END:
             lwhence = SEEK_END;
             break;
+        case PR_SEEK_SET:
+            break;
     }
 
     return lseek(*lfd, offset, lwhence);
 }
 
 
 /*
  * library 
--- a/lib/jar/jarfile.c
+++ b/lib/jar/jarfile.c
@@ -31,21 +31,22 @@ PR_STATIC_ASSERT(512 == sizeof(union Tar
 static int 
 jar_guess_jar(const char *filename, JAR_FILE fp);
 
 static int 
 jar_inflate_memory(unsigned int method, long *length, long expected_out_len, 
                    char **data);
 
 static int 
-jar_physical_extraction(JAR_FILE fp, char *outpath, long offset, long length);
+jar_physical_extraction(JAR_FILE fp, char *outpath, unsigned long offset,
+                        unsigned long length);
 
 static int 
-jar_physical_inflate(JAR_FILE fp, char *outpath, long offset, long length, 
-                     unsigned int method);
+jar_physical_inflate(JAR_FILE fp, char *outpath, unsigned long offset,
+                     unsigned long length, unsigned int method);
 
 static int 
 jar_verify_extract(JAR *jar, char *path, char *physical_path);
 
 static JAR_Physical *
 jar_get_physical(JAR *jar, char *pathname);
 
 static int 
@@ -69,16 +70,20 @@ jar_listzip(JAR *jar, JAR_FILE fp);
 /* conversions */
 static int 
 dosdate(char *date, const char *s);
 
 static int 
 dostime(char *time, const char *s);
 
 #ifdef NSS_X86_OR_X64
+/* The following macros throw up warnings. */
+#ifdef __GNUC__
+#pragma GCC diagnostic ignored "-Wstrict-aliasing"
+#endif
 #define x86ShortToUint32(ii)   ((const PRUint32)*((const PRUint16 *)(ii)))
 #define x86LongToUint32(ii)    (*(const PRUint32 *)(ii))
 #else
 static PRUint32
 x86ShortToUint32(const void *ii);
 
 static PRUint32
 x86LongToUint32(const void *ll);
@@ -236,27 +241,28 @@ JAR_extract(JAR *jar, char *path, char *
  *  in one bulk calloc. (Necessary under Win16 platform.)
  *  This is done for uncompressed entries only.
  *
  */
 
 #define CHUNK 32768
 
 static int 
-jar_physical_extraction(JAR_FILE fp, char *outpath, long offset, long length)
+jar_physical_extraction(JAR_FILE fp, char *outpath, unsigned long offset,
+                        unsigned long length)
 {
     JAR_FILE out;
     char *buffer = (char *)PORT_ZAlloc(CHUNK);
     int status = 0;
 
     if (buffer == NULL)
 	return JAR_ERR_MEMORY;
 
     if ((out = JAR_FOPEN (outpath, "wb")) != NULL) {
-	long at = 0;
+	unsigned long at = 0;
 
 	JAR_FSEEK (fp, offset, (PRSeekWhence)0);
 	while (at < length) {
 	    long chunk = (at + CHUNK <= length) ? CHUNK : length - at;
 	    if (JAR_FREAD (fp, buffer, chunk) != chunk) {
 		status = JAR_ERR_DISK;
 		break;
 	    }
@@ -284,17 +290,17 @@ jar_physical_extraction(JAR_FILE fp, cha
  *
  */
 /* input and output chunks differ, assume 4x compression */
 
 #define ICHUNK 8192
 #define OCHUNK 32768
 
 static int 
-jar_physical_inflate(JAR_FILE fp, char *outpath, long offset, long length, 
+jar_physical_inflate(JAR_FILE fp, char *outpath, unsigned long offset, unsigned long length,
                      unsigned int method)
 {
     char *inbuf, *outbuf;
     int status = 0;
     z_stream zs;
     JAR_FILE out;
 
     /* Raw inflate in zlib 1.1.4 needs an extra dummy byte at the end */
@@ -310,21 +316,21 @@ jar_physical_inflate(JAR_FILE fp, char *
     status = inflateInit2 (&zs, -MAX_WBITS);
     if (status != Z_OK) {
 	PORT_Free (inbuf);
 	PORT_Free (outbuf);
 	return JAR_ERR_GENERAL;
     }
 
     if ((out = JAR_FOPEN (outpath, "wb")) != NULL) {
-	long at = 0;
+	unsigned long at = 0;
 
 	JAR_FSEEK (fp, offset, (PRSeekWhence)0);
 	while (at < length) {
-	    long chunk = (at + ICHUNK <= length) ? ICHUNK : length - at;
+	    unsigned long chunk = (at + ICHUNK <= length) ? ICHUNK : length - at;
 	    unsigned long tin;
 
 	    if (JAR_FREAD (fp, inbuf, chunk) != chunk) {
 		/* incomplete read */
 		JAR_FCLOSE (out);
 		PORT_Free (inbuf);
 		PORT_Free (outbuf);
 		return JAR_ERR_CORRUPT;
@@ -348,17 +354,17 @@ jar_physical_inflate(JAR_FILE fp, char *
 		if (status != Z_OK && status != Z_STREAM_END) {
 		    /* error during decompression */
 		    JAR_FCLOSE (out);
 		    PORT_Free (inbuf);
 		    PORT_Free (outbuf);
 		    return JAR_ERR_CORRUPT;
 		}
 		ochunk = zs.total_out - prev_total;
-		if (JAR_FWRITE (out, outbuf, ochunk) < ochunk) {
+		if (JAR_FWRITE (out, outbuf, ochunk) < (long)ochunk) {
 		    /* most likely a disk full error */
 		    status = JAR_ERR_DISK;
 		    break;
 		}
 		if (status == Z_STREAM_END)
 		    break;
 	    }
 	}
@@ -815,32 +821,29 @@ loser:
  *
  */
 static int 
 jar_listtar(JAR *jar, JAR_FILE fp)
 {
     char *s;
     JAR_Physical *phy;
     long pos = 0L;
-    long sz, mode;
-    time_t when;
+    long sz;
     union TarEntry tarball;
 
     while (1) {
 	JAR_FSEEK (fp, pos, (PRSeekWhence)0);
 
 	if (JAR_FREAD (fp, &tarball, sizeof tarball) < sizeof tarball)
 	    break;
 
 	if (!*tarball.val.filename)
 	    break;
 
-	when = octalToLong (tarball.val.time);
 	sz   = octalToLong (tarball.val.size);
-	mode = octalToLong (tarball.val.mode);
 
 	/* Tag the end of filename */
 	s = tarball.val.filename;
 	while (*s && *s != ' ') 
 	    s++;
 	*s = 0;
 
 	/* Add to our linked list */
--- a/lib/jar/jarsign.c
+++ b/lib/jar/jarsign.c
@@ -166,17 +166,16 @@ static void jar_pk7_out (void *arg, cons
 }
 
 int 
 jar_create_pk7(CERTCertDBHandle *certdb, void *keydb, CERTCertificate *cert, 
                char *password, JAR_FILE infp, JAR_FILE outfp)
 {
     SEC_PKCS7ContentInfo *cinfo;
     const SECHashObject *hashObj;
-    char *errstring;
     void *mw = NULL;
     void *hashcx;
     unsigned int len;
     int status = 0;
     SECStatus rv;
     SECItem digest;
     unsigned char digestdata[32];
     unsigned char buffer[4096];
@@ -226,13 +225,12 @@ jar_create_pk7(CERTCertDBHandle *certdb,
     PORT_SetError(0);
 
     /* if calling from mozilla thread*/
     rv = SEC_PKCS7Encode(cinfo, jar_pk7_out, outfp, NULL, NULL, mw);
     if (rv != SECSuccess)
 	status = PORT_GetError();
     SEC_PKCS7DestroyContentInfo (cinfo);
     if (rv != SECSuccess) {
-	errstring = JAR_get_error (status);
 	return ((status < 0) ? status : JAR_ERR_GENERAL);
     }
     return 0;
 }
--- a/lib/libpkix/include/pkix_certstore.h
+++ b/lib/libpkix/include/pkix_certstore.h
@@ -5,16 +5,17 @@
  * This file defines functions associated with the PKIX_CertStore type.
  *
  */
 
 #ifndef _PKIX_CERTSTORE_H
 #define _PKIX_CERTSTORE_H
 
 #include "pkixt.h"
+#include "certt.h"
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 /* General
  *
  * Please refer to the libpkix Programmer's Guide for detailed information
@@ -322,17 +323,17 @@ typedef PKIX_Error *
  */
 typedef PKIX_Error *
 (*PKIX_CertStore_CheckRevokationByCrlCallback)(
         PKIX_CertStore *store,
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
         PKIX_Boolean  crlDownloadDone,
-        PKIX_UInt32 *reasonCode,
+        CERTCRLEntryReasonCode *reasonCode,
         PKIX_RevocationStatus *revStatus,
         void *plContext);
 
 /*
  * FUNCTION: PKIX_CertStore_CrlContinue
  * DESCRIPTION:
  *
  *  This function continues the non-blocking operation initiated by an earlier
--- a/lib/libpkix/pkix/checker/pkix_crlchecker.c
+++ b/lib/libpkix/pkix/checker/pkix_crlchecker.c
@@ -190,17 +190,17 @@ pkix_CrlChecker_CheckLocal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
         pkix_RevocationMethod *checkerObject,
         PKIX_ProcessingParams *procParams,
         PKIX_UInt32 methodFlags,
         PKIX_Boolean chainVerificationState,
         PKIX_RevocationStatus *pRevStatus,
-        PKIX_UInt32 *pReasonCode,
+        CERTCRLEntryReasonCode *pReasonCode,
         void *plContext)
 {
     PKIX_CertStore_CheckRevokationByCrlCallback storeCheckRevocationFn;
     PKIX_CertStore *certStore = NULL;
     pkix_CrlChecker *state = NULL;
     PKIX_UInt32 crlStoreIndex = 0;
     PKIX_UInt32 numCrlStores = 0;
     PKIX_Boolean storeIsLocal = PKIX_FALSE;
@@ -289,17 +289,17 @@ PKIX_Error *
 pkix_CrlChecker_CheckExternal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
         pkix_RevocationMethod *checkerObject,
         PKIX_ProcessingParams *procParams,
         PKIX_UInt32 methodFlags,
         PKIX_RevocationStatus *pRevStatus,
-        PKIX_UInt32 *pReasonCode,
+        CERTCRLEntryReasonCode *pReasonCode,
         void **pNBIOContext,
         void *plContext)
 {
     PKIX_CertStore_CheckRevokationByCrlCallback storeCheckRevocationFn = NULL;
     PKIX_CertStore_ImportCrlCallback storeImportCrlFn = NULL;
     PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
     PKIX_CertStore *certStore = NULL;
     PKIX_CertStore *localStore = NULL;
--- a/lib/libpkix/pkix/checker/pkix_crlchecker.h
+++ b/lib/libpkix/pkix/checker/pkix_crlchecker.h
@@ -26,29 +26,29 @@ pkix_CrlChecker_CheckLocal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
         pkix_RevocationMethod *checkerObject,
         PKIX_ProcessingParams *procParams,
         PKIX_UInt32 methodFlags,
         PKIX_Boolean chainVerificationState,
         PKIX_RevocationStatus *pRevStatus,
-        PKIX_UInt32 *reasonCode,
+        CERTCRLEntryReasonCode *reasonCode,
         void *plContext);
 
 PKIX_Error *
 pkix_CrlChecker_CheckExternal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
         pkix_RevocationMethod *checkerObject,
         PKIX_ProcessingParams *procParams,
         PKIX_UInt32 methodFlags,
         PKIX_RevocationStatus *pRevStatus,
-        PKIX_UInt32 *reasonCode,
+        CERTCRLEntryReasonCode *reasonCode,
         void **pNBIOContext,
         void *plContext);
 
 PKIX_Error *
 pkix_CrlChecker_Create(PKIX_RevocationMethodType methodType,
                        PKIX_UInt32 flags,
                        PKIX_UInt32 priority,
                        pkix_LocalRevocationCheckFn localRevChecker,
--- a/lib/libpkix/pkix/checker/pkix_ocspchecker.c
+++ b/lib/libpkix/pkix/checker/pkix_ocspchecker.c
@@ -142,17 +142,17 @@ pkix_OcspChecker_CheckLocal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
         pkix_RevocationMethod *checkerObject,
         PKIX_ProcessingParams *procParams,
         PKIX_UInt32 methodFlags,
         PKIX_Boolean chainVerificationState,
         PKIX_RevocationStatus *pRevStatus,
-        PKIX_UInt32 *pReasonCode,
+        CERTCRLEntryReasonCode *pReasonCode,
         void *plContext)
 {
         PKIX_PL_OcspCertID    *cid = NULL;
         PKIX_Boolean           hasFreshStatus = PKIX_FALSE;
         PKIX_Boolean           statusIsGood = PKIX_FALSE;
         SECErrorCodes          resultCode = SEC_ERROR_REVOKED_CERTIFICATE_OCSP;
         PKIX_RevocationStatus  revStatus = PKIX_RevStatus_NoInfo;
 
@@ -217,17 +217,17 @@ PKIX_Error *
 pkix_OcspChecker_CheckExternal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
         pkix_RevocationMethod *checkerObject,
         PKIX_ProcessingParams *procParams,
         PKIX_UInt32 methodFlags,
         PKIX_RevocationStatus *pRevStatus,
-        PKIX_UInt32 *pReasonCode,
+        CERTCRLEntryReasonCode *pReasonCode,
         void **pNBIOContext,
         void *plContext)
 {
         SECErrorCodes resultCode = SEC_ERROR_REVOKED_CERTIFICATE_OCSP;
         PKIX_Boolean uriFound = PKIX_FALSE;
         PKIX_Boolean passed = PKIX_TRUE;
         pkix_OcspChecker *checker = NULL;
         PKIX_PL_OcspCertID *cid = NULL;
--- a/lib/libpkix/pkix/checker/pkix_ocspchecker.h
+++ b/lib/libpkix/pkix/checker/pkix_ocspchecker.h
@@ -25,29 +25,29 @@ pkix_OcspChecker_CheckLocal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
         pkix_RevocationMethod *checkerObject,
         PKIX_ProcessingParams *procParams,
         PKIX_UInt32 methodFlags,
         PKIX_Boolean chainVerificationState,
         PKIX_RevocationStatus *pRevStatus,
-        PKIX_UInt32 *reasonCode,
+        CERTCRLEntryReasonCode *reasonCode,
         void *plContext);
 
