Bug 1309068 - Enable -Wshadow, r=franziskus
authorMartin Thomson <martin.thomson@gmail.com>
Wed, 14 Feb 2018 18:46:10 +1100
changeset 14273 942d28a4f3d561cb6ccdd4de2318396276a29258
parent 14272 6ef788e1264f6fd72aa049fe09515e519074874d
child 14274 d706ff184407debda73ac3a74713129bfa06b33f
push id3012
push usermartin.thomson@gmail.com
push dateWed, 28 Feb 2018 22:54:03 +0000
reviewersfranziskus
bugs1309068
Bug 1309068 - Enable -Wshadow, r=franziskus
cmd/bltest/blapitest.c
cmd/certutil/certutil.c
cmd/crlutil/crlutil.c
cmd/crmftest/testcrmf.c
cmd/dbtest/dbtest.c
cmd/httpserv/httpserv.c
cmd/lib/secutil.c
cmd/listsuites/listsuites.c
cmd/lowhashtest/lowhashtest.c
cmd/modutil/install-ds.c
cmd/mpitests/mpi-test.c
cmd/ocspclnt/ocspclnt.c
cmd/ocspresp/ocspresp.c
cmd/pk12util/pk12util.c
cmd/rsaperf/rsaperf.c
cmd/selfserv/selfserv.c
cmd/signtool/javascript.c
cmd/signtool/sign.c
cmd/signtool/zip.c
cmd/smimetools/cmsutil.c
cmd/strsclnt/strsclnt.c
cmd/symkeyutil/symkeyutil.c
cmd/tstclnt/tstclnt.c
cmd/vfyserv/vfyserv.c
cmd/vfyserv/vfyutil.c
coreconf/Werror.mk
coreconf/werror.py
cpputil/databuffer.cc
cpputil/databuffer.h
fuzz/fuzz.gyp
gtests/freebl_gtest/blake2b_unittest.cc
gtests/freebl_gtest/kat/blake2b_kat.h
gtests/nss_bogo_shim/config.h
gtests/nss_bogo_shim/nss_bogo_shim.cc
gtests/pk11_gtest/pk11_signature_test.h
gtests/ssl_gtest/ssl_auth_unittest.cc
gtests/ssl_gtest/ssl_dhe_unittest.cc
gtests/ssl_gtest/ssl_ecdh_unittest.cc
gtests/ssl_gtest/ssl_extension_unittest.cc
gtests/ssl_gtest/ssl_fuzz_unittest.cc
gtests/ssl_gtest/ssl_hrr_unittest.cc
gtests/ssl_gtest/ssl_loopback_unittest.cc
gtests/ssl_gtest/ssl_record_unittest.cc
gtests/ssl_gtest/ssl_resumption_unittest.cc
gtests/ssl_gtest/ssl_skip_unittest.cc
gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
gtests/ssl_gtest/test_io.cc
gtests/ssl_gtest/test_io.h
gtests/ssl_gtest/tls_agent.cc
gtests/ssl_gtest/tls_agent.h
gtests/ssl_gtest/tls_filter.cc
gtests/ssl_gtest/tls_filter.h
gtests/ssl_gtest/tls_protect.cc
lib/certdb/crl.c
lib/ckfw/session.c
lib/freebl/loader.c
lib/freebl/mpi/mpi.c
lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
lib/pk11wrap/pk11pars.c
lib/pkcs7/p7decode.c
lib/pki/pki3hack.c
lib/smime/cmsrecinfo.c
lib/softoken/lowpbe.c
lib/softoken/pkcs11.c
lib/softoken/pkcs11c.c
lib/softoken/pkcs11u.c
lib/softoken/sftkpars.c
lib/ssl/ssl3con.c
nss-tool/enc/enctool.cc
--- a/cmd/bltest/blapitest.c
+++ b/cmd/bltest/blapitest.c
@@ -3719,33 +3719,33 @@ main(int argc, char **argv)
     if (bltest.commands[cmd_RSAPopulateKV].activated) {
         PORT_Free(cipherInfo);
         return doRSAPopulateTestKV();
     }
 
     /* test the RSA_PopulatePrivateKey function */
     if (bltest.commands[cmd_RSAPopulate].activated) {
         unsigned int keySize = 1024;
-        unsigned long exponent = 65537;
+        unsigned long keyExponent = 65537;
         int rounds = 1;
         int ret = -1;
 
         if (bltest.options[opt_KeySize].activated) {
             keySize = PORT_Atoi(bltest.options[opt_KeySize].arg);
         }
         if (bltest.options[opt_Rounds].activated) {
             rounds = PORT_Atoi(bltest.options[opt_Rounds].arg);
         }
         if (bltest.options[opt_Exponent].activated) {
-            exponent = PORT_Atoi(bltest.options[opt_Exponent].arg);
+            keyExponent = PORT_Atoi(bltest.options[opt_Exponent].arg);
         }
 
         for (i = 0; i < rounds; i++) {
             printf("Running RSA Populate test round %d\n", i);
-            ret = doRSAPopulateTest(keySize, exponent);
+            ret = doRSAPopulateTest(keySize, keyExponent);
             if (ret != 0) {
                 break;
             }
         }
         if (ret != 0) {
             fprintf(stderr, "RSA Populate test round %d: FAILED\n", i);
         }
         PORT_Free(cipherInfo);
--- a/cmd/certutil/certutil.c
+++ b/cmd/certutil/certutil.c
@@ -777,27 +777,27 @@ ValidateCert(CERTCertDBHandle *handle, c
 
         rv = CERT_VerifyCertificate(handle, cert, checkSig, usage,
                                     timeBoundary, pwdata, log, &usage);
         if (log) {
             if (log->head == NULL) {
                 fprintf(stdout, "%s: certificate is valid\n", progName);
                 GEN_BREAK(SECSuccess)
             } else {
-                char *name;
+                char *nick;
                 CERTVerifyLogNode *node;
 
                 node = log->head;
                 while (node) {
                     if (node->cert->nickname != NULL) {
-                        name = node->cert->nickname;
+                        nick = node->cert->nickname;
                     } else {
-                        name = node->cert->subjectName;
+                        nick = node->cert->subjectName;
                     }
-                    fprintf(stderr, "%s : %s\n", name,
+                    fprintf(stderr, "%s : %s\n", nick,
                             SECU_Strerror(node->error));
                     CERT_DestroyCertificate(node->cert);
                     node = node->next;
                 }
             }
         } else {
             if (rv != SECSuccess) {
                 PRErrorCode perr = PORT_GetError();
@@ -994,17 +994,17 @@ static SECStatus
 DeleteKey(char *nickname, secuPWData *pwdata)
 {
     SECStatus rv;
     CERTCertificate *cert;
     PK11SlotInfo *slot;
 
     slot = PK11_GetInternalKeySlot();
     if (PK11_NeedLogin(slot)) {
-        SECStatus rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
+        rv = PK11_Authenticate(slot, PR_TRUE, pwdata);
         if (rv != SECSuccess) {
             SECU_PrintError(progName, "could not authenticate to token %s.",
                             PK11_GetTokenName(slot));
             return SECFailure;
         }
     }
     cert = PK11_FindCertFromNickname(nickname, pwdata);
     if (!cert) {
@@ -1061,17 +1061,17 @@ PrintBuildFlags()
 #endif
 #ifdef NSS_NO_INIT_SUPPORT
     PR_fprintf(PR_STDOUT, "NSS_NO_INIT_SUPPORT\n");
 #endif
     exit(0);
 }
 
 static void
-PrintSyntax(char *progName)
+PrintSyntax()
 {
 #define FPS fprintf(stderr,
     FPS "Type %s -H for more detailed descriptions\n", progName);
     FPS "Usage:  %s -N [-d certdir] [-P dbprefix] [-f pwfile] [--empty-password]\n", progName);
     FPS "Usage:  %s -T [-d certdir] [-P dbprefix] [-h token-name]\n"
         "\t\t [-f pwfile] [-0 SSO-password]\n", progName);
     FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
         progName);
@@ -1833,17 +1833,17 @@ luBuildFlags(enum usage_level ul, const 
     FPS "%-15s Print enabled build flags relevant for NSS test execution\n",
         "--build-flags");
     if (ul == usage_selected && !is_my_command)
         return;
     FPS "\n");
 }
 
 static void
-LongUsage(char *progName, enum usage_level ul, const char *command)
+LongUsage(enum usage_level ul, const char *command)
 {
     luA(ul, command);
     luB(ul, command);
     luE(ul, command);
     luC(ul, command);
     luG(ul, command);
     luD(ul, command);
     luRename(ul, command);
@@ -1861,24 +1861,24 @@ LongUsage(char *progName, enum usage_lev
     luW(ul, command);
     luUpgradeMerge(ul, command);
     luMerge(ul, command);
     luS(ul, command);
 #undef FPS
 }
 
 static void
-Usage(char *progName)
+Usage()
 {
     PR_fprintf(PR_STDERR,
                "%s - Utility to manipulate NSS certificate databases\n\n"
                "Usage:  %s <command> -d <database-directory> <options>\n\n"
                "Valid commands:\n",
                progName, progName);
-    LongUsage(progName, usage_selected, NULL);
+    LongUsage(usage_selected, NULL);
     PR_fprintf(PR_STDERR, "\n"
                           "%s -H <command> : Print available options for the given command\n"
                           "%s -H : Print complete help output of all commands and options\n"
                           "%s --syntax : Print a short summary of all commands and options\n",
                progName, progName, progName);
     exit(1);
 }
 
@@ -2264,54 +2264,53 @@ flagArray opFlagsArray[] =
       { NAME_SIZE(encrypt), CKF_ENCRYPT },
       { NAME_SIZE(decrypt), CKF_DECRYPT },
       { NAME_SIZE(sign), CKF_SIGN },
       { NAME_SIZE(sign_recover), CKF_SIGN_RECOVER },
       { NAME_SIZE(verify), CKF_VERIFY },
       { NAME_SIZE(verify_recover), CKF_VERIFY_RECOVER },
       { NAME_SIZE(wrap), CKF_WRAP },
       { NAME_SIZE(unwrap), CKF_UNWRAP },
-      { NAME_SIZE(derive), CKF_DERIVE },
+      { NAME_SIZE(derive), CKF_DERIVE }
     };
 
-int opFlagsCount = sizeof(opFlagsArray) / sizeof(flagArray);
+int opFlagsCount = PR_ARRAY_SIZE(opFlagsArray);
 
 flagArray attrFlagsArray[] =
     {
       { NAME_SIZE(token), PK11_ATTR_TOKEN },
       { NAME_SIZE(session), PK11_ATTR_SESSION },
       { NAME_SIZE(private), PK11_ATTR_PRIVATE },
       { NAME_SIZE(public), PK11_ATTR_PUBLIC },
       { NAME_SIZE(modifiable), PK11_ATTR_MODIFIABLE },
       { NAME_SIZE(unmodifiable), PK11_ATTR_UNMODIFIABLE },
       { NAME_SIZE(sensitive), PK11_ATTR_SENSITIVE },
       { NAME_SIZE(insensitive), PK11_ATTR_INSENSITIVE },
       { NAME_SIZE(extractable), PK11_ATTR_EXTRACTABLE },
       { NAME_SIZE(unextractable), PK11_ATTR_UNEXTRACTABLE }
-
     };
 
-int attrFlagsCount = sizeof(attrFlagsArray) / sizeof(flagArray);
+int attrFlagsCount = PR_ARRAY_SIZE(attrFlagsArray);
 
 #define MAX_STRING 30
 CK_ULONG
-GetFlags(char *flagsString, flagArray *flagArray, int count)
+GetFlags(char *flagsString, flagArray *flags, int count)
 {
     CK_ULONG flagsValue = strtol(flagsString, NULL, 0);
     int i;
 
     if ((flagsValue != 0) || (*flagsString == 0)) {
         return flagsValue;
     }
     while (*flagsString) {
         for (i = 0; i < count; i++) {
-            if (strncmp(flagsString, flagArray[i].name, flagArray[i].nameSize) ==
+            if (strncmp(flagsString, flags[i].name, flags[i].nameSize) ==
                 0) {
-                flagsValue |= flagArray[i].value;
-                flagsString += flagArray[i].nameSize;
+                flagsValue |= flags[i].value;
+                flagsString += flags[i].nameSize;
                 if (*flagsString != 0) {
                     flagsString++;
                 }
                 break;
             }
         }
         if (i == count) {
             char name[MAX_STRING];
@@ -2686,41 +2685,40 @@ certutil_main(int argc, char **argv, PRB
     progName = PORT_Strrchr(argv[0], '/');
     progName = progName ? progName + 1 : argv[0];
     memcpy(certutil_commands, commands_init, sizeof commands_init);
     memcpy(certutil_options, options_init, sizeof options_init);
 
     rv = SECU_ParseCommandLine(argc, argv, progName, &certutil);
 
     if (rv != SECSuccess)
-        Usage(progName);
+        Usage();
 
     if (certutil.commands[cmd_PrintSyntax].activated) {
-        PrintSyntax(progName);
+        PrintSyntax();
     }
 
     if (certutil.commands[cmd_PrintHelp].activated) {
-        int i;
         char buf[2];
         const char *command = NULL;
         for (i = 0; i < max_cmd; i++) {
             if (i == cmd_PrintHelp)
                 continue;
             if (certutil.commands[i].activated) {
                 if (certutil.commands[i].flag) {
                     buf[0] = certutil.commands[i].flag;
                     buf[1] = 0;
                     command = buf;
                 } else {
                     command = certutil.commands[i].longform;
                 }
                 break;
             }
         }
-        LongUsage(progName, (command ? usage_selected : usage_all), command);
+        LongUsage((command ? usage_selected : usage_all), command);
         exit(1);
     }
 
     if (certutil.commands[cmd_BuildFlags].activated) {
         PrintBuildFlags();
     }
 
     if (certutil.options[opt_PasswordFile].arg) {
@@ -2818,26 +2816,26 @@ certutil_main(int argc, char **argv, PRB
         serialNumber = sn;
     }
 
     /*  -P certdb name prefix */
     if (certutil.options[opt_DBPrefix].activated) {
         if (certutil.options[opt_DBPrefix].arg) {
             certPrefix = certutil.options[opt_DBPrefix].arg;
         } else {
-            Usage(progName);
+            Usage();
         }
     }
 
     /*  --source-prefix certdb name prefix */
     if (certutil.options[opt_SourcePrefix].activated) {
         if (certutil.options[opt_SourcePrefix].arg) {
             srcCertPrefix = certutil.options[opt_SourcePrefix].arg;
         } else {
-            Usage(progName);
+            Usage();
         }
     }
 
     /*  -q PQG file or curve name */
     if (certutil.options[opt_PQGFile].activated) {
         if ((keytype != dsaKey) && (keytype != ecKey)) {
             PR_fprintf(PR_STDERR, "%s -q: specifies a PQG file for DSA keys"
                                   " (-k dsa) or a named curve for EC keys (-k ec)\n)",
@@ -2911,17 +2909,17 @@ certutil_main(int argc, char **argv, PRB
         for (i = 0; i < certutil.numCommands; i++) {
             if (certutil.commands[i].activated)
                 PR_fprintf(PR_STDERR, " -%c", certutil.commands[i].flag);
         }
         PR_fprintf(PR_STDERR, "\n");
         return 255;
     }
     if (commandsEntered == 0) {
-        Usage(progName);
+        Usage();
     }
 
     if (certutil.commands[cmd_ListCerts].activated ||
         certutil.commands[cmd_PrintHelp].activated ||
         certutil.commands[cmd_ListKeys].activated ||
         certutil.commands[cmd_ListModules].activated ||
         certutil.commands[cmd_CheckCertValidity].activated ||
         certutil.commands[cmd_Version].activated) {
--- a/cmd/crlutil/crlutil.c
+++ b/cmd/crlutil/crlutil.c
@@ -765,17 +765,17 @@ loser:
     if (signCrl)
         SEC_DestroyCrl(signCrl);
     if (cert)
         CERT_DestroyCertificate(cert);
     return (rv);
 }
 
 static void
-Usage(char *progName)
+Usage()
 {
     fprintf(stderr,
             "Usage:  %s -L [-n nickname] [-d keydir] [-P dbprefix] [-t crlType]\n"
             "        %s -D -n nickname [-d keydir] [-P dbprefix]\n"
             "        %s -S -i crl\n"
             "        %s -I -i crl -t crlType [-u url] [-d keydir] [-P dbprefix] [-B] "
             "[-p pwd-file] -w [pwd-string]\n"
             "        %s -E -t crlType [-d keydir] [-P dbprefix]\n"
@@ -903,17 +903,17 @@ main(int argc, char **argv)
     crlType = SEC_CRL_TYPE;
     /*
      * Parse command line arguments
      */
     optstate = PL_CreateOptState(argc, argv, "sqBCDGILMSTEP:f:d:i:h:n:p:t:u:r:aZ:o:c:");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         switch (optstate->option) {
             case '?':
-                Usage(progName);
+                Usage();
                 break;
 
             case 'T':
                 test = PR_TRUE;
                 break;
 
             case 'E':
                 erase = PR_TRUE;
@@ -1033,27 +1033,27 @@ main(int argc, char **argv)
                 case 'u':
                     url = PORT_Strdup(optstate->value);
                     break;
             }
         }
     }
 
     if (deleteCRL && !nickName)
-        Usage(progName);
+        Usage();
     if (importCRL && !inFile)
-        Usage(progName);
+        Usage();
     if (showFileCRL && !inFile)
-        Usage(progName);
+        Usage();
     if ((generateCRL && !nickName) ||
         (modifyCRL && !inFile && !nickName))
-        Usage(progName);
+        Usage();
     if (!(listCRL || deleteCRL || importCRL || showFileCRL || generateCRL ||
           modifyCRL || test || erase))
-        Usage(progName);
+        Usage();
 
     if (listCRL || showFileCRL) {
         readonly = PR_TRUE;
     }
 
     PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 
     PK11_SetPasswordFunc(SECU_GetModulePassword);
--- a/cmd/crmftest/testcrmf.c
+++ b/cmd/crmftest/testcrmf.c
@@ -572,17 +572,16 @@ Decode(void)
         printf("Error decoding CertReqMessages.\n");
         return 202;
     }
     numMsgs = CRMF_CertReqMessagesGetNumMessages(certReqMsgs);
     if (numMsgs <= 0) {
         printf("WARNING: The DER contained %d messages.\n", numMsgs);
     }
     for (i = 0; i < numMsgs; i++) {
-        SECStatus rv;
         printf("crmftest: Processing cert request %d\n", i);
         certReqMsg = CRMF_CertReqMessagesGetCertReqMsgAtIndex(certReqMsgs, i);
         if (certReqMsg == NULL) {
             printf("ERROR: Could not access the message at index %d of %s\n",
                    i, filePath);
         }
         rv = CRMF_CertReqMsgGetID(certReqMsg, &lame);
         if (rv) {
--- a/cmd/dbtest/dbtest.c
+++ b/cmd/dbtest/dbtest.c
@@ -53,17 +53,17 @@ getPassword(PK11SlotInfo *slot, PRBool r
         return NULL;
     }
 
     *success = 1;
     return PORT_Strdup(userPassword);
 }
 
 static void
-Usage(const char *progName)
+Usage()
 {
     printf("Usage:  %s [-r] [-f] [-i] [-d dbdir ] \n",
            progName);
     printf("%-20s open database readonly (NSS_INIT_READONLY)\n", "-r");
     printf("%-20s Continue to force initializations even if the\n", "-f");
     printf("%-20s databases cannot be opened (NSS_INIT_FORCEOPEN)\n", " ");
     printf("%-20s Try to initialize the database\n", "-i");
     printf("%-20s Supply a password with which to initialize the db\n", "-p");
@@ -91,17 +91,17 @@ main(int argc, char **argv)
     progName = progName ? progName + 1 : argv[0];
 
     optstate = PL_CreateOptState(argc, argv, "rfip:d:h");
 
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         switch (optstate->option) {
             case 'h':
             default:
-                Usage(progName);
+                Usage();
                 break;
 
             case 'r':
                 flags |= NSS_INIT_READONLY;
                 break;
 
             case 'f':
                 flags |= NSS_INIT_FORCEOPEN;
@@ -117,17 +117,17 @@ main(int argc, char **argv)
 
             case 'd':
                 dbDir = PORT_Strdup(optstate->value);
                 break;
         }
     }
     PL_DestroyOptState(optstate);
     if (optstatus == PL_OPT_BAD)
-        Usage(progName);
+        Usage();
 
     if (dbDir) {
         char *tmp = dbDir;
         dbDir = SECU_ConfigDirectory(tmp);
         PORT_Free(tmp);
     } else {
         /* Look in $SSL_DIR */
         dbDir = SECU_ConfigDirectory(SECU_DefaultSSLDir());
@@ -176,17 +176,16 @@ main(int argc, char **argv)
                         secmodName, flags);
     if (rv != SECSuccess) {
         SECU_PrintPRandOSError(progName);
         ret = NSS_INITIALIZE_FAILED_ERR;
     } else {
         ret = SUCCESS;
         if (doInitTest) {
             PK11SlotInfo *slot = PK11_GetInternalKeySlot();
-            SECStatus rv;
             int passwordSuccess = 0;
             int type = CKM_DES3_CBC;
             SECItem keyid = { 0, NULL, 0 };
             unsigned char keyIdData[] = { 0xff, 0xfe };
             PK11SymKey *key = NULL;
 
             keyid.data = keyIdData;
             keyid.len = sizeof(keyIdData);
--- a/cmd/httpserv/httpserv.c
+++ b/cmd/httpserv/httpserv.c
@@ -677,16 +677,17 @@ handle_connection(
                         NSSBase64_DecodeBuffer(arena, &postData, getData, strlen(getData));
                     }
                 }
                 if (postData.len) {
                     request = CERT_DecodeOCSPRequest(&postData);
                 }
                 if (arena) {
                     PORT_FreeArena(arena, PR_FALSE);
+                    arena = NULL;
                 }
                 if (!request || !request->tbsRequest ||
                     !request->tbsRequest->requestList ||
                     !request->tbsRequest->requestList[0]) {
                     PORT_Sprintf(msgBuf, "Cannot decode OCSP request.\r\n");
 
                     iovs[numIOVs].iov_base = msgBuf;
                     iovs[numIOVs].iov_len = PORT_Strlen(msgBuf);
@@ -748,21 +749,21 @@ handle_connection(
                                 nextUpdate = PR_Now() + (PRTime)60 * 60 * 24 * PR_USEC_PER_SEC; /*tomorrow*/
                                 revoDate = PR_Now() - (PRTime)60 * 60 * 24 * PR_USEC_PER_SEC;   /*yesterday*/
                             }
                         }
                     }
 
                     {
                         PRTime now = PR_Now();
-                        PLArenaPool *arena = NULL;
                         CERTOCSPSingleResponse *sr;
                         CERTOCSPSingleResponse **singleResponses;
                         SECItem *ocspResponse;
 
+                        PORT_Assert(!arena);
                         arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
 
                         if (unknown) {
                             sr = CERT_CreateOCSPSingleResponseUnknown(arena, reqid, now,
                                                                       &nextUpdate);
                         } else if (revoked) {
                             sr = CERT_CreateOCSPSingleResponseRevoked(arena, reqid, now,
                                                                       &nextUpdate, revoDate, NULL);
@@ -782,18 +783,18 @@ handle_connection(
                         if (!ocspResponse) {
                             PORT_Sprintf(msgBuf, "Failed to encode response\r\n");
                             iovs[numIOVs].iov_base = msgBuf;
                             iovs[numIOVs].iov_len = PORT_Strlen(msgBuf);
                             numIOVs++;
                         } else {
                             PR_Write(ssl_sock, outOcspHeader, strlen(outOcspHeader));
                             PR_Write(ssl_sock, ocspResponse->data, ocspResponse->len);
-                            PORT_FreeArena(arena, PR_FALSE);
                         }
+                        PORT_FreeArena(arena, PR_FALSE);
                     }
                     CERT_DestroyOCSPRequest(request);
                     break;
                 }
             } else if (local_file_fd) {
                 PRInt32 bytes;
                 int errLen;
                 bytes = PR_TransmitFile(ssl_sock, local_file_fd, outHeader,
@@ -1352,17 +1353,16 @@ main(int argc, char **argv)
             fputs("NSS_Init failed.\n", stderr);
             exit(8);
         }
 
         if (caRevoInfos) {
             caRevoIter = &caRevoInfos->link;
             do {
                 PRFileDesc *inFile;
-                int rv = SECFailure;
                 SECItem crlDER;
                 crlDER.data = NULL;
 
                 revoInfo = (caRevoInfo *)caRevoIter;
                 revoInfo->cert = CERT_FindCertByNickname(
                     CERT_GetDefaultCertDB(), revoInfo->nickname);
                 if (!revoInfo->cert) {
                     fprintf(stderr, "cannot find cert with nickname %s\n",
@@ -1408,21 +1408,19 @@ main(int argc, char **argv)
         server_main(listen_sock, 0, 0, 0,
                     0);
     }
 
     VLOG(("httpserv: server_thread: exiting"));
 
     if (provideOcsp) {
         if (caRevoInfos) {
-            PRCList *caRevoIter;
-
             caRevoIter = &caRevoInfos->link;
             do {
-                caRevoInfo *revoInfo = (caRevoInfo *)caRevoIter;
+                revoInfo = (caRevoInfo *)caRevoIter;
                 if (revoInfo->nickname)
                     PORT_Free(revoInfo->nickname);
                 if (revoInfo->crlFilename)
                     PORT_Free(revoInfo->crlFilename);
                 if (revoInfo->cert)
                     CERT_DestroyCertificate(revoInfo->cert);
                 if (revoInfo->id)
                     CERT_DestroyOCSPCertID(revoInfo->id);
--- a/cmd/lib/secutil.c
+++ b/cmd/lib/secutil.c
@@ -1523,19 +1523,19 @@ SECU_PrintDumpDerIssuerAndSerial(FILE *o
     PORT_Free(derSerialB64);
 
     fprintf(out, "Serial DER as C source: \n{ %d, \"", c->serialNumber.len);
 
     {
         unsigned int i;
         for (i = 0; i < c->serialNumber.len; ++i) {
             unsigned char *chardata = (unsigned char *)(c->serialNumber.data);
-            unsigned char c = *(chardata + i);
-
-            fprintf(out, "\\x%02x", c);
+            unsigned char ch = *(chardata + i);
+
+            fprintf(out, "\\x%02x", ch);
         }
         fprintf(out, "\" }\n");
     }
 
 loser:
     PORT_FreeArena(arena, PR_FALSE);
     return rv;
 }
@@ -3132,17 +3132,17 @@ loser:
 typedef enum {
     noSignature = 0,
     withSignature = 1
 } SignatureOptionType;
 
 static int
 secu_PrintSignedDataSigOpt(FILE *out, SECItem *der, const char *m,
                            int level, SECU_PPFunc inner,
-                           SignatureOptionType withSignature)
+                           SignatureOptionType signatureOption)
 {
     PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     CERTSignedData *sd;
     int rv = SEC_ERROR_NO_MEMORY;
 
     if (!arena)
         return rv;
 
@@ -3159,17 +3159,17 @@ secu_PrintSignedDataSigOpt(FILE *out, SE
     if (m) {
         SECU_Indent(out, level);
         fprintf(out, "%s:\n", m);
     } else {
         level -= 1;
     }
     rv = (*inner)(out, &sd->data, "Data", level + 1);
 
-    if (withSignature) {
+    if (signatureOption == withSignature) {
         SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, "Signature Algorithm",
                               level + 1);
         DER_ConvertBitString(&sd->signature);
         SECU_PrintAsHex(out, &sd->signature, "Signature", level + 1);
     }
     SECU_PrintFingerprints(out, der, "Fingerprint", level + 1);
 loser:
     PORT_FreeArena(arena, PR_FALSE);
--- a/cmd/listsuites/listsuites.c
+++ b/cmd/listsuites/listsuites.c
@@ -59,19 +59,17 @@ main(int argc, char **argv)
         goto out;
     }
 
     fputs("This version of libSSL supports these cipher suites:\n\n", stdout);
 