 PKIX_Error *
 pkix_OcspChecker_CheckExternal(
         PKIX_PL_Cert *cert,
         PKIX_PL_Cert *issuer,
         PKIX_PL_Date *date,
         pkix_RevocationMethod *checkerObject,
         PKIX_ProcessingParams *procParams,
         PKIX_UInt32 methodFlags,
         PKIX_RevocationStatus *pRevStatus,
-        PKIX_UInt32 *reasonCode,
+        CERTCRLEntryReasonCode *reasonCode,
         void **pNBIOContext,
         void *plContext);
 
 PKIX_Error *
 pkix_OcspChecker_Create(PKIX_RevocationMethodType methodType,
                         PKIX_UInt32 flags,
                         PKIX_UInt32 priority,
                         pkix_LocalRevocationCheckFn localRevChecker,
--- a/lib/libpkix/pkix/checker/pkix_revocationchecker.c
+++ b/lib/libpkix/pkix/checker/pkix_revocationchecker.c
@@ -344,17 +344,17 @@ PKIX_RevocationChecker_Check(
                 sizeof(PKIX_RevocationStatus) * PKIX_RevocationMethod_MAX);
 
     date = procParams->date;
 
     /* Need to have two loops if we testing all local info first:
      *    first we are going to test all local(cached) info
      *    second, all remote info(fetching) */
     for (tries = 0;tries < 2;tries++) {
-        int methodNum = 0;
+        unsigned int methodNum = 0;
         for (;methodNum < revList->length;methodNum++) {
             PKIX_UInt32 methodFlags = 0;
 
             PKIX_DECREF(method);
             PKIX_CHECK(
                 PKIX_List_GetItem(revList, methodNum,
                                   (PKIX_PL_Object**)&method, plContext),
                 PKIX_LISTGETITEMFAILED);
@@ -367,17 +367,18 @@ PKIX_RevocationChecker_Check(
                 methodStatus[methodNum] == PKIX_RevStatus_NoInfo) {
                 PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
                 PKIX_CHECK_NO_GOTO(
                     (*method->localRevChecker)(cert, issuer, date,
                                                method, procParams,
                                                methodFlags, 
                                                chainVerificationState,
                                                &revStatus,
-                                               pReasonCode, plContext),
+                                               (CERTCRLEntryReasonCode *)pReasonCode,
+                                               plContext),
                     PKIX_REVCHECKERCHECKFAILED);
                 methodStatus[methodNum] = revStatus;
                 if (revStatus == PKIX_RevStatus_Revoked) {
                     /* if error was generated use it as final error. */
                     overallStatus = PKIX_RevStatus_Revoked;
                     goto cleanup;
                 }
                 if (pkixErrorResult) {
@@ -392,17 +393,18 @@ PKIX_RevocationChecker_Check(
                 chainVerificationState &&
                 methodStatus[methodNum] == PKIX_RevStatus_NoInfo) {
                 if (!(methodFlags & PKIX_REV_M_FORBID_NETWORK_FETCHING)) {
                     PKIX_RevocationStatus revStatus = PKIX_RevStatus_NoInfo;
                     PKIX_CHECK_NO_GOTO(
                         (*method->externalRevChecker)(cert, issuer, date,
                                                       method,
                                                       procParams, methodFlags,
-                                                      &revStatus, pReasonCode,
+                                                      &revStatus,
+                                                      (CERTCRLEntryReasonCode *)pReasonCode,
                                                       &nbioContext, plContext),
                         PKIX_REVCHECKERCHECKFAILED);
                     methodStatus[methodNum] = revStatus;
                     if (revStatus == PKIX_RevStatus_Revoked) {
                         /* if error was generated use it as final error. */
                         overallStatus = PKIX_RevStatus_Revoked;
                         goto cleanup;
                     }
--- a/lib/libpkix/pkix/checker/pkix_revocationchecker.h
+++ b/lib/libpkix/pkix/checker/pkix_revocationchecker.h
@@ -7,16 +7,17 @@
  * RevocationChecker Object Type Definition
  *
  */
 
 #ifndef _PKIX_REVOCATIONCHECKER_H
 #define _PKIX_REVOCATIONCHECKER_H
 
 #include "pkixt.h"
+#include "certt.h"
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
 /* NOTE: nbio logistic removed. Will be replaced later. */
 
 /*
--- a/lib/libpkix/pkix/checker/pkix_revocationmethod.h
+++ b/lib/libpkix/pkix/checker/pkix_revocationmethod.h
@@ -26,30 +26,30 @@ typedef struct pkix_RevocationMethodStru
 typedef PKIX_Error *
 pkix_LocalRevocationCheckFn(PKIX_PL_Cert *cert, PKIX_PL_Cert *issuer,
                             PKIX_PL_Date *date, 
                             pkix_RevocationMethod *checkerObject,
                             PKIX_ProcessingParams *procParams,
                             PKIX_UInt32 methodFlags,
                             PKIX_Boolean chainVerificationState,
                             PKIX_RevocationStatus *pRevStatus,
-                            PKIX_UInt32 *reasonCode,
+                            CERTCRLEntryReasonCode *reasonCode,
                             void *plContext);
 
 /* External revocation check function prototype definition.
  * Revocation methods that required external communications(crldp
  * ocsp) shoult implement this prototype. */
 typedef PKIX_Error *
 pkix_ExternalRevocationCheckFn(PKIX_PL_Cert *cert, PKIX_PL_Cert *issuer,
                                PKIX_PL_Date *date,
                                pkix_RevocationMethod *checkerObject,
                                PKIX_ProcessingParams *procParams,
                                PKIX_UInt32 methodFlags,
                                PKIX_RevocationStatus *pRevStatus,
-                               PKIX_UInt32 *reasonCode,
+                               CERTCRLEntryReasonCode *reasonCode,
                                void **pNBIOContext, void *plContext);
 
 /* Revocation method structure assosiates revocation types with
  * a set of flags on the method, a priority of the method (0
  * corresponds to the highest priority), and method local/external
  * checker functions. */
 struct pkix_RevocationMethodStruct {
     PKIX_RevocationMethodType methodType;
--- a/lib/libpkix/pkix/crlsel/pkix_crlselector.c
+++ b/lib/libpkix/pkix/crlsel/pkix_crlselector.c
@@ -185,17 +185,17 @@ pkix_CRLSelector_Hashcode(
         crlSelector = (PKIX_CRLSelector *)object;
 
         PKIX_HASHCODE(crlSelector->params, &paramsHash, plContext,
                 PKIX_OBJECTHASHCODEFAILED);
 
         PKIX_HASHCODE(crlSelector->context, &contextHash, plContext,
                 PKIX_OBJECTHASHCODEFAILED);
 
-        hash = 31 * ((PKIX_UInt32)crlSelector->matchCallback +
+        hash = 31 * ((PKIX_UInt32)((char *)crlSelector->matchCallback - (char *)NULL) +
                     (contextHash << 3)) + paramsHash;
 
         *pHashcode = hash;
 
 cleanup:
 
         PKIX_RETURN(CRLSELECTOR);
 }
--- a/lib/libpkix/pkix/results/pkix_policynode.c
+++ b/lib/libpkix/pkix/results/pkix_policynode.c
@@ -819,17 +819,17 @@ pkix_PolicyNode_Hashcode(
                 PKIX_OBJECTNOTPOLICYNODE);
 
         node = (PKIX_PolicyNode *)object;
 
         PKIX_CHECK(pkix_SinglePolicyNode_Hashcode
                 (node, &nodeHash, plContext),
                 PKIX_SINGLEPOLICYNODEHASHCODEFAILED);
 
-        nodeHash = 31*nodeHash + (PKIX_UInt32)(node->parent);
+        nodeHash = 31*nodeHash + (PKIX_UInt32)((char *)node->parent - (char *)NULL);
 
         PKIX_HASHCODE
                 (node->children,
                 &childrenHash,
                 plContext,
                 PKIX_OBJECTHASHCODEFAILED);
 
         nodeHash = 31*nodeHash + childrenHash;
--- a/lib/libpkix/pkix/store/pkix_store.c
+++ b/lib/libpkix/pkix/store/pkix_store.c
@@ -69,21 +69,21 @@ pkix_CertStore_Hashcode(
         if (certStore->certStoreContext) {
                 PKIX_CHECK(PKIX_PL_Object_Hashcode
                     ((PKIX_PL_Object *) certStore->certStoreContext,
                     &tempHash,
                     plContext),
                    PKIX_CERTSTOREHASHCODEFAILED);
         }
 
-        *pHashcode = (PKIX_UInt32) certStore->certCallback +
-                     (PKIX_UInt32) certStore->crlCallback +
-                     (PKIX_UInt32) certStore->certContinue +
-                     (PKIX_UInt32) certStore->crlContinue +
-                     (PKIX_UInt32) certStore->trustCallback +
+        *pHashcode = (PKIX_UInt32)((char *)certStore->certCallback - (char *)NULL) +
+                     (PKIX_UInt32)((char *)certStore->crlCallback - (char *)NULL) +
+                     (PKIX_UInt32)((char *)certStore->certContinue - (char *)NULL) +
+                     (PKIX_UInt32)((char *)certStore->crlContinue - (char *)NULL) +
+                     (PKIX_UInt32)((char *)certStore->trustCallback - (char *)NULL) +
                      (tempHash << 7);
 
 cleanup:
 
         PKIX_RETURN(CERTSTORE);
 }
 
 /*
--- a/lib/libpkix/pkix/top/pkix_build.c
+++ b/lib/libpkix/pkix/top/pkix_build.c
@@ -1521,17 +1521,17 @@ cleanup:
 /* Match trust anchor to select params in order to find next cert. */
 static PKIX_Error*
 pkix_Build_SelectCertsFromTrustAnchors(
     PKIX_List *trustAnchorsList,
     PKIX_ComCertSelParams *certSelParams,
     PKIX_List **pMatchList,
     void *plContext) 
 {
-    int anchorIndex = 0;
+    unsigned int anchorIndex = 0;
     PKIX_TrustAnchor *anchor = NULL;
     PKIX_PL_Cert *trustedCert = NULL;
     PKIX_List *matchList = NULL;
     PKIX_CertSelector *certSel = NULL;
     PKIX_CertSelector_MatchCallback selectorMatchCB = NULL;
 
     PKIX_ENTER(BUILD, "pkix_Build_SelectCertsFromTrustAnchors");
     
--- a/lib/libpkix/pkix/util/pkix_error.c
+++ b/lib/libpkix/pkix/util/pkix_error.c
@@ -320,17 +320,17 @@ pkix_Error_Hashcode(
         PKIX_UInt32 *pResult,
         void *plContext)
 {
         PKIX_ENTER(ERROR, "pkix_Error_Hashcode");
         PKIX_NULLCHECK_TWO(object, pResult);
 
         /* XXX Unimplemented */
         /* XXX Need to make hashcodes equal when two errors are equal */
-        *pResult = (PKIX_UInt32)object;
+        *pResult = (PKIX_UInt32)((char *)object - (char *)NULL);
 
         PKIX_RETURN(ERROR);
 }
 
 /* --Initializers------------------------------------------------- */
 
 /*
  * PKIX_ERRORCLASSNAMES is an array of strings, with each string holding a
--- a/lib/libpkix/pkix/util/pkix_logger.c
+++ b/lib/libpkix/pkix/util/pkix_logger.c
@@ -487,17 +487,17 @@ pkix_Logger_Hashcode(
         PKIX_CHECK(pkix_CheckType(object, PKIX_LOGGER_TYPE, plContext),
                     PKIX_OBJECTNOTLOGGER);
 
         logger = (PKIX_Logger *)object;
 
         PKIX_HASHCODE(logger->context, &tempHash, plContext,
                 PKIX_OBJECTHASHCODEFAILED);
 
-        hash = (((((PKIX_UInt32) logger->callback + tempHash) << 7) +
+        hash = (((((PKIX_UInt32)((char *)logger->callback - (char *)NULL) + tempHash) << 7) +
                 logger->maxLevel) << 7) + (PKIX_UInt32)logger->logComponent;
 
         *pHashcode = hash;
 
 cleanup:
 
         PKIX_RETURN(LOGGER);
 }
--- a/lib/libpkix/pkix/util/pkix_tools.h
+++ b/lib/libpkix/pkix/util/pkix_tools.h
@@ -1432,18 +1432,18 @@ extern PLHashNumber PR_CALLBACK pkix_Err
  * when their respective PKIX_"type"_RegisterSelf functions are called.
  * User-defined types can be registered using PKIX_PL_Object_RegisterType.
  * (see comments in pkix_pl_system.h)
  */
 
 typedef struct pkix_ClassTable_EntryStruct pkix_ClassTable_Entry;
 struct pkix_ClassTable_EntryStruct {
         char *description;
-        PKIX_Int32 objCounter;
-        PKIX_Int32 typeObjectSize;
+        PKIX_UInt32 objCounter;
+        PKIX_UInt32 typeObjectSize;
         PKIX_PL_DestructorCallback destructor;
         PKIX_PL_EqualsCallback equalsFunction;
         PKIX_PL_HashcodeCallback hashcodeFunction;
         PKIX_PL_ToStringCallback toStringFunction;
         PKIX_PL_ComparatorCallback comparator;
         PKIX_PL_DuplicateCallback duplicateFunction;
 };
 
--- a/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
+++ b/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
@@ -260,42 +260,42 @@ pkix_pl_HttpDefaultClient_HdrCheckComple
  
          case HTTP_UNKNOWN_CONTENT_LENGTH:
              /* Unknown contentLength indicator.Will be set by
               * pkix_pl_HttpDefaultClient_RecvBody whey connection get closed */
              client->rcv_http_data_len = HTTP_UNKNOWN_CONTENT_LENGTH;
              contentLength =                 /* Try to reserve 4K+ buffer */
                  client->filledupBytes + HTTP_DATA_BUFSIZE;
              if (client->maxResponseLen > 0 &&
-                 contentLength > client->maxResponseLen) {
+                 contentLength > (PKIX_Int32)client->maxResponseLen) {
                  if (client->filledupBytes < client->maxResponseLen) {
                      contentLength = client->maxResponseLen;
                  } else {
                      client->connectStatus = HTTP_ERROR;
                      goto cleanup;
                  }
              }
              /* set available number of bytes in the buffer */
              client->capacity = contentLength;
              client->connectStatus = HTTP_RECV_BODY;
              *pKeepGoing = PKIX_TRUE;
              break;
  
          default:
              client->rcv_http_data_len = contentLength;
              if (client->maxResponseLen > 0 &&
-                 client->maxResponseLen < contentLength) {
+                 (PKIX_Int32)client->maxResponseLen < contentLength) {
                  client->connectStatus = HTTP_ERROR;
                  goto cleanup;
              }
              
              /*
               * Do we have all of the message body, or do we need to read some more?
               */
-             if (client->filledupBytes < contentLength) {
+             if ((PKIX_Int32)client->filledupBytes < contentLength) {
                  client->connectStatus = HTTP_RECV_BODY;
                  *pKeepGoing = PKIX_TRUE;
              } else {
                  client->connectStatus = HTTP_COMPLETE;
                  *pKeepGoing = PKIX_FALSE;
              }
          }
  
@@ -930,17 +930,17 @@ pkix_pl_HttpDefaultClient_RecvBody(
             /* Check the buffer capacity: increase and
              * reallocate if it is low. */
             int freeBuffSize = client->capacity - client->filledupBytes;
             if (freeBuffSize < HTTP_MIN_AVAILABLE_BUFFER_SIZE) {
                 /* New length will be consist of available(downloaded) bytes,
                  * plus remaining capacity, plus new expansion. */
                 int currBuffSize = client->capacity;
                 /* Try to increase the buffer by 4K */
-                int newLength = currBuffSize + HTTP_DATA_BUFSIZE;
+                unsigned int newLength = currBuffSize + HTTP_DATA_BUFSIZE;
                 if (client->maxResponseLen > 0 &&
                     newLength > client->maxResponseLen) {
                         newLength = client->maxResponseLen;
                 }
                 /* Check if we can grow the buffer and report an error if
                  * new size is not larger than the current size of the buffer.*/
                 if (newLength <= client->filledupBytes) {
                     client->rcv_http_data_len = client->filledupBytes;
@@ -1475,29 +1475,25 @@ cleanup:
 
 }
 
 PKIX_Error *
 pkix_pl_HttpDefaultClient_Cancel(
         SEC_HTTP_REQUEST_SESSION request,
         void *plContext)
 {
-        PKIX_PL_HttpDefaultClient *client = NULL;
-
         PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_Cancel");
         PKIX_NULLCHECK_ONE(request);
 
         PKIX_CHECK(pkix_CheckType
                 ((PKIX_PL_Object *)request,
                 PKIX_HTTPDEFAULTCLIENT_TYPE,
                 plContext),
                 PKIX_REQUESTNOTANHTTPDEFAULTCLIENT);
 
-        client = (PKIX_PL_HttpDefaultClient *)request;
-
         /* XXX Not implemented */
 
 cleanup:
 
         PKIX_RETURN(HTTPDEFAULTCLIENT);
 
 }
 
--- a/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaprequest.c
+++ b/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldaprequest.c
@@ -258,26 +258,22 @@ pkix_pl_LdapRequest_EncodeAttrs(
  * FUNCTION: pkix_pl_LdapRequest_Destroy
  * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
  */
 static PKIX_Error *
 pkix_pl_LdapRequest_Destroy(
         PKIX_PL_Object *object,
         void *plContext)
 {
-        PKIX_PL_LdapRequest *ldapRq = NULL;
-
         PKIX_ENTER(LDAPREQUEST, "pkix_pl_LdapRequest_Destroy");
         PKIX_NULLCHECK_ONE(object);
 
         PKIX_CHECK(pkix_CheckType(object, PKIX_LDAPREQUEST_TYPE, plContext),
                     PKIX_OBJECTNOTLDAPREQUEST);
 
-        ldapRq = (PKIX_PL_LdapRequest *)object;
-
         /*
          * All dynamic fields in an LDAPRequest are allocated
          * in an arena, and will be freed when the arena is destroyed.
          */
 
 cleanup:
 
         PKIX_RETURN(LDAPREQUEST);
--- a/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
+++ b/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
@@ -374,24 +374,22 @@ NameCacheHasFetchedCrlInfo(PKIX_PL_Cert 
                            void *plContext)
 {
     /* Returning true result in this case will mean, that case info
      * is currect and should used as is. */
     NamedCRLCache* nameCrlCache = NULL;
     PKIX_Boolean hasFetchedCrlInCache = PKIX_TRUE;
     PKIX_List *dpList = NULL;
     pkix_pl_CrlDp *dp = NULL;
-    CERTCertificate *cert;
     PKIX_UInt32 dpIndex = 0;
     SECStatus rv = SECSuccess;
     PRTime reloadDelay = 0, badCrlInvalDelay = 0;
 
     PKIX_ENTER(CERTSTORE, "ChechCacheHasFetchedCrl");
 
-    cert = pkixCert->nssCert;
     reloadDelay = 
         ((PKIX_PL_NssContext*)plContext)->crlReloadDelay *
                                                 PR_USEC_PER_SEC;
     badCrlInvalDelay =
         ((PKIX_PL_NssContext*)plContext)->badDerCrlReloadDelay *
                                                 PR_USEC_PER_SEC;
     if (!time) {
         time = PR_Now();
@@ -475,17 +473,17 @@ cleanup:
  */
 static PKIX_Error *
 pkix_pl_Pk11CertStore_CheckRevByCrl(
         PKIX_CertStore *store,
         PKIX_PL_Cert *pkixCert,
         PKIX_PL_Cert *pkixIssuer,
         PKIX_PL_Date *date,
         PKIX_Boolean  crlDownloadDone,
-        PKIX_UInt32  *pReasonCode,
+        CERTCRLEntryReasonCode *pReasonCode,
         PKIX_RevocationStatus *pStatus,
         void *plContext)
 {
     PKIX_RevocationStatus pkixRevStatus = PKIX_RevStatus_NoInfo;
     CERTRevocationStatus revStatus = certRevocationStatusUnknown;
     PKIX_Boolean hasFetchedCrlInCache = PKIX_TRUE;
     CERTCertificate *cert = NULL, *issuer = NULL;
     SECStatus rv = SECSuccess;
@@ -670,17 +668,17 @@ fatal:
 }
 
 static PKIX_Error *
 RemovePartitionedDpsFromList(PKIX_List *dpList, PKIX_PL_Date *date,
                              void *plContext)
 {
     NamedCRLCache* nameCrlCache = NULL;
     pkix_pl_CrlDp *dp = NULL;
-    int dpIndex = 0;
+    unsigned int dpIndex = 0;
     PRTime time;
     PRTime reloadDelay = 0, badCrlInvalDelay = 0;
     SECStatus rv;
 
     PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_ListRemovePrtDp");
 
     if (!dpList || !dpList->length) {
         PKIX_RETURN(CERTSTORE);
@@ -774,17 +772,16 @@ DownloadCrl(pkix_pl_CrlDp *dp, PKIX_PL_C
     SEC_HTTP_REQUEST_SESSION pRequestSession = NULL;
     PRUint16 myHttpResponseCode;
     const char *myHttpResponseData = NULL;
     PRUint32 myHttpResponseDataLen;
     SECItem *uri = NULL;
     SECItem *derCrlCopy = NULL;
     CERTSignedCrl *nssCrl = NULL;
     CERTGeneralName *genName = NULL;
-    PKIX_Int32 savedError = -1;
     SECItem **derGenNames = NULL;
     SECItem  *derGenName = NULL;
 
     PKIX_ENTER(CERTSTORE, "pkix_pl_Pk11CertStore_DownloadCrl");
 
     /* Do not support dps others than a one with GeneralName
      * name type. */
     if (dp->distPointType != generalName ||
@@ -794,53 +791,48 @@ DownloadCrl(pkix_pl_CrlDp *dp, PKIX_PL_C
     genName = dp->name.fullName;
     derGenNames = dp->nssdp->derFullName;
     do {
         derGenName = *derGenNames;
         do {
             if (!derGenName ||
                 !genName->name.other.data) {
                 /* get to next name if no data. */
-                savedError = PKIX_UNSUPPORTEDCRLDPTYPE;
                 break;
             }
             uri = &genName->name.other;
             location = (char*)PR_Malloc(1 + uri->len);
             if (!location) {
-                savedError = PKIX_ALLOCERROR;
                 break;
             }
             PORT_Memcpy(location, uri->data, uri->len);
             location[uri->len] = 0;
             if (CERT_ParseURL(location, &hostname,
                               &port, &path) != SECSuccess) {
                 PORT_SetError(SEC_ERROR_BAD_CRL_DP_URL);
-                savedError = PKIX_URLPARSINGFAILED;
                 break;
             }
     
             PORT_Assert(hostname != NULL);
             PORT_Assert(path != NULL);
 
             if ((*hcv1->createSessionFcn)(hostname, port, 
                                           &pServerSession) != SECSuccess) {
                 PORT_SetError(SEC_ERROR_BAD_CRL_DP_URL);
-                savedError = PKIX_URLPARSINGFAILED;
                 break;
             }
 
             if ((*hcv1->createFcn)(pServerSession, "http", path, "GET",
                 /* Users with slow connections might not get CRL revocation 
                    checking for certs that use big CRLs because of the timeout
                    We absolutely need code that limits our retry attempts.
                  */
                           PR_SecondsToInterval(
                               ((PKIX_PL_NssContext*)plContext)->timeoutSeconds),
                                    &pRequestSession) != SECSuccess) {
-                savedError = PKIX_HTTPSERVERERROR;
                 break;
             }
 
             myHttpResponseDataLen =
                 ((PKIX_PL_NssContext*)plContext)->maxResponseLength;
             if (myHttpResponseDataLen < PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH)
                 myHttpResponseDataLen = PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH;
 
@@ -853,22 +845,20 @@ DownloadCrl(pkix_pl_CrlDp *dp, PKIX_PL_C
             if ((*hcv1->trySendAndReceiveFcn)(
                     pRequestSession, 
                     NULL,
                     &myHttpResponseCode,
                     NULL,
                     NULL,
                     &myHttpResponseData,
                     &myHttpResponseDataLen) != SECSuccess) {
-                savedError = PKIX_HTTPSERVERERROR;
                 break;
             }
 
             if (myHttpResponseCode != 200) {
-                savedError = PKIX_HTTPSERVERERROR;
                 break;
             }
         } while(0);
         if (!myHttpResponseData) {
             /* Going to the next one. */
             genName = CERT_GetNextGeneralName(genName);
             derGenNames++;
         }
--- a/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+++ b/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
@@ -57,17 +57,22 @@ static PKIX_Boolean socketTraceFlag = PK
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
  * RETURNS:
  *  none
  */
 static void pkix_pl_socket_timestamp() {
         PRInt64 prTime;
         prTime = PR_Now();
+/* We shouldn't use PR_ALTERNATE_INT64_TYPEDEF, but nor can we use PRId64 */
+#if PR_BYTES_PER_LONG == 8 && !defined(PR_ALTERNATE_INT64_TYPEDEF)
+        printf("%ld:\n", prTime);
+#else
         printf("%lld:\n", prTime);
+#endif
 }
 
 /*
  * FUNCTION: pkix_pl_socket_hexDigit
  * DESCRIPTION:
  *
  *  This functions prints to stdout the byte "byteVal" as two hex digits.
  *
@@ -135,17 +140,17 @@ static void pkix_pl_socket_linePrefix(PK
  *      The address of the first of the bytes to be printed
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
  * RETURNS:
  *  none
  */
 static void pkix_pl_socket_traceLine(char *ptr) {
         PKIX_UInt32 i = 0;
-        pkix_pl_socket_linePrefix((PKIX_UInt32)ptr);
+        pkix_pl_socket_linePrefix((PKIX_UInt32)((char *)ptr - (char *)NULL));
         for (i = 0; i < 16; i++) {
                 printf(" ");
                 pkix_pl_socket_hexDigit(ptr[i]);
                 if (i == 7) {
                         printf("  ");
                 }
         }
         printf("  ");
@@ -179,17 +184,17 @@ static void pkix_pl_socket_traceLine(cha
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety definitions in Programmer's Guide)
  * RETURNS:
  *  none
  */
 static void pkix_pl_socket_tracePartialLine(char *ptr, PKIX_UInt32 nBytes) {
         PKIX_UInt32 i = 0;
         if (nBytes > 0) {
-                pkix_pl_socket_linePrefix((PKIX_UInt32)ptr);
+                pkix_pl_socket_linePrefix((PKIX_UInt32)((char *)ptr - (char *)NULL));
         }
         for (i = 0; i < nBytes; i++) {
                 printf(" ");
                 pkix_pl_socket_hexDigit(ptr[i]);
                 if (i == 7) {
                         printf("  ");
                 }
         }
@@ -238,17 +243,17 @@ void pkix_pl_socket_tracebuff(void *buf,
 
         if (socketTraceFlag == PKIX_FALSE) return;
 
         pkix_pl_socket_timestamp();
         /*
          * Special case: if called with length of zero, just do address
          */
         if (nBytes == 0) {
-                pkix_pl_socket_linePrefix((PKIX_UInt32)buf);
+                pkix_pl_socket_linePrefix((PKIX_UInt32)((char *)buf - (char *)NULL));
                 printf("\n");
         } else {
                 while (bytesRemaining >= 16) {
                         pkix_pl_socket_traceLine(&bufptr[offset]);
                         bytesRemaining -= 16;
                         offset += 16;
                 }
                 pkix_pl_socket_tracePartialLine
--- a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -1510,17 +1510,16 @@ PKIX_PL_Cert_Create(
         PKIX_PL_ByteArray *byteArray,
         PKIX_PL_Cert **pCert,
         void *plContext)
 {
         CERTCertificate *nssCert = NULL;
         SECItem *derCertItem = NULL;
         void *derBytes = NULL;
         PKIX_UInt32 derLength;
-        PKIX_Boolean copyDER;
         PKIX_PL_Cert *cert = NULL;
         CERTCertDBHandle *handle;
 
         PKIX_ENTER(CERT, "PKIX_PL_Cert_Create");
         PKIX_NULLCHECK_TWO(pCert, byteArray);
 
         PKIX_CHECK(PKIX_PL_ByteArray_GetPointer
                     (byteArray, &derBytes, plContext),
@@ -1537,17 +1536,16 @@ PKIX_PL_Cert_Create(
 
         (void) PORT_Memcpy(derCertItem->data, derBytes, derLength);
 