     /* disable all the SSL3 cipher suites */
     for (i = 0; i < SSL_NumImplementedCiphers; i++) {
         PRUint16 suite = cipherSuites[i];
-        SECStatus rv;
         PRBool enabled;
-        PRErrorCode err;
         SSLCipherSuiteInfo info;
 
         rv = SSL_CipherPrefGetDefault(suite, &enabled);
         if (rv != SECSuccess) {
             err = PR_GetError();
             ++errCount;
             fprintf(stderr,
                     "SSL_CipherPrefGetDefault didn't like value 0x%04x (i = %d): %s\n",
--- a/cmd/lowhashtest/lowhashtest.c
+++ b/cmd/lowhashtest/lowhashtest.c
@@ -385,17 +385,17 @@ testSHA512(NSSLOWInitContext *initCtx)
                                (const unsigned char *)sha512tests[cnt].input,
                                sha512tests[cnt].result, &results[0]);
     }
     rv += test_long_message_sha512(initCtx);
     return rv;
 }
 
 static void
-Usage(char *progName)
+Usage()
 {
     fprintf(stderr, "Usage: %s [algorithm]\n",
             progName);
     fprintf(stderr, "algorithm must be one of %s\n",
             "{ MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 }");
     fprintf(stderr, "default is to test all\n");
     exit(-1);
 }
@@ -431,15 +431,15 @@ main(int argc, char **argv)
     } else if (strcmp(argv[1], "SHA226") == 0) {
         rv += testSHA256(initCtx);
     } else if (strcmp(argv[1], "SHA384") == 0) {
         rv += testSHA384(initCtx);
     } else if (strcmp(argv[1], "SHA512") == 0) {
         rv += testSHA512(initCtx);
     } else {
         SECU_PrintError(progName, "Unsupported hash type %s\n", argv[0]);
-        Usage(progName);
+        Usage();
     }
 
     NSSLOW_Shutdown(initCtx);
 
     return (rv == 0) ? 0 : 1;
 }
--- a/cmd/modutil/install-ds.c
+++ b/cmd/modutil/install-ds.c
@@ -83,21 +83,21 @@ static const char* errString[] = {
     "No ModuleName specification in module %s",
     "No Platforms specification in installer script",
     "Platform %s has an equivalency loop",
     "Module file \"%s\" in platform \"%s\" does not exist"
 };
 
 static char* PR_Strdup(const char* str);
 
-#define PAD(x)                  \
-    {                           \
-        int i;                  \
-        for (i = 0; i < x; i++) \
-            printf(" ");        \
+#define PAD(x)                                \
+    {                                         \
+        int pad_i;                            \
+        for (pad_i = 0; pad_i < (x); pad_i++) \
+            printf(" ");                      \
     }
 #define PADINC 4
 
 Pk11Install_File*
 Pk11Install_File_new()
 {
     Pk11Install_File* new_this;
     new_this = (Pk11Install_File*)PR_Malloc(sizeof(Pk11Install_File));
--- a/cmd/mpitests/mpi-test.c
+++ b/cmd/mpitests/mpi-test.c
@@ -370,24 +370,24 @@ int find_name(char *name);
 void reason(char *fmt, ...);
 
 /*------------------------------------------------------------------------*/
 /*------------------------------------------------------------------------*/
 
 char g_intbuf[4096]; /* buffer for integer comparison   */
 char a_intbuf[4096]; /* buffer for integer comparison   */
 int g_verbose = 1;   /* print out reasons for failure?  */
-int res;
 
-#define IFOK(x)                                            \
-    {                                                      \
-        if (MP_OKAY > (res = (x))) {                       \
-            reason("test %s failed: error %d\n", #x, res); \
-            return 1;                                      \
-        }                                                  \
+#define IFOK(x)                                                 \
+    {                                                           \
+        int ifok_res = (x);                                     \
+        if (MP_OKAY > ifok_res) {                               \
+            reason("test %s failed: error %d\n", #x, ifok_res); \
+            return 1;                                           \
+        }                                                       \
     }
 
 int
 main(int argc, char *argv[])
 {
     int which, res;
 
     srand((unsigned int)time(NULL));
--- a/cmd/ocspclnt/ocspclnt.c
+++ b/cmd/ocspclnt/ocspclnt.c
@@ -33,62 +33,62 @@
 #endif
 
 #define DEFAULT_DB_DIR "~/.netscape"
 
 /* global */
 char *program_name;
 
 static void
-synopsis(char *program_name)
+synopsis(char *progname)
 {
     PRFileDesc *pr_stderr;
 
     pr_stderr = PR_STDERR;
     PR_fprintf(pr_stderr, "Usage:");
     PR_fprintf(pr_stderr,
                "\t%s -p [-d <dir>]\n",
-               program_name);
+               progname);
     PR_fprintf(pr_stderr,
                "\t%s -P [-d <dir>]\n",
-               program_name);
+               progname);
     PR_fprintf(pr_stderr,
                "\t%s -r <name> [-a] [-L] [-s <name>] [-d <dir>]\n",
-               program_name);
+               progname);
     PR_fprintf(pr_stderr,
                "\t%s -R <name> [-a] [-l <location>] [-s <name>] [-d <dir>]\n",
-               program_name);
+               progname);
     PR_fprintf(pr_stderr,
                "\t%s -S <name> [-a] [-l <location> -t <name>]\n",
-               program_name);
+               progname);
     PR_fprintf(pr_stderr,
                "\t\t [-s <name>] [-w <time>] [-d <dir>]\n");
     PR_fprintf(pr_stderr,
                "\t%s -V <name> [-a] -u <usage> [-l <location> -t <name>]\n",
-               program_name);
+               progname);
     PR_fprintf(pr_stderr,
                "\t\t [-s <name>] [-w <time>] [-d <dir>]\n");
 }
 
 static void
-short_usage(char *program_name)
+short_usage(char *progname)
 {
     PR_fprintf(PR_STDERR,
                "Type %s -H for more detailed descriptions\n",
-               program_name);
-    synopsis(program_name);
+               progname);
+    synopsis(progname);
 }
 
 static void
-long_usage(char *program_name)
+long_usage(char *progname)
 {
     PRFileDesc *pr_stderr;
 
     pr_stderr = PR_STDERR;
-    synopsis(program_name);
+    synopsis(progname);
     PR_fprintf(pr_stderr, "\nCommands (must specify exactly one):\n");
     PR_fprintf(pr_stderr,
                "  %-13s Pretty-print a binary request read from stdin\n",
                "-p");
     PR_fprintf(pr_stderr,
                "  %-13s Pretty-print a binary response read from stdin\n",
                "-P");
     PR_fprintf(pr_stderr,
--- a/cmd/ocspresp/ocspresp.c
+++ b/cmd/ocspresp/ocspresp.c
@@ -189,34 +189,34 @@ main(int argc, char **argv)
     PORT_Assert(encodedRev);
     decodedRev = CERT_DecodeOCSPResponse(encodedRev);
     PORT_CheckSuccess(CERT_GetOCSPResponseStatus(decodedRev));
 
     PORT_CheckSuccess(CERT_VerifyOCSPResponseSignature(decodedRev, certHandle, &pwdata,
                                                        &obtainedSignerCert, caCert));
 #ifdef DEBUG
     {
-        SECStatus rv = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
-                                                   obtainedSignerCert, now);
+        rv = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
+                                         obtainedSignerCert, now);
         PORT_Assert(rv == SECFailure);
         PORT_Assert(PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE);
     }
 #else
     (void)CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
                                       obtainedSignerCert, now);
 #endif
     CERT_DestroyCertificate(obtainedSignerCert);
 
     encodedFail = CERT_CreateEncodedOCSPErrorResponse(
         arena, SEC_ERROR_OCSP_TRY_SERVER_LATER);
     PORT_Assert(encodedFail);
     decodedFail = CERT_DecodeOCSPResponse(encodedFail);
 #ifdef DEBUG
     {
-        SECStatus rv = CERT_GetOCSPResponseStatus(decodedFail);
+        rv = CERT_GetOCSPResponseStatus(decodedFail);
         PORT_Assert(rv == SECFailure);
         PORT_Assert(PORT_GetError() == SEC_ERROR_OCSP_TRY_SERVER_LATER);
     }
 #else
     (void)CERT_GetOCSPResponseStatus(decodedFail);
 #endif
     retval = 0;
 loser:
--- a/cmd/pk12util/pk12util.c
+++ b/cmd/pk12util/pk12util.c
@@ -23,17 +23,17 @@
 static char *progName;
 PRBool pk12_debugging = PR_FALSE;
 PRBool dumpRawFile;
 static PRBool pk12uForceUnicode;
 
 PRIntn pk12uErrno = 0;
 
 static void
-Usage(char *progName)
+Usage()
 {
 #define FPS PR_fprintf(PR_STDERR,
     FPS "Usage:	 %s -i importfile [-d certdir] [-P dbprefix] [-h tokenname]\n",
 				 progName);
     FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
     FPS "\t\t [-v]\n");
 
     FPS "Usage:	 %s -l listfile [-d certdir] [-P dbprefix] [-h tokenname]\n",
@@ -1015,36 +1015,36 @@ main(int argc, char **argv)
     pk12util.options = pk12util_options;
 
     progName = strrchr(argv[0], '/');
     progName = progName ? progName + 1 : argv[0];
 
     rv = SECU_ParseCommandLine(argc, argv, progName, &pk12util);
 
     if (rv != SECSuccess)
-        Usage(progName);
+        Usage();
 
     pk12_debugging = pk12util.options[opt_Debug].activated;
 
     if ((pk12util.options[opt_Import].activated +
          pk12util.options[opt_Export].activated +
          pk12util.options[opt_List].activated) != 1) {
-        Usage(progName);
+        Usage();
     }
 
     if (pk12util.options[opt_Export].activated &&
         !pk12util.options[opt_Nickname].activated) {
-        Usage(progName);
+        Usage();
     }
 
     rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode);
     if (rv != SECSuccess) {
         SECU_PrintError(progName,
                         "Failed to get NSS_PKCS12_DECODE_FORCE_UNICODE option");
-        Usage(progName);
+        Usage();
     }
     pk12uForceUnicode = forceUnicode;
 
     slotname = SECU_GetOptionArg(&pk12util, opt_TokenName);
 
     import_file = (pk12util.options[opt_List].activated) ? SECU_GetOptionArg(&pk12util, opt_List)
                                                          : SECU_GetOptionArg(&pk12util, opt_Import);
     export_file = SECU_GetOptionArg(&pk12util, opt_Export);
@@ -1139,17 +1139,17 @@ main(int argc, char **argv)
         P12U_ExportPKCS12Object(pk12util.options[opt_Nickname].arg,
                                 export_file, slot, cipher, certCipher,
                                 &slotPw, &p12FilePw);
 
     } else if (pk12util.options[opt_List].activated) {
         P12U_ListPKCS12File(import_file, slot, &slotPw, &p12FilePw);
 
     } else {
-        Usage(progName);
+        Usage();
         pk12uErrno = PK12UERR_USAGE;
     }
 
 done:
     if (import_file != NULL)
         PORT_ZFree(import_file, PL_strlen(import_file));
     if (export_file != NULL)
         PORT_ZFree(export_file, PL_strlen(export_file));
--- a/cmd/rsaperf/rsaperf.c
+++ b/cmd/rsaperf/rsaperf.c
@@ -308,17 +308,17 @@ main(int argc, char **argv)
     NSSLOWKEYPublicKey *pubKey = NULL;
     CERTCertificate *cert = NULL;
     char *progName = NULL;
     char *secDir = NULL;
     char *nickname = NULL;
     char *slotname = NULL;
     long keybits = 0;
     RSAOp fn;
-    void *rsaKey = NULL;
+    void *rsaKeyPtr = NULL;
     PLOptState *optstate;
     PLOptStatus optstatus;
     long iters = DEFAULT_ITERS;
     int i;
     PRBool doPriv = PR_FALSE;
     PRBool doPub = PR_FALSE;
     int rv;
     unsigned char buf[BUFFER_BYTES];
@@ -459,17 +459,17 @@ main(int argc, char **argv)
         if (pubHighKey == NULL) {
             fprintf(stderr, "Can't extract public key from certificate");
             exit(1);
         }
 
         if (doPub) {
             /* do public key ops */
             fn = (RSAOp)PK11_PublicKeyOp;
-            rsaKey = (void *)pubHighKey;
+            rsaKeyPtr = (void *)pubHighKey;
 
             kh = PK11_ImportPublicKey(cert->slot, pubHighKey, PR_FALSE);
             if (CK_INVALID_HANDLE == kh) {
                 fprintf(stderr,
                         "Unable to import public key to certificate slot.");
                 exit(1);
             }
             pubHighKey->pkcs11Slot = PK11_ReferenceSlot(cert->slot);
@@ -484,17 +484,17 @@ main(int argc, char **argv)
                         "Can't find private key by name \"%s\"\n", nickname);
                 exit(1);
             }
 
             SECKEY_CacheStaticFlags(privHighKey);
             fn = (RSAOp)PK11_PrivateKeyOp;
             keys.privKey = privHighKey;
             keys.pubKey = pubHighKey;
-            rsaKey = (void *)&keys;
+            rsaKeyPtr = (void *)&keys;
             printf("Using PKCS#11 for RSA decryption with token %s.\n",
                    PK11_GetTokenName(privHighKey->pkcs11Slot));
         }
     } else
 
         if (useSessionKey) {
         /* use PKCS#11 session key objects */
         PK11RSAGenParams rsaparams;
@@ -532,23 +532,23 @@ main(int argc, char **argv)
 
         SECKEY_CacheStaticFlags(privHighKey);
 
         fprintf(stderr, "Keygen completed.\n");
 
         if (doPub) {
             /* do public key operations */
             fn = (RSAOp)PK11_PublicKeyOp;
-            rsaKey = (void *)pubHighKey;
+            rsaKeyPtr = (void *)pubHighKey;
         } else {
             /* do private key operations */
             fn = (RSAOp)PK11_PrivateKeyOp;
             keys.privKey = privHighKey;
             keys.pubKey = pubHighKey;
-            rsaKey = (void *)&keys;
+            rsaKeyPtr = (void *)&keys;
         }
     } else
 
     {
         /* use freebl directly */
         if (!keybits) {
             keybits = DEFAULT_KEY_BITS;
         }
@@ -569,56 +569,56 @@ main(int argc, char **argv)
                                                0xff);
                     peCount++;
                 }
             }
             pe.len = peCount;
             pe.data = &pubEx[0];
             pe.type = siBuffer;
 
-            rsaKey = RSA_NewKey(keybits, &pe);
+            rsaKeyPtr = RSA_NewKey(keybits, &pe);
             fprintf(stderr, "Keygen completed.\n");
         } else {
             /* use a hardcoded key */
             printf("Using hardcoded %ld bits key.\n", keybits);
             if (doPub) {
                 pubKey = getDefaultRSAPublicKey();
             } else {
                 privKey = getDefaultRSAPrivateKey();
             }
         }
 
         if (doPub) {
             /* do public key operations */
             fn = (RSAOp)RSA_PublicKeyOp;
-            if (rsaKey) {
+            if (rsaKeyPtr) {
                 /* convert the RSAPrivateKey to RSAPublicKey */
                 pubKeyStr.arena = NULL;
-                pubKeyStr.modulus = ((RSAPrivateKey *)rsaKey)->modulus;
+                pubKeyStr.modulus = ((RSAPrivateKey *)rsaKeyPtr)->modulus;
                 pubKeyStr.publicExponent =
-                    ((RSAPrivateKey *)rsaKey)->publicExponent;
-                rsaKey = &pubKeyStr;
+                    ((RSAPrivateKey *)rsaKeyPtr)->publicExponent;
+                rsaKeyPtr = &pubKeyStr;
             } else {
                 /* convert NSSLOWKeyPublicKey to RSAPublicKey */
-                rsaKey = (void *)(&pubKey->u.rsa);
+                rsaKeyPtr = (void *)(&pubKey->u.rsa);
             }
-            PORT_Assert(rsaKey);
+            PORT_Assert(rsaKeyPtr);
         } else {
             /* do private key operations */
             fn = (RSAOp)RSA_PrivateKeyOp;
             if (privKey) {
                 /* convert NSSLOWKeyPrivateKey to RSAPrivateKey */
-                rsaKey = (void *)(&privKey->u.rsa);
+                rsaKeyPtr = (void *)(&privKey->u.rsa);
             }
-            PORT_Assert(rsaKey);
+            PORT_Assert(rsaKeyPtr);
         }
     }
 
     memset(buf, 1, sizeof buf);
-    rv = fn(rsaKey, buf2, buf);
+    rv = fn(rsaKeyPtr, buf2, buf);
     if (rv != SECSuccess) {
         PRErrorCode errNum;
         const char *errStr = NULL;
 
         errNum = PORT_GetError();
         if (errNum)
             errStr = SECU_Strerror(errNum);
         else
@@ -633,17 +633,17 @@ main(int argc, char **argv)
     runDataArr = (ThreadRunData **)PORT_Alloc(threadNum * sizeof(ThreadRunData *));
     timeCtx = CreateTimingContext();
     TimingBegin(timeCtx, PR_Now());
     for (i = 0; i < threadNum; i++) {
         runDataArr[i] = (ThreadRunData *)PORT_Alloc(sizeof(ThreadRunData));
         runDataArr[i]->fn = fn;
         runDataArr[i]->buf = buf;
         runDataArr[i]->doIters = &doIters;
-        runDataArr[i]->rsaKey = rsaKey;
+        runDataArr[i]->rsaKey = rsaKeyPtr;
         runDataArr[i]->seconds = seconds;
         runDataArr[i]->iters = iters;
         threadsArr[i] =
             PR_CreateThread(PR_USER_THREAD,
                             ThreadExecFunction,
                             (void *)runDataArr[i],
                             PR_PRIORITY_NORMAL,
                             PR_GLOBAL_THREAD,
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -52,17 +52,17 @@
 #endif
 
 #ifndef PORT_Malloc
 #define PORT_Malloc PR_Malloc
 #endif
 
 int NumSidCacheEntries = 1024;
 
-static int handle_connection(PRFileDesc *, PRFileDesc *, int);
+static int handle_connection(PRFileDesc *, PRFileDesc *);
 
 static const char envVarName[] = { SSL_ENV_VAR_NAME };
 static const char inheritableSockName[] = { "SELFSERV_LISTEN_SOCKET" };
 
 #define MAX_VIRT_SERVER_NAME_ARRAY_INDEX 10
 #define MAX_CERT_NICKNAME_ARRAY_INDEX 10
 
 #define DEFAULT_BULK_TEST 16384
@@ -504,17 +504,16 @@ loser:
 #define MAX_THREADS 4096
 #define MAX_PROCS 25
 static int maxThreads = DEFAULT_THREADS;
 
 typedef struct jobStr {
     PRCList link;
     PRFileDesc *tcp_sock;
     PRFileDesc *model_sock;
-    int requestCert;
 } JOB;
 
 static PZLock *qLock;             /* this lock protects all data immediately below */
 static PRLock *lastLoadedCrlLock; /* this lock protects lastLoadedCrl variable */
 static PZCondVar *jobQNotEmptyCv;
 static PZCondVar *freeListNotEmptyCv;
 static PZCondVar *threadCountChangeCv;
 static int threadCount;
@@ -536,51 +535,50 @@ setupJobs(int maxJobs)
 
     for (i = 0; i < maxJobs; ++i) {
         JOB *pJob = jobTable + i;
         PR_APPEND_LINK(&pJob->link, &freeJobs);
     }
     return SECSuccess;
 }
 
-typedef int startFn(PRFileDesc *a, PRFileDesc *b, int c);
+typedef int startFn(PRFileDesc *a, PRFileDesc *b);
 
 typedef enum { rs_idle = 0,
                rs_running = 1,
                rs_zombie = 2 } runState;
 
 typedef struct perThreadStr {
     PRFileDesc *a;
     PRFileDesc *b;
-    int c;
     int rv;
     startFn *startFunc;
     PRThread *prThread;
     runState state;
 } perThread;
 
 static perThread *threads;
 
 void
 thread_wrapper(void *arg)
 {
     perThread *slot = (perThread *)arg;
 
-    slot->rv = (*slot->startFunc)(slot->a, slot->b, slot->c);
+    slot->rv = (*slot->startFunc)(slot->a, slot->b);
 
     /* notify the thread exit handler. */
     PZ_Lock(qLock);
     slot->state = rs_zombie;
     --threadCount;
     PZ_NotifyAllCondVar(threadCountChangeCv);
     PZ_Unlock(qLock);
 }
 
 int
-jobLoop(PRFileDesc *a, PRFileDesc *b, int c)
+jobLoop(PRFileDesc *a, PRFileDesc *b)
 {
     PRCList *myLink = 0;
     JOB *myJob;
 
     PZ_Lock(qLock);
     do {
         myLink = 0;
         while (PR_CLIST_IS_EMPTY(&jobQ) && !stopping) {
@@ -590,31 +588,29 @@ jobLoop(PRFileDesc *a, PRFileDesc *b, in
             myLink = PR_LIST_HEAD(&jobQ);
             PR_REMOVE_AND_INIT_LINK(myLink);
         }
         PZ_Unlock(qLock);
         myJob = (JOB *)myLink;
         /* myJob will be null when stopping is true and jobQ is empty */
         if (!myJob)
             break;
-        handle_connection(myJob->tcp_sock, myJob->model_sock,
-                          myJob->requestCert);
+        handle_connection(myJob->tcp_sock, myJob->model_sock);
         PZ_Lock(qLock);
         PR_APPEND_LINK(myLink, &freeJobs);
         PZ_NotifyCondVar(freeListNotEmptyCv);
     } while (PR_TRUE);
     return 0;
 }
 
 SECStatus
 launch_threads(
     startFn *startFunc,
     PRFileDesc *a,
     PRFileDesc *b,
-    int c,
     PRBool local)
 {
     int i;
     SECStatus rv = SECSuccess;
 
     /* create the thread management serialization structs */
     qLock = PZ_NewLock(nssILockSelfServ);
     jobQNotEmptyCv = PZ_NewCondVar(qLock);
@@ -640,17 +636,16 @@ launch_threads(
 
     PZ_Lock(qLock);
     for (i = 0; i < maxThreads; ++i) {
         perThread *slot = threads + i;
 
         slot->state = rs_running;
         slot->a = a;
         slot->b = b;
-        slot->c = c;
         slot->startFunc = startFunc;
         slot->prThread = PR_CreateThread(PR_USER_THREAD,
                                          thread_wrapper, slot, PR_PRIORITY_NORMAL,
                                          (PR_TRUE ==
                                           local)
                                              ? PR_LOCAL_THREAD
                                              : PR_GLOBAL_THREAD,
                                          PR_JOINABLE_THREAD, 0);
@@ -888,18 +883,17 @@ int /* returns count */
     }
     PZ_Unlock(lv->lock);
     return rv;
 }
 
 int
 do_writes(
     PRFileDesc *ssl_sock,
-    PRFileDesc *model_sock,
-    int requestCert)
+    PRFileDesc *model_sock)
 {
     int sent = 0;
     int count = 0;
     lockedVars *lv = (lockedVars *)model_sock;
 
     VLOG(("selfserv: do_writes: starting"));
     while (sent < bigBuf.len) {
 
@@ -920,18 +914,17 @@ do_writes(
     FLUSH;
     VLOG(("selfserv: do_writes: exiting"));
     return (sent < bigBuf.len) ? SECFailure : SECSuccess;
 }
 
 static int
 handle_fdx_connection(
     PRFileDesc *tcp_sock,
-    PRFileDesc *model_sock,
-    int requestCert)
+    PRFileDesc *model_sock)
 {
     PRFileDesc *ssl_sock = NULL;
     SECStatus result;
     int firstTime = 1;
     lockedVars lv;
     PRSocketOptionData opt;
     char buf[10240];
 
@@ -955,18 +948,17 @@ handle_fdx_connection(
     } else {
         ssl_sock = tcp_sock;
     }
 
     lockedVars_Init(&lv);
     lockedVars_AddToCount(&lv, 1);
 
     /* Attempt to launch the writer thread. */
-    result = launch_thread(do_writes, ssl_sock, (PRFileDesc *)&lv,
-                           requestCert);
+    result = launch_thread(do_writes, ssl_sock, (PRFileDesc *)&lv);
 
     if (result == SECSuccess)
         do {
             /* do reads here. */
             int count;
             count = PR_Read(ssl_sock, buf, sizeof buf);
             if (count < 0) {
                 errWarn("FDX PR_Read");
@@ -1088,17 +1080,17 @@ makeCorruptedOCSPResponse(PLArenaPool *a
 
     result->items[0].data = ocspResponse->data;
     result->items[0].len = ocspResponse->len;
 
     return result;
 }
 
 SECItemArray *
-makeSignedOCSPResponse(PLArenaPool *arena, ocspStaplingModeType osm,
+makeSignedOCSPResponse(PLArenaPool *arena,
                        CERTCertificate *cert, secuPWData *pwdata)
 {
     SECItemArray *result = NULL;
     SECItem *ocspResponse = NULL;
     CERTOCSPSingleResponse **singleResponses;
     CERTOCSPSingleResponse *sr = NULL;
     CERTOCSPCertID *cid = NULL;
     CERTCertificate *ca;
@@ -1112,17 +1104,17 @@ makeSignedOCSPResponse(PLArenaPool *aren
         errExit("cannot find CA");
 
     cid = CERT_CreateOCSPCertID(cert, now);
     if (!cid)
         errExit("cannot created cid");
 
     nextUpdate = now + (PRTime)60 * 60 * 24 * PR_USEC_PER_SEC; /* plus 1 day */
 
-    switch (osm) {
+    switch (ocspStaplingMode) {
         case osm_good:
         case osm_badsig:
             sr = CERT_CreateOCSPSingleResponseGood(arena, cid, now,
                                                    &nextUpdate);
             break;
         case osm_unknown:
             sr = CERT_CreateOCSPSingleResponseUnknown(arena, cid, now,
                                                       &nextUpdate);
@@ -1145,17 +1137,17 @@ makeSignedOCSPResponse(PLArenaPool *aren
     singleResponses = PORT_ArenaNewArray(arena, CERTOCSPSingleResponse *, 2);
     if (singleResponses == NULL)
         errExit("cannot allocate singleResponses");
 
     singleResponses[0] = sr;
     singleResponses[1] = NULL;
 
     ocspResponse = CERT_CreateEncodedOCSPSuccessResponse(arena,
-                                                         (osm == osm_badsig)
+                                                         (ocspStaplingMode == osm_badsig)
                                                              ? NULL
                                                              : ca,
                                                          ocspResponderID_byName, now, singleResponses,
                                                          &pwdata);
     if (!ocspResponse)
         errExit("cannot created ocspResponse");
 
     CERT_DestroyCertificate(ca);
@@ -1170,17 +1162,17 @@ makeSignedOCSPResponse(PLArenaPool *aren
 
     CERT_DestroyOCSPCertID(cid);
     cid = NULL;
 
     return result;
 }
 
 void
-setupCertStatus(PLArenaPool *arena, enum ocspStaplingModeEnum ocspStaplingMode,
+setupCertStatus(PLArenaPool *arena,
                 CERTCertificate *cert, int index, secuPWData *pwdata)
 {
     if (ocspStaplingMode == osm_random) {
         /* 6 different responses */
         int r = rand() % 6;
         switch (r) {
             case 0:
                 ocspStaplingMode = osm_good;
@@ -1208,17 +1200,17 @@ setupCertStatus(PLArenaPool *arena, enum
     if (ocspStaplingMode != osm_disabled) {
         SECItemArray *multiOcspResponses = NULL;
         switch (ocspStaplingMode) {
             case osm_good:
             case osm_revoked:
             case osm_unknown:
             case osm_badsig:
                 multiOcspResponses =
-                    makeSignedOCSPResponse(arena, ocspStaplingMode, cert,
+                    makeSignedOCSPResponse(arena, cert,
                                            pwdata);
                 break;
             case osm_corrupted:
                 multiOcspResponses = makeCorruptedOCSPResponse(arena);
                 break;
             case osm_failure:
                 multiOcspResponses = makeTryLaterOCSPResponse(arena);
                 break;
@@ -1231,20 +1223,17 @@ setupCertStatus(PLArenaPool *arena, enum
         }
         if (multiOcspResponses) {
             certStatus[index] = multiOcspResponses;
         }
     }
 }
 
 int
-handle_connection(
-    PRFileDesc *tcp_sock,
-    PRFileDesc *model_sock,
-    int requestCert)
+handle_connection(PRFileDesc *tcp_sock, PRFileDesc *model_sock)
 {
     PRFileDesc *ssl_sock = NULL;
     PRFileDesc *local_file_fd = NULL;
     char *post;
     char *pBuf; /* unused space at end of buf */
     const char *errString;
     PRStatus status;
     int bufRem;    /* unused bytes at end of buf */
@@ -1267,17 +1256,16 @@ handle_connection(
 
     VLOG(("selfserv: handle_connection: starting"));
     opt.option = PR_SockOpt_Nonblocking;
     opt.value.non_blocking = PR_FALSE;
     PR_SetSocketOption(tcp_sock, &opt);
 
     VLOG(("selfserv: handle_connection: starting\n"));
     if (useModelSocket && model_sock) {
-        SECStatus rv;
         ssl_sock = SSL_ImportFD(model_sock, tcp_sock);
         if (!ssl_sock) {
             errWarn("SSL_ImportFD with model");
             goto cleanup;
         }
         rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 1);
         if (rv != SECSuccess) {
             errWarn("SSL_ResetHandshake");
@@ -1583,18 +1571,17 @@ sigusr1_handler(int sig)
     stop_server();
 }
 
 #endif
 
 SECStatus
 do_accepts(
     PRFileDesc *listen_sock,
-    PRFileDesc *model_sock,
-    int requestCert)
+    PRFileDesc *model_sock)
 {
     PRNetAddr addr;
     PRErrorCode perr;
 #ifdef XP_UNIX
     struct sigaction act;
 #endif
 
     VLOG(("selfserv: do_accepts: starting"));
@@ -1654,17 +1641,16 @@ do_accepts(
         PR_REMOVE_AND_INIT_LINK(myLink);
         /* could release qLock here and reaquire it 7 lines below, but
         ** why bother for 4 assignment statements?
         */
         {
             JOB *myJob = (JOB *)myLink;
             myJob->tcp_sock = tcp_sock;
             myJob->model_sock = model_sock;
-            myJob->requestCert = requestCert;
         }
 
         PR_APPEND_LINK(myLink, &jobQ);
         PZ_NotifyCondVar(jobQNotEmptyCv);
         PZ_Unlock(qLock);
     }
 
     FPRINTF(stderr, "selfserv: Closing listen socket.\n");
@@ -1813,17 +1799,16 @@ handshakeCallback(PRFileDesc *fd, void *
             SECITEM_FreeItem(hostInfo, PR_TRUE);
         }
     }
 }
 
 void
 server_main(
     PRFileDesc *listen_sock,
-    int requestCert,
     SECKEYPrivateKey **privKey,
     CERTCertificate **cert,
     const char *expectedHostNameVal)
 {
     int i;
     PRFileDesc *model_sock = NULL;
     int rv;
     SECStatus secStatus;
@@ -2016,17 +2001,17 @@ server_main(
     }
 
     if (MakeCertOK)
         SSL_BadCertHook(model_sock, myBadCertHandler, NULL);
 
     /* end of ssl configuration. */
 
     /* Now, do the accepting, here in the main thread. */
-    rv = do_accepts(listen_sock, model_sock, requestCert);
+    rv = do_accepts(listen_sock, model_sock);
 
     terminateWorkerThreads();
 
     if (useModelSocket && model_sock) {
         if (model_sock) {
             PR_Close(model_sock);
         }
     }
@@ -2649,19 +2634,18 @@ main(int argc, char **argv)
                     exit(9);
                 }
                 ndx = tolower(ndx) - 'a';
                 if (ndx < PR_ARRAY_SIZE(ssl3CipherSuites)) {
                     cipher = ssl3CipherSuites[ndx];
                 }
             }
             if (cipher > 0) {
-                SECStatus status;
-                status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED);
-                if (status != SECSuccess)
+                rv = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED);
+                if (rv != SECSuccess)
                     SECU_PrintError(progName, "SSL_CipherPrefSet()");
             } else {
                 fprintf(stderr,
                         "Invalid cipher specification (-c arg).\n");
                 exit(9);
             }
         }
         PORT_Free(cstringSaved);
@@ -2679,45 +2663,45 @@ main(int argc, char **argv)
         }
         privKey[i] = PK11_FindKeyByAnyCert(cert[i], &pwdata);
         if (privKey[i] == NULL) {
             fprintf(stderr, "selfserv: Can't find Private Key for cert %s\n",
                     certNicknameArray[i]);
             exit(11);
         }
         if (privKey[i]->keyType != ecKey)
-            setupCertStatus(certStatusArena, ocspStaplingMode, cert[i], i, &pwdata);
+            setupCertStatus(certStatusArena, cert[i], i, &pwdata);
     }
 
     if (configureWeakDHE > 0) {
         fprintf(stderr, "selfserv: Creating dynamic weak DH parameters\n");
         rv = SSL_EnableWeakDHEPrimeGroup(NULL, PR_TRUE);
         if (rv != SECSuccess) {
             goto cleanup;
         }
         fprintf(stderr, "selfserv: Done creating dynamic weak DH parameters\n");
     }
 
     /* allocate the array of thread slots, and launch the worker threads. */
-    rv = launch_threads(&jobLoop, 0, 0, requestCert, useLocalThreads);
+    rv = launch_threads(&jobLoop, 0, 0, useLocalThreads);
 
     if (rv == SECSuccess && logStats) {
         loggerThread = PR_CreateThread(PR_SYSTEM_THREAD,
                                        logger, NULL, PR_PRIORITY_NORMAL,
                                        useLocalThreads ? PR_LOCAL_THREAD
                                                        : PR_GLOBAL_THREAD,
                                        PR_JOINABLE_THREAD, 0);
         if (loggerThread == NULL) {
             fprintf(stderr, "selfserv: Failed to launch logger thread!\n");
             rv = SECFailure;
         }
     }
 
     if (rv == SECSuccess) {
-        server_main(listen_sock, requestCert, privKey, cert,
+        server_main(listen_sock, privKey, cert,
                     expectedHostNameVal);
     }
 
     VLOG(("selfserv: server_thread: exiting"));
 
 cleanup:
     printSSLStatistics();
     ssl3stats = SSL_GetStatistics();
@@ -2726,17 +2710,16 @@ cleanup:
         exit(1);
     }
     if (failedToNegotiateName) {
         fprintf(stderr, "selfserv: Failed properly negotiate server name\n");
         exit(1);
     }
 
     {
-        int i;
         for (i = 0; i < certNicknameIndex; i++) {
             if (cert[i]) {
                 CERT_DestroyCertificate(cert[i]);
             }
             if (privKey[i]) {
                 SECKEY_DestroyPrivateKey(privKey[i]);
             }
             PORT_Free(certNicknameArray[i]);
--- a/cmd/signtool/javascript.c
+++ b/cmd/signtool/javascript.c
@@ -1295,17 +1295,16 @@ extract_js(char *filename)
     if (dumpParse) {
         PrintHTMLStream(outputFD, head);
     }
 
     /*
      * Now we have a stream of tags and text.  Go through and deal with each.
      */
     for (curitem = head; curitem; curitem = curitem->next) {
-        TagItem *tagp = NULL;
         AVPair *pairp = NULL;
         char *src = NULL, *id = NULL, *codebase = NULL;
         PRBool hasEventHandler = PR_FALSE;
         int i;
 
         /* Reset archive directory for each tag */
         if (archiveDir) {
             PR_Free(archiveDir);
@@ -1664,21 +1663,24 @@ loser:
  *
  * e n s u r e E x i s t s
  *
  * Check for existence of indicated directory.  If it doesn't exist,
  * it will be created.
  * Returns PR_SUCCESS if the directory is present, PR_FAILURE otherwise.
  */
 static PRStatus
-ensureExists(char *base, char *path)
+ensureExists(char *basepath, char *path)
 {
     char fn[FNSIZE];
     PRDir *dir;
-    sprintf(fn, "%s/%s", base, path);
+    int c = snprintf(fn, sizeof(fn), "%s/%s", basepath, path);
+    if (c >= sizeof(fn)) {
+        return PR_FAILURE;
+    }
 
     /*PR_fprintf(outputFD, "Trying to open directory %s.\n", fn);*/
 
     if ((dir = PR_OpenDir(fn))) {
         PR_CloseDir(dir);
         return PR_SUCCESS;
     }
     return PR_MkDir(fn, 0777);
--- a/cmd/signtool/sign.c
+++ b/cmd/signtool/sign.c
@@ -170,36 +170,36 @@ typedef struct {
 /*
  *  S i g n A l l A r c
  *
  *  Javascript may generate multiple .arc directories, one
  *  for each jar archive needed. Sign them all.
  *
  */
 int
-SignAllArc(char *jartree, char *keyName, int javascript, char *metafile,
-           char *install_script, int optimize, PRBool recurse)
+SignAllArc(char *jartree, char *keyName, int javascript, char *metafilename,
+           char *install_script, int optimize_level, PRBool recurse)
 {
     SignArcInfo info;
 
     info.keyName = keyName;
     info.javascript = javascript;
-    info.metafile = metafile;
+    info.metafile = metafilename;
     info.install_script = install_script;
-    info.optimize = optimize;
+    info.optimize = optimize_level;
 
     return foreach (jartree, "", sign_all_arc_fn, recurse,
                     PR_TRUE /*include dirs*/, (void *)&info);
 }
 
 static int
 sign_all_arc_fn(char *relpath, char *basedir, char *reldir, char *filename,
                 void *arg)
 {
-    char *zipfile = NULL;
+    char *zipfilename = NULL;
     char *arc = NULL, *archive = NULL;
     int retval = 0;
     SignArcInfo *infop = (SignArcInfo *)arg;
 
     /* Make sure there is one and only one ".arc" in the relative path,
      * and that it is at the end of the path (don't sign .arcs within .arcs) */
     if ((PL_strcaserstr(relpath, ".arc") == relpath + strlen(relpath) - 4) &&
         (PL_strcasestr(relpath, ".arc") == relpath + strlen(relpath) - 4)) {
@@ -207,40 +207,40 @@ sign_all_arc_fn(char *relpath, char *bas
         if (!infop) {
             PR_fprintf(errorFD, "%s: Internal failure\n", PROGRAM_NAME);
             errorCount++;
             retval = -1;
             goto finish;
         }
         archive = PR_smprintf("%s/%s", basedir, relpath);
 
-        zipfile = PL_strdup(archive);
-        arc = PORT_Strrchr(zipfile, '.');
+        zipfilename = PL_strdup(archive);
+        arc = PORT_Strrchr(zipfilename, '.');
 
         if (arc == NULL) {
             PR_fprintf(errorFD, "%s: Internal failure\n", PROGRAM_NAME);
             errorCount++;
             retval = -1;
             goto finish;
         }
 
         PL_strcpy(arc, ".jar");
 
         if (verbosity >= 0) {
-            PR_fprintf(outputFD, "\nsigning: %s\n", zipfile);
+            PR_fprintf(outputFD, "\nsigning: %s\n", zipfilename);
         }
-        retval = SignArchive(archive, infop->keyName, zipfile,
+        retval = SignArchive(archive, infop->keyName, zipfilename,
                              infop->javascript, infop->metafile, infop->install_script,
                              infop->optimize, PR_TRUE /* recurse */);
     }
 finish:
     if (archive)
         PR_Free(archive);
-    if (zipfile)
-        PR_Free(zipfile);
+    if (zipfilename)
+        PR_Free(zipfilename);
 
     return retval;
 }
 
 /*********************************************************************
  *
  * c r e a t e _ p k 7
  */
@@ -702,123 +702,123 @@ SignFile(FILE *outFile, FILE *inFile, CE
  *  From the supplied manifest file, calculates
  *  digests on the various sections, creating a .SF
  *  file in the process.
  *
  */
 static int
 generate_SF_file(char *manifile, char *who)
 {
-    FILE *sf;
-    FILE *mf;
+    FILE *sfFile;
+    FILE *mfFile;
     long r1, r2, r3;
     char whofile[FNSIZE];
     char *buf, *name = NULL;
     char *md5, *sha1;
     JAR_Digest dig;
     int line = 0;
 
     strcpy(whofile, who);
 
-    if ((mf = fopen(manifile, "rb")) == NULL) {
+    if ((mfFile = fopen(manifile, "rb")) == NULL) {
         perror(manifile);
         exit(ERRX);
     }
 
-    if ((sf = fopen(whofile, "wb")) == NULL) {
+    if ((sfFile = fopen(whofile, "wb")) == NULL) {
         perror(who);
         exit(ERRX);
     }
 
     buf = (char *)PORT_ZAlloc(BUFSIZ);
 
     if (buf)
         name = (char *)PORT_ZAlloc(BUFSIZ);
 
     if (buf == NULL || name == NULL)
         out_of_memory();
 
-    fprintf(sf, "Signature-Version: 1.0\n");
-    fprintf(sf, "Created-By: %s\n", CREATOR);
-    fprintf(sf, "Comments: %s\n", BREAKAGE);
+    fprintf(sfFile, "Signature-Version: 1.0\n");
+    fprintf(sfFile, "Created-By: %s\n", CREATOR);
+    fprintf(sfFile, "Comments: %s\n", BREAKAGE);
 
-    if (fgets(buf, BUFSIZ, mf) == NULL) {
+    if (fgets(buf, BUFSIZ, mfFile) == NULL) {
         PR_fprintf(errorFD, "%s: empty manifest file!\n", PROGRAM_NAME);
         errorCount++;
         exit(ERRX);
     }
 
     if (strncmp(buf, "Manifest-Version:", 17)) {
         PR_fprintf(errorFD, "%s: not a manifest file!\n", PROGRAM_NAME);
         errorCount++;
         exit(ERRX);
     }
 
-    fseek(mf, 0L, SEEK_SET);
+    fseek(mfFile, 0L, SEEK_SET);
 
     /* Process blocks of headers, and calculate their hashen */
 
     while (1) {
         /* Beginning range */
-        r1 = ftell(mf);
+        r1 = ftell(mfFile);
 
-        if (fgets(name, BUFSIZ, mf) == NULL)
+        if (fgets(name, BUFSIZ, mfFile) == NULL)
             break;
 
         line++;
 
         if (r1 != 0 && strncmp(name, "Name:", 5)) {
             PR_fprintf(errorFD,
                        "warning: unexpected input in manifest file \"%s\" at line %d:\n",
                        manifile, line);
             PR_fprintf(errorFD, "%s\n", name);
             warningCount++;
         }
 
         r2 = r1;
-        while (fgets(buf, BUFSIZ, mf)) {
+        while (fgets(buf, BUFSIZ, mfFile)) {
             if (*buf == 0 || *buf == '\n' || *buf == '\r')
                 break;
 
             line++;
 
             /* Ending range for hashing */
-            r2 = ftell(mf);
+            r2 = ftell(mfFile);
         }
 
-        r3 = ftell(mf);
+        r3 = ftell(mfFile);
 
         if (r1) {
-            fprintf(sf, "\n");
-            fprintf(sf, "%s", name);
+            fprintf(sfFile, "\n");
+            fprintf(sfFile, "%s", name);
         }
 
-        calculate_MD5_range(mf, r1, r2, &dig);
+        calculate_MD5_range(mfFile, r1, r2, &dig);
 
         if (optimize == 0) {
-            fprintf(sf, "Digest-Algorithms: MD5 SHA1\n");
+            fprintf(sfFile, "Digest-Algorithms: MD5 SHA1\n");
 
             md5 = BTOA_DataToAscii(dig.md5, MD5_LENGTH);
-            fprintf(sf, "MD5-Digest: %s\n", md5);
+            fprintf(sfFile, "MD5-Digest: %s\n", md5);
             PORT_Free(md5);
         }
 
         sha1 = BTOA_DataToAscii(dig.sha1, SHA1_LENGTH);
-        fprintf(sf, "SHA1-Digest: %s\n", sha1);
+        fprintf(sfFile, "SHA1-Digest: %s\n", sha1);
         PORT_Free(sha1);
 
         /* restore normalcy after changing offset position */
-        fseek(mf, r3, SEEK_SET);
+        fseek(mfFile, r3, SEEK_SET);
     }
 
     PORT_Free(buf);
     PORT_Free(name);
 
-    fclose(sf);
-    fclose(mf);
+    fclose(sfFile);
+    fclose(mfFile);
 
     return 0;
 }
 
 /*
  *  c a l c u l a t e _ M D 5 _ r a n g e
  *
  *  Calculate the MD5 digest on a range of bytes in
--- a/cmd/signtool/zip.c
+++ b/cmd/signtool/zip.c
@@ -124,17 +124,17 @@ handle_zerror(int err, char *msg)
 /****************************************************************
  *
  * J z i p A d d
  *
  * Adds a new file into a ZIP file.  The ZIP file must have already
  * been opened with JzipOpen.
  */
 int
-JzipAdd(char *fullname, char *filename, ZIPfile *zipfile, int compression_level)
+JzipAdd(char *fullname, char *filename, ZIPfile *zipfile, int lvl)
 {
     ZIPentry *entry;
     PRFileDesc *readfp;
     PRFileDesc *zipfp;
     unsigned long crc;
     unsigned long local_size_pos;
     int num;
     int err;
@@ -314,17 +314,17 @@ JzipAdd(char *fullname, char *filename, 
     zstream.next_out = outbuf;
     zstream.avail_out = BUFSIZ;
     /* Setting the windowBits to -MAX_WBITS is an undocumented feature of
      * zlib (see deflate.c in zlib).  It is the same thing that Java does
      * when you specify the nowrap option for deflation in java.util.zip.
      * It causes zlib to leave out its headers and footers, which don't
      * work in PKZIP files.
      */
-    err = deflateInit2(&zstream, compression_level, Z_DEFLATED,
+    err = deflateInit2(&zstream, lvl, Z_DEFLATED,
                        -MAX_WBITS, 8 /*default*/, Z_DEFAULT_STRATEGY);
     if (err != Z_OK) {
         handle_zerror(err, zstream.msg);
         exit(ERRX);
     }
 
     while ((zstream.avail_in = PR_Read(readfp, inbuf, BUFSIZ)) > 0) {
         zstream.next_in = inbuf;
--- a/cmd/smimetools/cmsutil.c
+++ b/cmd/smimetools/cmsutil.c
@@ -63,17 +63,17 @@ DigestFile(PLArenaPool *poolp, SECItem *
 
     NSS_CMSDigestContext_Update(digcx, input->data, input->len);
 
     rv = NSS_CMSDigestContext_FinishMultiple(digcx, poolp, digests);
     return rv;
 }
 
 static void
-Usage(char *progName)
+Usage(void)
 {
     fprintf(stderr,
             "Usage:  %s [-C|-D|-E|-O|-S] [<options>] [-d dbdir] [-u certusage]\n"
             " -C            create a CMS encrypted data message\n"
             " -D            decode a CMS message\n"
             "  -b           decode a batch of files named in infile\n"
             "  -c content   use this detached content\n"
             "  -n           suppress output of content\n"
@@ -275,17 +275,16 @@ decode(FILE *out, SECItem *input, const 
                 nsigners = NSS_CMSSignedData_SignerInfoCount(sigd);
                 if (decodeOptions->headerLevel >= 0)
                     fprintf(out, "nsigners=%d; ", nsigners);
                 if (nsigners == 0) {
                     /* Might be a cert transport message
                     ** or might be an invalid message, such as a QA test message
                     ** or a message from an attacker.
                     */
-                    SECStatus rv;
                     rv = NSS_CMSSignedData_VerifyCertsOnly(sigd,
                                                            decodeOptions->options->certHandle,
                                                            decodeOptions->options->certUsage);
                     if (rv != SECSuccess) {
                         fprintf(stderr, "cmsutil: Verify certs-only failed!\n");
                         goto loser;
                     }
                     return cmsg;
@@ -1122,27 +1121,27 @@ main(int argc, char **argv)
             case 'E':
                 mode = ENVELOPE;
                 break;
             case 'G':
                 if (mode != SIGN) {
                     fprintf(stderr,
                             "%s: option -G only supported with option -S.\n",
                             progName);
-                    Usage(progName);
+                    Usage();
                     exit(1);
                 }
                 signOptions.signingTime = PR_TRUE;
                 break;
             case 'H':
                 if (mode != SIGN) {
                     fprintf(stderr,
                             "%s: option -H only supported with option -S.\n",
                             progName);
-                    Usage(progName);
+                    Usage();
                     exit(1);
                 }
                 decodeOptions.suppressContent = PR_TRUE;
                 if (!strcmp(optstate->value, "MD2"))
                     signOptions.hashAlgTag = SEC_OID_MD2;
                 else if (!strcmp(optstate->value, "MD4"))
                     signOptions.hashAlgTag = SEC_OID_MD4;
                 else if (!strcmp(optstate->value, "MD5"))
@@ -1162,75 +1161,75 @@ main(int argc, char **argv)
                     exit(1);
                 }
                 break;
             case 'N':
                 if (mode != SIGN) {
                     fprintf(stderr,
                             "%s: option -N only supported with option -S.\n",
                             progName);
-                    Usage(progName);
+                    Usage();
                     exit(1);
                 }
                 signOptions.nickname = PORT_Strdup(optstate->value);
                 break;
             case 'O':
                 mode = CERTSONLY;
                 break;
             case 'P':
                 if (mode != SIGN) {
                     fprintf(stderr,
                             "%s: option -P only supported with option -S.\n",
                             progName);
-                    Usage(progName);
+                    Usage();
                     exit(1);
                 }
                 signOptions.smimeProfile = PR_TRUE;
                 break;
             case 'S':
                 mode = SIGN;
                 break;
             case 'T':
                 if (mode != SIGN) {
                     fprintf(stderr,
                             "%s: option -T only supported with option -S.\n",
                             progName);
-                    Usage(progName);
+                    Usage();
                     exit(1);
                 }
                 signOptions.detached = PR_TRUE;
                 break;
             case 'Y':
                 if (mode != SIGN) {
                     fprintf(stderr,
                             "%s: option -Y only supported with option -S.\n",
                             progName);
-                    Usage(progName);
+                    Usage();
                     exit(1);
                 }
                 signOptions.encryptionKeyPreferenceNick = strdup(optstate->value);
                 break;
 
             case 'b':
                 if (mode != DECODE) {
                     fprintf(stderr,
                             "%s: option -b only supported with option -D.\n",
                             progName);
-                    Usage(progName);
+                    Usage();
                     exit(1);
                 }
                 batch = PR_TRUE;
                 break;
 
             case 'c':
                 if (mode != DECODE) {
                     fprintf(stderr,
                             "%s: option -c only supported with option -D.\n",
                             progName);
-                    Usage(progName);
+                    Usage();
                     exit(1);
                 }
                 contentFile = PR_Open(optstate->value, PR_RDONLY, 006600);
                 if (contentFile == NULL) {
                     fprintf(stderr, "%s: unable to open \"%s\" for reading.\n",
                             progName, optstate->value);
                     exit(1);
                 }
@@ -1256,17 +1255,17 @@ main(int argc, char **argv)
                 encryptOptions.envFile = PR_Open(envFileName, PR_RDONLY, 00660);
                 break;
 
             case 'h':
                 if (mode != DECODE) {
                     fprintf(stderr,
                             "%s: option -h only supported with option -D.\n",
                             progName);
-                    Usage(progName);
+                    Usage();
                     exit(1);
                 }
                 decodeOptions.headerLevel = atoi(optstate->value);
                 if (decodeOptions.headerLevel < 0) {
                     fprintf(stderr, "option -h cannot have a negative value.\n");
                     exit(1);
                 }
                 break;
@@ -1283,64 +1282,64 @@ main(int argc, char **argv)
                 }
                 break;
 
             case 'k':
                 if (mode != DECODE) {
                     fprintf(stderr,
                             "%s: option -k only supported with option -D.\n",
                             progName);
-                    Usage(progName);
+                    Usage();
                     exit(1);
                 }
                 decodeOptions.keepCerts = PR_TRUE;
                 break;
 
             case 'n':
                 if (mode != DECODE) {
                     fprintf(stderr,
                             "%s: option -n only supported with option -D.\n",
                             progName);
-                    Usage(progName);
+                    Usage();
                     exit(1);
                 }
                 decodeOptions.suppressContent = PR_TRUE;
                 break;
             case 'o':
                 outFile = fopen(optstate->value, "wb");
                 if (outFile == NULL) {
                     fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
                             progName, optstate->value);
                     exit(1);
                 }
                 break;
             case 'p':
                 if (!optstate->value) {
                     fprintf(stderr, "%s: option -p must have a value.\n", progName);
-                    Usage(progName);
+                    Usage();
                     exit(1);
                 }
 
                 options.password = strdup(optstate->value);
                 break;
 
             case 'f':
                 if (!optstate->value) {
                     fprintf(stderr, "%s: option -f must have a value.\n", progName);
-                    Usage(progName);
+                    Usage();
                     exit(1);
                 }
 
                 options.pwfile = strdup(optstate->value);
                 break;
 
             case 'r':
                 if (!optstate->value) {
                     fprintf(stderr, "%s: option -r must have a value.\n", progName);
-                    Usage(progName);
+                    Usage();
                     exit(1);
                 }
                 envelopeOptions.recipients = ptrarray;
                 str = (char *)optstate->value;
                 do {
                     tok = strchr(str, ',');
                     if (tok)
                         *tok = '\0';
@@ -1363,21 +1362,21 @@ main(int argc, char **argv)
                 break;
             }
             case 'v':
                 cms_verbose = 1;
                 break;
         }
     }
     if (status == PL_OPT_BAD)
-        Usage(progName);
+        Usage();
     PL_DestroyOptState(optstate);
 
     if (mode == UNKNOWN)
-        Usage(progName);
+        Usage();
 
     if (mode != CERTSONLY && !batch) {
         rv = SECU_FileToItem(&input, inFile);
         if (rv != SECSuccess) {
             SECU_PrintError(progName, "unable to read infile");
             exit(1);
         }
     }
@@ -1524,17 +1523,17 @@ main(int argc, char **argv)
             cmsg = signed_data_certsonly(&certsonlyOptions);
             if (!cmsg) {
                 SECU_PrintError(progName, "problem with certs-only");
                 exitstatus = 1;
             }
             break;
         default:
             fprintf(stderr, "One of options -D, -S or -E must be set.\n");
-            Usage(progName);
+            Usage();
             exitstatus = 1;
     }
 
     if (signOptions.nickname) {
         PORT_Free(signOptions.nickname);
     }
 
     if ((mode == SIGN || mode == ENVELOPE || mode == CERTSONLY) &&
--- a/cmd/strsclnt/strsclnt.c
+++ b/cmd/strsclnt/strsclnt.c
@@ -132,17 +132,17 @@ SECItem bigBuf;
 #define PRINTF   \
     if (verbose) \
     printf
 #define FPRINTF  \
     if (verbose) \
     fprintf
 
 static void
-Usage(const char *progName)
+Usage(void)
 {
     fprintf(stderr,
             "Usage: %s [-n nickname] [-p port] [-d dbdir] [-c connections]\n"
             "          [-BDNovqs] [-f filename] [-N | -P percentage]\n"
             "          [-w dbpasswd] [-C cipher(s)] [-t threads] [-W pwfile]\n"
             "          [-V [min-version]:[max-version]] [-a sniHostName] hostname\n"
             " where -v means verbose\n"
             "       -o flag is interpreted as follows:\n"
@@ -255,17 +255,16 @@ myBadCertHandler(void *arg, PRFileDesc *
                 err, SECU_Strerror(err));
     return (MakeCertOK ? SECSuccess : SECFailure);
 }
 
 void
 printSecurityInfo(PRFileDesc *fd)
 {
     CERTCertificate *cert = NULL;
-    SSL3Statistics *ssl3stats = SSL_GetStatistics();
     SECStatus result;
     SSLChannelInfo channel;
     SSLCipherSuiteInfo suite;
 
     static int only_once;
 
     if (only_once && verbose < 2)
         return;
@@ -1090,17 +1089,16 @@ client_main(
         int ndx;
 