         /*
          * setting copyDER to true forces NSS to make its own copy of the DER,
          * allowing us to free our copy without worrying about whether NSS
          * is still using it
          */
-        copyDER = PKIX_TRUE;
         handle  = CERT_GetDefaultCertDB();
         nssCert = CERT_NewTempCertificate(handle, derCertItem,
 					  /* nickname */ NULL, 
 					  /* isPerm   */ PR_FALSE, 
 					  /* copyDer  */ PR_TRUE);
         if (!nssCert){
                 PKIX_ERROR(PKIX_CERTDECODEDERCERTIFICATEFAILED);
         }
--- a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
+++ b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
@@ -346,17 +346,17 @@ cleanup:
  */
 static PKIX_Error *
 pkix_pl_CRL_ToString_Helper(
         PKIX_PL_CRL *crl,
         PKIX_PL_String **pString,
         void *plContext)
 {
         char *asciiFormat = NULL;
-        PKIX_UInt32 crlVersion;
+        PKIX_UInt32 crlVersion = 0;
         PKIX_PL_X500Name *crlIssuer = NULL;
         PKIX_PL_OID *nssSignatureAlgId = NULL;
         PKIX_PL_BigInt *crlNumber = NULL;
         PKIX_List *crlEntryList = NULL;
         PKIX_List *critExtOIDs = NULL;
         PKIX_PL_String *formatString = NULL;
         PKIX_PL_String *crlIssuerString = NULL;
         PKIX_PL_String *lastUpdateString = NULL;
--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c
@@ -68,17 +68,17 @@ pkix_pl_lifecycle_ObjectTableUpdate(int 
     return SECSuccess;
 }
 #endif /* PKIX_OBJECT_LEAK_TEST */
 
 
 PKIX_UInt32
 pkix_pl_lifecycle_ObjectLeakCheck(int *initObjCountTable)
 {
-        int   typeCounter = 0;
+        unsigned int typeCounter = 0;
         PKIX_UInt32 numObjects = 0;
         char  classNameBuff[128];
         char *className = NULL;
 
         for (; typeCounter < PKIX_NUMTYPES; typeCounter++) {
                 pkix_ClassTable_Entry *entry = &systemClasses[typeCounter];
                 PKIX_UInt32 objCountDiff = entry->objCounter;
 
@@ -240,33 +240,39 @@ cleanup:
 }
 
 /*
  * PKIX_PL_Shutdown (see comments in pkix_pl_system.h)
  */
 PKIX_Error *
 PKIX_PL_Shutdown(void *plContext)
 {
+#ifdef DEBUG
         PKIX_UInt32 numLeakedObjects = 0;
+#endif
 
         PKIX_ENTER(OBJECT, "PKIX_PL_Shutdown");
 
         if (!pkix_pl_initialized) {
             /* The library was not initilized */
             PKIX_RETURN(OBJECT);
         }
 
         PR_DestroyLock(classTableLock);
 
         pkix_pl_HttpCertStore_Shutdown(plContext);
 
+#ifdef DEBUG
         numLeakedObjects = pkix_pl_lifecycle_ObjectLeakCheck(NULL);
         if (PR_GetEnv("NSS_STRICT_SHUTDOWN")) {
            PORT_Assert(numLeakedObjects == 0);
         }
+#else
+        pkix_pl_lifecycle_ObjectLeakCheck(NULL);
+#endif
 
         if (plContext != NULL) {
                 PKIX_PL_NssContext_Destroy(plContext);
         }
 
         pkix_pl_initialized = PKIX_FALSE;
 
         PKIX_RETURN(OBJECT);
--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c
+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c
@@ -366,17 +366,17 @@ static PKIX_Error *
 pkix_pl_Object_Hashcode_Default(
         PKIX_PL_Object *object,
         PKIX_UInt32 *pValue,
         void *plContext)
 {
         PKIX_ENTER(OBJECT, "pkix_pl_Object_Hashcode_Default");
         PKIX_NULLCHECK_TWO(object, pValue);
 
-        *pValue = (PKIX_UInt32)object;
+        *pValue = (PKIX_UInt32)((char *)object - (char *)NULL);
 
         PKIX_RETURN(OBJECT);
 }
 
 /*
  * FUNCTION: pkix_pl_Object_RetrieveEqualsCallback
  * DESCRIPTION:
  *
--- a/lib/nss/nssinit.c
+++ b/lib/nss/nssinit.c
@@ -486,20 +486,16 @@ static void*           plContext = NULL;
 struct NSSInitContextStr {
     NSSInitContext *next;
     PRUint32 magic;
 };
 
 #define NSS_INIT_MAGIC 0x1413A91C
 static SECStatus nss_InitShutdownList(void);
 
-#ifdef DEBUG
-static CERTCertificate dummyCert;
-#endif
-
 /* All initialized to zero in BSS */
 static PRCallOnceType nssInitOnce;
 static PZLock *nssInitLock;
 static PZCondVar *nssInitCondition;
 static int nssIsInInit;
 
 static PRStatus
 nss_doLockInit(void)
@@ -566,18 +562,21 @@ nss_Init(const char *configdir, const ch
     nssIsInInit++;
     PZ_Unlock(nssInitLock);
 
     /* this tells us whether or not some library has already initialized us.
      * if so, we don't want to double call some of the basic initialization
      * functions */
 
     if (!isReallyInitted) {
+#ifdef DEBUG
+        CERTCertificate dummyCert;
 	/* New option bits must not change the size of CERTCertificate. */
 	PORT_Assert(sizeof(dummyCert.options) == sizeof(void *));
+#endif
 
 	if (SECSuccess != cert_InitLocks()) {
 	    goto loser;
 	}
 
 	if (SECSuccess != InitCRLCache()) {
 	    goto loser;
 	}
@@ -1241,19 +1240,18 @@ NSS_VersionCheck(const char *importedVer
      * This release has a simple version compatibility
      * check algorithm.  This release is not backward
      * compatible with previous major releases.  It is
      * not compatible with future major, minor, or
      * patch releases or builds.
      */
     int vmajor = 0, vminor = 0, vpatch = 0, vbuild = 0;
     const char *ptr = importedVersion;
-    volatile char c; /* force a reference that won't get optimized away */
-
-    c = __nss_base_version[0];
+#define NSS_VERSION_VARIABLE __nss_base_version
+#include "verref.h"
 
     while (isdigit(*ptr)) {
         vmajor = 10 * vmajor + *ptr - '0';
         ptr++;
     }
     if (*ptr == '.') {
         ptr++;
         while (isdigit(*ptr)) {
--- a/lib/pk11wrap/pk11cert.c
+++ b/lib/pk11wrap/pk11cert.c
@@ -138,16 +138,18 @@ PK11_IsUserCert(PK11SlotInfo *slot, CERT
 
 	if (pubKey == NULL) {
 	   return PR_FALSE;
 	}
 
 	PK11_SETATTRS(&theTemplate,0,NULL,0);
 	switch (pubKey->keyType) {
 	case rsaKey:
+	case rsaPssKey:
+	case rsaOaepKey:
 	    PK11_SETATTRS(&theTemplate,CKA_MODULUS, pubKey->u.rsa.modulus.data,
 						pubKey->u.rsa.modulus.len);
 	    break;
 	case dsaKey:
 	    PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dsa.publicValue.data,
 						pubKey->u.dsa.publicValue.len);
 	    break;
 	case dhKey:
@@ -223,17 +225,16 @@ static CERTCertificate *
 pk11_fastCert(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, 
 	      CK_ATTRIBUTE *privateLabel, char **nickptr)
 {
     NSSCertificate *c;
     nssCryptokiObject *co = NULL;
     nssPKIObject *pkio;
     NSSToken *token;
     NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
-    PRStatus status;
 
     /* Get the cryptoki object from the handle */
     token = PK11Slot_GetNSSToken(slot);
     if (token->defaultSession) {
 	co = nssCryptokiObject_Create(token, token->defaultSession, certID);
     } else {
 	PORT_SetError(SEC_ERROR_NO_TOKEN);
     }
@@ -273,17 +274,17 @@ pk11_fastCert(PK11SlotInfo *slot, CK_OBJ
 	*nickptr = pk11_buildNickname(slot, &label, privateLabel, &id);
     }
 
     /* This function may destroy the cert in "c" and all its subordinate
      * structures, and replace the value in "c" with the address of a 
      * different NSSCertificate that it found in the cache.
      * Presumably, the nickname which we just output above remains valid. :)
      */
-    status = nssTrustDomain_AddCertsToCache(td, &c, 1);
+    (void)nssTrustDomain_AddCertsToCache(td, &c, 1);
     return STAN_GetCERTCertificateOrRelease(c);
 }
 
 /*
  * Build an CERTCertificate structure from a PKCS#11 object ID.... certID
  * Must be a CertObject. This code does not explicitly checks that.
  */
 CERTCertificate *
@@ -2000,29 +2001,26 @@ PK11_TraverseCertsForSubjectInSlot(CERTC
     }
     return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure;
 }
 
 SECStatus
 PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot,
 	SECStatus(* callback)(CERTCertificate*, void *), void *arg)
 {
-    struct nss3_cert_cbstr pk11cb;
     PRStatus nssrv = PR_SUCCESS;
     NSSToken *token;
     NSSTrustDomain *td;
     NSSUTF8 *nick;
     PRBool created = PR_FALSE;
     nssCryptokiObject **instances;
     nssPKIObjectCollection *collection = NULL;
     NSSCertificate **certs;
     nssList *nameList = NULL;
     nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
-    pk11cb.callback = callback;
-    pk11cb.arg = arg;
     token = PK11Slot_GetNSSToken(slot);
     if (!nssToken_IsPresent(token)) {
 	return SECSuccess;
     }
     if (nickname->data[nickname->len-1] != '\0') {
 	nick = nssUTF8_Create(NULL, nssStringType_UTF8String, 
 	                      nickname->data, nickname->len);
 	created = PR_TRUE;
@@ -2695,12 +2693,13 @@ PK11_GetAllSlotsForCert(CERTCertificate 
  *
  * If you ignore this warning, your process is TAINTED and will most likely misbehave.
  */
 SECStatus
 __PK11_SetCertificateNickname(CERTCertificate *cert, const char *nickname)
 {
     /* Can't set nickname of temp cert. */
     if (!cert->slot || cert->pkcs11ID == CK_INVALID_HANDLE) {
-        return SEC_ERROR_INVALID_ARGS;
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
     return PK11_SetObjectNickname(cert->slot, cert->pkcs11ID, nickname);
 }
--- a/lib/pk11wrap/pk11load.c
+++ b/lib/pk11wrap/pk11load.c
@@ -584,18 +584,22 @@ SECMOD_UnloadModule(SECMODModule *mod) {
     /* do we want the semantics to allow unloading the internal library?
      * if not, we should change this to SECFailure and move it above the
      * mod->loaded = PR_FALSE; */
     if (mod->internal && (mod->dllName == NULL)) {
         if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
           if (softokenLib) {
               disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
               if (!disableUnload) {
+#ifdef DEBUG
                   PRStatus status = PR_UnloadLibrary(softokenLib);
                   PORT_Assert(PR_SUCCESS == status);
+#else
+                  PR_UnloadLibrary(softokenLib);
+#endif
               }
               softokenLib = NULL;
           }
           loadSoftokenOnce = pristineCallOnce;
         }
 	return SECSuccess;
     }
 
--- a/lib/pk11wrap/pk11merge.c
+++ b/lib/pk11wrap/pk11merge.c
@@ -745,18 +745,17 @@ pk11_mergeCert(PK11SlotInfo *targetSlot,
     CERTCertificate *sourceCert = NULL;
     CK_OBJECT_HANDLE targetCertID = CK_INVALID_HANDLE;
     char *nickname = NULL;
     SECStatus rv = SECSuccess;
     PLArenaPool *arena = NULL;
     CK_ATTRIBUTE sourceCKAID = {CKA_ID, NULL, 0};
     CK_ATTRIBUTE targetCKAID = {CKA_ID, NULL, 0};
     SECStatus lrv = SECSuccess;
-    int error;
-
+    int error = SEC_ERROR_LIBRARY_FAILURE;
 
     sourceCert = PK11_MakeCertFromHandle(sourceSlot, id, NULL);
     if (sourceCert == NULL) {
 	rv = SECFailure;
 	goto done;
     }
 
     nickname = PK11_GetObjectNickname(sourceSlot, id);
--- a/lib/pk11wrap/pk11obj.c
+++ b/lib/pk11wrap/pk11obj.c
@@ -1776,17 +1776,16 @@ PK11_MatchItem(PK11SlotInfo *slot, CK_OB
 	{ CKA_ID, NULL, 0 },
 	{ CKA_CLASS, NULL, 0 }
     };
     /* if you change the array, change the variable below as well */
     CK_ATTRIBUTE *keyclass = &theTemplate[1];
     int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
     /* if you change the array, change the variable below as well */
     CK_OBJECT_HANDLE peerID;
-    CK_OBJECT_HANDLE parent;
     PLArenaPool *arena;
     CK_RV crv;
 
     /* now we need to create space for the public key */
     arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
     if (arena == NULL) return CK_INVALID_HANDLE;
 
     crv = PK11_GetAttributes(arena,slot,searchID,theTemplate,tsize);
@@ -1805,17 +1804,16 @@ PK11_MatchItem(PK11SlotInfo *slot, CK_OB
 	return CK_INVALID_HANDLE;
      }
 	
 	
 
     /*
      * issue the find
      */
-    parent = *(CK_OBJECT_CLASS *)(keyclass->pValue);
     *(CK_OBJECT_CLASS *)(keyclass->pValue) = matchclass;
 
     peerID = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
     PORT_FreeArena(arena,PR_FALSE);
 
     return peerID;
 }
 
--- a/lib/pk11wrap/pk11pk12.c
+++ b/lib/pk11wrap/pk11pk12.c
@@ -417,17 +417,16 @@ loser:
 }
 