         /* disable all the ciphers, then enable the ones we want. */
         disableAllSSLCiphers();
 
         while (0 != (ndx = *cipherString)) {
             const char *startCipher = cipherString++;
             int cipher = 0;
-            SECStatus rv;
 
             if (ndx == ':') {
                 cipher = hexchar_to_int(*cipherString++);
                 cipher <<= 4;
                 cipher |= hexchar_to_int(*cipherString++);
                 cipher <<= 4;
                 cipher |= hexchar_to_int(*cipherString++);
                 cipher <<= 4;
@@ -1348,17 +1346,17 @@ main(int argc, char **argv)
                 ThrottleUp = PR_TRUE;
                 break;
 
             case 'V':
                 if (SECU_ParseSSLVersionRangeString(optstate->value,
                                                     enabledVersions, &enabledVersions) !=
                     SECSuccess) {
                     fprintf(stderr, "Bad version specified.\n");
-                    Usage(progName);
+                    Usage();
                 }
                 break;
 
             case 'a':
                 sniHostName = PL_strdup(optstate->value);
                 break;
 
             case 'c':
@@ -1426,37 +1424,37 @@ main(int argc, char **argv)
                 break;
 
             case 'z':
                 enableCompression = PR_TRUE;
                 break;
 
             case 0: /* positional parameter */
                 if (hostName) {
-                    Usage(progName);
+                    Usage();
                 }
                 hostName = PL_strdup(optstate->value);
                 break;
 
             default:
             case '?':
-                Usage(progName);
+                Usage();
                 break;
         }
     }
     PL_DestroyOptState(optstate);
 
     if (!hostName || status == PL_OPT_BAD)
-        Usage(progName);
+        Usage();
 
     if (fullhs != NO_FULLHS_PERCENTAGE && (fullhs < 0 || fullhs > 100 || NoReuse))
-        Usage(progName);
+        Usage();
 
     if (port == 0)
-        Usage(progName);
+        Usage();
 
     if (fileName)
         readBigFile(fileName);
 
     PK11_SetPasswordFunc(SECU_GetModulePassword);
 
     tmp = PR_GetEnvSecure("NSS_DEBUG_TIMEOUT");
     if (tmp && tmp[0]) {
--- a/cmd/symkeyutil/symkeyutil.c
+++ b/cmd/symkeyutil/symkeyutil.c
@@ -1029,20 +1029,20 @@ main(int argc, char **argv)
     }
 
     /*  Move key (-M)  */
     if (symKeyUtil.commands[cmd_MoveKey].activated) {
         PK11SlotInfo *target;
         char *targetName = symKeyUtil.options[opt_TargetToken].arg;
         PK11SymKey *newKey;
         PK11SymKey *symKey = FindKey(slot, name, &keyID, &pwdata);
-        char *keyName = PK11_GetSymKeyNickname(symKey);
+        char *keyName;
 
         if (!symKey) {
-            char *keyName = keyID.data ? BufToHex(&keyID) : PORT_Strdup(name);
+            keyName = keyID.data ? BufToHex(&keyID) : PORT_Strdup(name);
             PR_fprintf(PR_STDERR, "%s: Couldn't find key %s on %s\n",
                        progName, keyName, PK11_GetTokenName(slot));
             PORT_Free(keyName);
             goto shutdown;
         }
         target = PK11_FindSlotByName(targetName);
         if (!target) {
             PR_fprintf(PR_STDERR, "%s: Couldn't find slot %s\n",
@@ -1056,16 +1056,17 @@ main(int argc, char **argv)
             goto shutdown;
         }
         rv = SECFailure;
         newKey = PK11_MoveSymKey(target, CKA_ENCRYPT, 0, PR_TRUE, symKey);
         if (!newKey) {
             PR_fprintf(PR_STDERR, "%s: Couldn't move the key \n", progName);
             goto shutdown;
         }
+        keyName = PK11_GetSymKeyNickname(symKey);
         if (keyName) {
             rv = PK11_SetSymKeyNickname(newKey, keyName);
             if (rv != SECSuccess) {
                 PK11_DeleteTokenSymKey(newKey);
                 PK11_FreeSymKey(newKey);
                 PR_fprintf(PR_STDERR, "%s: Couldn't set nickname on key\n",
                            progName);
                 goto shutdown;
--- a/cmd/tstclnt/tstclnt.c
+++ b/cmd/tstclnt/tstclnt.c
@@ -167,31 +167,31 @@ printSecurityInfo(PRFileDesc *fd)
     if (scts && scts->len) {
         fprintf(stderr, "Received a Signed Certificate Timestamp of length"
                         " %u\n",
                 scts->len);
     }
 }
 
 static void
-PrintUsageHeader(const char *progName)
+PrintUsageHeader()
 {
     fprintf(stderr,
             "Usage:  %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
             "[-D | -d certdir] [-C] [-b | -R root-module] \n"
             "[-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]\n"
             "[-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
             "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]] [-I groups]\n"
             "[-A requestfile] [-L totalconnections] [-P {client,server}] [-Q]\n"
             "\n",
             progName);
 }
 
 static void
-PrintParameterUsage(void)
+PrintParameterUsage()
 {
     fprintf(stderr, "%-20s Send different SNI name. 1st_hs_name - at first\n"
                     "%-20s handshake, 2nd_hs_name - at second handshake.\n"
                     "%-20s Default is host from the -h argument.\n",
             "-a name",
             "", "");
     fprintf(stderr, "%-20s Hostname to connect with\n", "-h host");
     fprintf(stderr, "%-20s Port number for SSL server\n", "-p port");
@@ -254,27 +254,27 @@ PrintParameterUsage(void)
                     "%-20s P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n",
             "-I", "", "");
     fprintf(stderr, "%-20s Enable alternative TLS 1.3 handshake\n", "-X alt-server-hello");
     fprintf(stderr, "%-20s Use DTLS\n", "-P {client, server}");
     fprintf(stderr, "%-20s Exit after handshake\n", "-Q");
 }
 
 static void
-Usage(const char *progName)
+Usage()
 {
-    PrintUsageHeader(progName);
+    PrintUsageHeader();
     PrintParameterUsage();
     exit(1);
 }
 
 static void
-PrintCipherUsage(const char *progName)
+PrintCipherUsage()
 {
-    PrintUsageHeader(progName);
+    PrintUsageHeader();
     fprintf(stderr, "%-20s Letter(s) chosen from the following list\n",
             "-c ciphers");
     fprintf(stderr,
             "c    SSL3 RSA WITH RC4 128 MD5\n"
             "d    SSL3 RSA WITH 3DES EDE CBC SHA\n"
             "e    SSL3 RSA WITH DES CBC SHA\n"
             "i    SSL3 RSA WITH NULL MD5\n"
             "n    SSL3 RSA WITH RC4 128 SHA\n"
@@ -298,17 +298,17 @@ PrintCipherUsage(const char *progName)
 void
 milliPause(PRUint32 milli)
 {
     PRIntervalTime ticks = PR_MillisecondsToInterval(milli);
     PR_Sleep(ticks);
 }
 
 void
-disableAllSSLCiphers(void)
+disableAllSSLCiphers()
 {
     const PRUint16 *cipherSuites = SSL_GetImplementedCiphers();
     int i = SSL_GetNumImplementedCiphers();
     SECStatus rv;
 
     /* disable all the SSL3 cipher suites */
     while (--i >= 0) {
         PRUint16 suite = cipherSuites[i];
@@ -839,17 +839,17 @@ separateReqHeader(const PRFileDesc *outF
 #define HEXCHAR_TO_INT(c, i)                   \
     if (((c) >= '0') && ((c) <= '9')) {        \
         i = (c) - '0';                         \
     } else if (((c) >= 'a') && ((c) <= 'f')) { \
         i = (c) - 'a' + 10;                    \
     } else if (((c) >= 'A') && ((c) <= 'F')) { \
         i = (c) - 'A' + 10;                    \
     } else {                                   \
-        Usage(progName);                       \
+        Usage();                               \
     }
 
 static SECStatus
 restartHandshakeAfterServerCertIfNeeded(PRFileDesc *fd,
                                         ServerCertAuth *serverCertAuth,
                                         PRBool override)
 {
     SECStatus rv;
@@ -1010,27 +1010,27 @@ handshakeCallback(PRFileDesc *fd, void *
     if (stopAfterHandshake) {
         requestToExit = PR_TRUE;
     }
 }
 
 #define REQUEST_WAITING (requestString && !requestSent)
 
 static SECStatus
-installServerCertificate(PRFileDesc *s, char *nickname)
+installServerCertificate(PRFileDesc *s, char *nick)
 {
     CERTCertificate *cert;
     SECKEYPrivateKey *privKey = NULL;
 
-    if (!nickname) {
+    if (!nick) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
-    cert = PK11_FindCertFromNickname(nickname, &pwdata);
+    cert = PK11_FindCertFromNickname(nick, &pwdata);
     if (cert == NULL) {
         return SECFailure;
     }
 
     privKey = PK11_FindKeyByAnyCert(cert, &pwdata);
     if (privKey == NULL) {
         return SECFailure;
     }
@@ -1124,17 +1124,17 @@ connectToServer(PRFileDesc *s, PRPollDes
             return SECFailure;
         }
     }
 
     return SECSuccess;
 }
 
 static int
-run(void)
+run()
 {
     int headerSeparatorPtrnId = 0;
     int error = 0;
     SECStatus rv;
     PRStatus status;
     PRInt32 filesReady;
     int npds;
     PRFileDesc *s = NULL;
@@ -1220,29 +1220,28 @@ run(void)
                 HEXCHAR_TO_INT(*cipherString, ctmp)
                 cipher |= (ctmp << 4);
                 cipherString++;
                 HEXCHAR_TO_INT(*cipherString, ctmp)
                 cipher |= ctmp;
                 cipherString++;
             } else {
                 if (!isalpha(ndx))
-                    Usage(progName);
+                    Usage();
                 ndx = tolower(ndx) - 'a';
                 if (ndx < PR_ARRAY_SIZE(ssl3CipherSuites)) {
                     cipher = ssl3CipherSuites[ndx];
                 }
             }
             if (cipher > 0) {
-                SECStatus status;
-                status = SSL_CipherPrefSet(s, cipher, SSL_ALLOWED);
-                if (status != SECSuccess)
+                rv = SSL_CipherPrefSet(s, cipher, SSL_ALLOWED);
+                if (rv != SECSuccess)
                     SECU_PrintError(progName, "SSL_CipherPrefSet()");
             } else {
-                Usage(progName);
+                Usage();
             }
         }
         PORT_Free(cstringSaved);
     }
 
     rv = SSL_VersionRangeSet(s, &enabledVersions);
     if (rv != SECSuccess) {
         SECU_PrintError(progName, "error setting SSL/TLS version range ");
@@ -1648,28 +1647,28 @@ main(int argc, char **argv)
     /* XXX: 'B' was used in the past but removed in 3.28,
      *      please leave some time before resuing it. */
     optstate = PL_CreateOptState(argc, argv,
                                  "46A:CDFGHI:KL:M:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         switch (optstate->option) {
             case '?':
             default:
-                Usage(progName);
+                Usage();
                 break;
 
             case '4':
                 allowIPv6 = PR_FALSE;
                 if (!allowIPv4)
-                    Usage(progName);
+                    Usage();
                 break;
             case '6':
                 allowIPv4 = PR_FALSE;
                 if (!allowIPv6)
-                    Usage(progName);
+                    Usage();
                 break;
 
             case 'A':
                 requestStringLen = ReadFile(optstate->value, &requestString);
                 if (requestStringLen < 0) {
                     fprintf(stderr, "Couldn't read file %s\n", optstate->value);
                     exit(1);
                 }
@@ -1730,17 +1729,17 @@ main(int argc, char **argv)
                 break;
 
             case 'P':
                 useDTLS = PR_TRUE;
                 if (!strcmp(optstate->value, "server")) {
                     actAsServer = 1;
                 } else {
                     if (strcmp(optstate->value, "client")) {
-                        Usage(progName);
+                        Usage();
                     }
                 }
                 break;
 
             case 'Q':
                 stopAfterHandshake = PR_TRUE;
                 break;
 
@@ -1763,35 +1762,35 @@ main(int argc, char **argv)
             case 'V':
                 versionString = PORT_Strdup(optstate->value);
                 break;
 
             case 'X':
                 if (!strcmp(optstate->value, "alt-server-hello")) {
                     enableAltServerHello = PR_TRUE;
                 } else {
-                    Usage(progName);
+                    Usage();
                 }
                 break;
             case 'Y':
-                PrintCipherUsage(progName);
+                PrintCipherUsage();
                 exit(0);
                 break;
 
             case 'Z':
                 enableZeroRtt = PR_TRUE;
                 break;
 
             case 'a':
                 if (!hs1SniHostName) {
                     hs1SniHostName = PORT_Strdup(optstate->value);
                 } else if (!hs2SniHostName) {
                     hs2SniHostName = PORT_Strdup(optstate->value);
                 } else {
-                    Usage(progName);
+                    Usage();
                 }
                 break;
 
             case 'b':
                 loadDefaultRootCAs = PR_TRUE;
                 break;
 
             case 'c':
@@ -1870,42 +1869,42 @@ main(int argc, char **argv)
                 enableCompression = 1;
                 break;
 
             case 'I':
                 rv = parseGroupList(optstate->value, &enabledGroups, &enabledGroupsCount);
                 if (rv != SECSuccess) {
                     PL_DestroyOptState(optstate);
                     fprintf(stderr, "Bad group specified.\n");
-                    Usage(progName);
+                    Usage();
                 }
                 break;
         }
     }
     PL_DestroyOptState(optstate);
 
     SSL_VersionRangeGetSupported(useDTLS ? ssl_variant_datagram : ssl_variant_stream, &enabledVersions);
 
     if (versionString) {
         if (SECU_ParseSSLVersionRangeString(versionString,
                                             enabledVersions, &enabledVersions) !=
             SECSuccess) {
             fprintf(stderr, "Bad version specified.\n");
-            Usage(progName);
+            Usage();
         }
         PORT_Free(versionString);
     }
 
     if (optstatus == PL_OPT_BAD) {
-        Usage(progName);
+        Usage();
     }
 
     if (!host || !portno) {
         fprintf(stderr, "%s: parameters -h and -p are mandatory\n", progName);
-        Usage(progName);
+        Usage();
     }
 
     if (serverCertAuth.testFreshStatusFromSideChannel &&
         serverCertAuth.shouldPause) {
         fprintf(stderr, "%s: -F requires the use of -O\n", progName);
         exit(1);
     }
 
--- a/cmd/vfyserv/vfyserv.c
+++ b/cmd/vfyserv/vfyserv.c
@@ -322,19 +322,17 @@ do_connects(void *a, int connection)
         return secStatus;
     }
 
     PR_Close(sslSocket);
     return SECSuccess;
 }
 
 void
-client_main(unsigned short port,
-            int connections,
-            const char *hostName)
+client_main(int connections)
 {
     int i;
     SECStatus secStatus;
     PRStatus prStatus;
     PRInt32 rv;
     PRNetAddr addr;
     PRHostEnt hostEntry;
     char buffer[PR_NETDB_BUF_SIZE];
@@ -548,17 +546,17 @@ main(int argc, char **argv)
             if (cipher > 0) {
                 SSL_CipherPrefSetDefault(cipher, PR_TRUE);
             } else {
                 Usage(progName);
             }
         }
     }
 
-    client_main(port, connections, hostName);
+    client_main(connections);
 
 cleanup:
     if (doOcspCheck) {
         CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
         CERT_DisableOCSPDefaultResponder(handle);
         CERT_DisableOCSPChecking(handle);
     }
 
--- a/cmd/vfyserv/vfyutil.c
+++ b/cmd/vfyserv/vfyutil.c
@@ -305,23 +305,23 @@ myHandshakeCallback(PRFileDesc *socket, 
 **
 ** Routines for disabling SSL ciphers.
 **
 **************************************************************************/
 
 void
 disableAllSSLCiphers(void)
 {
-    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+    const PRUint16 *allSuites = SSL_ImplementedCiphers;
     int i = SSL_NumImplementedCiphers;
     SECStatus rv;
 
     /* disable all the SSL3 cipher suites */
     while (--i >= 0) {
-        PRUint16 suite = cipherSuites[i];
+        PRUint16 suite = allSuites[i];
         rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
         if (rv != SECSuccess) {
             fprintf(stderr,
                     "SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n",
                     suite, i);
             errWarn("SSL_CipherPrefSetDefault");
             exit(2);
         }
--- a/coreconf/Werror.mk
+++ b/coreconf/Werror.mk
@@ -43,19 +43,21 @@ ifndef GCC_VERSION
 endif
 
 ifndef WARNING_CFLAGS
   ifneq (1,$(CC_IS_GCC))
     WARNING_CFLAGS = $(NULL)
   else
     # This tests to see if enabling the warning is possible before
     # setting an option to disable it.
-    disable_warning = $(shell $(CC) -x c -E -Werror -W$(1) /dev/null >/dev/null 2>&1 && echo -Wno-$(1))
+    set_warning = $(shell $(CC) -x c -E -Werror -W$(1) /dev/null >/dev/null 2>&1 && echo -W$(2)$(1))
+    enable_warning = $(call set_warning,$(1),)
+    disable_warning = $(call set_warning,$(1),no-)
 
-    WARNING_CFLAGS = -Wall
+    WARNING_CFLAGS = -Wall $(call enable_warning,shadow)
     ifdef CC_IS_CLANG
       # -Qunused-arguments : clang objects to arguments that it doesn't understand
       #    and fixing this would require rearchitecture
       WARNING_CFLAGS += -Qunused-arguments
       # -Wno-parentheses-equality : because clang warns about macro expansions
       WARNING_CFLAGS += $(call disable_warning,parentheses-equality)
       ifdef BUILD_OPT
         # clang is unable to handle glib's expansion of strcmp and similar for optimized
--- a/coreconf/werror.py
+++ b/coreconf/werror.py
@@ -49,12 +49,12 @@ def main():
         # clang is unable to handle glib's expansion of strcmp and similar for
         # optimized builds, so disable the resulting errors.
         # See https://llvm.org/bugs/show_bug.cgi?id=20144
         for w in ['array-bounds', 'unevaluated-expression',
                   'parentheses-equality']:
             set_warning(w, 'no-')
         print('-Qunused-arguments')
 
-    # set_warning('shadow') # Bug 1309068
+    set_warning('shadow')
 
 if __name__ == '__main__':
     main()
--- a/cpputil/databuffer.cc
+++ b/cpputil/databuffer.cc
@@ -13,22 +13,22 @@
 #if defined(WIN32) || defined(WIN64)
 #include <winsock2.h>
 #else
 #include <arpa/inet.h>
 #endif
 
 namespace nss_test {
 
-void DataBuffer::Assign(const uint8_t* data, size_t len) {
-  if (data) {
-    Allocate(len);
-    memcpy(static_cast<void*>(data_), static_cast<const void*>(data), len);
+void DataBuffer::Assign(const uint8_t* d, size_t l) {
+  if (d) {
+    Allocate(l);
+    memcpy(static_cast<void*>(data_), static_cast<const void*>(d), l);
   } else {
-    assert(len == 0);
+    assert(l == 0);
     data_ = nullptr;
     len_ = 0;
   }
 }
 
 // Write will do a new allocation and expand the size of the buffer if needed.
 // Returns the offset of the end of the write.
 size_t DataBuffer::Write(size_t index, const uint8_t* val, size_t count) {
--- a/cpputil/databuffer.h
+++ b/cpputil/databuffer.h
@@ -12,42 +12,42 @@
 #include <iomanip>
 #include <iostream>
 
 namespace nss_test {
 
 class DataBuffer {
  public:
   DataBuffer() : data_(nullptr), len_(0) {}
-  DataBuffer(const uint8_t* data, size_t len) : data_(nullptr), len_(0) {
-    Assign(data, len);
+  DataBuffer(const uint8_t* d, size_t l) : data_(nullptr), len_(0) {
+    Assign(d, l);
   }
   DataBuffer(const DataBuffer& other) : data_(nullptr), len_(0) {
     Assign(other);
   }
   ~DataBuffer() { delete[] data_; }
 
   DataBuffer& operator=(const DataBuffer& other) {
     if (&other != this) {
       Assign(other);
     }
     return *this;
   }
 
-  void Allocate(size_t len) {
+  void Allocate(size_t l) {
     delete[] data_;
-    data_ = new uint8_t[len ? len : 1];  // Don't depend on new [0].
-    len_ = len;
+    data_ = new uint8_t[l ? l : 1];  // Don't depend on new [0].
+    len_ = l;
   }
 
-  void Truncate(size_t len) { len_ = (std::min)(len_, len); }
+  void Truncate(size_t l) { len_ = (std::min)(len_, l); }
 
   void Assign(const DataBuffer& other) { Assign(other.data(), other.len()); }
 
-  void Assign(const uint8_t* data, size_t len);
+  void Assign(const uint8_t* d, size_t l);
 
   // Write will do a new allocation and expand the size of the buffer if needed.
   // Returns the offset of the end of the write.
   size_t Write(size_t index, const uint8_t* val, size_t count);
   size_t Write(size_t index, const DataBuffer& buf) {
     return Write(index, buf.data(), buf.len());
   }
 
--- a/fuzz/fuzz.gyp
+++ b/fuzz/fuzz.gyp
@@ -39,16 +39,19 @@
         '<(DEPTH)/lib/dev/dev.gyp:nssdev',
         '<(DEPTH)/lib/pki/pki.gyp:nsspki',
         '<(DEPTH)/lib/util/util.gyp:nssutil',
         '<(DEPTH)/lib/nss/nss.gyp:nss_static',
         '<(DEPTH)/lib/pkcs7/pkcs7.gyp:pkcs7',
         # This is a static build of pk11wrap, softoken, and freebl.
         '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
       ],
+      'cflags_cc': [
+        '-Wno-error=shadow',
+      ],
       'conditions': [
         ['fuzz_oss==0', {
           'sources': [
             '<!@(ls <(DEPTH)/fuzz/libFuzzer/*.cpp)',
           ],
           'cflags/': [
             ['exclude', '-fsanitize-coverage'],
           ],
--- a/gtests/freebl_gtest/blake2b_unittest.cc
+++ b/gtests/freebl_gtest/blake2b_unittest.cc
@@ -45,17 +45,17 @@ TEST_P(Blake2BKATUnkeyed, Unkeyed) {
       BLAKE2B_HashBuf(values.data(), kat_data.data(), std::get<0>(GetParam()));
   ASSERT_EQ(SECSuccess, rv);
   EXPECT_EQ(values, std::get<1>(GetParam()));
 }
 
 TEST_P(Blake2BKATKeyed, Keyed) {
   std::vector<uint8_t> values(BLAKE2B512_LENGTH);
   SECStatus rv = BLAKE2B_MAC_HashBuf(values.data(), kat_data.data(),
-                                     std::get<0>(GetParam()), key.data(),
+                                     std::get<0>(GetParam()), kat_key.data(),
                                      BLAKE2B_KEY_SIZE);
   ASSERT_EQ(SECSuccess, rv);
   EXPECT_EQ(values, std::get<1>(GetParam()));
 }
 
 INSTANTIATE_TEST_CASE_P(UnkeyedKAT, Blake2BKATUnkeyed,
                         ::testing::ValuesIn(TestcasesUnkeyed));
 INSTANTIATE_TEST_CASE_P(KeyedKAT, Blake2BKATKeyed,
@@ -134,17 +134,17 @@ TEST_F(Blake2BTests, CloneTest) {
 
 TEST_F(Blake2BTests, NullTest) {
   std::vector<uint8_t> digest(BLAKE2B512_LENGTH);
   SECStatus rv = BLAKE2B_HashBuf(digest.data(), nullptr, 0);
   ASSERT_EQ(SECSuccess, rv);
   EXPECT_EQ(std::get<1>(TestcasesUnkeyed[0]), digest);
 
   digest = std::vector<uint8_t>(BLAKE2B512_LENGTH);
-  rv = BLAKE2B_MAC_HashBuf(digest.data(), nullptr, 0, key.data(),
+  rv = BLAKE2B_MAC_HashBuf(digest.data(), nullptr, 0, kat_key.data(),
                            BLAKE2B_KEY_SIZE);
   ASSERT_EQ(SECSuccess, rv);
   EXPECT_EQ(std::get<1>(TestcasesKeyed[0]), digest);
 }
 
 TEST_F(Blake2BTests, HashTest) {
   ScopedBLAKE2BContext ctx(BLAKE2B_NewContext());
   ASSERT_TRUE(ctx) << "BLAKE2B_NewContext failed!";
--- a/gtests/freebl_gtest/kat/blake2b_kat.h
+++ b/gtests/freebl_gtest/kat/blake2b_kat.h
@@ -2,17 +2,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* https://github.com/BLAKE2/BLAKE2/blob/master/testvectors/blake2b-kat.txt */
 
 #include <vector>
 #include <stdint.h>
 
-const std::vector<uint8_t> key = {
+const std::vector<uint8_t> kat_key = {
     0,  1,  2,  3,  4,  5,  6,  7,  8,  9,  10, 11, 12, 13, 14, 15,
     16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
     32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
     48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63};
 
 const std::vector<uint8_t> kat_data = {
     0,   1,   2,   3,   4,   5,   6,   7,   8,   9,   10,  11,  12,  13,  14,
     15,  16,  17,  18,  19,  20,  21,  22,  23,  24,  25,  26,  27,  28,  29,
--- a/gtests/nss_bogo_shim/config.h
+++ b/gtests/nss_bogo_shim/config.h
@@ -18,18 +18,18 @@
 #include <memory>
 #include <queue>
 #include <string>
 #include <typeinfo>
 
 // Abstract base class for a given config flag.
 class ConfigEntryBase {
  public:
-  ConfigEntryBase(const std::string& name, const std::string& type)
-      : name_(name), type_(type) {}
+  ConfigEntryBase(const std::string& nm, const std::string& typ)
+      : name_(nm), type_(typ) {}
 
   virtual ~ConfigEntryBase() {}
 
   const std::string& type() const { return type_; }
   virtual bool Parse(std::queue<const char*>* args) = 0;
 
  protected:
   bool ParseInternal(std::queue<const char*>* args, std::string* out);
--- a/gtests/nss_bogo_shim/nss_bogo_shim.cc
+++ b/gtests/nss_bogo_shim/nss_bogo_shim.cc
@@ -410,17 +410,17 @@ class TestAgent {
     if (rv != sizeof(block)) {
       std::cerr << "Write failure\n";
       PORT_SetError(SEC_ERROR_OUTPUT_LEN);
       return SECFailure;
     }
 
     size_t left = sizeof(block);
     while (left) {
-      int32_t rv = PR_Read(ssl_fd_, block, left);
+      rv = PR_Read(ssl_fd_, block, left);
       if (rv < 0) {
         std::cerr << "Failure reading\n";
         return SECFailure;
       }
       if (rv == 0) {
         PORT_SetError(SEC_ERROR_INPUT_LEN);
         return SECFailure;
       }
--- a/gtests/pk11_gtest/pk11_signature_test.h
+++ b/gtests/pk11_gtest/pk11_signature_test.h
@@ -20,18 +20,18 @@ struct Pkcs11SignatureTestParams {
   const DataBuffer pkcs8_;
   const DataBuffer spki_;
   const DataBuffer data_;
   const DataBuffer signature_;
 };
 
 class Pk11SignatureTest : public ::testing::Test {
  protected:
-  Pk11SignatureTest(CK_MECHANISM_TYPE mechanism, SECOidTag hash_oid)
-      : mechanism_(mechanism), hash_oid_(hash_oid) {}
+  Pk11SignatureTest(CK_MECHANISM_TYPE mech, SECOidTag hash_oid)
+      : mechanism_(mech), hash_oid_(hash_oid) {}
 
   virtual const SECItem* parameters() const { return nullptr; }
   CK_MECHANISM_TYPE mechanism() const { return mechanism_; }
 
   ScopedSECKEYPrivateKey ImportPrivateKey(const DataBuffer& pkcs8) {
     ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
     if (!slot) {
       ADD_FAILURE() << "No slot";
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -150,18 +150,18 @@ TEST_P(TlsConnectTls12, ClientAuthBigRsa
   Connect();
   CheckKeys();
   CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pss_rsae_sha256,
                  2048);
 }
 
 class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
  public:
-  TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr<TlsAgent>& agent)
-      : TlsHandshakeFilter(agent, {kTlsHandshakeCertificateRequest}) {}
+  TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr<TlsAgent>& a)
+      : TlsHandshakeFilter(a, {kTlsHandshakeCertificateRequest}) {}
   virtual PacketFilter::Action FilterHandshake(
       const TlsHandshakeFilter::HandshakeHeader& header,
       const DataBuffer& input, DataBuffer* output) {
     TlsParser parser(input);
     std::cerr << "Zeroing CertReq.supported_signature_algorithms" << std::endl;
 
     DataBuffer cert_types;
     if (!parser.ReadVariable(&cert_types, 1)) {
--- a/gtests/ssl_gtest/ssl_dhe_unittest.cc
+++ b/gtests/ssl_gtest/ssl_dhe_unittest.cc
@@ -98,18 +98,18 @@ TEST_P(TlsConnectGenericPre13, ConnectFf
     ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
     client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
     server_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
   }
 }
 
 class TlsDheServerKeyExchangeDamager : public TlsHandshakeFilter {
  public:
-  TlsDheServerKeyExchangeDamager(const std::shared_ptr<TlsAgent>& agent)
-      : TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}) {}
+  TlsDheServerKeyExchangeDamager(const std::shared_ptr<TlsAgent>& a)
+      : TlsHandshakeFilter(a, {kTlsHandshakeServerKeyExchange}) {}
   virtual PacketFilter::Action FilterHandshake(
       const TlsHandshakeFilter::HandshakeHeader& header,
       const DataBuffer& input, DataBuffer* output) {
     // Damage the first octet of dh_p.  Anything other than the known prime will
     // be rejected as "weak" when we have SSL_REQUIRE_DH_NAMED_GROUPS enabled.
     *output = input;
     output->data()[3] ^= 73;
     return CHANGE;
@@ -136,19 +136,19 @@ class TlsDheSkeChangeY : public TlsHands
     kYZero,
     kYOne,
     kYPMinusOne,
     kYGreaterThanP,
     kYTooLarge,
     kYZeroPad
   };
 
-  TlsDheSkeChangeY(const std::shared_ptr<TlsAgent>& agent,
+  TlsDheSkeChangeY(const std::shared_ptr<TlsAgent>& a,
                    uint8_t handshake_type, ChangeYTo change)
-      : TlsHandshakeFilter(agent, {handshake_type}), change_Y_(change) {}
+      : TlsHandshakeFilter(a, {handshake_type}), change_Y_(change) {}
 
  protected:
   void ChangeY(const DataBuffer& input, DataBuffer* output, size_t offset,
                const DataBuffer& prime) {
     static const uint8_t kExtraZero = 0;
     static const uint8_t kTooLargeExtra = 1;
 
     uint32_t dh_Ys_len;
@@ -203,19 +203,19 @@ class TlsDheSkeChangeY : public TlsHands
   }
 
  private:
   ChangeYTo change_Y_;
 };
 
 class TlsDheSkeChangeYServer : public TlsDheSkeChangeY {
  public:
-  TlsDheSkeChangeYServer(const std::shared_ptr<TlsAgent>& agent,
+  TlsDheSkeChangeYServer(const std::shared_ptr<TlsAgent>& a,
                          ChangeYTo change, bool modify)
-      : TlsDheSkeChangeY(agent, kTlsHandshakeServerKeyExchange, change),
+      : TlsDheSkeChangeY(a, kTlsHandshakeServerKeyExchange, change),
         modify_(modify),
         p_() {}
 
   const DataBuffer& prime() const { return p_; }
 
  protected:
   virtual PacketFilter::Action FilterHandshake(
       const TlsHandshakeFilter::HandshakeHeader& header,
@@ -242,19 +242,19 @@ class TlsDheSkeChangeYServer : public Tl
  private:
   bool modify_;
   DataBuffer p_;
 };
 
 class TlsDheSkeChangeYClient : public TlsDheSkeChangeY {
  public:
   TlsDheSkeChangeYClient(
-      const std::shared_ptr<TlsAgent>& agent, ChangeYTo change,
+      const std::shared_ptr<TlsAgent>& a, ChangeYTo change,
       std::shared_ptr<const TlsDheSkeChangeYServer> server_filter)
-      : TlsDheSkeChangeY(agent, kTlsHandshakeClientKeyExchange, change),
+      : TlsDheSkeChangeY(a, kTlsHandshakeClientKeyExchange, change),
         server_filter_(server_filter) {}
 
  protected:
   virtual PacketFilter::Action FilterHandshake(
       const TlsHandshakeFilter::HandshakeHeader& header,
       const DataBuffer& input, DataBuffer* output) override {
     ChangeY(input, output, 0, server_filter_->prime());
     return CHANGE;
@@ -352,18 +352,18 @@ INSTANTIATE_TEST_CASE_P(
                        TlsConnectTestBase::kTlsV10ToV12, kAllY, kTrueFalse));
 INSTANTIATE_TEST_CASE_P(
     DamageYDatagram, TlsDamageDHYTest,
     ::testing::Combine(TlsConnectTestBase::kTlsVariantsDatagram,
                        TlsConnectTestBase::kTlsV11V12, kAllY, kTrueFalse));
 
 class TlsDheSkeMakePEven : public TlsHandshakeFilter {
  public:
-  TlsDheSkeMakePEven(const std::shared_ptr<TlsAgent>& agent)
-      : TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}) {}
+  TlsDheSkeMakePEven(const std::shared_ptr<TlsAgent>& a)
+      : TlsHandshakeFilter(a, {kTlsHandshakeServerKeyExchange}) {}
 
   virtual PacketFilter::Action FilterHandshake(
       const TlsHandshakeFilter::HandshakeHeader& header,
       const DataBuffer& input, DataBuffer* output) {
     // Find the end of dh_p
     uint32_t dh_len = 0;
     EXPECT_TRUE(input.Read(0, 2, &dh_len));
     EXPECT_GT(input.len(), 2 + dh_len) << "enough space for dh_p";
@@ -385,18 +385,18 @@ TEST_P(TlsConnectGenericPre13, MakeDhePE
   ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
 
   client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_DHE_KEY_SHARE);
   server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
 }
 
 class TlsDheSkeZeroPadP : public TlsHandshakeFilter {
  public:
-  TlsDheSkeZeroPadP(const std::shared_ptr<TlsAgent>& agent)
-      : TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}) {}
+  TlsDheSkeZeroPadP(const std::shared_ptr<TlsAgent>& a)
+      : TlsHandshakeFilter(a, {kTlsHandshakeServerKeyExchange}) {}
 
   virtual PacketFilter::Action FilterHandshake(
       const TlsHandshakeFilter::HandshakeHeader& header,
       const DataBuffer& input, DataBuffer* output) {
     *output = input;
     uint32_t dh_len = 0;
     EXPECT_TRUE(input.Read(0, 2, &dh_len));
     static const uint8_t kZeroPad = 0;
@@ -541,19 +541,19 @@ TEST_P(TlsConnectTls13, ResumeFfdhe) {
   CheckKeys(ssl_kea_dh, ssl_grp_ffdhe_2048, ssl_auth_rsa_sign,
             ssl_sig_rsa_pss_rsae_sha256);
   ASSERT_LT(0UL, clientCapture->extension().len());
   ASSERT_LT(0UL, serverCapture->extension().len());
 }
 
 class TlsDheSkeChangeSignature : public TlsHandshakeFilter {
  public:
-  TlsDheSkeChangeSignature(const std::shared_ptr<TlsAgent>& agent,
+  TlsDheSkeChangeSignature(const std::shared_ptr<TlsAgent>& a,
                            uint16_t version, const uint8_t* data, size_t len)
-      : TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}),
+      : TlsHandshakeFilter(a, {kTlsHandshakeServerKeyExchange}),
         version_(version),
         data_(data),
         len_(len) {}
 
  protected:
   virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
                                                const DataBuffer& input,
                                                DataBuffer* output) {
--- a/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+++ b/gtests/ssl_gtest/ssl_ecdh_unittest.cc
@@ -187,18 +187,18 @@ TEST_P(TlsConnectGenericPre13, P384Prior
   Connect();
 
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
             ssl_sig_rsa_pss_rsae_sha256);
 }
 
 class TlsKeyExchangeGroupCapture : public TlsHandshakeFilter {
  public:
-  TlsKeyExchangeGroupCapture(const std::shared_ptr<TlsAgent> &agent)
-      : TlsHandshakeFilter(agent, {kTlsHandshakeServerKeyExchange}),
+  TlsKeyExchangeGroupCapture(const std::shared_ptr<TlsAgent> &a)
+      : TlsHandshakeFilter(a, {kTlsHandshakeServerKeyExchange}),
         group_(ssl_grp_none) {}
 
   SSLNamedGroup group() const { return group_; }
 
  protected:
   virtual PacketFilter::Action FilterHandshake(const HandshakeHeader &header,
                                                const DataBuffer &input,
                                                DataBuffer *output) {
--- a/gtests/ssl_gtest/ssl_extension_unittest.cc
+++ b/gtests/ssl_gtest/ssl_extension_unittest.cc
@@ -14,19 +14,19 @@
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
 
 namespace nss_test {
 
 class TlsExtensionTruncator : public TlsExtensionFilter {
  public:
-  TlsExtensionTruncator(const std::shared_ptr<TlsAgent>& agent,
+  TlsExtensionTruncator(const std::shared_ptr<TlsAgent>& a,
                         uint16_t extension, size_t length)
-      : TlsExtensionFilter(agent), extension_(extension), length_(length) {}
+      : TlsExtensionFilter(a), extension_(extension), length_(length) {}
   virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
                                                const DataBuffer& input,
                                                DataBuffer* output) {
     if (extension_type != extension_) {
       return KEEP;
     }
     if (input.len() <= length_) {
       return KEEP;
@@ -38,19 +38,19 @@ class TlsExtensionTruncator : public Tls
 
  private:
   uint16_t extension_;
   size_t length_;
 };
 
 class TlsExtensionDamager : public TlsExtensionFilter {
  public:
-  TlsExtensionDamager(const std::shared_ptr<TlsAgent>& agent,
+  TlsExtensionDamager(const std::shared_ptr<TlsAgent>& a,
                       uint16_t extension, size_t index)
-      : TlsExtensionFilter(agent), extension_(extension), index_(index) {}
+      : TlsExtensionFilter(a), extension_(extension), index_(index) {}
   virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
                                                const DataBuffer& input,
                                                DataBuffer* output) {
     if (extension_type != extension_) {
       return KEEP;
     }
 
     *output = input;
@@ -60,19 +60,19 @@ class TlsExtensionDamager : public TlsEx
 
  private:
   uint16_t extension_;
   size_t index_;
 };
 
 class TlsExtensionAppender : public TlsHandshakeFilter {
  public:
-  TlsExtensionAppender(const std::shared_ptr<TlsAgent>& agent,
+  TlsExtensionAppender(const std::shared_ptr<TlsAgent>& a,
                        uint8_t handshake_type, uint16_t ext, DataBuffer& data)
-      : TlsHandshakeFilter(agent, {handshake_type}),
+      : TlsHandshakeFilter(a, {handshake_type}),
         extension_(ext),
         data_(data) {}
 
   virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
                                                const DataBuffer& input,
                                                DataBuffer* output) {
     TlsParser parser(input);
     if (!TlsExtensionFilter::FindExtensions(&parser, header)) {
@@ -623,19 +623,19 @@ struct PskIdentity {
 
 class TlsPreSharedKeyReplacer;
 
 typedef std::function<void(TlsPreSharedKeyReplacer*)>
     TlsPreSharedKeyReplacerFunc;
 
 class TlsPreSharedKeyReplacer : public TlsExtensionFilter {
  public:
-  TlsPreSharedKeyReplacer(const std::shared_ptr<TlsAgent>& agent,
+  TlsPreSharedKeyReplacer(const std::shared_ptr<TlsAgent>& a,
                           TlsPreSharedKeyReplacerFunc function)
-      : TlsExtensionFilter(agent),
+      : TlsExtensionFilter(a),
         identities_(),
         binders_(),
         function_(function) {}
 
   static size_t CopyAndMaybeReplace(TlsParser* parser, size_t size,
                                     const std::unique_ptr<DataBuffer>& replace,
                                     size_t index, DataBuffer* output) {
     DataBuffer tmp;
--- a/gtests/ssl_gtest/ssl_fuzz_unittest.cc
+++ b/gtests/ssl_gtest/ssl_fuzz_unittest.cc
@@ -22,18 +22,18 @@ namespace nss_test {
 const uint8_t kShortEmptyFinished[8] = {0};
 const uint8_t kLongEmptyFinished[128] = {0};
 
 class TlsFuzzTest : public ::testing::Test {};
 
 // Record the application data stream.
 class TlsApplicationDataRecorder : public TlsRecordFilter {
  public:
-  TlsApplicationDataRecorder(const std::shared_ptr<TlsAgent>& agent)
-      : TlsRecordFilter(agent), buffer_() {}
+  TlsApplicationDataRecorder(const std::shared_ptr<TlsAgent>& a)
+      : TlsRecordFilter(a), buffer_() {}
 
   virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                             const DataBuffer& input,
                                             DataBuffer* output) {
     if (header.content_type() == kTlsApplicationDataType) {
       buffer_.Append(input);
     }
 
--- a/gtests/ssl_gtest/ssl_hrr_unittest.cc
+++ b/gtests/ssl_gtest/ssl_hrr_unittest.cc
@@ -64,18 +64,18 @@ TEST_P(TlsConnectTls13, HelloRetryReques
   EXPECT_FALSE(capture_early_data->captured());
 }
 
 // This filter only works for DTLS 1.3 where there is exactly one handshake
 // packet. If the record is split into two packets, or there are multiple
 // handshake packets, this will break.
 class CorrectMessageSeqAfterHrrFilter : public TlsRecordFilter {
  public:
-  CorrectMessageSeqAfterHrrFilter(const std::shared_ptr<TlsAgent>& agent)
-      : TlsRecordFilter(agent) {}
+  CorrectMessageSeqAfterHrrFilter(const std::shared_ptr<TlsAgent>& a)
+      : TlsRecordFilter(a) {}
 
  protected:
   PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                     const DataBuffer& record, size_t* offset,
                                     DataBuffer* output) {
     if (filtered_packets() > 0 || header.content_type() != content_handshake) {
       return KEEP;
     }
@@ -146,18 +146,18 @@ TEST_P(TlsConnectTls13, SecondClientHell
 
   ExpectAlert(server_, kTlsAlertUnsupportedExtension);
   Handshake();
   client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT);
 }
 
 class KeyShareReplayer : public TlsExtensionFilter {
  public:
-  KeyShareReplayer(const std::shared_ptr<TlsAgent>& agent)
-      : TlsExtensionFilter(agent) {}
+  KeyShareReplayer(const std::shared_ptr<TlsAgent>& a)
+      : TlsExtensionFilter(a) {}
 
   virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
                                                const DataBuffer& input,
                                                DataBuffer* output) {
     if (extension_type != ssl_tls13_key_share_xtn) {
       return KEEP;
     }
 
--- a/gtests/ssl_gtest/ssl_loopback_unittest.cc
+++ b/gtests/ssl_gtest/ssl_loopback_unittest.cc
@@ -51,18 +51,18 @@ TEST_P(TlsConnectGeneric, CipherSuiteMis
   }
   ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
   client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
   server_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
 }
 
 class TlsAlertRecorder : public TlsRecordFilter {
  public:
-  TlsAlertRecorder(const std::shared_ptr<TlsAgent>& agent)
-      : TlsRecordFilter(agent), level_(255), description_(255) {}
+  TlsAlertRecorder(const std::shared_ptr<TlsAgent>& a)
+      : TlsRecordFilter(a), level_(255), description_(255) {}
 
   PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                     const DataBuffer& input,
                                     DataBuffer* output) override {
     if (level_ != 255) {  // Already captured.
       return KEEP;
     }
     if (header.content_type() != kTlsAlertType) {
@@ -82,19 +82,19 @@ class TlsAlertRecorder : public TlsRecor
 
  private:
   uint8_t level_;
   uint8_t description_;
 };
 
 class HelloTruncator : public TlsHandshakeFilter {
  public:
-  HelloTruncator(const std::shared_ptr<TlsAgent>& agent)
+  HelloTruncator(const std::shared_ptr<TlsAgent>& a)
       : TlsHandshakeFilter(
-            agent, {kTlsHandshakeClientHello, kTlsHandshakeServerHello}) {}
+            a, {kTlsHandshakeClientHello, kTlsHandshakeServerHello}) {}
   PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
                                        const DataBuffer& input,
                                        DataBuffer* output) override {
     output->Assign(input.data(), input.len() - 1);
     return CHANGE;
   }
 };
 
@@ -166,18 +166,18 @@ TEST_P(TlsConnectDatagram, ConnectSrtp) 
 
 TEST_P(TlsConnectGeneric, ConnectSendReceive) {
   Connect();
   SendReceive();
 }
 
 class SaveTlsRecord : public TlsRecordFilter {
  public:
-  SaveTlsRecord(const std::shared_ptr<TlsAgent>& agent, size_t index)
-      : TlsRecordFilter(agent), index_(index), count_(0), contents_() {}
+  SaveTlsRecord(const std::shared_ptr<TlsAgent>& a, size_t index)
+      : TlsRecordFilter(a), index_(index), count_(0), contents_() {}
 
   const DataBuffer& contents() const { return contents_; }
 
  protected:
   PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                     const DataBuffer& data,
                                     DataBuffer* changed) override {
     if (count_++ == index_) {
@@ -222,18 +222,18 @@ TEST_F(TlsConnectStreamTls13, DecryptRec
   static const uint8_t data[] = {0xde, 0xad, 0xd5};
   DataBuffer buf(data, sizeof(data));
   server_->SendBuffer(buf);
   EXPECT_EQ(buf, saved->contents());
 }
 
 class DropTlsRecord : public TlsRecordFilter {
  public:
-  DropTlsRecord(const std::shared_ptr<TlsAgent>& agent, size_t index)
-      : TlsRecordFilter(agent), index_(index), count_(0) {}
+  DropTlsRecord(const std::shared_ptr<TlsAgent>& a, size_t index)
+      : TlsRecordFilter(a), index_(index), count_(0) {}
 
  protected:
   PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                     const DataBuffer& data,
                                     DataBuffer* changed) override {
     if (count_++ == index_) {
       return DROP;
     }
@@ -368,18 +368,18 @@ TEST_P(TlsHolddownTest, TestDtlsHolddown
   RunAllTimersDown();
   SendReceive();
   // One for send, one for receive.
   EXPECT_EQ(2, SSLInt_CountCipherSpecs(client_->ssl_fd()));
 }
 
 class TlsPreCCSHeaderInjector : public TlsRecordFilter {
  public:
-  TlsPreCCSHeaderInjector(const std::shared_ptr<TlsAgent>& agent)
-      : TlsRecordFilter(agent) {}
+  TlsPreCCSHeaderInjector(const std::shared_ptr<TlsAgent>& a)
+      : TlsRecordFilter(a) {}
   virtual PacketFilter::Action FilterRecord(
       const TlsRecordHeader& record_header, const DataBuffer& input,
       size_t* offset, DataBuffer* output) override {
     if (record_header.content_type() != kTlsChangeCipherSpecType) return KEEP;
 
     std::cerr << "Injecting Finished header before CCS\n";
     const uint8_t hhdr[] = {kTlsHandshakeFinished, 0x00, 0x00, 0x0c};
     DataBuffer hhdr_buf(hhdr, sizeof(hhdr));
--- a/gtests/ssl_gtest/ssl_record_unittest.cc
+++ b/gtests/ssl_gtest/ssl_record_unittest.cc
@@ -98,18 +98,18 @@ TEST_P(TlsPaddingTest, LastByteOfPadWron
     plaintext_.Write(plaintext_.len() - 2,
                      plaintext_.data()[plaintext_.len() - 1] + 1, 1);
     Unpad(false);
   }
 }
 
 class RecordReplacer : public TlsRecordFilter {
  public:
-  RecordReplacer(const std::shared_ptr<TlsAgent>& agent, size_t size)
-      : TlsRecordFilter(agent), enabled_(false), size_(size) {}
+  RecordReplacer(const std::shared_ptr<TlsAgent>& a, size_t size)
+      : TlsRecordFilter(a), enabled_(false), size_(size) {}
 
   PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                     const DataBuffer& data,
                                     DataBuffer* changed) override {
     if (!enabled_) {
       return KEEP;
     }
 
--- a/gtests/ssl_gtest/ssl_resumption_unittest.cc
+++ b/gtests/ssl_gtest/ssl_resumption_unittest.cc
@@ -479,19 +479,19 @@ TEST_P(TlsConnectStream, TestResumptionO
     server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
   } else {
     server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);
   }
 }
 
 class SelectedVersionReplacer : public TlsHandshakeFilter {
  public:
-  SelectedVersionReplacer(const std::shared_ptr<TlsAgent>& agent,
+  SelectedVersionReplacer(const std::shared_ptr<TlsAgent>& a,
                           uint16_t version)
-      : TlsHandshakeFilter(agent, {kTlsHandshakeServerHello}),
+      : TlsHandshakeFilter(a, {kTlsHandshakeServerHello}),
         version_(version) {}
 
  protected:
   PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
                                        const DataBuffer& input,
                                        DataBuffer* output) override {
     *output = input;
     output->Write(0, static_cast<uint32_t>(version_), 2);
--- a/gtests/ssl_gtest/ssl_skip_unittest.cc
+++ b/gtests/ssl_gtest/ssl_skip_unittest.cc
@@ -17,19 +17,19 @@
  * See <https://www.smacktls.com/smack.pdf> for a description of the problems
  * that this sort of attack can enable.
  */
 namespace nss_test {
 
 class TlsHandshakeSkipFilter : public TlsRecordFilter {
  public:
   // A TLS record filter that skips handshake messages of the identified type.
-  TlsHandshakeSkipFilter(const std::shared_ptr<TlsAgent>& agent,
+  TlsHandshakeSkipFilter(const std::shared_ptr<TlsAgent>& a,
                          uint8_t handshake_type)
-      : TlsRecordFilter(agent),
+      : TlsRecordFilter(a),
         handshake_type_(handshake_type),
         skipped_(false) {}
 
  protected:
   // Takes a record; if it is a handshake record, it removes the first handshake
   // message that is of handshake_type_ type.
   virtual PacketFilter::Action FilterRecord(
       const TlsRecordHeader& record_header, const DataBuffer& input,
--- a/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
+++ b/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
@@ -45,22 +45,22 @@ std::string GetSSLVersionString(uint16_t
 inline std::ostream& operator<<(std::ostream& stream,
                                 const SSLVersionRange& vr) {
   return stream << GetSSLVersionString(vr.min) << ","
                 << GetSSLVersionString(vr.max);
 }
 
 class VersionRangeWithLabel {
  public:
-  VersionRangeWithLabel(const std::string& label, const SSLVersionRange& vr)
-      : label_(label), vr_(vr) {}
-  VersionRangeWithLabel(const std::string& label, uint16_t min, uint16_t max)
-      : label_(label) {
-    vr_.min = min;
-    vr_.max = max;
+  VersionRangeWithLabel(const std::string& txt, const SSLVersionRange& vr)
+      : label_(txt), vr_(vr) {}
+  VersionRangeWithLabel(const std::string& txt, uint16_t start, uint16_t end)
+      : label_(txt) {
+    vr_.min = start;
+    vr_.max = end;
   }
   VersionRangeWithLabel(const std::string& label) : label_(label) {
     vr_.min = vr_.max = SSL_LIBRARY_VERSION_NONE;
   }
 
   void WriteStream(std::ostream& stream) const {
     stream << " " << label_ << ": " << vr_;
   }
--- a/gtests/ssl_gtest/test_io.cc
+++ b/gtests/ssl_gtest/test_io.cc
@@ -94,41 +94,41 @@ int32_t DummyPrSocket::Recv(PRFileDesc *
 }
 
 int32_t DummyPrSocket::Write(PRFileDesc *f, const void *buf, int32_t length) {
   if (write_error_) {
     PR_SetError(write_error_, 0);
     return -1;
   }
 
-  auto peer = peer_.lock();
-  if (!peer) {
+  auto dst = peer_.lock();
+  if (!dst) {
     PR_SetError(PR_IO_ERROR, 0);
     return -1;
   }
 
   DataBuffer packet(static_cast<const uint8_t *>(buf),
                     static_cast<size_t>(length));
   DataBuffer filtered;
   PacketFilter::Action action = PacketFilter::KEEP;
   if (filter_) {
     action = filter_->Process(packet, &filtered);
   }
   switch (action) {
     case PacketFilter::CHANGE:
       LOG("Original packet: " << packet);
       LOG("Filtered packet: " << filtered);
-      peer->PacketReceived(filtered);
+      dst->PacketReceived(filtered);
       break;
     case PacketFilter::DROP:
       LOG("Droppped packet: " << packet);
       break;
     case PacketFilter::KEEP:
       LOGV("Packet: " << packet);
-      peer->PacketReceived(packet);
+      dst->PacketReceived(packet);
       break;
   }
   // libssl can't handle it if this reports something other than the length
   // of what was passed in (or less, but we're not doing partial writes).
   return static_cast<int32_t>(packet.len());
 }
 
 Poller *Poller::instance;
--- a/gtests/ssl_gtest/test_io.h
+++ b/gtests/ssl_gtest/test_io.h
@@ -54,31 +54,31 @@ class PacketFilter {
   virtual Action Filter(const DataBuffer& input, DataBuffer* output) = 0;
 
  private:
   bool enabled_;
 };
 
 class DummyPrSocket : public DummyIOLayerMethods {
  public:
-  DummyPrSocket(const std::string& name, SSLProtocolVariant variant)
+  DummyPrSocket(const std::string& name, SSLProtocolVariant var)
       : name_(name),
-        variant_(variant),
+        variant_(var),
         peer_(),
         input_(),
         filter_(nullptr),
         write_error_(0) {}
   virtual ~DummyPrSocket() {}
 
   // Create a file descriptor that will reference this object.  The fd must not
   // live longer than this adapter; call PR_Close() before.
   ScopedPRFileDesc CreateFD();
 
   std::weak_ptr<DummyPrSocket>& peer() { return peer_; }
-  void SetPeer(const std::shared_ptr<DummyPrSocket>& peer) { peer_ = peer; }
+  void SetPeer(const std::shared_ptr<DummyPrSocket>& p) { peer_ = p; }
   void SetPacketFilter(const std::shared_ptr<PacketFilter>& filter) {
     filter_ = filter;
   }
   // Drops peer, packet filter and any outstanding packets.
   void Reset();
 
   void PacketReceived(const DataBuffer& data);
   int32_t Read(PRFileDesc* f, void* data, int32_t len) override;
--- a/gtests/ssl_gtest/tls_agent.cc
+++ b/gtests/ssl_gtest/tls_agent.cc
@@ -39,23 +39,22 @@ const std::string TlsAgent::kServerRsaPs
 const std::string TlsAgent::kServerRsaDecrypt = "rsa_decrypt";
 const std::string TlsAgent::kServerEcdsa256 = "ecdsa256";
 const std::string TlsAgent::kServerEcdsa384 = "ecdsa384";
 const std::string TlsAgent::kServerEcdsa521 = "ecdsa521";
 const std::string TlsAgent::kServerEcdhRsa = "ecdh_rsa";
 const std::string TlsAgent::kServerEcdhEcdsa = "ecdh_ecdsa";
 const std::string TlsAgent::kServerDsa = "dsa";
 