 SECStatus
 PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
 	SECKEYPrivateKeyInfo *pki, SECItem *nickname, SECItem *publicValue,
 	PRBool isPerm, PRBool isPrivate, unsigned int keyUsage,
 	SECKEYPrivateKey **privk, void *wincx) 
 {
-    CK_KEY_TYPE keyType = CKK_RSA;
     SECStatus rv = SECFailure;
     SECKEYRawPrivateKey *lpk = NULL;
     const SEC_ASN1Template *keyTemplate, *paramTemplate;
     void *paramDest = NULL;
     PLArenaPool *arena = NULL;
 
     arena = PORT_NewArena(2048);
     if(!arena) {
@@ -444,36 +443,33 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK
 
     switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
 	case SEC_OID_PKCS1_RSA_ENCRYPTION:
 	    prepare_rsa_priv_key_export_for_asn1(lpk);
 	    keyTemplate = SECKEY_RSAPrivateKeyExportTemplate;
 	    paramTemplate = NULL;
 	    paramDest = NULL;
 	    lpk->keyType = rsaKey;
-	    keyType = CKK_RSA;
 	    break;
 	case SEC_OID_ANSIX9_DSA_SIGNATURE:
 	    prepare_dsa_priv_key_export_for_asn1(lpk);
 	    keyTemplate = SECKEY_DSAPrivateKeyExportTemplate;
 	    paramTemplate = SECKEY_PQGParamsTemplate;
 	    paramDest = &(lpk->u.dsa.params);
 	    lpk->keyType = dsaKey;
-	    keyType = CKK_DSA;
 	    break;
 	case SEC_OID_X942_DIFFIE_HELMAN_KEY:
 	    if(!publicValue) {
 		goto loser;
 	    }
 	    prepare_dh_priv_key_export_for_asn1(lpk);
 	    keyTemplate = SECKEY_DHPrivateKeyExportTemplate;
 	    paramTemplate = NULL;
 	    paramDest = NULL;
 	    lpk->keyType = dhKey;
-	    keyType = CKK_DH;
 	    break;
 
 	default:
 	    keyTemplate   = NULL;
 	    paramTemplate = NULL;
 	    paramDest     = NULL;
 	    break;
     }
--- a/lib/pk11wrap/pk11skey.c
+++ b/lib/pk11wrap/pk11skey.c
@@ -1816,16 +1816,18 @@ PK11_PubDerive(SECKEYPrivateKey *privKey
     if (symKey == NULL) {
 	return NULL;
     }
 
     symKey->origin = PK11_OriginDerive;
 
     switch (privKey->keyType) {
     case rsaKey:
+    case rsaPssKey:
+    case rsaOaepKey:
     case nullKey:
 	PORT_SetError(SEC_ERROR_BAD_KEY);
 	break;
     case dsaKey:
     case keaKey:
     case fortezzaKey:
 	{
 	    CK_KEA_DERIVE_PARAMS param;
--- a/lib/pk11wrap/pk11slot.c
+++ b/lib/pk11wrap/pk11slot.c
@@ -550,20 +550,20 @@ PK11_FindSlotsByNames(const char *dllNam
             for (i=0; i < mlp->module->slotCount; i++) {
                 PK11SlotInfo *tmpSlot = (mlp->module->slots?mlp->module->slots[i]:NULL);
                 PORT_Assert(tmpSlot);
                 if (!tmpSlot) {
                     rv = SECFailure;
                     break;
                 }
                 if ((PR_FALSE == presentOnly || PK11_IsPresent(tmpSlot)) &&
-                    ( (!tokenName) || (tmpSlot->token_name &&
-                    (0==PORT_Strcmp(tmpSlot->token_name, tokenName)))) &&
-                    ( (!slotName) || (tmpSlot->slot_name &&
-                    (0==PORT_Strcmp(tmpSlot->slot_name, slotName)))) ) {
+                    ( (!tokenName) ||
+                      (0==PORT_Strcmp(tmpSlot->token_name, tokenName)) ) &&
+                    ( (!slotName) ||
+                      (0==PORT_Strcmp(tmpSlot->slot_name, slotName)) ) ) {
                     if (tmpSlot) {
                         PK11_AddSlotToList(slotList, tmpSlot, PR_TRUE);
                         slotcount++;
                     }
                 }
             }
         }
     }
@@ -1100,17 +1100,16 @@ PK11_ReadMechanismList(PK11SlotInfo *slo
  * of NSS. It reads the information associated with a card or token,
  * that is not going to change unless the card or token changes.
  */
 SECStatus
 PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts)
 {
     CK_TOKEN_INFO tokenInfo;
     CK_RV crv;
-    char *tmp;
     SECStatus rv;
     PRStatus status;
 
     /* set the slot flags to the current token values */
     if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
     crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo);
     if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
     if (crv != CKR_OK) {
@@ -1134,18 +1133,18 @@ PK11_InitToken(PK11SlotInfo *slot, PRBoo
 	 						? PR_TRUE : PR_FALSE);
     slot->lastLoginCheck = 0;
     slot->lastState = 0;
     /* on some platforms Active Card incorrectly sets the 
      * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */
     if (slot->isActiveCard) {
 	slot->protectedAuthPath = PR_FALSE;
     }
-    tmp = PK11_MakeString(NULL,slot->token_name,
-			(char *)tokenInfo.label, sizeof(tokenInfo.label));
+    (void)PK11_MakeString(NULL,slot->token_name,
+			  (char *)tokenInfo.label, sizeof(tokenInfo.label));
     slot->minPassword = tokenInfo.ulMinPinLen;
     slot->maxPassword = tokenInfo.ulMaxPinLen;
     PORT_Memcpy(slot->serial,tokenInfo.serialNumber,sizeof(slot->serial));
 
     nssToken_UpdateName(slot->nssToken);
 
     slot->defRWSession = (PRBool)((!slot->readOnly) && 
 					(tokenInfo.ulMaxSessionCount == 1));
@@ -1344,17 +1343,16 @@ pk11_isRootSlot(PK11SlotInfo *slot)
  * this and InitToken is Init slot does those one time initialization stuff,
  * usually associated with the reader, while InitToken may get called multiple
  * times as tokens are removed and re-inserted.
  */
 void
 PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot)
 {
     SECStatus rv;
-    char *tmp;
     CK_SLOT_INFO slotInfo;
 
     slot->functionList = mod->functionList;
     slot->isInternal = mod->internal;
     slot->slotID = slotID;
     slot->isThreadSafe = mod->isThreadSafe;
     slot->hasRSAInfo = PR_FALSE;
     
@@ -1366,17 +1364,17 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT
 
     /* test to make sure claimed mechanism work */
     slot->needTest = mod->internal ? PR_FALSE : PR_TRUE;
     slot->module = mod; /* NOTE: we don't make a reference here because
 			 * modules have references to their slots. This
 			 * works because modules keep implicit references
 			 * from their slots, and won't unload and disappear
 			 * until all their slots have been freed */
-    tmp = PK11_MakeString(NULL,slot->slot_name,
+    (void)PK11_MakeString(NULL,slot->slot_name,
 	 (char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
     slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT);
 #define ACTIVE_CARD "ActivCard SA"
     slot->isActiveCard = (PRBool)(PORT_Strncmp((char *)slotInfo.manufacturerID,
 				ACTIVE_CARD, sizeof(ACTIVE_CARD)-1) == 0);
     if ((slotInfo.flags & CKF_REMOVABLE_DEVICE) == 0) {
 	slot->isPerm = PR_TRUE;
 	/* permanment slots must have the token present always */
@@ -2047,17 +2045,17 @@ PK11_GetBestSlotMultipleWithAttributes(C
 		CK_FLAGS *mechanismInfoFlags, unsigned int *keySize, 
 		unsigned int mech_count, void *wincx)
 {
     PK11SlotList *list = NULL;
     PK11SlotListElement *le ;
     PK11SlotInfo *slot = NULL;
     PRBool freeit = PR_FALSE;
     PRBool listNeedLogin = PR_FALSE;
-    int i;
+    unsigned int i;
     SECStatus rv;
 
     list = PK11_GetSlotList(type[0]);
 
     if ((list == NULL) || (list->head == NULL)) {
 	/* We need to look up all the tokens for the mechanism */
 	list = PK11_GetAllTokens(type[0],PR_FALSE,PR_TRUE,wincx);
 	freeit = PR_TRUE;
--- a/lib/pkcs12/p12d.c
+++ b/lib/pkcs12/p12d.c
@@ -2805,17 +2805,17 @@ SEC_PKCS12DecoderRenameCertNicknames(SEC
     CERTCertificate *cert;
     SECStatus srv;
 
     if(!p12dcx || p12dcx->error || !p12dcx->safeBags || !nicknameCb) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
-    for (i = 0; safeBag = p12dcx->safeBags[i]; i++) {
+    for (i = 0; (safeBag = p12dcx->safeBags[i]); i++) {
         SECItem *newNickname = NULL;
         SECItem *defaultNickname = NULL;
         SECStatus rename_rv;
 
         if (SECOID_FindOIDTag(&(safeBag->safeBagType)) !=
             SEC_OID_PKCS12_V1_CERT_BAG_ID) {
             continue;
         }
--- a/lib/pkcs12/p12e.c
+++ b/lib/pkcs12/p12e.c
@@ -690,17 +690,16 @@ sec_pkcs12_append_bag(SEC_PKCS12ExportCo
  * the contents are set.  The contents could be set later by the calling
  * routine.
  */
 sec_PKCS12SafeBag *
 sec_PKCS12CreateSafeBag(SEC_PKCS12ExportContext *p12ctxt, SECOidTag bagType, 
 			void *bagData)
 {
     sec_PKCS12SafeBag *safeBag;
-    PRBool setName = PR_TRUE;
     void *mark = NULL;
     SECStatus rv = SECSuccess;
     SECOidData *oidData = NULL;
 
     if(!p12ctxt) {
 	return NULL;
     }
 
@@ -735,17 +734,16 @@ sec_PKCS12CreateSafeBag(SEC_PKCS12Export
 	    break;
 	case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
 	    safeBag->safeBagContent.pkcs8ShroudedKeyBag = 
 	        (SECKEYEncryptedPrivateKeyInfo *)bagData;
 	    break;
 	case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID:
 	    safeBag->safeBagContent.safeContents = 
 	        (sec_PKCS12SafeContents *)bagData;
-	    setName = PR_FALSE;
 	    break;
 	default:
 	    goto loser;
     }
 
     oidData = SECOID_FindOIDByTag(bagType);
     if(oidData) {
 	rv = SECITEM_CopyItem(p12ctxt->arena, &safeBag->safeBagType, &oidData->oid);
@@ -1527,35 +1525,32 @@ sec_pkcs12_encoder_start_context(SEC_PKC
     }
 
     /* set up the authenticated safe content info based on the 
      * type of integrity being used.  this should be changed to
      * enforce integrity mode, but will not be implemented until
      * it is confirmed that integrity must be in place
      */
     if(p12exp->integrityEnabled && !p12exp->pwdIntegrity) {
-	SECStatus rv;
-
 	/* create public key integrity mode */
 	p12enc->aSafeCinfo = SEC_PKCS7CreateSignedData(
 				p12exp->integrityInfo.pubkeyInfo.cert,
 				certUsageEmailSigner,
 				p12exp->integrityInfo.pubkeyInfo.certDb,
 				p12exp->integrityInfo.pubkeyInfo.algorithm,
 				NULL,
 				p12exp->pwfn,
 				p12exp->pwfnarg);
 	if(!p12enc->aSafeCinfo) {
 	    goto loser;
 	}
 	if(SEC_PKCS7IncludeCertChain(p12enc->aSafeCinfo,NULL) != SECSuccess) {
 	    goto loser;
 	}
-	rv = SEC_PKCS7AddSigningTime(p12enc->aSafeCinfo);
-	PORT_Assert(rv == SECSuccess);
+	PORT_CheckSuccess(SEC_PKCS7AddSigningTime(p12enc->aSafeCinfo));
     } else {
 	p12enc->aSafeCinfo = SEC_PKCS7CreateData();
 
 	/* init password pased integrity mode */
 	if(p12exp->integrityEnabled) {
 	    SECItem  pwd = {siBuffer,NULL, 0};
 	    SECItem *salt = sec_pkcs12_generate_salt();
 	    PK11SymKey *symKey;
--- a/lib/pkcs7/p7decode.c
+++ b/lib/pkcs7/p7decode.c
@@ -1285,17 +1285,16 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont
 			   HASH_HashType digest_type,
 			   PRBool keepcerts,
 			   const PRTime *atTime)
 {
     SECAlgorithmID **digestalgs, *bulkid;
     const SECItem *digest;
     SECItem **digests;
     SECItem **rawcerts;
-    CERTSignedCrl **crls;
     SEC_PKCS7SignerInfo **signerinfos, *signerinfo;
     CERTCertificate *cert, **certs;
     PRBool goodsig;
     CERTCertDBHandle *certdb, *defaultdb; 
     SECOidTag encTag,digestTag;
     HASH_HashType found_type;
     int i, certcount;
     SECKEYPublicKey *publickey;
@@ -1335,32 +1334,30 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont
       case SEC_OID_PKCS7_SIGNED_DATA:
 	{
 	    SEC_PKCS7SignedData *sdp;
 
 	    sdp = cinfo->content.signedData;
 	    digestalgs = sdp->digestAlgorithms;
 	    digests = sdp->digests;
 	    rawcerts = sdp->rawCerts;
-	    crls = sdp->crls;
 	    signerinfos = sdp->signerInfos;
 	    content_type = &(sdp->contentInfo.contentType);
 	    sigkey = NULL;
 	    bulkid = NULL;
 	}
 	break;
       case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
 	{
 	    SEC_PKCS7SignedAndEnvelopedData *saedp;
 
 	    saedp = cinfo->content.signedAndEnvelopedData;
 	    digestalgs = saedp->digestAlgorithms;
 	    digests = saedp->digests;
 	    rawcerts = saedp->rawCerts;
-	    crls = saedp->crls;
 	    signerinfos = saedp->signerInfos;
 	    content_type = &(saedp->encContentInfo.contentType);
 	    sigkey = saedp->sigKey;
 	    bulkid = &(saedp->encContentInfo.contentEncAlg);
 	}
 	break;
     }
 
--- a/lib/pkcs7/p7encode.c
+++ b/lib/pkcs7/p7encode.c
@@ -54,23 +54,20 @@ sec_pkcs7_encoder_start_encrypt (SEC_PKC
 {
     SECOidTag kind;
     sec_PKCS7CipherObject *encryptobj;
     SEC_PKCS7RecipientInfo **recipientinfos, *ri;
     SEC_PKCS7EncryptedContentInfo *enccinfo;
     SECKEYPublicKey *publickey = NULL;
     SECKEYPrivateKey *ourPrivKey = NULL;
     PK11SymKey  *bulkkey;
-    void *mark, *wincx;
+    void *mark;
     int i;
     PLArenaPool *arena = NULL;
 