-TlsAgent::TlsAgent(const std::string& name, Role role,
-                   SSLProtocolVariant variant)
-    : name_(name),
-      variant_(variant),
-      role_(role),
+TlsAgent::TlsAgent(const std::string& nm, Role rl, SSLProtocolVariant var)
+    : name_(nm),
+      variant_(var),
+      role_(rl),
       server_key_bits_(0),
-      adapter_(new DummyPrSocket(role_str(), variant)),
+      adapter_(new DummyPrSocket(role_str(), var)),
       ssl_fd_(nullptr),
       state_(STATE_INIT),
       timer_handle_(nullptr),
       falsestart_enabled_(false),
       expected_version_(0),
       expected_cipher_suite_(0),
       expect_resumption_(false),
       expect_client_auth_(false),
@@ -98,42 +97,42 @@ TlsAgent::~TlsAgent() {
     ADD_FAILURE() << "Wrong expected_received_alert status: " << role_str();
   }
   if (expected_sent_alert_ != kTlsAlertCloseNotify ||
       expected_sent_alert_level_ != kTlsAlertWarning) {
     ADD_FAILURE() << "Wrong expected_sent_alert status: " << role_str();
   }
 }
 
-void TlsAgent::SetState(State state) {
-  if (state_ == state) return;
+void TlsAgent::SetState(State s) {
+  if (state_ == s) return;
 
-  LOG("Changing state from " << state_ << " to " << state);
-  state_ = state;
+  LOG("Changing state from " << state_ << " to " << s);
+  state_ = s;
 }
 
 /*static*/ bool TlsAgent::LoadCertificate(const std::string& name,
                                           ScopedCERTCertificate* cert,
                                           ScopedSECKEYPrivateKey* priv) {
   cert->reset(PK11_FindCertFromNickname(name.c_str(), nullptr));
   EXPECT_NE(nullptr, cert->get());
   if (!cert->get()) return false;
 
   priv->reset(PK11_FindKeyByAnyCert(cert->get(), nullptr));
   EXPECT_NE(nullptr, priv->get());
   if (!priv->get()) return false;
 
   return true;
 }
 
-bool TlsAgent::ConfigServerCert(const std::string& name, bool updateKeyBits,
+bool TlsAgent::ConfigServerCert(const std::string& id, bool updateKeyBits,
                                 const SSLExtraServerCertData* serverCertData) {
   ScopedCERTCertificate cert;
   ScopedSECKEYPrivateKey priv;
-  if (!TlsAgent::LoadCertificate(name, &cert, &priv)) {
+  if (!TlsAgent::LoadCertificate(id, &cert, &priv)) {
     return false;
   }
 
   if (updateKeyBits) {
     ScopedSECKEYPublicKey pub(CERT_ExtractPublicKey(cert.get()));
     EXPECT_NE(nullptr, pub.get());
     if (!pub.get()) return false;
     server_key_bits_ = SECKEY_PublicKeyStrengthInBits(pub.get());
@@ -277,18 +276,18 @@ bool TlsAgent::GetPeerChainLength(size_t
     ++(*count);
   }
 
   CERT_DestroyCertList(chain);
 
   return true;
 }
 
-void TlsAgent::CheckCipherSuite(uint16_t cipher_suite) {
-  EXPECT_EQ(csinfo_.cipherSuite, cipher_suite);
+void TlsAgent::CheckCipherSuite(uint16_t suite) {
+  EXPECT_EQ(csinfo_.cipherSuite, suite);
 }
 
 void TlsAgent::RequestClientAuth(bool requireAuth) {
   ASSERT_EQ(SERVER, role_);
 
   SetOption(SSL_REQUEST_CERTIFICATE, PR_TRUE);
   SetOption(SSL_REQUIRE_CERTIFICATE, requireAuth ? PR_TRUE : PR_FALSE);
 
@@ -437,18 +436,18 @@ void TlsAgent::SetResumptionTokenCallbac
   EXPECT_EQ(SECSuccess, rv);
 }
 
 void TlsAgent::GetVersionRange(uint16_t* minver, uint16_t* maxver) {
   *minver = vrange_.min;
   *maxver = vrange_.max;
 }
 
-void TlsAgent::SetExpectedVersion(uint16_t version) {
-  expected_version_ = version;
+void TlsAgent::SetExpectedVersion(uint16_t ver) {
+  expected_version_ = ver;
 }
 
 void TlsAgent::SetServerKeyBits(uint16_t bits) { server_key_bits_ = bits; }
 
 void TlsAgent::ExpectReadWriteError() { expect_readwrite_error_ = true; }
 
 void TlsAgent::SkipVersionChecks() { skip_version_checks_ = true; }
 
@@ -486,20 +485,20 @@ void TlsAgent::SetSignatureSchemes(const
   for (unsigned int j = 0; j < count && i < configuredCount; ++j) {
     if (i < configuredCount && schemes[j] == configuredSchemes[i]) {
       ++i;
     }
   }
   EXPECT_EQ(i, configuredCount) << "schemes in use were all set";
 }
 
-void TlsAgent::CheckKEA(SSLKEAType kea_type, SSLNamedGroup kea_group,
+void TlsAgent::CheckKEA(SSLKEAType kea, SSLNamedGroup kea_group,
                         size_t kea_size) const {
   EXPECT_EQ(STATE_CONNECTED, state_);
-  EXPECT_EQ(kea_type, info_.keaType);
+  EXPECT_EQ(kea, info_.keaType);
   if (kea_size == 0) {
     switch (kea_group) {
       case ssl_grp_ec_curve25519:
         kea_size = 255;
         break;
       case ssl_grp_ec_secp256r1:
         kea_size = 256;
         break;
@@ -510,17 +509,17 @@ void TlsAgent::CheckKEA(SSLKEAType kea_t
         kea_size = 2048;
         break;
       case ssl_grp_ffdhe_3072:
         kea_size = 3072;
         break;
       case ssl_grp_ffdhe_custom:
         break;
       default:
-        if (kea_type == ssl_kea_rsa) {
+        if (kea == ssl_kea_rsa) {
           kea_size = server_key_bits_;
         } else {
           EXPECT_TRUE(false) << "need to update group sizes";
         }
     }
   }
   if (kea_group != ssl_grp_ffdhe_custom) {
     EXPECT_EQ(kea_size, info_.keaKeyBits);
@@ -529,23 +528,23 @@ void TlsAgent::CheckKEA(SSLKEAType kea_t
 }
 
 void TlsAgent::CheckOriginalKEA(SSLNamedGroup kea_group) const {
   if (kea_group != ssl_grp_ffdhe_custom) {
     EXPECT_EQ(kea_group, info_.originalKeaGroup);
   }
 }
 
-void TlsAgent::CheckAuthType(SSLAuthType auth_type,
+void TlsAgent::CheckAuthType(SSLAuthType auth,
                              SSLSignatureScheme sig_scheme) const {
   EXPECT_EQ(STATE_CONNECTED, state_);
-  EXPECT_EQ(auth_type, info_.authType);
+  EXPECT_EQ(auth, info_.authType);
   EXPECT_EQ(server_key_bits_, info_.authKeyBits);
   if (expected_version_ < SSL_LIBRARY_VERSION_TLS_1_2) {
-    switch (auth_type) {
+    switch (auth) {
       case ssl_auth_rsa_sign:
         sig_scheme = ssl_sig_rsa_pkcs1_sha1md5;
         break;
       case ssl_auth_ecdsa:
         sig_scheme = ssl_sig_ecdsa_sha1;
         break;
       default:
         break;
@@ -553,33 +552,32 @@ void TlsAgent::CheckAuthType(SSLAuthType
   }
   EXPECT_EQ(sig_scheme, info_.signatureScheme);
 
   if (info_.protocolVersion >= SSL_LIBRARY_VERSION_TLS_1_3) {
     return;
   }
 
   // Check authAlgorithm, which is the old value for authType.  This is a second
-  // switch
-  // statement because default label is different.
-  switch (auth_type) {
+  // switch statement because default label is different.
+  switch (auth) {
     case ssl_auth_rsa_sign:
       EXPECT_EQ(ssl_auth_rsa_decrypt, csinfo_.authAlgorithm)
           << "authAlgorithm for RSA is always decrypt";
       break;
     case ssl_auth_ecdh_rsa:
       EXPECT_EQ(ssl_auth_rsa_decrypt, csinfo_.authAlgorithm)
           << "authAlgorithm for ECDH_RSA is RSA decrypt (i.e., wrong)";
       break;
     case ssl_auth_ecdh_ecdsa:
       EXPECT_EQ(ssl_auth_ecdsa, csinfo_.authAlgorithm)
           << "authAlgorithm for ECDH_ECDSA is ECDSA (i.e., wrong)";
       break;
     default:
-      EXPECT_EQ(auth_type, csinfo_.authAlgorithm)
+      EXPECT_EQ(auth, csinfo_.authAlgorithm)
           << "authAlgorithm is (usually) the same as authType";
       break;
   }
 }
 
 void TlsAgent::EnableFalseStart() {
   EXPECT_TRUE(EnsureTlsSetup());
 
@@ -595,25 +593,25 @@ void TlsAgent::EnableAlpn(const uint8_t*
   EXPECT_TRUE(EnsureTlsSetup());
 
   SetOption(SSL_ENABLE_ALPN, PR_TRUE);
   EXPECT_EQ(SECSuccess, SSL_SetNextProtoNego(ssl_fd(), val, len));
 }
 
 void TlsAgent::CheckAlpn(SSLNextProtoState expected_state,
                          const std::string& expected) const {
-  SSLNextProtoState state;
+  SSLNextProtoState npn_state;
   char chosen[10];
   unsigned int chosen_len;
-  SECStatus rv = SSL_GetNextProto(ssl_fd(), &state,
+  SECStatus rv = SSL_GetNextProto(ssl_fd(), &npn_state,
                                   reinterpret_cast<unsigned char*>(chosen),
                                   &chosen_len, sizeof(chosen));
   EXPECT_EQ(SECSuccess, rv);
-  EXPECT_EQ(expected_state, state);
-  if (state == SSL_NEXT_PROTO_NO_SUPPORT) {
+  EXPECT_EQ(expected_state, npn_state);
+  if (npn_state == SSL_NEXT_PROTO_NO_SUPPORT) {
     EXPECT_EQ("", expected);
   } else {
     EXPECT_NE("", expected);
     EXPECT_EQ(expected, std::string(chosen, chosen_len));
   }
 }
 
 void TlsAgent::EnableSrtp() {
@@ -835,20 +833,20 @@ void TlsAgent::CheckEarlyDataAccepted(bo
   ASSERT_EQ(expected, info_.earlyDataAccepted != PR_FALSE)
       << "unexpected early data state for " << name_;
 }
 
 void TlsAgent::CheckSecretsDestroyed() {
   ASSERT_EQ(PR_TRUE, SSLInt_CheckSecretsDestroyed(ssl_fd()));
 }
 
-void TlsAgent::SetDowngradeCheckVersion(uint16_t version) {
+void TlsAgent::SetDowngradeCheckVersion(uint16_t ver) {
   ASSERT_TRUE(EnsureTlsSetup());
 
-  SECStatus rv = SSL_SetDowngradeCheckVersion(ssl_fd(), version);
+  SECStatus rv = SSL_SetDowngradeCheckVersion(ssl_fd(), ver);
   ASSERT_EQ(SECSuccess, rv);
 }
 
 void TlsAgent::Handshake() {
   LOGV("Handshake");
   SECStatus rv = SSL_ForceHandshake(ssl_fd());
   if (rv == SECSuccess) {
     Connected();
--- a/gtests/ssl_gtest/tls_agent.h
+++ b/gtests/ssl_gtest/tls_agent.h
@@ -204,45 +204,45 @@ class TlsAgent : public PollTarget {
   uint16_t server_key_bits() const { return server_key_bits_; }
   uint16_t min_version() const { return vrange_.min; }
   uint16_t max_version() const { return vrange_.max; }
   uint16_t version() const {
     EXPECT_EQ(STATE_CONNECTED, state_);
     return info_.protocolVersion;
   }
 
-  bool cipher_suite(uint16_t* cipher_suite) const {
+  bool cipher_suite(uint16_t* suite) const {
     if (state_ != STATE_CONNECTED) return false;
 
-    *cipher_suite = info_.cipherSuite;
+    *suite = info_.cipherSuite;
     return true;
   }
 
   std::string cipher_suite_name() const {
     if (state_ != STATE_CONNECTED) return "UNKNOWN";
 
     return csinfo_.cipherSuiteName;
   }
 
   std::vector<uint8_t> session_id() const {
     return std::vector<uint8_t>(info_.sessionID,
                                 info_.sessionID + info_.sessionIDLength);
   }
 
-  bool auth_type(SSLAuthType* auth_type) const {
+  bool auth_type(SSLAuthType* a) const {
     if (state_ != STATE_CONNECTED) return false;
 
-    *auth_type = info_.authType;
+    *a = info_.authType;
     return true;
   }
 
-  bool kea_type(SSLKEAType* kea_type) const {
+  bool kea_type(SSLKEAType* k) const {
     if (state_ != STATE_CONNECTED) return false;
 
-    *kea_type = info_.keaType;
+    *k = info_.keaType;
     return true;
   }
 
   size_t received_bytes() const { return recv_ctr_; }
   PRErrorCode error_code() const { return error_code_; }
 
   bool can_falsestart_hook_called() const {
     return can_falsestart_hook_called_;
--- a/gtests/ssl_gtest/tls_filter.cc
+++ b/gtests/ssl_gtest/tls_filter.cc
@@ -174,41 +174,41 @@ PacketFilter::Action TlsRecordFilter::Fi
   EXPECT_TRUE(rv);
   if (!rv) {
     return KEEP;
   }
   *offset = out_header.Write(output, *offset, ciphertext);
   return CHANGE;
 }
 
-bool TlsRecordHeader::Parse(uint64_t sequence_number, TlsParser* parser,
+bool TlsRecordHeader::Parse(uint64_t seqno, TlsParser* parser,
                             DataBuffer* body) {
   if (!parser->Read(&content_type_)) {
     return false;
   }
 
-  uint32_t version;
-  if (!parser->Read(&version, 2)) {
+  uint32_t ver;
+  if (!parser->Read(&ver, 2)) {
     return false;
   }
-  version_ = version;
+  version_ = ver;
 
   // If this is DTLS, overwrite the sequence number.
-  if (IsDtls(version)) {
+  if (IsDtls(ver)) {
     uint32_t tmp;
     if (!parser->Read(&tmp, 4)) {
       return false;
     }
     sequence_number_ = static_cast<uint64_t>(tmp) << 32;
     if (!parser->Read(&tmp, 4)) {
       return false;
     }
     sequence_number_ |= static_cast<uint64_t>(tmp);
   } else {
-    sequence_number_ = sequence_number;
+    sequence_number_ = seqno;
   }
   return parser->ReadVariable(body, 2);
 }
 
 size_t TlsRecordHeader::Write(DataBuffer* buffer, size_t offset,
                               const DataBuffer& body) const {
   offset = buffer->Write(offset, content_type_, 1);
   offset = buffer->Write(offset, version_, 2);
@@ -483,19 +483,19 @@ PacketFilter::Action TlsRecordRecorder::
 PacketFilter::Action TlsConversationRecorder::FilterRecord(
     const TlsRecordHeader& header, const DataBuffer& input,
     DataBuffer* output) {
   buffer_.Append(input);
   return KEEP;
 }
 
 PacketFilter::Action TlsHeaderRecorder::FilterRecord(
-    const TlsRecordHeader& header, const DataBuffer& input,
+    const TlsRecordHeader& hdr, const DataBuffer& input,
     DataBuffer* output) {
-  headers_.push_back(header);
+  headers_.push_back(hdr);
   return KEEP;
 }
 
 const TlsRecordHeader* TlsHeaderRecorder::header(size_t index) {
   if (index > headers_.size() + 1) {
     return nullptr;
   }
   return &headers_[index];
--- a/gtests/ssl_gtest/tls_filter.h
+++ b/gtests/ssl_gtest/tls_filter.h
@@ -23,35 +23,34 @@ extern "C" {
 
 namespace nss_test {
 
 class TlsCipherSpec;
 
 class TlsVersioned {
  public:
   TlsVersioned() : version_(0) {}
-  explicit TlsVersioned(uint16_t version) : version_(version) {}
+  explicit TlsVersioned(uint16_t v) : version_(v) {}
 
   bool is_dtls() const { return IsDtls(version_); }
   uint16_t version() const { return version_; }
 
   void WriteStream(std::ostream& stream) const;
 
  protected:
   uint16_t version_;
 };
 
 class TlsRecordHeader : public TlsVersioned {
  public:
   TlsRecordHeader() : TlsVersioned(), content_type_(0), sequence_number_(0) {}
-  TlsRecordHeader(uint16_t version, uint8_t content_type,
-                  uint64_t sequence_number)
-      : TlsVersioned(version),
-        content_type_(content_type),
-        sequence_number_(sequence_number) {}
+  TlsRecordHeader(uint16_t ver, uint8_t ct, uint64_t seqno)
+      : TlsVersioned(ver),
+        content_type_(ct),
+        sequence_number_(seqno) {}
 
   uint8_t content_type() const { return content_type_; }
   uint64_t sequence_number() const { return sequence_number_; }
   uint16_t epoch() const {
     return static_cast<uint16_t>(sequence_number_ >> 48);
   }
   size_t header_length() const { return is_dtls() ? 13 : 5; }
 
@@ -78,18 +77,18 @@ inline std::shared_ptr<T> MakeTlsFilter(
   auto filter = std::make_shared<T>(agent, std::forward<Args>(args)...);
   agent->SetFilter(filter);
   return filter;
 }
 
 // Abstract filter that operates on entire (D)TLS records.
 class TlsRecordFilter : public PacketFilter {
  public:
-  TlsRecordFilter(const std::shared_ptr<TlsAgent>& agent)
-      : agent_(agent),
+  TlsRecordFilter(const std::shared_ptr<TlsAgent>& a)
+      : agent_(a),
         count_(0),
         cipher_spec_(),
         dropped_record_(false),
         in_sequence_number_(0),
         out_sequence_number_(0) {}
 
   std::shared_ptr<TlsAgent> agent() const { return agent_.lock(); }
 
@@ -178,21 +177,21 @@ inline std::ostream& operator<<(std::ost
   return stream << ' ' << std::hex << hdr.sequence_number() << std::dec;
 }
 
 // Abstract filter that operates on handshake messages rather than records.
 // This assumes that the handshake messages are written in a block as entire
 // records and that they don't span records or anything crazy like that.
 class TlsHandshakeFilter : public TlsRecordFilter {
  public:
-  TlsHandshakeFilter(const std::shared_ptr<TlsAgent>& agent)
-      : TlsRecordFilter(agent), handshake_types_(), preceding_fragment_() {}
-  TlsHandshakeFilter(const std::shared_ptr<TlsAgent>& agent,
+  TlsHandshakeFilter(const std::shared_ptr<TlsAgent>& a)
+      : TlsRecordFilter(a), handshake_types_(), preceding_fragment_() {}
+  TlsHandshakeFilter(const std::shared_ptr<TlsAgent>& a,
                      const std::set<uint8_t>& types)
-      : TlsRecordFilter(agent),
+      : TlsRecordFilter(a),
         handshake_types_(types),
         preceding_fragment_() {}
 
   // This filter can be set to be selective based on handshake message type.  If
   // this function isn't used (or the set is empty), then all handshake messages
   // will be filtered.
   void SetHandshakeTypes(const std::set<uint8_t>& types) {
     handshake_types_ = types;
@@ -238,58 +237,58 @@ class TlsHandshakeFilter : public TlsRec
 
   std::set<uint8_t> handshake_types_;
   DataBuffer preceding_fragment_;
 };
 
 // Make a copy of the first instance of a handshake message.
 class TlsHandshakeRecorder : public TlsHandshakeFilter {
  public:
-  TlsHandshakeRecorder(const std::shared_ptr<TlsAgent>& agent,
+  TlsHandshakeRecorder(const std::shared_ptr<TlsAgent>& a,
                        uint8_t handshake_type)
-      : TlsHandshakeFilter(agent, {handshake_type}), buffer_() {}
-  TlsHandshakeRecorder(const std::shared_ptr<TlsAgent>& agent,
+      : TlsHandshakeFilter(a, {handshake_type}), buffer_() {}
+  TlsHandshakeRecorder(const std::shared_ptr<TlsAgent>& a,
                        const std::set<uint8_t>& handshake_types)
-      : TlsHandshakeFilter(agent, handshake_types), buffer_() {}
+      : TlsHandshakeFilter(a, handshake_types), buffer_() {}
 
   virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
                                                const DataBuffer& input,
                                                DataBuffer* output);
 
   void Reset() { buffer_.Truncate(0); }
 
   const DataBuffer& buffer() const { return buffer_; }
 
  private:
   DataBuffer buffer_;
 };
 
 // Replace all instances of a handshake message.
 class TlsInspectorReplaceHandshakeMessage : public TlsHandshakeFilter {
  public:
-  TlsInspectorReplaceHandshakeMessage(const std::shared_ptr<TlsAgent>& agent,
+  TlsInspectorReplaceHandshakeMessage(const std::shared_ptr<TlsAgent>& a,
                                       uint8_t handshake_type,
                                       const DataBuffer& replacement)
-      : TlsHandshakeFilter(agent, {handshake_type}), buffer_(replacement) {}
+      : TlsHandshakeFilter(a, {handshake_type}), buffer_(replacement) {}
 
   virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
                                                const DataBuffer& input,
                                                DataBuffer* output);
 
  private:
   DataBuffer buffer_;
 };
 
 // Make a copy of each record of a given type.
 class TlsRecordRecorder : public TlsRecordFilter {
  public:
-  TlsRecordRecorder(const std::shared_ptr<TlsAgent>& agent, uint8_t ct)
-      : TlsRecordFilter(agent), filter_(true), ct_(ct), records_() {}
-  TlsRecordRecorder(const std::shared_ptr<TlsAgent>& agent)
-      : TlsRecordFilter(agent),
+  TlsRecordRecorder(const std::shared_ptr<TlsAgent>& a, uint8_t ct)
+      : TlsRecordFilter(a), filter_(true), ct_(ct), records_() {}
+  TlsRecordRecorder(const std::shared_ptr<TlsAgent>& a)
+      : TlsRecordFilter(a),
         filter_(false),
         ct_(content_handshake),  // dummy (<optional> is C++14)
         records_() {}
   virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                             const DataBuffer& input,
                                             DataBuffer* output);
 
   size_t count() const { return records_.size(); }
@@ -301,33 +300,33 @@ class TlsRecordRecorder : public TlsReco
   bool filter_;
   uint8_t ct_;
   std::vector<TlsRecord> records_;
 };
 
 // Make a copy of the complete conversation.
 class TlsConversationRecorder : public TlsRecordFilter {
  public:
-  TlsConversationRecorder(const std::shared_ptr<TlsAgent>& agent,
+  TlsConversationRecorder(const std::shared_ptr<TlsAgent>& a,
                           DataBuffer& buffer)
-      : TlsRecordFilter(agent), buffer_(buffer) {}
+      : TlsRecordFilter(a), buffer_(buffer) {}
 
   virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                             const DataBuffer& input,
                                             DataBuffer* output);
 
  private:
   DataBuffer buffer_;
 };
 
 // Make a copy of the records
 class TlsHeaderRecorder : public TlsRecordFilter {
  public:
-  TlsHeaderRecorder(const std::shared_ptr<TlsAgent>& agent)
-      : TlsRecordFilter(agent) {}
+  TlsHeaderRecorder(const std::shared_ptr<TlsAgent>& a)
+      : TlsRecordFilter(a) {}
   virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                             const DataBuffer& input,
                                             DataBuffer* output);
   const TlsRecordHeader* header(size_t index);
 
  private:
   std::vector<TlsRecordHeader> headers_;
 };
@@ -354,25 +353,25 @@ class ChainedPacketFilter : public Packe
   std::vector<std::shared_ptr<PacketFilter>> filters_;
 };
 
 typedef std::function<bool(TlsParser* parser, const TlsVersioned& header)>
     TlsExtensionFinder;
 
 class TlsExtensionFilter : public TlsHandshakeFilter {
  public:
-  TlsExtensionFilter(const std::shared_ptr<TlsAgent>& agent)
-      : TlsHandshakeFilter(agent,
+  TlsExtensionFilter(const std::shared_ptr<TlsAgent>& a)
+      : TlsHandshakeFilter(a,
                            {kTlsHandshakeClientHello, kTlsHandshakeServerHello,
                             kTlsHandshakeHelloRetryRequest,
                             kTlsHandshakeEncryptedExtensions}) {}
 
-  TlsExtensionFilter(const std::shared_ptr<TlsAgent>& agent,
+  TlsExtensionFilter(const std::shared_ptr<TlsAgent>& a,
                      const std::set<uint8_t>& types)
-      : TlsHandshakeFilter(agent, types) {}
+      : TlsHandshakeFilter(a, types) {}
 
   static bool FindExtensions(TlsParser* parser, const HandshakeHeader& header);
 
  protected:
   PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
                                        const DataBuffer& input,
                                        DataBuffer* output) override;
 
@@ -383,19 +382,19 @@ class TlsExtensionFilter : public TlsHan
  private:
   PacketFilter::Action FilterExtensions(TlsParser* parser,
                                         const DataBuffer& input,
                                         DataBuffer* output);
 };
 
 class TlsExtensionCapture : public TlsExtensionFilter {
  public:
-  TlsExtensionCapture(const std::shared_ptr<TlsAgent>& agent, uint16_t ext,
+  TlsExtensionCapture(const std::shared_ptr<TlsAgent>& a, uint16_t ext,
                       bool last = false)
-      : TlsExtensionFilter(agent),
+      : TlsExtensionFilter(a),
         extension_(ext),
         captured_(false),
         last_(last),
         data_() {}
 
   const DataBuffer& extension() const { return data_; }
   bool captured() const { return captured_; }
 
@@ -408,57 +407,56 @@ class TlsExtensionCapture : public TlsEx
   const uint16_t extension_;
   bool captured_;
   bool last_;
   DataBuffer data_;
 };
 
 class TlsExtensionReplacer : public TlsExtensionFilter {
  public:
-  TlsExtensionReplacer(const std::shared_ptr<TlsAgent>& agent,
+  TlsExtensionReplacer(const std::shared_ptr<TlsAgent>& a,
                        uint16_t extension, const DataBuffer& data)
-      : TlsExtensionFilter(agent), extension_(extension), data_(data) {}
+      : TlsExtensionFilter(a), extension_(extension), data_(data) {}
   PacketFilter::Action FilterExtension(uint16_t extension_type,
                                        const DataBuffer& input,
                                        DataBuffer* output) override;
 
  private:
   const uint16_t extension_;
   const DataBuffer data_;
 };
 
 class TlsExtensionDropper : public TlsExtensionFilter {
  public:
-  TlsExtensionDropper(const std::shared_ptr<TlsAgent>& agent,
+  TlsExtensionDropper(const std::shared_ptr<TlsAgent>& a,
                       uint16_t extension)
-      : TlsExtensionFilter(agent), extension_(extension) {}
+      : TlsExtensionFilter(a), extension_(extension) {}
   PacketFilter::Action FilterExtension(uint16_t extension_type,
                                        const DataBuffer&, DataBuffer*) override;
 
  private:
   uint16_t extension_;
 };
 
 class TlsExtensionInjector : public TlsHandshakeFilter {
  public:
-  TlsExtensionInjector(const std::shared_ptr<TlsAgent>& agent, uint16_t ext,
+  TlsExtensionInjector(const std::shared_ptr<TlsAgent>& a, uint16_t ext,
                        const DataBuffer& data)
-      : TlsHandshakeFilter(agent), extension_(ext), data_(data) {}
+      : TlsHandshakeFilter(a), extension_(ext), data_(data) {}
 
  protected:
   PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
                                        const DataBuffer& input,
                                        DataBuffer* output) override;
 
  private:
   const uint16_t extension_;
   const DataBuffer data_;
 };
 