-    /* Get the context in case we need it below. */
-    wincx = cinfo->pwfn_arg;
-
     kind = SEC_PKCS7ContentType (cinfo);
     switch (kind) {
       default:
       case SEC_OID_PKCS7_DATA:
       case SEC_OID_PKCS7_DIGESTED_DATA:
       case SEC_OID_PKCS7_SIGNED_DATA:
 	recipientinfos = NULL;
 	enccinfo = NULL;
--- a/lib/pkcs7/p7local.c
+++ b/lib/pkcs7/p7local.c
@@ -392,17 +392,17 @@ sec_PKCS7EncryptLength (sec_PKCS7CipherO
  * added to it another block, all of which is padding.)
  */ 
 SECStatus
 sec_PKCS7Decrypt (sec_PKCS7CipherObject *obj, unsigned char *output,
 		  unsigned int *output_len_p, unsigned int max_output_len,
 		  const unsigned char *input, unsigned int input_len,
 		  PRBool final)
 {
-    int blocks, bsize, pcount, padsize;
+    unsigned int blocks, bsize, pcount, padsize;
     unsigned int max_needed, ifraglen, ofraglen, output_len;
     unsigned char *pbuf;
     SECStatus rv;
 
     PORT_Assert (! obj->encrypt);
 
     /*
      * Check that we have enough room for the output.  Our caller should
--- a/lib/pki/certificate.c
+++ b/lib/pki/certificate.c
@@ -890,26 +890,25 @@ NSS_EXTERN PRStatus
 nssCertificateList_DoCallback (
   nssList *certList, 
   PRStatus (* callback)(NSSCertificate *c, void *arg),
   void *arg
 )
 {
     nssListIterator *certs;
     NSSCertificate *cert;
-    PRStatus nssrv;
     certs = nssList_CreateIterator(certList);
     if (!certs) {
         return PR_FAILURE;
     }
     for (cert  = (NSSCertificate *)nssListIterator_Start(certs);
          cert != (NSSCertificate *)NULL;
          cert  = (NSSCertificate *)nssListIterator_Next(certs))
     {
-	nssrv = (*callback)(cert, arg);
+	(void)(*callback)(cert, arg);
     }
     nssListIterator_Finish(certs);
     nssListIterator_Destroy(certs);
     return PR_SUCCESS;
 }
 
 static PRStatus add_ref_callback(NSSCertificate *c, void *a)
 {
--- a/lib/pki/pki3hack.c
+++ b/lib/pki/pki3hack.c
@@ -1267,17 +1267,17 @@ done:
 ** surviving entries to the front of the object list
 ** and nullifying the rest.
 */
 static PRStatus
 DeleteCertTrustMatchingSlot(PK11SlotInfo *pk11slot, nssPKIObject *tObject)
 {
     int numNotDestroyed = 0;     /* the ones skipped plus the failures */
     int failureCount = 0;        /* actual deletion failures by devices */
-    int index;
+    unsigned int index;
 
     nssPKIObject_AddRef(tObject);
     nssPKIObject_Lock(tObject);
     /* Keep going even if a module fails to delete. */
     for (index = 0; index < tObject->numInstances; index++) {
 	nssCryptokiObject *instance = tObject->instances[index];
 	if (!instance) {
 	    continue;
@@ -1322,17 +1322,17 @@ STAN_DeleteCertTrustMatchingSlot(NSSCert
 {
     PRStatus nssrv = PR_SUCCESS;
 
     NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
     NSSTrust *nssTrust = nssTrustDomain_FindTrustForCertificate(td, c);
     /* caller made sure nssTrust isn't NULL */
     nssPKIObject *tobject = &nssTrust->object;
     nssPKIObject *cobject = &c->object;
-    int i;
+    unsigned int i;
 
     /* Iterate through the cert and trust object instances looking for
      * those with matching pk11 slots to delete. Even if some device
      * can't delete we keep going. Keeping a status variable for the
      * loop so that once it's failed the other gets set.
      */
     NSSRWLock_LockRead(td->tokensLock);
     nssPKIObject_AddRef(cobject);
--- a/lib/pki/pkibase.c
+++ b/lib/pki/pkibase.c
@@ -898,46 +898,45 @@ nssPKIObjectCollection_GetObjects (
 }
 
 NSS_IMPLEMENT PRStatus
 nssPKIObjectCollection_Traverse (
   nssPKIObjectCollection *collection,
   nssPKIObjectCallback *callback
 )
 {
-    PRStatus status;
     PRCList *link = PR_NEXT_LINK(&collection->head);
     pkiObjectCollectionNode *node;
     while (link != &collection->head) {
 	node = (pkiObjectCollectionNode *)link;
 	if (!node->haveObject) {
 	    node->object = (*collection->createObject)(node->object);
 	    if (!node->object) {
 		link = PR_NEXT_LINK(link);
 		/*remove bogus object from list*/
 		nssPKIObjectCollection_RemoveNode(collection,node);
 		continue;
 	    }
 	    node->haveObject = PR_TRUE;
 	}
 	switch (collection->objectType) {
 	case pkiObjectType_Certificate: 
-	    status = (*callback->func.cert)((NSSCertificate *)node->object, 
+	    (void)(*callback->func.cert)((NSSCertificate *)node->object, 
 	                                    callback->arg);
 	    break;
 	case pkiObjectType_CRL: 
-	    status = (*callback->func.crl)((NSSCRL *)node->object, 
+	    (void)(*callback->func.crl)((NSSCRL *)node->object, 
 	                                   callback->arg);
 	    break;
 	case pkiObjectType_PrivateKey: 
-	    status = (*callback->func.pvkey)((NSSPrivateKey *)node->object, 
+	    (void)(*callback->func.pvkey)((NSSPrivateKey *)node->object, 
 	                                     callback->arg);
 	    break;
 	case pkiObjectType_PublicKey: 
-	    status = (*callback->func.pbkey)((NSSPublicKey *)node->object, 
+	    (void)(*callback->func.pbkey)((NSSPublicKey *)node->object, 
 	                                     callback->arg);
 	    break;
 	}
 	link = PR_NEXT_LINK(link);
     }
     return PR_SUCCESS;
 }
 
@@ -1052,28 +1051,27 @@ cert_createObject(nssPKIObject *o)
 }
 
 NSS_IMPLEMENT nssPKIObjectCollection *
 nssCertificateCollection_Create (
   NSSTrustDomain *td,
   NSSCertificate **certsOpt
 )
 {
-    PRStatus status;
     nssPKIObjectCollection *collection;
     collection = nssPKIObjectCollection_Create(td, NULL, nssPKIMonitor);
     collection->objectType = pkiObjectType_Certificate;
     collection->destroyObject = cert_destroyObject;
     collection->getUIDFromObject = cert_getUIDFromObject;
     collection->getUIDFromInstance = cert_getUIDFromInstance;
     collection->createObject = cert_createObject;
     if (certsOpt) {
 	for (; *certsOpt; certsOpt++) {
 	    nssPKIObject *object = (nssPKIObject *)(*certsOpt);
-	    status = nssPKIObjectCollection_AddObject(collection, object);
+	    (void)nssPKIObjectCollection_AddObject(collection, object);
 	}
     }
     return collection;
 }
 
 NSS_IMPLEMENT NSSCertificate **
 nssPKIObjectCollection_GetCertificates (
   nssPKIObjectCollection *collection,
@@ -1159,28 +1157,27 @@ crl_createObject(nssPKIObject *o)
 }
 
 NSS_IMPLEMENT nssPKIObjectCollection *
 nssCRLCollection_Create (
   NSSTrustDomain *td,
   NSSCRL **crlsOpt
 )
 {
-    PRStatus status;
     nssPKIObjectCollection *collection;
     collection = nssPKIObjectCollection_Create(td, NULL, nssPKILock);
     collection->objectType = pkiObjectType_CRL;
     collection->destroyObject = crl_destroyObject;
     collection->getUIDFromObject = crl_getUIDFromObject;
     collection->getUIDFromInstance = crl_getUIDFromInstance;
     collection->createObject = crl_createObject;
     if (crlsOpt) {
 	for (; *crlsOpt; crlsOpt++) {
 	    nssPKIObject *object = (nssPKIObject *)(*crlsOpt);
-	    status = nssPKIObjectCollection_AddObject(collection, object);
+	    (void)nssPKIObjectCollection_AddObject(collection, object);
 	}
     }
     return collection;
 }
 
 NSS_IMPLEMENT NSSCRL **
 nssPKIObjectCollection_GetCRLs (
   nssPKIObjectCollection *collection,
--- a/lib/pki/tdcache.c
+++ b/lib/pki/tdcache.c
@@ -324,17 +324,17 @@ NSS_IMPLEMENT void
 nssTrustDomain_RemoveCertFromCacheLOCKED (
   NSSTrustDomain *td,
   NSSCertificate *cert
 )
 {
     nssList *subjectList;
     cache_entry *ce;
     NSSArena *arena;
-    NSSUTF8 *nickname;
+    NSSUTF8 *nickname = NULL;
 
 #ifdef DEBUG_CACHE
     log_cert_ref("attempt to remove cert", cert);
 #endif
     ce = (cache_entry *)nssHash_Lookup(td->cache->issuerAndSN, cert);
     if (!ce || ce->entry.cert != cert) {
 	/* If it's not in the cache, or a different cert is (this is really
 	 * for safety reasons, though it shouldn't happen), do nothing 
@@ -771,32 +771,38 @@ add_cert_to_cache (
     nssrv = add_subject_entry(arena, td->cache, cert, 
 						certNickname, &subjectList);
     if (nssrv != PR_SUCCESS) {
 	goto loser;
     }
     added++;
     /* If a new subject entry was created, also need nickname and/or email */
     if (subjectList != NULL) {
+#ifdef nodef
 	PRBool handle = PR_FALSE;
+#endif
 	if (certNickname) {
 	    nssrv = add_nickname_entry(arena, td->cache, 
 						certNickname, subjectList);
 	    if (nssrv != PR_SUCCESS) {
 		goto loser;
 	    }
+#ifdef nodef
 	    handle = PR_TRUE;
+#endif
 	    added++;
 	}
 	if (cert->email) {
 	    nssrv = add_email_entry(td->cache, cert, subjectList);
 	    if (nssrv != PR_SUCCESS) {
 		goto loser;
 	    }
+#ifdef nodef
 	    handle = PR_TRUE;
+#endif
 	    added += 2;
 	}
 #ifdef nodef
 	/* I think either a nickname or email address must be associated
 	 * with the cert.  However, certs are passed to NewTemp without
 	 * either.  This worked in the old code, so it must work now.
 	 */
 	if (!handle) {
--- a/lib/pki/trustdomain.c
+++ b/lib/pki/trustdomain.c
@@ -986,17 +986,16 @@ collector(nssCryptokiObject *instance, v
 
 NSS_IMPLEMENT PRStatus *
 NSSTrustDomain_TraverseCertificates (
   NSSTrustDomain *td,
   PRStatus (*callback)(NSSCertificate *c, void *arg),
   void *arg
 )
 {
-    PRStatus status = PR_FAILURE;
     NSSToken *token = NULL;
     NSSSlot **slots = NULL;
     NSSSlot **slotp;
     nssPKIObjectCollection *collection = NULL;
     nssPKIObjectCallback pkiCallback;
     nssUpdateLevel updateLevel;
     NSSCertificate **cached = NULL;
     nssList *certList;
@@ -1023,30 +1022,30 @@ NSSTrustDomain_TraverseCertificates (
 	token = nssSlot_GetToken(*slotp);
 	if (token) {
 	    nssSession *session;
 	    nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
 	    /* get a session for the token */
 	    session = nssTrustDomain_GetSessionForToken(td, token);
 	    if (session) {
 		/* perform the traversal */
-		status = nssToken_TraverseCertificates(token,
+		(void)nssToken_TraverseCertificates(token,
 						       session,
 						       tokenOnly,
 						       collector,
 						       collection);
 	    }
 	    nssToken_Destroy(token);
 	}
     }
 
     /* Traverse the collection */
     pkiCallback.func.cert = callback;
     pkiCallback.arg = arg;
-    status = nssPKIObjectCollection_Traverse(collection, &pkiCallback);
+    (void)nssPKIObjectCollection_Traverse(collection, &pkiCallback);
 loser:
     if (slots) {
 	nssSlotArray_Destroy(slots);
     }
     if (collection) {
 	nssPKIObjectCollection_Destroy(collection);
     }
     return NULL;
--- a/lib/smime/cmsasn1.c
+++ b/lib/smime/cmsasn1.c
@@ -46,20 +46,16 @@ const SEC_ASN1Template NSSCMSMessageTemp
 	  offsetof(NSSCMSMessage,contentInfo.contentType) },
     { SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
      | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
 	  offsetof(NSSCMSMessage,contentInfo.content),
 	  &nss_cms_chooser },
     { 0 }
 };
 
-static const SEC_ASN1Template NSS_PointerToCMSMessageTemplate[] = {
-    { SEC_ASN1_POINTER, 0, NSSCMSMessageTemplate }
-};
-
 /* -----------------------------------------------------------------------------
  * ENCAPSULATED & ENCRYPTED CONTENTINFO
  * (both use a NSSCMSContentInfo)
  */
 static const SEC_ASN1Template NSSCMSEncapsulatedContentInfoTemplate[] = {
     { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM,
 	  0, NULL, sizeof(NSSCMSContentInfo) },
     { SEC_ASN1_OBJECT_ID,
--- a/lib/smime/cmscipher.c
+++ b/lib/smime/cmscipher.c
@@ -361,17 +361,17 @@ NSS_CMSCipherContext_EncryptLength(NSSCM
  * added to it another block, all of which is padding.)
  */ 
 SECStatus
 NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output,
 		  unsigned int *output_len_p, unsigned int max_output_len,
 		  const unsigned char *input, unsigned int input_len,
 		  PRBool final)
 {
-    int blocks, bsize, pcount, padsize;
+    unsigned int blocks, bsize, pcount, padsize;
     unsigned int max_needed, ifraglen, ofraglen, output_len;
     unsigned char *pbuf;
     SECStatus rv;
 
     PORT_Assert (! cc->encrypt);
 
     /*
      * Check that we have enough room for the output.  Our caller should
--- a/lib/smime/cmsencode.c
+++ b/lib/smime/cmsencode.c
@@ -117,25 +117,23 @@ nss_cms_encoder_out(void *arg, const cha
  * encryption and/or digesting and possibly set up child encoders.
  */
 static void
 nss_cms_encoder_notify(void *arg, PRBool before, void *dest, int depth)
 {
     NSSCMSEncoderContext *p7ecx;
     NSSCMSContentInfo *rootcinfo, *cinfo;
     PRBool after = !before;
-    PLArenaPool *poolp;
     SECOidTag childtype;
     SECItem *item;
 
     p7ecx = (NSSCMSEncoderContext *)arg;
     PORT_Assert(p7ecx != NULL);
 
     rootcinfo = &(p7ecx->cmsg->contentInfo);
-    poolp = p7ecx->cmsg->poolp;
 
 #ifdef CMSDEBUG
     fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", dest, depth);
 #endif
 
     /*
      * Watch for the content field, at which point we want to instruct
      * the ASN.1 encoder to start taking bytes from the buffer.
@@ -196,22 +194,19 @@ nss_cms_encoder_notify(void *arg, PRBool
  * nss_cms_before_data - setup the current encoder to receive data
  */
 static SECStatus
 nss_cms_before_data(NSSCMSEncoderContext *p7ecx)
 {
     SECStatus rv;
     SECOidTag childtype;
     NSSCMSContentInfo *cinfo;
-    PLArenaPool *poolp;
     NSSCMSEncoderContext *childp7ecx;
     const SEC_ASN1Template *template;
 
-    poolp = p7ecx->cmsg->poolp;
-
     /* call _Encode_BeforeData handlers */
     switch (p7ecx->type) {
     case SEC_OID_PKCS7_SIGNED_DATA:
 	/* we're encoding a signedData, so set up the digests */
 	rv = NSS_CMSSignedData_Encode_BeforeData(p7ecx->content.signedData);
 	break;
     case SEC_OID_PKCS7_DIGESTED_DATA:
 	/* we're encoding a digestedData, so set up the digest */
--- a/lib/smime/cmsrecinfo.c
+++ b/lib/smime/cmsrecinfo.c
@@ -521,42 +521,39 @@ NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSR
     return rv;
 }
 
 PK11SymKey *
 NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex, 
 	CERTCertificate *cert, SECKEYPrivateKey *privkey, SECOidTag bulkalgtag)
 {
     PK11SymKey *bulkkey = NULL;
-    SECAlgorithmID *encalg;
     SECOidTag encalgtag;
     SECItem *enckey;
     int error;
 
     ri->cert = CERT_DupCertificate(cert);
         	/* mark the recipientInfo so we can find it later */
 
     switch (ri->recipientInfoType) {
     case NSSCMSRecipientInfoID_KeyTrans:
-	encalg = &(ri->ri.keyTransRecipientInfo.keyEncAlg);
 	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyTransRecipientInfo.keyEncAlg));
 	enckey = &(ri->ri.keyTransRecipientInfo.encKey); /* ignore subIndex */
 	switch (encalgtag) {
 	case SEC_OID_PKCS1_RSA_ENCRYPTION:
 	    /* RSA encryption algorithm: */
 	    /* get the symmetric (bulk) key by unwrapping it using our private key */
 	    bulkkey = NSS_CMSUtil_DecryptSymKey_RSA(privkey, enckey, bulkalgtag);
 	    break;
 	default:
 	    error = SEC_ERROR_UNSUPPORTED_KEYALG;
 	    goto loser;
 	}
 	break;
     case NSSCMSRecipientInfoID_KeyAgree:
-	encalg = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg);
 	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyAgreeRecipientInfo.keyEncAlg));
 	enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
 	switch (encalgtag) {
 	case SEC_OID_X942_DIFFIE_HELMAN_KEY:
 	    /* Diffie-Helman key exchange */
 	    /* XXX not yet implemented */
 	    /* XXX problem: SEC_OID_X942_DIFFIE_HELMAN_KEY points to a PKCS3 mechanism! */
 	    /* we support ephemeral-static DH only, so if the recipientinfo */
@@ -568,17 +565,16 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCM
 	    goto loser;
 	    break;
 	default:
 	    error = SEC_ERROR_UNSUPPORTED_KEYALG;
 	    goto loser;
 	}
 	break;
     case NSSCMSRecipientInfoID_KEK:
-	encalg = &(ri->ri.kekRecipientInfo.keyEncAlg);
 	encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.kekRecipientInfo.keyEncAlg));
 	enckey = &(ri->ri.kekRecipientInfo.encKey);
 	/* not supported yet */
 	error = SEC_ERROR_UNSUPPORTED_KEYALG;
 	goto loser;
 	break;
     }
     /* XXXX continue here */
--- a/lib/smime/cmsudf.c
+++ b/lib/smime/cmsudf.c
@@ -74,24 +74,24 @@ nss_cmstype_shutdown(void *appData, void
     	nsscmstypeOnce = nsscmstypeClearOnce;
     }
     return SECSuccess;
 }
 
 static PLHashNumber
 nss_cmstype_hash_key(const void *key)
 {
-   return (PLHashNumber) key;
+   return (PLHashNumber)((char *)key - (char *)NULL);
 }
 
 static PRIntn
 nss_cmstype_compare_keys(const void *v1, const void *v2)
 {
-   PLHashNumber value1 = (PLHashNumber) v1;
-   PLHashNumber value2 = (PLHashNumber) v2;
+   PLHashNumber value1 = nss_cmstype_hash_key(v1);
+   PLHashNumber value2 = nss_cmstype_hash_key(v2);
 
    return (value1 == value2);
 }
 
 /*
  * initialize our hash tables, called once on the first attemat to register
  * a new SMIME type.
  */
--- a/lib/smime/smimeutil.c
+++ b/lib/smime/smimeutil.c
@@ -754,29 +754,27 @@ loser:
     return cert;
 }
 
 extern const char __nss_smime_version[];
 
 PRBool
 NSSSMIME_VersionCheck(const char *importedVersion)
 {
+#define NSS_VERSION_VARIABLE __nss_smime_version
+#include "verref.h"
     /*
      * This is the secret handshake algorithm.
      *
      * This release has a simple version compatibility
      * check algorithm.  This release is not backward
      * compatible with previous major releases.  It is
      * not compatible with future major, minor, or
      * patch releases.
      */
-    volatile char c; /* force a reference that won't get optimized away */
-
-    c = __nss_smime_version[0];
-
     return NSS_VersionCheck(importedVersion);
 }
 
 const char *
 NSSSMIME_GetVersion(void)
 {
     return NSS_VERSION;
 }
--- a/lib/softoken/legacydb/keydb.c
+++ b/lib/softoken/legacydb/keydb.c
@@ -1471,17 +1471,19 @@ seckey_encrypt_private_key( PLArenaPool 
 {
     NSSLOWKEYPrivateKeyInfo *pki = NULL;
     SECStatus rv = SECFailure;
     PLArenaPool *temparena = NULL;
     SECItem *der_item = NULL;
     SECItem *cipherText = NULL;
     SECItem *dummy = NULL;
 #ifndef NSS_DISABLE_ECC
+#ifdef EC_DEBUG
     SECItem *fordebug = NULL;
+#endif
     int savelen;
 #endif
 
     temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
     if(temparena == NULL)
 	goto loser;
 
     /* allocate structures */
@@ -1584,19 +1586,21 @@ seckey_encrypt_private_key( PLArenaPool 
 	/* At this point dummy should contain the encoded params */
 	rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
 				   SEC_OID_ANSIX962_EC_PUBLIC_KEY, dummy);
 
 	if (rv == SECFailure) {
 	    goto loser;
 	}
 	
+#ifdef EC_DEBUG
 	fordebug = &(pki->privateKey);
 	SEC_PRINT("seckey_encrypt_private_key()", "PrivateKey", 
 		  pk->keyType, fordebug);
+#endif
 
 	break;
 #endif /* NSS_DISABLE_ECC */
       default:
 	/* We don't support DH or Fortezza private keys yet */
 	PORT_Assert(PR_FALSE);
 	break;
     }
@@ -1699,17 +1703,17 @@ static NSSLOWKEYPrivateKey *
 seckey_decrypt_private_key(SECItem*epki,
 			   SDB *sdbpw)
 {
     NSSLOWKEYPrivateKey *pk = NULL;
     NSSLOWKEYPrivateKeyInfo *pki = NULL;
     SECStatus rv = SECFailure;
     PLArenaPool *temparena = NULL, *permarena = NULL;
     SECItem *dest = NULL;
-#ifndef NSS_DISABLE_ECC
+#ifdef EC_DEBUG
     SECItem *fordebug = NULL;
 #endif
 
     if((epki == NULL) || (sdbpw == NULL))
 	goto loser;
 
     temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
     permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
@@ -1812,19 +1816,21 @@ seckey_decrypt_private_key(SECItem*epki,
 					lg_nsslowkey_DHPrivateKeyTemplate,
 					&newPrivateKey);
 		break;
 #ifndef NSS_DISABLE_ECC
 	      case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
 		pk->keyType = NSSLOWKEYECKey;
 		lg_prepare_low_ec_priv_key_for_asn1(pk);
 
+#ifdef EC_DEBUG
 		fordebug = &pki->privateKey;
 		SEC_PRINT("seckey_decrypt_private_key()", "PrivateKey", 
 			  pk->keyType, fordebug);
+#endif
                 if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
                     &pki->privateKey) ) break;
 		rv = SEC_QuickDERDecodeItem(permarena, pk,
 					lg_nsslowkey_ECPrivateKeyTemplate,
 					&newPrivateKey);
 		if (rv != SECSuccess)
 		    goto loser;
 
@@ -1985,59 +1991,53 @@ nsslowkey_FindKeyNicknameByPublicKey(NSS
 }
 /* ===== ENCODING ROUTINES ===== */
 
 static SECStatus
 encodePWCheckEntry(PLArenaPool *arena, SECItem *entry, SECOidTag alg,
 		   SECItem *encCheck)
 {
     SECOidData *oidData;
-    SECStatus rv;
     
     oidData = SECOID_FindOIDByTag(alg);
     if ( oidData == NULL ) {
-	rv = SECFailure;
-	goto loser;
+	return SECFailure;
     }
 
     entry->len = 1 + oidData->oid.len + encCheck->len;
     if ( arena ) {
 	entry->data = (unsigned char *)PORT_ArenaAlloc(arena, entry->len);
     } else {
 	entry->data = (unsigned char *)PORT_Alloc(entry->len);
     }
     
     if ( entry->data == NULL ) {
-	goto loser;
+	return SECFailure;
     }
 	
     /* first length of oid */
     entry->data[0] = (unsigned char)oidData->oid.len;
     /* next oid itself */
     PORT_Memcpy(&entry->data[1], oidData->oid.data, oidData->oid.len);
     /* finally the encrypted check string */
     PORT_Memcpy(&entry->data[1+oidData->oid.len], encCheck->data,
 		encCheck->len);
 
-    return(SECSuccess);
-
-loser:
-    return(SECFailure);
+    return SECSuccess;
 }
     
 
 #define MAX_DB_SIZE 0xffff 
 /*
  * Clear out all the keys in the existing database
  */
 static SECStatus
 nsslowkey_ResetKeyDB(NSSLOWKEYDBHandle *handle)
 {
     SECStatus rv;
-    int ret;
     int errors = 0;
 
     if ( handle->db == NULL ) {
 	return(SECSuccess);
     }
 
     if (handle->readOnly) {
 	/* set an error code */
@@ -2075,125 +2075,119 @@ nsslowkey_ResetKeyDB(NSSLOWKEYDBHandle *
 	}
     }
     if ( rv != SECSuccess ) {
 	errors++;
     }
 
 done:
     /* sync the database */
-    ret = keydb_Sync(handle, 0);
+    (void)keydb_Sync(handle, 0);
     db_InitComplete(handle->db);
 
     return (errors == 0 ? SECSuccess : SECFailure);
 }
 
 static int
 keydb_Get(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
 {
-    PRStatus prstat;
     int ret;
     PRLock *kdbLock = kdb->lock;
     DB *db = kdb->db;
     
     PORT_Assert(kdbLock != NULL);
     PZ_Lock(kdbLock);
 
     ret = (* db->get)(db, key, data, flags);
 
-    prstat = PZ_Unlock(kdbLock);
+    (void)PZ_Unlock(kdbLock);
 
     return(ret);
 }
 
 static int
 keydb_Put(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
 {
-    PRStatus prstat;
     int ret = 0;
     PRLock *kdbLock = kdb->lock;
     DB *db = kdb->db;
 
     PORT_Assert(kdbLock != NULL);
     PZ_Lock(kdbLock);
 
     ret = (* db->put)(db, key, data, flags);
     
-    prstat = PZ_Unlock(kdbLock);
+    (void)PZ_Unlock(kdbLock);
 
     return(ret);
 }
 
 static int
 keydb_Sync(NSSLOWKEYDBHandle *kdb, unsigned int flags)
 {
-    PRStatus prstat;
     int ret;
     PRLock *kdbLock = kdb->lock;
     DB *db = kdb->db;
 
     PORT_Assert(kdbLock != NULL);
     PZ_Lock(kdbLock);
 
     ret = (* db->sync)(db, flags);
     
-    prstat = PZ_Unlock(kdbLock);
+    (void)PZ_Unlock(kdbLock);
 
     return(ret);
 }
 
 static int
 keydb_Del(NSSLOWKEYDBHandle *kdb, DBT *key, unsigned int flags)
 {
-    PRStatus prstat;
     int ret;
     PRLock *kdbLock = kdb->lock;
     DB *db = kdb->db;
 
     PORT_Assert(kdbLock != NULL);
     PZ_Lock(kdbLock);
 
     ret = (* db->del)(db, key, flags);
     
-    prstat = PZ_Unlock(kdbLock);
+    (void)PZ_Unlock(kdbLock);
 
     return(ret);
 }
 
 static int
 keydb_Seq(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
 {
-    PRStatus prstat;
     int ret;
     PRLock *kdbLock = kdb->lock;
     DB *db = kdb->db;
     
     PORT_Assert(kdbLock != NULL);
     PZ_Lock(kdbLock);
     
     ret = (* db->seq)(db, key, data, flags);
 
-    prstat = PZ_Unlock(kdbLock);
+    (void)PZ_Unlock(kdbLock);
 
     return(ret);
 }
 
 static void
 keydb_Close(NSSLOWKEYDBHandle *kdb)
 {
-    PRStatus prstat;
     PRLock *kdbLock = kdb->lock;
     DB *db = kdb->db;
 
     PORT_Assert(kdbLock != NULL);
     SKIP_AFTER_FORK(PZ_Lock(kdbLock));
 
     (* db->close)(db);
     