-class TlsAgent;
 typedef std::function<void(void)> VoidFunction;
 
 class AfterRecordN : public TlsRecordFilter {
  public:
   AfterRecordN(const std::shared_ptr<TlsAgent>& src,
                const std::shared_ptr<TlsAgent>& dest, unsigned int record,
                VoidFunction func)
       : TlsRecordFilter(src),
@@ -510,26 +508,26 @@ class SelectiveDropFilter : public Packe
   uint8_t counter_;
 };
 
 // This class selectively drops complete records. The difference from
 // SelectiveDropFilter is that if multiple DTLS records are in the same
 // datagram, we just drop one.
 class SelectiveRecordDropFilter : public TlsRecordFilter {
  public:
-  SelectiveRecordDropFilter(const std::shared_ptr<TlsAgent>& agent,
+  SelectiveRecordDropFilter(const std::shared_ptr<TlsAgent>& a,
                             uint32_t pattern, bool enabled = true)
-      : TlsRecordFilter(agent), pattern_(pattern), counter_(0) {
+      : TlsRecordFilter(a), pattern_(pattern), counter_(0) {
     if (!enabled) {
       Disable();
     }
   }
-  SelectiveRecordDropFilter(const std::shared_ptr<TlsAgent>& agent,
+  SelectiveRecordDropFilter(const std::shared_ptr<TlsAgent>& a,
                             std::initializer_list<size_t> records)
-      : SelectiveRecordDropFilter(agent, ToPattern(records), true) {}
+      : SelectiveRecordDropFilter(a, ToPattern(records), true) {}
 
   void Reset(uint32_t pattern) {
     counter_ = 0;
     PacketFilter::Enable();
     pattern_ = pattern;
   }
 
   void Reset(std::initializer_list<size_t> records) {
@@ -546,34 +544,34 @@ class SelectiveRecordDropFilter : public
 
   uint32_t pattern_;
   uint8_t counter_;
 };
 
 // Set the version number in the ClientHello.
 class TlsClientHelloVersionSetter : public TlsHandshakeFilter {
  public:
-  TlsClientHelloVersionSetter(const std::shared_ptr<TlsAgent>& agent,
+  TlsClientHelloVersionSetter(const std::shared_ptr<TlsAgent>& a,
                               uint16_t version)
-      : TlsHandshakeFilter(agent, {kTlsHandshakeClientHello}),
+      : TlsHandshakeFilter(a, {kTlsHandshakeClientHello}),
         version_(version) {}
 
   virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
                                                const DataBuffer& input,
                                                DataBuffer* output);
 
  private:
   uint16_t version_;
 };
 
 // Damages the last byte of a handshake message.
 class TlsLastByteDamager : public TlsHandshakeFilter {
  public:
-  TlsLastByteDamager(const std::shared_ptr<TlsAgent>& agent, uint8_t type)
-      : TlsHandshakeFilter(agent), type_(type) {}
+  TlsLastByteDamager(const std::shared_ptr<TlsAgent>& a, uint8_t type)
+      : TlsHandshakeFilter(a), type_(type) {}
   PacketFilter::Action FilterHandshake(
       const TlsHandshakeFilter::HandshakeHeader& header,
       const DataBuffer& input, DataBuffer* output) override {
     if (header.handshake_type() != type_) {
       return KEEP;
     }
 
     *output = input;
@@ -583,19 +581,19 @@ class TlsLastByteDamager : public TlsHan
   }
 
  private:
   uint8_t type_;
 };
 
 class SelectedCipherSuiteReplacer : public TlsHandshakeFilter {
  public:
-  SelectedCipherSuiteReplacer(const std::shared_ptr<TlsAgent>& agent,
+  SelectedCipherSuiteReplacer(const std::shared_ptr<TlsAgent>& a,
                               uint16_t suite)
-      : TlsHandshakeFilter(agent, {kTlsHandshakeServerHello}),
+      : TlsHandshakeFilter(a, {kTlsHandshakeServerHello}),
         cipher_suite_(suite) {}
 
  protected:
   PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
                                        const DataBuffer& input,
                                        DataBuffer* output) override;
 
  private:
--- a/gtests/ssl_gtest/tls_protect.cc
+++ b/gtests/ssl_gtest/tls_protect.cc
@@ -86,19 +86,19 @@ bool AeadCipherChacha20Poly1305::Aead(bo
   aeadParams.ulAADLen = 0;
   aeadParams.ulTagLen = 16;
 
   FormatNonce(seq, nonce);
   return AeadInner(decrypt, (unsigned char *)&aeadParams, sizeof(aeadParams),
                    in, inlen, out, outlen, maxlen);
 }
 
-bool TlsCipherSpec::Init(uint16_t epoch, SSLCipherAlgorithm cipher,
+bool TlsCipherSpec::Init(uint16_t epoc, SSLCipherAlgorithm cipher,
                          PK11SymKey *key, const uint8_t *iv) {
-  epoch_ = epoch;
+  epoch_ = epoc;
   switch (cipher) {
     case ssl_calg_aes_gcm:
       aead_.reset(new AeadCipherAesGcm());
       break;
     case ssl_calg_chacha20:
       aead_.reset(new AeadCipherChacha20Poly1305());
       break;
     default:
--- a/lib/certdb/crl.c
+++ b/lib/certdb/crl.c
@@ -893,23 +893,23 @@ PreFreeEntry(void* pool, PLHashEntry* he
 }
 
 /* methods required for PL hash table functions */
 static PLHashAllocOps preAllocOps = { PreAllocTable, PreFreeTable,
                                       PreAllocEntry, PreFreeEntry };
 
 /* destructor for PreAllocator object */
 void
-PreAllocator_Destroy(PreAllocator* PreAllocator)
+PreAllocator_Destroy(PreAllocator* allocator)
 {
-    if (!PreAllocator) {
+    if (!allocator) {
         return;
     }
-    if (PreAllocator->arena) {
-        PORT_FreeArena(PreAllocator->arena, PR_TRUE);
+    if (allocator->arena) {
+        PORT_FreeArena(allocator->arena, PR_TRUE);
     }
 }
 
 /* constructor for PreAllocator object */
 PreAllocator*
 PreAllocator_Create(PRSize size)
 {
     PLArenaPool* arena = NULL;
--- a/lib/ckfw/session.c
+++ b/lib/ckfw/session.c
@@ -1414,19 +1414,18 @@ nssCKFWSession_CopyObject(
             }
         }
 
         return rv;
     } else {
         /* use create object */
         NSSArena *tmpArena;
         CK_ATTRIBUTE_PTR newTemplate;
-        CK_ULONG i, j, n, newLength, k;
+        CK_ULONG j, n, newLength, k;
         CK_ATTRIBUTE_TYPE_PTR oldTypes;
-        NSSCKFWObject *rv;
 
         n = nssCKFWObject_GetAttributeCount(fwObject, pError);
         if ((0 == n) && (CKR_OK != *pError)) {
             return (NSSCKFWObject *)NULL;
         }
 
         tmpArena = NSSArena_Create();
         if (!tmpArena) {
--- a/lib/freebl/loader.c
+++ b/lib/freebl/loader.c
@@ -2159,22 +2159,22 @@ BLAKE2B_NewContext(void)
 {
     if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) {
         return NULL;
     }
     return (vector->p_BLAKE2B_NewContext)();
 }
 
 void
-BLAKE2B_DestroyContext(BLAKE2BContext *BLAKE2BContext, PRBool freeit)
+BLAKE2B_DestroyContext(BLAKE2BContext *ctx, PRBool freeit)
 {
     if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) {
         return;
     }
-    (vector->p_BLAKE2B_DestroyContext)(BLAKE2BContext, freeit);
+    (vector->p_BLAKE2B_DestroyContext)(ctx, freeit);
 }
 
 SECStatus
 BLAKE2B_Begin(BLAKE2BContext *ctx)
 {
     if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) {
         return SECFailure;
     }
--- a/lib/freebl/mpi/mpi.c
+++ b/lib/freebl/mpi/mpi.c
@@ -2652,20 +2652,20 @@ mp_toradix(mp_int *mp, char *str, int ra
             str[pos++] = '-';
 
         /* Add trailing NUL to end the string        */
         str[pos--] = '\0';
 
         /* Reverse the digits and sign indicator     */
         ix = 0;
         while (ix < pos) {
-            char tmp = str[ix];
+            char tmpc = str[ix];
 
             str[ix] = str[pos];
-            str[pos] = tmp;
+            str[pos] = tmpc;
             ++ix;
             --pos;
         }
 
         mp_clear(&tmp);
     }
 
     return MP_OKAY;
@@ -3308,23 +3308,24 @@ s_mp_div_d(mp_int *mp, mp_digit d, mp_di
     if (d == 1) {
         if (r)
             *r = 0;
         return MP_OKAY;
     }
     /* could check for power of 2 here, but mp_div_d does that. */
     if (MP_USED(mp) == 1) {
         mp_digit n = MP_DIGIT(mp, 0);
-        mp_digit rem;
+        mp_digit remdig;
 
         q = n / d;
-        rem = n % d;
+        remdig = n % d;
         MP_DIGIT(mp, 0) = q;
-        if (r)
-            *r = rem;
+        if (r) {
+            *r = remdig;
+        }
         return MP_OKAY;
     }
 
     MP_DIGITS(&rem) = 0;
     MP_DIGITS(&quot) = 0;
     /* Make room for the quotient */
     MP_CHECKOK(mp_init_size(&quot, USED(mp)));
 
--- a/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
+++ b/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c
@@ -65,32 +65,32 @@ static const PKIX_UInt32 httpprotocolLen
  *  "client"
  *      The address of the HttpDefaultClient object. Must be non-NULL.
  *  "bytesRead"
  *      The UInt32 number of bytes received in the latest read.
  *  "pKeepGoing"
  *      The address at which the Boolean state machine flag is stored to
  *      indicate whether processing can continue without further input.
  *      Must be non-NULL.
- *  "plContext"
+ *  "plCtx"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a HttpDefaultClient Error if the function fails in a
  *      non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_pl_HttpDefaultClient_HdrCheckComplete(
         PKIX_PL_HttpDefaultClient *client,
         PKIX_UInt32 bytesRead,
         PKIX_Boolean *pKeepGoing,
-        void *plContext)
+        void *plCtx)
 {
         PKIX_UInt32 alreadyScanned = 0;
         PKIX_UInt32 comp = 0;
         PKIX_UInt32 headerLength = 0;
         PKIX_Int32 contentLength = HTTP_UNKNOWN_CONTENT_LENGTH;
         char *eoh = NULL;
         char *statusLineEnd = NULL;
         char *space = NULL;
@@ -137,17 +137,17 @@ pkix_pl_HttpDefaultClient_HdrCheckComple
                 *pKeepGoing = PKIX_TRUE;
                 goto cleanup;
         }
 
         /* Yes. Calculate how many bytes in header (not counting eohMarker) */
         headerLength = (eoh - client->rcvBuf);
 
         /* allocate space to copy header (and for the NULL terminator) */
-        PKIX_CHECK(PKIX_PL_Malloc(headerLength + 1, (void **)&copy, plContext),
+        PKIX_CHECK(PKIX_PL_Malloc(headerLength + 1, (void **)&copy, plCtx),
                 PKIX_MALLOCFAILED);
 
         /* copy header data before we corrupt it (by storing NULLs) */
         PORT_Memcpy(copy, client->rcvBuf, headerLength);
 	/* Store the NULL terminator */
 	copy[headerLength] = '\0';
 	client->rcvHeaders = copy;
 
@@ -296,27 +296,27 @@ pkix_pl_HttpDefaultClient_HdrCheckComple
              } else {
                  client->connectStatus = HTTP_COMPLETE;
                  *pKeepGoing = PKIX_FALSE;
              }
          }
  
          if (contentLength > 0) {
              /* allocate a buffer of size contentLength  for the content */
-             PKIX_CHECK(PKIX_PL_Malloc(contentLength, (void **)&body, plContext),
+             PKIX_CHECK(PKIX_PL_Malloc(contentLength, (void **)&body, plCtx),
                         PKIX_MALLOCFAILED);
              
              /* copy any remaining bytes in current buffer into new buffer */
              if (client->filledupBytes > 0) {
                  PORT_Memcpy(body, &(client->rcvBuf[headerLength]),
                              client->filledupBytes);
              }
          }
  
-         PKIX_CHECK(PKIX_PL_Free(client->rcvBuf, plContext),
+         PKIX_CHECK(PKIX_PL_Free(client->rcvBuf, plCtx),
                     PKIX_FREEFAILED);
          client->rcvBuf = body;
 
 cleanup:
 
         PKIX_RETURN(HTTPDEFAULTCLIENT);
 }
 
@@ -335,44 +335,44 @@ cleanup:
  *  "host"
  *      The name of the server with which we hope to exchange messages. Must
  *      be non-NULL.
  *  "portnum"
  *      The port number to be used for our connection to the server.
  *  "pClient"
  *      The address at which the created HttpDefaultClient is to be stored.
  *      Must be non-NULL.
- *  "plContext"
+ *  "plCtx"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a HttpDefaultClient Error if the function fails in
  *      a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_pl_HttpDefaultClient_Create(
         const char *host,
         PRUint16 portnum,
         PKIX_PL_HttpDefaultClient **pClient,
-        void *plContext)
+        void *plCtx)
 {
         PKIX_PL_HttpDefaultClient *client = NULL;
 
         PKIX_ENTER(HTTPDEFAULTCLIENT, "PKIX_PL_HttpDefaultClient_Create");
         PKIX_NULLCHECK_TWO(pClient, host);
 
         /* allocate an HttpDefaultClient */
         PKIX_CHECK(PKIX_PL_Object_Alloc
                 (PKIX_HTTPDEFAULTCLIENT_TYPE,
                 sizeof (PKIX_PL_HttpDefaultClient),
                 (PKIX_PL_Object **)&client,
-                plContext),
+                plCtx),
                 PKIX_COULDNOTCREATEHTTPDEFAULTCLIENTOBJECT);
 
         /* Client timeout is overwritten in HttpDefaultClient_RequestCreate
          * function. Default value will be ignored. */
         client->timeout = 0;
         client->connectStatus = HTTP_NOT_CONNECTED;
         client->portnum = portnum;
         client->bytesToWrite = 0;
@@ -403,20 +403,20 @@ pkix_pl_HttpDefaultClient_Create(
         client->send_http_data = NULL;
         client->rcv_http_response_code = NULL;
         client->rcv_http_content_type = NULL;
         client->rcv_http_headers = NULL;
         client->rcv_http_data = NULL;
         client->socket = NULL;
 
         /*
-         * The HttpClient API does not include a plContext argument in its
+         * The HttpClient API does not include a plCtx argument in its
          * function calls. Save it here.
          */
-        client->plContext = plContext;
+        client->plContext = plCtx;
 
         *pClient = client;
 
 cleanup:
         if (PKIX_ERROR_RECEIVED) {
                 PKIX_DECREF(client);
         }
 
@@ -425,47 +425,47 @@ cleanup:
 
 /*
  * FUNCTION: pkix_pl_HttpDefaultClient_Destroy
  * (see comments for PKIX_PL_DestructorCallback in pkix_pl_system.h)
  */
 static PKIX_Error *
 pkix_pl_HttpDefaultClient_Destroy(
         PKIX_PL_Object *object,
-        void *plContext)
+        void *plCtx)
 {
         PKIX_PL_HttpDefaultClient *client = NULL;
 
         PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_Destroy");
         PKIX_NULLCHECK_ONE(object);
 
         PKIX_CHECK(pkix_CheckType
-                    (object, PKIX_HTTPDEFAULTCLIENT_TYPE, plContext),
+                    (object, PKIX_HTTPDEFAULTCLIENT_TYPE, plCtx),
                     PKIX_OBJECTNOTANHTTPDEFAULTCLIENT);
 
         client = (PKIX_PL_HttpDefaultClient *)object;
 
         if (client->rcvHeaders) {
-            PKIX_PL_Free(client->rcvHeaders, plContext);
+            PKIX_PL_Free(client->rcvHeaders, plCtx);
             client->rcvHeaders = NULL;
         }
         if (client->rcvContentType) {
             PORT_Free(client->rcvContentType);
             client->rcvContentType = NULL;
         }
         if (client->GETBuf != NULL) {
                 PR_smprintf_free(client->GETBuf);
                 client->GETBuf = NULL;
         }
         if (client->POSTBuf != NULL) {
-                PKIX_PL_Free(client->POSTBuf, plContext);
+                PKIX_PL_Free(client->POSTBuf, plCtx);
                 client->POSTBuf = NULL;
         }
         if (client->rcvBuf != NULL) {
-                PKIX_PL_Free(client->rcvBuf, plContext);
+                PKIX_PL_Free(client->rcvBuf, plCtx);
                 client->rcvBuf = NULL;
         }
         if (client->host) {
                 PORT_Free(client->host);
                 client->host = NULL;
         }
         if (client->path) {
                 PORT_Free(client->path);
@@ -488,17 +488,17 @@ cleanup:
  * THREAD SAFETY:
  *  Not Thread Safe - for performance and complexity reasons
  *
  *  Since this function is only called by PKIX_PL_Initialize, which should
  *  only be called once, it is acceptable that this function is not
  *  thread-safe.
  */
 PKIX_Error *
-pkix_pl_HttpDefaultClient_RegisterSelf(void *plContext)
+pkix_pl_HttpDefaultClient_RegisterSelf(void *plCtx)
 {
         extern pkix_ClassTable_Entry systemClasses[PKIX_NUMTYPES];
         pkix_ClassTable_Entry *entry =
             &systemClasses[PKIX_HTTPDEFAULTCLIENT_TYPE];
 
         PKIX_ENTER(HTTPDEFAULTCLIENT,
                 "pkix_pl_HttpDefaultClient_RegisterSelf");
 
@@ -524,45 +524,45 @@ pkix_pl_HttpDefaultClient_RegisterSelf(v
  *
  * PARAMETERS:
  *  "client"
  *      The address of the HttpDefaultClient object. Must be non-NULL.
  *  "pKeepGoing"
  *      The address at which the Boolean state machine flag is stored to
  *      indicate whether processing can continue without further input.
  *      Must be non-NULL.
- *  "plContext"
+ *  "plCtx"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a HttpDefaultClient Error if the function fails in a
  *      non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_pl_HttpDefaultClient_ConnectContinue(
         PKIX_PL_HttpDefaultClient *client,
         PKIX_Boolean *pKeepGoing,
-        void *plContext)
+        void *plCtx)
 {
         PRErrorCode status;
         PKIX_Boolean keepGoing = PKIX_FALSE;
         PKIX_PL_Socket_Callback *callbackList = NULL;
 
         PKIX_ENTER
                 (HTTPDEFAULTCLIENT,
                 "pkix_pl_HttpDefaultClient_ConnectContinue");
         PKIX_NULLCHECK_ONE(client);
 
         callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
 
         PKIX_CHECK(callbackList->connectcontinueCallback
-                (client->socket, &status, plContext),
+                (client->socket, &status, plCtx),
                 PKIX_SOCKETCONNECTCONTINUEFAILED);
 
         if (status == 0) {
                 client->connectStatus = HTTP_CONNECTED;
                 keepGoing = PKIX_TRUE;
         } else if (status != PR_IN_PROGRESS_ERROR) {
                 PKIX_ERROR(PKIX_UNEXPECTEDERRORINESTABLISHINGCONNECTION);
         }
@@ -590,32 +590,32 @@ cleanup:
  *      The address of the HttpDefaultClient object. Must be non-NULL.
  *  "pKeepGoing"
  *      The address at which the Boolean state machine flag is stored to
  *      indicate whether processing can continue without further input.
  *      Must be non-NULL.
  *  "pBytesTransferred"
  *      The address at which the number of bytes sent is stored. Must be
  *      non-NULL.
- *  "plContext"
+ *  "plCtx"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a HttpDefaultClient Error if the function fails in a
  *      non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_pl_HttpDefaultClient_Send(
         PKIX_PL_HttpDefaultClient *client,
         PKIX_Boolean *pKeepGoing,
         PKIX_UInt32 *pBytesTransferred,
-        void *plContext)
+        void *plCtx)
 {
         PKIX_Int32 bytesWritten = 0;
         PKIX_Int32 lenToWrite = 0;
         PKIX_PL_Socket_Callback *callbackList = NULL;
         char *dataToWrite = NULL;
 
         PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_Send");
         PKIX_NULLCHECK_THREE(client, pKeepGoing, pBytesTransferred);
@@ -635,17 +635,17 @@ pkix_pl_HttpDefaultClient_Send(
 
                 callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
 
                 PKIX_CHECK(callbackList->sendCallback
                         (client->socket,
                         dataToWrite,
                         lenToWrite,
                         &bytesWritten,
-                        plContext),
+                        plCtx),
                         PKIX_SOCKETSENDFAILED);
 
                 client->rcvBuf = NULL;
                 client->capacity = 0;
                 client->filledupBytes = 0;
 
                 /*
                  * If the send completed we can proceed to try for the
@@ -685,45 +685,45 @@ cleanup:
  *      The address of the HttpDefaultClient object. Must be non-NULL.
  *  "pKeepGoing"
  *      The address at which the Boolean state machine flag is stored to
  *      indicate whether processing can continue without further input.
  *      Must be non-NULL.
  *  "pBytesTransferred"
  *      The address at which the number of bytes sent is stored. Must be
  *      non-NULL.
- *  "plContext"
+ *  "plCtx"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a HttpDefaultClient Error if the function fails in a
  *      non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_pl_HttpDefaultClient_SendContinue(
         PKIX_PL_HttpDefaultClient *client,
         PKIX_Boolean *pKeepGoing,
         PKIX_UInt32 *pBytesTransferred,
-        void *plContext)
+        void *plCtx)
 {
         PKIX_Int32 bytesWritten = 0;
         PKIX_PL_Socket_Callback *callbackList = NULL;
 
         PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_SendContinue");
         PKIX_NULLCHECK_THREE(client, pKeepGoing, pBytesTransferred);
 
         *pKeepGoing = PKIX_FALSE;
 
         callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
 
         PKIX_CHECK(callbackList->pollCallback
-                (client->socket, &bytesWritten, NULL, plContext),
+                (client->socket, &bytesWritten, NULL, plCtx),
                 PKIX_SOCKETPOLLFAILED);
 
         /*
          * If the send completed we can proceed to try for the
          * response. If the send did not complete we will have
          * continue to poll.
          */
         if (bytesWritten >= 0) {
@@ -747,31 +747,31 @@ cleanup:
  *
  * PARAMETERS:
  *  "client"
  *      The address of the HttpDefaultClient object. Must be non-NULL.
  *  "pKeepGoing"
  *      The address at which the Boolean state machine flag is stored to
  *      indicate whether processing can continue without further input.
  *      Must be non-NULL.
- *  "plContext"
+ *  "plCtx"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a HttpDefaultClient Error if the function fails in a
  *      non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_pl_HttpDefaultClient_RecvHdr(
         PKIX_PL_HttpDefaultClient *client,
         PKIX_Boolean *pKeepGoing,
-        void *plContext)
+        void *plCtx)
 {
         PKIX_UInt32 bytesToRead = 0;
         PKIX_Int32 bytesRead = 0;
         PKIX_PL_Socket_Callback *callbackList = NULL;
 
         PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_RecvHdr");
         PKIX_NULLCHECK_TWO(client, pKeepGoing);
 
@@ -782,38 +782,38 @@ pkix_pl_HttpDefaultClient_RecvHdr(
          * reading again if necessary, until we have read the end-of-header
          * marker, "\r\n\r\n", or have reached our maximum.
          */
         client->capacity += HTTP_HEADER_BUFSIZE;
         PKIX_CHECK(PKIX_PL_Realloc
                 (client->rcvBuf,
                 client->capacity,
                 (void **)&(client->rcvBuf),
-                plContext),
+                plCtx),
                 PKIX_REALLOCFAILED);
 
         bytesToRead = client->capacity - client->filledupBytes;
 
         callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
 
         PKIX_CHECK(callbackList->recvCallback
                 (client->socket,
                 (void *)&(client->rcvBuf[client->filledupBytes]),
                 bytesToRead,
                 &bytesRead,
-                plContext),
+                plCtx),
                 PKIX_SOCKETRECVFAILED);
 
         if (bytesRead > 0) {
             /* client->filledupBytes will be adjusted by
              * pkix_pl_HttpDefaultClient_HdrCheckComplete */
             PKIX_CHECK(
                 pkix_pl_HttpDefaultClient_HdrCheckComplete(client, bytesRead,
                                                            pKeepGoing,
-                                                           plContext),
+                                                           plCtx),
                        PKIX_HTTPDEFAULTCLIENTHDRCHECKCOMPLETEFAILED);
         } else {
             client->connectStatus = HTTP_RECV_HDR_PENDING;
             *pKeepGoing = PKIX_FALSE;
         }
 
 cleanup:
         PKIX_RETURN(HTTPDEFAULTCLIENT);
@@ -829,51 +829,51 @@ cleanup:
  *
  * PARAMETERS:
  *  "client"
  *      The address of the HttpDefaultClient object. Must be non-NULL.
  *  "pKeepGoing"
  *      The address at which the Boolean state machine flag is stored to
  *      indicate whether processing can continue without further input.
  *      Must be non-NULL.
- *  "plContext"
+ *  "plCtx"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a HttpDefaultClient Error if the function fails in a
  *      non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_pl_HttpDefaultClient_RecvHdrContinue(
         PKIX_PL_HttpDefaultClient *client,
         PKIX_Boolean *pKeepGoing,
-        void *plContext)
+        void *plCtx)
 {
         PKIX_Int32 bytesRead = 0;
         PKIX_PL_Socket_Callback *callbackList = NULL;
 
         PKIX_ENTER
                 (HTTPDEFAULTCLIENT,
                 "pkix_pl_HttpDefaultClient_RecvHdrContinue");
         PKIX_NULLCHECK_TWO(client, pKeepGoing);
 
         callbackList = (PKIX_PL_Socket_Callback *)client->callbackList;
 
         PKIX_CHECK(callbackList->pollCallback
-                (client->socket, NULL, &bytesRead, plContext),
+                (client->socket, NULL, &bytesRead, plCtx),
                 PKIX_SOCKETPOLLFAILED);
 
         if (bytesRead > 0) {
                 client->filledupBytes += bytesRead;
 
                 PKIX_CHECK(pkix_pl_HttpDefaultClient_HdrCheckComplete
-                        (client, bytesRead, pKeepGoing, plContext),
+                        (client, bytesRead, pKeepGoing, plCtx),
                         PKIX_HTTPDEFAULTCLIENTHDRCHECKCOMPLETEFAILED);
 
         } else {
 
                 *pKeepGoing = PKIX_FALSE;
 
         }
 
@@ -892,31 +892,31 @@ cleanup:
  *
  * PARAMETERS:
  *  "client"
  *      The address of the HttpDefaultClient object. Must be non-NULL.
  *  "pKeepGoing"
  *      The address at which the Boolean state machine flag is stored to
  *      indicate whether processing can continue without further input.
  *      Must be non-NULL.
- *  "plContext"
+ *  "plCtx"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a HttpDefaultClient Error if the function fails in a
  *      non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_pl_HttpDefaultClient_RecvBody(
         PKIX_PL_HttpDefaultClient *client,
         PKIX_Boolean *pKeepGoing,
-        void *plContext)
+        void *plCtx)
 {
         PKIX_Int32 bytesRead = 0;
         PKIX_Int32 bytesToRead = 0;
         PKIX_PL_Socket_Callback *callbackList = NULL;
 
         PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_RecvBody");
         PKIX_NULLCHECK_TWO(client, pKeepGoing);
 