-    SKIP_AFTER_FORK(prstat = PZ_Unlock(kdbLock));
+    SKIP_AFTER_FORK(PZ_Unlock(kdbLock));
 
     return;
 }
 
 /*
  * SDB Entry Points for the Key DB 
  */
 
--- a/lib/softoken/legacydb/lgattr.c
+++ b/lib/softoken/legacydb/lgattr.c
@@ -205,18 +205,16 @@ lg_invalidAttribute(CK_ATTRIBUTE *attr)
 CK_BBOOL lg_staticTrueValue = CK_TRUE;
 CK_BBOOL lg_staticFalseValue = CK_FALSE;
 static const CK_ATTRIBUTE lg_StaticTrueAttr = 
   LG_DEF_ATTRIBUTE(&lg_staticTrueValue,sizeof(lg_staticTrueValue));
 static const CK_ATTRIBUTE lg_StaticFalseAttr = 
   LG_DEF_ATTRIBUTE(&lg_staticFalseValue,sizeof(lg_staticFalseValue));
 static const CK_ATTRIBUTE lg_StaticNullAttr = LG_DEF_ATTRIBUTE(NULL,0);
 char lg_StaticOneValue = 1;
-static const CK_ATTRIBUTE lg_StaticOneAttr = 
-  LG_DEF_ATTRIBUTE(&lg_StaticOneValue,sizeof(lg_StaticOneValue));
 
 /*
  * helper functions which get the database and call the underlying 
  * low level database function.
  */
 static char *
 lg_FindKeyNicknameByPublicKey(SDB *sdb, SECItem *dbKey)
 {
@@ -429,21 +427,16 @@ lg_GetPubItem(NSSLOWKEYPublicKey *pubKey
 	    break;
 #endif /* NSS_DISABLE_ECC */
     default:
 	    break;
     }
     return pubItem;
 }
 
-static const SEC_ASN1Template lg_SerialTemplate[] = {
-    { SEC_ASN1_INTEGER, offsetof(NSSLOWCERTCertificate,serialNumber) },
-    { 0 }
-};
-
 static CK_RV
 lg_FindRSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
 				CK_ATTRIBUTE *attribute)
 {
     unsigned char hash[SHA1_LENGTH];
     CK_KEY_TYPE keyType = CKK_RSA;
 
     switch (type) {
--- a/lib/softoken/legacydb/lginit.c
+++ b/lib/softoken/legacydb/lginit.c
@@ -471,24 +471,24 @@ lg_Close(SDB *sdb)
     }
     PORT_Free(sdb);
     return CKR_OK;
 }
 
 static PLHashNumber
 lg_HashNumber(const void *key)
 {
-    return (PLHashNumber) key;
+    return (PLHashNumber)((char *)key - (char *)NULL);
 }
 
 PRIntn
 lg_CompareValues(const void *v1, const void *v2)
 {
-    PLHashNumber value1 = (PLHashNumber) v1;
-    PLHashNumber value2 = (PLHashNumber) v2;
+    PLHashNumber value1 = lg_HashNumber(v1);
+    PLHashNumber value2 = lg_HashNumber(v2);
     return (value1 == value2);
 }
 
 /*
  * helper function to wrap a NSSLOWCERTCertDBHandle or a NSSLOWKEYDBHandle
  * with and sdb structure.
  */
 CK_RV 
@@ -582,19 +582,19 @@ loser:
 CK_RV
 legacy_Open(const char *configdir, const char *certPrefix, 
 	    const char *keyPrefix, int certVersion, int keyVersion,
 	    int flags, SDB **certDB, SDB **keyDB)
 {
     CK_RV crv = CKR_OK;
     SECStatus rv;
     PRBool readOnly = (flags == SDB_RDONLY)? PR_TRUE: PR_FALSE;
-    volatile char c; /* force a reference that won't get optimized away */
 
-    c = __nss_dbm_version[0];
+#define NSS_VERSION_VARIABLE __nss_dbm_version
+#include "verref.h"
 
     rv = SECOID_Init();
     if (SECSuccess != rv) {
         return CKR_DEVICE_ERROR;
     }
     nsslowcert_InitLocks();
 
     if (keyDB) *keyDB = NULL;
--- a/lib/softoken/legacydb/pcertdb.c
+++ b/lib/softoken/legacydb/pcertdb.c
@@ -98,23 +98,22 @@ nsslowcert_LockDB(NSSLOWCERTCertDBHandle
 }
 
 /*
  * Free the global cert database lock.
  */
 static void
 nsslowcert_UnlockDB(NSSLOWCERTCertDBHandle *handle)
 {
-    PRStatus prstat;
-    
-    prstat = PZ_ExitMonitor(handle->dbMon);
-    
+#ifdef DEBUG
+    PRStatus prstat = PZ_ExitMonitor(handle->dbMon);
     PORT_Assert(prstat == PR_SUCCESS);
-    
-    return;
+#else
+    PZ_ExitMonitor(handle->dbMon);
+#endif
 }
 
 
 /*
  * Acquire the cert reference count lock
  * There is currently one global lock for all certs, but I'm putting a cert
  * arg here so that it will be easy to make it per-cert in the future if
  * that turns out to be necessary.
@@ -129,25 +128,26 @@ nsslowcert_LockCertRefCount(NSSLOWCERTCe
 }
 
 /*
  * Free the cert reference count lock
  */
 static void
 nsslowcert_UnlockCertRefCount(NSSLOWCERTCertificate *cert)
 {
-    PRStatus prstat;
-
     PORT_Assert(certRefCountLock != NULL);
     
-    prstat = PZ_Unlock(certRefCountLock);
-    
-    PORT_Assert(prstat == PR_SUCCESS);
-
-    return;
+#ifdef DEBUG
+    {
+        PRStatus prstat = PZ_Unlock(certRefCountLock);
+        PORT_Assert(prstat == PR_SUCCESS);
+    }
+#else
+    PZ_Unlock(certRefCountLock);
+#endif
 }
 
 /*
  * Acquire the cert trust lock
  * There is currently one global lock for all certs, but I'm putting a cert
  * arg here so that it will be easy to make it per-cert in the future if
  * that turns out to be necessary.
  */
@@ -161,25 +161,26 @@ nsslowcert_LockCertTrust(NSSLOWCERTCerti
 }
 
 /*
  * Free the cert trust lock
  */
 static void
 nsslowcert_UnlockCertTrust(NSSLOWCERTCertificate *cert)
 {
-    PRStatus prstat;
-
     PORT_Assert(certTrustLock != NULL);
     
-    prstat = PZ_Unlock(certTrustLock);
-    
-    PORT_Assert(prstat == PR_SUCCESS);
-
-    return;
+#ifdef DEBUG
+    {
+        PRStatus prstat = PZ_Unlock(certTrustLock);
+        PORT_Assert(prstat == PR_SUCCESS);
+    }
+#else
+    PZ_Unlock(certTrustLock);
+#endif
 }
 
 
 /*
  * Acquire the cert reference count lock
  * There is currently one global lock for all certs, but I'm putting a cert
  * arg here so that it will be easy to make it per-cert in the future if
  * that turns out to be necessary.
@@ -194,135 +195,130 @@ nsslowcert_LockFreeList(void)
 }
 
 /*
  * Free the cert reference count lock
  */
 static void
 nsslowcert_UnlockFreeList(void)
 {
-    PRStatus prstat = PR_SUCCESS;
-
     PORT_Assert(freeListLock != NULL);
     
-    SKIP_AFTER_FORK(prstat = PZ_Unlock(freeListLock));
-    
-    PORT_Assert(prstat == PR_SUCCESS);
-
-    return;
+#ifdef DEBUG
+    {
+        PRStatus prstat = PR_SUCCESS;
+        SKIP_AFTER_FORK(prstat = PZ_Unlock(freeListLock));
+        PORT_Assert(prstat == PR_SUCCESS);
+    }
+#else
+    SKIP_AFTER_FORK(PZ_Unlock(freeListLock));
+#endif
 }
 
 NSSLOWCERTCertificate *
 nsslowcert_DupCertificate(NSSLOWCERTCertificate *c)
 {
     if (c) {
 	nsslowcert_LockCertRefCount(c);
 	++c->referenceCount;
 	nsslowcert_UnlockCertRefCount(c);
     }
     return c;
 }
 
 static int
 certdb_Get(DB *db, DBT *key, DBT *data, unsigned int flags)
 {
-    PRStatus prstat;
     int ret;
     
     PORT_Assert(dbLock != NULL);
     PZ_Lock(dbLock);
 
     ret = (* db->get)(db, key, data, flags);
 
-    prstat = PZ_Unlock(dbLock);
+    (void)PZ_Unlock(dbLock);
 
     return(ret);
 }
 
 static int
 certdb_Put(DB *db, DBT *key, DBT *data, unsigned int flags)
 {
-    PRStatus prstat;
     int ret = 0;
 
     PORT_Assert(dbLock != NULL);
     PZ_Lock(dbLock);
 
     ret = (* db->put)(db, key, data, flags);
     
-    prstat = PZ_Unlock(dbLock);
+    (void)PZ_Unlock(dbLock);
 
     return(ret);
 }
 
 static int
 certdb_Sync(DB *db, unsigned int flags)
 {
-    PRStatus prstat;
     int ret;
 
     PORT_Assert(dbLock != NULL);
     PZ_Lock(dbLock);
 
     ret = (* db->sync)(db, flags);
     
-    prstat = PZ_Unlock(dbLock);
+    (void)PZ_Unlock(dbLock);
 
     return(ret);
 }
 
 #define DB_NOT_FOUND -30991  /* from DBM 3.2 */
 static int
 certdb_Del(DB *db, DBT *key, unsigned int flags)
 {
-    PRStatus prstat;
     int ret;
 
     PORT_Assert(dbLock != NULL);
     PZ_Lock(dbLock);
 
     ret = (* db->del)(db, key, flags);
     
-    prstat = PZ_Unlock(dbLock);
+    (void)PZ_Unlock(dbLock);
 
     /* don't fail if the record is already deleted */
     if (ret == DB_NOT_FOUND) {
 	ret = 0;
     }
 
     return(ret);
 }
 
 static int
 certdb_Seq(DB *db, DBT *key, DBT *data, unsigned int flags)
 {
-    PRStatus prstat;
     int ret;
     
     PORT_Assert(dbLock != NULL);
     PZ_Lock(dbLock);
     
     ret = (* db->seq)(db, key, data, flags);
 
-    prstat = PZ_Unlock(dbLock);
+    (void)PZ_Unlock(dbLock);
 
     return(ret);
 }
 
 static void
 certdb_Close(DB *db)
 {
-    PRStatus prstat = PR_SUCCESS;
-
     PORT_Assert(dbLock != NULL);
     SKIP_AFTER_FORK(PZ_Lock(dbLock));
 
     (* db->close)(db);
     
-    SKIP_AFTER_FORK(prstat = PZ_Unlock(dbLock));
+    SKIP_AFTER_FORK(PZ_Unlock(dbLock));
 
     return;
 }
 
 void
 pkcs11_freeNickname(char *nickname, char *space)
 {
     if (nickname && nickname != space) {
@@ -2425,17 +2421,16 @@ static certDBEntrySubject *
 NewDBSubjectEntry(SECItem *derSubject, SECItem *certKey,
 		  SECItem *keyID, char *nickname, char *emailAddr,
 		  unsigned int flags)
 {
     PLArenaPool *arena = NULL;
     certDBEntrySubject *entry;
     SECStatus rv;
     unsigned int nnlen;
-    unsigned int eaddrlen;
     
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if ( arena == NULL ) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	goto loser;
     }
 
     entry = (certDBEntrySubject *)PORT_ArenaAlloc(arena,
@@ -2475,17 +2470,16 @@ NewDBSubjectEntry(SECItem *derSubject, S
     /* copy email addr */
     if ( emailAddr && ( *emailAddr != '\0' ) ) {
 	emailAddr = nsslowcert_FixupEmailAddr(emailAddr);
 	if ( emailAddr == NULL ) {
 	    entry->emailAddrs = NULL;
 	    goto loser;
 	}
 	
-	eaddrlen = PORT_Strlen(emailAddr) + 1;
 	entry->emailAddrs = (char **)PORT_ArenaAlloc(arena, sizeof(char *));
 	if ( entry->emailAddrs == NULL ) {
 	    PORT_Free(emailAddr);
 	    goto loser;
 	}
 	entry->emailAddrs[0] = PORT_ArenaStrdup(arena,emailAddr);
 	if (entry->emailAddrs[0]) {
 	    entry->nemailAddrs = 1;
@@ -3581,17 +3575,16 @@ UpdateV6DB(NSSLOWCERTCertDBHandle *handl
     DBT key, data;
     unsigned char *buf, *tmpbuf = NULL;
     certDBEntryType type;
     certDBEntryNickname *nnEntry = NULL;
     certDBEntrySubject *subjectEntry = NULL;
     certDBEntrySMime *emailEntry = NULL;
     char *nickname;
     char *emailAddr;
-    SECStatus rv;
     
     /*
      * Sequence through the old database and copy all of the entries
      * to the new database.  Subject name entries will have the new
      * fields inserted into them (with zero length).
      */
     ret = (* updatedb->seq)(updatedb, &key, &data, R_FIRST);
     if ( ret ) {
@@ -3695,17 +3688,17 @@ UpdateV6DB(NSSLOWCERTCertDBHandle *handl
 		    }
 		    
 		    subjectEntry->nickname =
 			(char *)PORT_ArenaAlloc(subjectEntry->common.arena,
 						key.size - 1);
 		    if ( subjectEntry->nickname ) {
 			PORT_Memcpy(subjectEntry->nickname, nickname,
 				    key.size - 1);
-			rv = WriteDBSubjectEntry(handle, subjectEntry);
+			(void)WriteDBSubjectEntry(handle, subjectEntry);
 		    }
 		} else if ( type == certDBEntryTypeSMimeProfile ) {
 		    emailAddr = &((char *)key.data)[1];
 
 		    /* get the matching smime entry in the new DB */
 		    emailEntry = nsslowcert_ReadDBSMimeEntry(handle, emailAddr);
 		    if ( emailEntry == NULL ) {
 			goto endloop;
@@ -3724,17 +3717,17 @@ UpdateV6DB(NSSLOWCERTCertDBHandle *handl
 		    if ( subjectEntry->emailAddrs ) {
 			subjectEntry->emailAddrs[0] =
 			     (char *)PORT_ArenaAlloc(subjectEntry->common.arena,
 						key.size - 1);
 			if ( subjectEntry->emailAddrs[0] ) {
 			    PORT_Memcpy(subjectEntry->emailAddrs[0], emailAddr,
 				    key.size - 1);
 			    subjectEntry->nemailAddrs = 1;
-			    rv = WriteDBSubjectEntry(handle, subjectEntry);
+			    (void)WriteDBSubjectEntry(handle, subjectEntry);
 			}
 		    }
 		}
 		
 endloop