@@ -947,37 +947,37 @@ pkix_pl_HttpDefaultClient_RecvBody(
                     client->connectStatus = HTTP_ERROR;
                     *pKeepGoing = PKIX_FALSE;
                     goto cleanup;
                 }
                 if (client->capacity < newLength) {
                     client->capacity = newLength;
                     PKIX_CHECK(
                         PKIX_PL_Realloc(client->rcvBuf, newLength,
-                                        (void**)&client->rcvBuf, plContext),
+                                        (void**)&client->rcvBuf, plCtx),
                         PKIX_REALLOCFAILED);
                     freeBuffSize = client->capacity -
                         client->filledupBytes;
                 }
             }
             bytesToRead = freeBuffSize;
         }
 
         /* Use poll callback if waiting on non-blocking IO */
         if (client->connectStatus == HTTP_RECV_BODY_PENDING) {
             PKIX_CHECK(callbackList->pollCallback
-                       (client->socket, NULL, &bytesRead, plContext),
+                       (client->socket, NULL, &bytesRead, plCtx),
                        PKIX_SOCKETPOLLFAILED);
         } else {
             PKIX_CHECK(callbackList->recvCallback
                        (client->socket,
                         (void *)&(client->rcvBuf[client->filledupBytes]),
                         bytesToRead,
                         &bytesRead,
-                        plContext),
+                        plCtx),
                        PKIX_SOCKETRECVFAILED);
         }
 
         /* If bytesRead < 0, an error will be thrown by recvCallback, so
          * need to handle >= 0 cases. */
 
         /* bytesRead == 0 - IO was blocked. */
         if (bytesRead == 0) {
@@ -1021,68 +1021,68 @@ cleanup:
  *
  *  This function is the state machine dispatcher for the HttpDefaultClient
  *  pointed to by "client". Results are returned by changes to various fields
  *  in the context.
  *
  * PARAMETERS:
  *  "client"
  *      The address of the HttpDefaultClient object. Must be non-NULL.
- *  "plContext"
+ *  "plCtx"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a HttpDefaultClient Error if the function fails in a
  *      non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_pl_HttpDefaultClient_Dispatch(
         PKIX_PL_HttpDefaultClient *client,
-        void *plContext)
+        void *plCtx)
 {
         PKIX_UInt32 bytesTransferred = 0;
         PKIX_Boolean keepGoing = PKIX_TRUE;
 
         PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_Dispatch");
         PKIX_NULLCHECK_ONE(client);
 
         while (keepGoing) {
                 switch (client->connectStatus) {
                 case HTTP_CONNECT_PENDING:
                     PKIX_CHECK(pkix_pl_HttpDefaultClient_ConnectContinue
-                        (client, &keepGoing, plContext),
+                        (client, &keepGoing, plCtx),
                         PKIX_HTTPDEFAULTCLIENTCONNECTCONTINUEFAILED);
                     break;
                 case HTTP_CONNECTED:
                     PKIX_CHECK(pkix_pl_HttpDefaultClient_Send
-                        (client, &keepGoing, &bytesTransferred, plContext),
+                        (client, &keepGoing, &bytesTransferred, plCtx),
                         PKIX_HTTPDEFAULTCLIENTSENDFAILED);
                     break;
                 case HTTP_SEND_PENDING:
                     PKIX_CHECK(pkix_pl_HttpDefaultClient_SendContinue
-                        (client, &keepGoing, &bytesTransferred, plContext),
+                        (client, &keepGoing, &bytesTransferred, plCtx),
                         PKIX_HTTPDEFAULTCLIENTSENDCONTINUEFAILED);
                     break;
                 case HTTP_RECV_HDR:
                     PKIX_CHECK(pkix_pl_HttpDefaultClient_RecvHdr
-                        (client, &keepGoing, plContext),
+                        (client, &keepGoing, plCtx),
                         PKIX_HTTPDEFAULTCLIENTRECVHDRFAILED);
                     break;
                 case HTTP_RECV_HDR_PENDING:
                     PKIX_CHECK(pkix_pl_HttpDefaultClient_RecvHdrContinue
-                        (client, &keepGoing, plContext),
+                        (client, &keepGoing, plCtx),
                         PKIX_HTTPDEFAULTCLIENTRECVHDRCONTINUEFAILED);
                     break;
                 case HTTP_RECV_BODY:
                 case HTTP_RECV_BODY_PENDING:
                     PKIX_CHECK(pkix_pl_HttpDefaultClient_RecvBody
-                        (client, &keepGoing, plContext),
+                        (client, &keepGoing, plCtx),
                         PKIX_HTTPDEFAULTCLIENTRECVBODYFAILED);
                     break;
                 case HTTP_ERROR:
                 case HTTP_COMPLETE:
                     keepGoing = PKIX_FALSE;
                     break;
                 case HTTP_NOT_CONNECTED:
                 default:
@@ -1101,51 +1101,51 @@ cleanup:
  * The functions that return PKIX_Error* are the libpkix implementations.
  */
 
 PKIX_Error *
 pkix_pl_HttpDefaultClient_CreateSession(
         const char *host,
         PRUint16 portnum,
         SEC_HTTP_SERVER_SESSION *pSession,
-        void *plContext)
+        void *plCtx)
 {
         PKIX_PL_HttpDefaultClient *client = NULL;
 
         PKIX_ENTER
                 (HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_CreateSession");
         PKIX_NULLCHECK_TWO(host, pSession);
 
         PKIX_CHECK(pkix_pl_HttpDefaultClient_Create
-                (host, portnum, &client, plContext),
+                (host, portnum, &client, plCtx),
                 PKIX_HTTPDEFAULTCLIENTCREATEFAILED);
 
         *pSession = (SEC_HTTP_SERVER_SESSION)client;
 
 cleanup:
 
         PKIX_RETURN(HTTPDEFAULTCLIENT);
 
 }
 
 PKIX_Error *
 pkix_pl_HttpDefaultClient_KeepAliveSession(
         SEC_HTTP_SERVER_SESSION session,
         PRPollDesc **pPollDesc,
-        void *plContext)
+        void *plCtx)
 {
         PKIX_ENTER
                 (HTTPDEFAULTCLIENT,
                 "pkix_pl_HttpDefaultClient_KeepAliveSession");
         PKIX_NULLCHECK_TWO(session, pPollDesc);
 
         PKIX_CHECK(pkix_CheckType
                 ((PKIX_PL_Object *)session,
                 PKIX_HTTPDEFAULTCLIENT_TYPE,
-                plContext),
+                plCtx),
                 PKIX_SESSIONNOTANHTTPDEFAULTCLIENT);
 
         /* XXX Not implemented */
 
 cleanup:
 
         PKIX_RETURN(HTTPDEFAULTCLIENT);
 
@@ -1154,32 +1154,32 @@ cleanup:
 PKIX_Error *
 pkix_pl_HttpDefaultClient_RequestCreate(
         SEC_HTTP_SERVER_SESSION session,
         const char *http_protocol_variant, /* usually "http" */
         const char *path_and_query_string,
         const char *http_request_method, 
         const PRIntervalTime timeout, 
         SEC_HTTP_REQUEST_SESSION *pRequest,
-        void *plContext)
+        void *plCtx)
 {
         PKIX_PL_HttpDefaultClient *client = NULL;
         PKIX_PL_Socket *socket = NULL;
         PKIX_PL_Socket_Callback *callbackList = NULL;
         PRFileDesc *fileDesc = NULL;
         PRErrorCode status = 0;
 
         PKIX_ENTER
                 (HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_RequestCreate");
         PKIX_NULLCHECK_TWO(session, pRequest);
 
         PKIX_CHECK(pkix_CheckType
                 ((PKIX_PL_Object *)session,
                 PKIX_HTTPDEFAULTCLIENT_TYPE,
-                plContext),
+                plCtx),
                 PKIX_SESSIONNOTANHTTPDEFAULTCLIENT);
 
         client = (PKIX_PL_HttpDefaultClient *)session;
 
         /* We only know how to do http */
         if (PORT_Strncasecmp(http_protocol_variant, "http", 4) != 0) {
                 PKIX_ERROR(PKIX_UNRECOGNIZEDPROTOCOLREQUESTED);
         }
@@ -1207,39 +1207,39 @@ pkix_pl_HttpDefaultClient_RequestCreate(
 
 #if 0
 	PKIX_CHECK(pkix_HttpCertStore_FindSocketConnection
                 (timeout,
                 "variation.red.iplanet.com", /* (char *)client->host, */
                 2001,   /* client->portnum, */
                 &status,
                 &socket,
-                plContext),
+                plCtx),
 		PKIX_HTTPCERTSTOREFINDSOCKETCONNECTIONFAILED);
 #else
 	PKIX_CHECK(pkix_HttpCertStore_FindSocketConnection
                 (timeout,
                 (char *)client->host,
                 client->portnum,
                 &status,
                 &socket,
-                plContext),
+                plCtx),
 		PKIX_HTTPCERTSTOREFINDSOCKETCONNECTIONFAILED);
 #endif
 
         client->socket = socket;
 
         PKIX_CHECK(pkix_pl_Socket_GetCallbackList
-                (socket, &callbackList, plContext),
+                (socket, &callbackList, plCtx),
                 PKIX_SOCKETGETCALLBACKLISTFAILED);
 
         client->callbackList = (void *)callbackList;
 
         PKIX_CHECK(pkix_pl_Socket_GetPRFileDesc
-                (socket, &fileDesc, plContext),
+                (socket, &fileDesc, plCtx),
                 PKIX_SOCKETGETPRFILEDESCFAILED);
 
         client->pollDesc.fd = fileDesc;
         client->pollDesc.in_flags = 0;
         client->pollDesc.out_flags = 0;
 
         client->send_http_data = NULL;
         client->send_http_data_len = 0;
@@ -1259,29 +1259,29 @@ cleanup:
 }
 
 PKIX_Error *
 pkix_pl_HttpDefaultClient_SetPostData(
         SEC_HTTP_REQUEST_SESSION request,
         const char *http_data, 
         const PRUint32 http_data_len,
         const char *http_content_type,
-        void *plContext)
+        void *plCtx)
 {
         PKIX_PL_HttpDefaultClient *client = NULL;
 
         PKIX_ENTER
                 (HTTPDEFAULTCLIENT,
                 "pkix_pl_HttpDefaultClient_SetPostData");
         PKIX_NULLCHECK_ONE(request);
 
         PKIX_CHECK(pkix_CheckType
                 ((PKIX_PL_Object *)request,
                 PKIX_HTTPDEFAULTCLIENT_TYPE,
-                plContext),
+                plCtx),
                 PKIX_REQUESTNOTANHTTPDEFAULTCLIENT);
 
         client = (PKIX_PL_HttpDefaultClient *)request;
 
         client->send_http_data = http_data;
         client->send_http_data_len = http_data_len;
         client->send_http_content_type = http_content_type;
 
@@ -1302,34 +1302,34 @@ pkix_pl_HttpDefaultClient_TrySendAndRece
         SEC_HTTP_REQUEST_SESSION request,
         PRUint16 *http_response_code, 
         const char **http_response_content_type, 
         const char **http_response_headers, 
         const char **http_response_data, 
         PRUint32 *http_response_data_len, 
         PRPollDesc **pPollDesc,
         SECStatus *pSECReturn,
-        void *plContext)        
+        void *plCtx)        
 {
         PKIX_PL_HttpDefaultClient *client = NULL;
         PKIX_UInt32 postLen = 0;
         PRPollDesc *pollDesc = NULL;
         char *sendbuf = NULL;
         char portstr[16];
 
         PKIX_ENTER
                 (HTTPDEFAULTCLIENT,
                 "pkix_pl_HttpDefaultClient_TrySendAndReceive");
 
         PKIX_NULLCHECK_ONE(request);
 
         PKIX_CHECK(pkix_CheckType
                 ((PKIX_PL_Object *)request,
                 PKIX_HTTPDEFAULTCLIENT_TYPE,
-                plContext),
+                plCtx),
                 PKIX_REQUESTNOTANHTTPDEFAULTCLIENT);
 
         client = (PKIX_PL_HttpDefaultClient *)request;
 
         if (!pPollDesc && client->timeout == 0) {
             PKIX_ERROR_FATAL(PKIX_NULLARGUMENT);
         }
 
@@ -1375,17 +1375,17 @@ pkix_pl_HttpDefaultClient_TrySendAndRece
                         postLen = PORT_Strlen(sendbuf);
                             
                         client->POSTLen = postLen + client->send_http_data_len;
 
                         /* allocate postBuffer big enough for header + data */
                         PKIX_CHECK(PKIX_PL_Malloc
                                 (client->POSTLen,
                                 (void **)&(client->POSTBuf),
-                                plContext),
+                                plCtx),
                                 PKIX_MALLOCFAILED);
 
                         /* copy header into postBuffer */
                         PORT_Memcpy(client->POSTBuf, sendbuf, postLen);
 
                         /* append data after header */
                         PORT_Memcpy(&client->POSTBuf[postLen],
                                     client->send_http_data,
@@ -1402,17 +1402,17 @@ pkix_pl_HttpDefaultClient_TrySendAndRece
                             client->host,
                             portstr);
                         client->GETLen = PORT_Strlen(client->GETBuf);
                 }
 
         }
 
         /* continue according to state */
-        PKIX_CHECK(pkix_pl_HttpDefaultClient_Dispatch(client, plContext),
+        PKIX_CHECK(pkix_pl_HttpDefaultClient_Dispatch(client, plCtx),
                 PKIX_HTTPDEFAULTCLIENTDISPATCHFAILED);
 
         switch (client->connectStatus) {
                 case HTTP_CONNECT_PENDING:
                 case HTTP_SEND_PENDING:
                 case HTTP_RECV_HDR_PENDING:
                 case HTTP_RECV_BODY_PENDING:
                         pollDesc = &(client->pollDesc);
@@ -1473,25 +1473,25 @@ cleanup:
 
         PKIX_RETURN(HTTPDEFAULTCLIENT);
 
 }
 
 PKIX_Error *
 pkix_pl_HttpDefaultClient_Cancel(
         SEC_HTTP_REQUEST_SESSION request,
-        void *plContext)
+        void *plCtx)
 {
         PKIX_ENTER(HTTPDEFAULTCLIENT, "pkix_pl_HttpDefaultClient_Cancel");
         PKIX_NULLCHECK_ONE(request);
 
         PKIX_CHECK(pkix_CheckType
                 ((PKIX_PL_Object *)request,
                 PKIX_HTTPDEFAULTCLIENT_TYPE,
-                plContext),
+                plCtx),
                 PKIX_REQUESTNOTANHTTPDEFAULTCLIENT);
 
         /* XXX Not implemented */
 
 cleanup:
 
         PKIX_RETURN(HTTPDEFAULTCLIENT);
 
--- a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
+++ b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c
@@ -18,53 +18,53 @@
  *
  *  This function creates an InfoAccess from the method provided in "method" and
  *  the GeneralName provided in "generalName" and stores the result at
  *  "pInfoAccess".
  *
  * PARAMETERS
  *  "method"
  *      The UInt32 value to be stored as the method field of the InfoAccess.
- *  "generalName"
- *      The GeneralName to be stored as the generalName field of the InfoAccess.
+ *  "gName"
+ *      The GeneralName to be stored as the gName field of the InfoAccess.
  *      Must be non-NULL.
  *  "pInfoAccess"
  *      Address where the result is stored. Must be non-NULL.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 static PKIX_Error *
 pkix_pl_InfoAccess_Create(
         PKIX_UInt32 method,
-        PKIX_PL_GeneralName *generalName,
+        PKIX_PL_GeneralName *gName,
         PKIX_PL_InfoAccess **pInfoAccess,
         void *plContext)
 {
 
         PKIX_PL_InfoAccess *infoAccess = NULL;
 
         PKIX_ENTER(INFOACCESS, "pkix_pl_InfoAccess_Create");
-        PKIX_NULLCHECK_TWO(generalName, pInfoAccess);
+        PKIX_NULLCHECK_TWO(gName, pInfoAccess);
 
         PKIX_CHECK(PKIX_PL_Object_Alloc
                 (PKIX_INFOACCESS_TYPE,
                 sizeof (PKIX_PL_InfoAccess),
                 (PKIX_PL_Object **)&infoAccess,
                 plContext),
                 PKIX_COULDNOTCREATEINFOACCESSOBJECT);
 
         infoAccess->method = method;
 
-        PKIX_INCREF(generalName);
-        infoAccess->location = generalName;
+        PKIX_INCREF(gName);
+        infoAccess->location = gName;
 
         *pInfoAccess = infoAccess;
         infoAccess = NULL;
 
 cleanup:
         PKIX_DECREF(infoAccess);
 
         PKIX_RETURN(INFOACCESS);
@@ -673,17 +673,17 @@ pkix_pl_UnescapeURL(
  *
  *  ldap://<ldap-server-site>/[cn=<cname>][,o=<org>][,c=<country>]?
  *  [caCertificate|crossCertificatPair|certificateRevocationList];
  *  [binary|<other-type>]
  *  [[,caCertificate|crossCertificatPair|certificateRevocationList]
  *   [binary|<other-type>]]*
  *
  * PARAMETERS
- *  "generalName"
+ *  "gName"
  *      Address of the GeneralName whose LDAPLocation is to be parsed. Must be
  *      non-NULL.
  *  "arena"
  *      Address of PLArenaPool to be used for the domainName and for components
  *      of the LDAPRequest. Must be non-NULL.
  *  "request"
  *      Address of the LDAPRequestParams into which request components are
  *      stored. Must be non-NULL.
@@ -695,17 +695,17 @@ pkix_pl_UnescapeURL(
  *  Thread Safe (see Thread Safety Definitions in Programmer's Guide)
  * RETURNS:
  *  Returns NULL if the function succeeds.
  *  Returns an InfoAccess Error if the function fails in a non-fatal way.
  *  Returns a Fatal Error if the function fails in an unrecoverable way.
  */
 PKIX_Error *
 pkix_pl_InfoAccess_ParseLocation(
-        PKIX_PL_GeneralName *generalName,
+        PKIX_PL_GeneralName *gName,
         PLArenaPool *arena,
         LDAPRequestParams *request,
         char **pDomainName,
         void *plContext)
 {
         PKIX_PL_String *locationString = NULL;
         PKIX_UInt32 len = 0;
         PKIX_UInt32 ncIndex = 0;
@@ -717,19 +717,19 @@ pkix_pl_InfoAccess_ParseLocation(
         char *startPos = NULL;
         char *endPos = NULL;
         char *avaPtr = NULL;
         LdapAttrMask attrBit = 0;
         LDAPNameComponent **setOfNameComponent = NULL;
         LDAPNameComponent *nameComponent = NULL;
 
         PKIX_ENTER(INFOACCESS, "pkix_pl_InfoAccess_ParseLocation");
-        PKIX_NULLCHECK_FOUR(generalName, arena, request, pDomainName);
+        PKIX_NULLCHECK_FOUR(gName, arena, request, pDomainName);
 
-        PKIX_TOSTRING(generalName, &locationString, plContext,
+        PKIX_TOSTRING(gName, &locationString, plContext,
                 PKIX_GENERALNAMETOSTRINGFAILED);
 
         PKIX_CHECK(PKIX_PL_String_GetEncoded
                 (locationString,
                 PKIX_ESCASCII,
                 (void **)&locationAscii,
                 &len,
                 plContext),
--- a/lib/pk11wrap/pk11pars.c
+++ b/lib/pk11wrap/pk11pars.c
@@ -542,26 +542,26 @@ secmod_applyCryptoPolicy(const char *pol
                 NSS_SetAlgorithmPolicy(algOptList[i].oid, enable, disable);
             }
             continue;
         }
 
         for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
             const oidValDef *algOpt = &algOptList[i];
             unsigned name_size = algOpt->name_size;
-            PRBool newValue = PR_FALSE;
+            PRBool newOption = PR_FALSE;
 
             if ((length >= name_size) && (cipher[name_size] == '/')) {
-                newValue = PR_TRUE;
+                newOption = PR_TRUE;
             }
-            if ((newValue || algOpt->name_size == length) &&
+            if ((newOption || algOpt->name_size == length) &&
                 PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
                 PRUint32 value = algOpt->val;
                 PRUint32 enable, disable;
-                if (newValue) {
+                if (newOption) {
                     value = secmod_parsePolicyValue(&cipher[name_size] + 1,
                                                     length - name_size - 1);
                 }
                 if (allow) {
                     enable = value;
                     disable = 0;
                 } else {
                     enable = 0;
--- a/lib/pkcs7/p7decode.c
+++ b/lib/pkcs7/p7decode.c
@@ -1585,17 +1585,16 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont
                                                 encoded_attrs.len,
                                                 publickey, &(signerinfo->encDigest),
                                                 encTag, digestTag, NULL,
                                                 cinfo->pwfn_arg) == SECSuccess);
         PORT_Free(encoded_attrs.data);
     } else {
         SECItem *sig;
         SECItem holder;
-        SECStatus rv;
 
         /*
          * No authenticated attributes.
          * The signature is based on the plain message digest.
          */
 
         sig = &(signerinfo->encDigest);
         if (sig->len == 0) { /* bad signature */
--- a/lib/pki/pki3hack.c
+++ b/lib/pki/pki3hack.c
@@ -1138,18 +1138,18 @@ STAN_ChangeCertTrust(CERTCertificate *cc
     nssTrust->serverAuth = get_stan_trust(trust->sslFlags, PR_FALSE);
     nssTrust->clientAuth = get_stan_trust(trust->sslFlags, PR_TRUE);
     nssTrust->emailProtection = get_stan_trust(trust->emailFlags, PR_FALSE);
     nssTrust->codeSigning = get_stan_trust(trust->objectSigningFlags, PR_FALSE);
     nssTrust->stepUpApproved =
         (PRBool)(trust->sslFlags & CERTDB_GOVT_APPROVED_CA);
     if (c->object.cryptoContext != NULL) {
         /* The cert is in a context, set the trust there */
-        NSSCryptoContext *cc = c->object.cryptoContext;
-        nssrv = nssCryptoContext_ImportTrust(cc, nssTrust);
+        NSSCryptoContext *cctx = c->object.cryptoContext;
+        nssrv = nssCryptoContext_ImportTrust(cctx, nssTrust);
         if (nssrv != PR_SUCCESS) {
             goto done;
         }
         if (c->object.numInstances == 0) {
             /* The context is the only instance, finished */
             goto done;
         }
     }
--- a/lib/smime/cmsrecinfo.c
+++ b/lib/smime/cmsrecinfo.c
@@ -77,17 +77,17 @@ nss_cmsrecipientinfo_create(NSSCMSMessag
     if (ri == NULL)
         goto loser;
 
     ri->cmsg = cmsg;
 
     if (DERinput) {
         /* decode everything from DER */
         SECItem newinput;
-        SECStatus rv = SECITEM_CopyItem(poolp, &newinput, DERinput);
+        rv = SECITEM_CopyItem(poolp, &newinput, DERinput);
         if (SECSuccess != rv)
             goto loser;
         rv = SEC_QuickDERDecodeItem(poolp, ri, NSSCMSRecipientInfoTemplate, &newinput);
         if (SECSuccess != rv)
             goto loser;
     }
 
     switch (type) {
--- a/lib/softoken/lowpbe.c
+++ b/lib/softoken/lowpbe.c
@@ -1068,25 +1068,25 @@ sec_pkcs5_rc2(SECItem *key, SECItem *iv,
     }
 
     dup_src = SECITEM_DupItem(src);
     if (dup_src == NULL) {
         return NULL;
     }
 
     if (encrypt != PR_FALSE) {
-        void *dummy;
+        void *v;
 
-        dummy = CBC_PadBuffer(NULL, dup_src->data,
-                              dup_src->len, &dup_src->len, 8 /* RC2_BLOCK_SIZE */);
-        if (dummy == NULL) {
+        v = CBC_PadBuffer(NULL, dup_src->data,
+                          dup_src->len, &dup_src->len, 8 /* RC2_BLOCK_SIZE */);
+        if (v == NULL) {
             SECITEM_FreeItem(dup_src, PR_TRUE);
             return NULL;
         }
-        dup_src->data = (unsigned char *)dummy;
+        dup_src->data = (unsigned char *)v;
     }
 
     dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
     if (dest != NULL) {
         dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64);
         if (dest->data != NULL) {
             RC2Context *ctxt;
 
--- a/lib/softoken/pkcs11.c
+++ b/lib/softoken/pkcs11.c
@@ -1338,17 +1338,16 @@ sftk_handleSecretKeyObject(SFTKSession *
     crv = validateSecretKey(session, object, key_type, isFIPS);
     if (crv != CKR_OK)
         goto loser;
 
     /* If the object is a TOKEN object, store in the database */
     if (sftk_isTrue(object, CKA_TOKEN)) {
         SFTKSlot *slot = session->slot;
         SFTKDBHandle *keyHandle = sftk_getKeyDB(slot);
-        CK_RV crv;
 
         if (keyHandle == NULL) {
             return CKR_TOKEN_WRITE_PROTECTED;
         }
 
         crv = sftkdb_write(keyHandle, object, &object->handle);
         sftk_freeDB(keyHandle);
         return crv;
@@ -3802,22 +3801,22 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, C
     /* Now update our local copy of the pin */
     if (rv == SECSuccess) {
         PZ_Lock(slot->slotLock);
         slot->needLogin = (PRBool)(ulNewLen != 0);
         slot->isLoggedIn = (PRBool)(sftkdb_PWCached(handle) == SECSuccess);
         PZ_Unlock(slot->slotLock);
         /* Reset login flags. */
         if (ulNewLen == 0) {
-            PRBool tokenRemoved = PR_FALSE;
             PZ_Lock(slot->slotLock);
             slot->isLoggedIn = PR_FALSE;
             slot->ssoLoggedIn = PR_FALSE;
             PZ_Unlock(slot->slotLock);
 
+            tokenRemoved = PR_FALSE;
             rv = sftkdb_CheckPassword(handle, "", &tokenRemoved);
             if (tokenRemoved) {
                 sftk_CloseAllSessions(slot, PR_FALSE);
             }
         }
         sftk_update_all_states(slot);
         sftk_freeDB(handle);
         return CKR_OK;
@@ -4417,16 +4416,54 @@ NSC_GetObjectSize(CK_SESSION_HANDLE hSes
                   CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize)
 {
     CHECK_FORK();
 
     *pulSize = 0;
     return CKR_OK;
 }
 
+static CK_RV
+nsc_GetTokenAttributeValue(SFTKSession *session, CK_OBJECT_HANDLE hObject,
+                           CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
+{
+    SFTKSlot *slot = sftk_SlotFromSession(session);
+    SFTKDBHandle *dbHandle = sftk_getDBForTokenObject(slot, hObject);
+    SFTKDBHandle *keydb = NULL;
+    CK_RV crv;
+
+    if (dbHandle == NULL) {
+        return CKR_OBJECT_HANDLE_INVALID;
+    }
+
+    crv = sftkdb_GetAttributeValue(dbHandle, hObject, pTemplate, ulCount);
+
+    /* make sure we don't export any sensitive information */
+    keydb = sftk_getKeyDB(slot);
+    if (dbHandle == keydb) {
+        CK_ULONG i;
+        for (i = 0; i < ulCount; i++) {
+            if (sftk_isSensitive(pTemplate[i].type, CKO_PRIVATE_KEY)) {
+                crv = CKR_ATTRIBUTE_SENSITIVE;
+                if (pTemplate[i].pValue && (pTemplate[i].ulValueLen != -1)) {
+                    PORT_Memset(pTemplate[i].pValue, 0,
+                                pTemplate[i].ulValueLen);
+                }
+                pTemplate[i].ulValueLen = -1;
+            }
+        }
+    }
+
+    sftk_freeDB(dbHandle);
+    if (keydb) {
+        sftk_freeDB(keydb);
+    }
+    return crv;
+}
+
 /* NSC_GetAttributeValue obtains the value of one or more object attributes. */
 CK_RV
 NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
                       CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
 {
     SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
     SFTKSession *session;
     SFTKObject *object;
@@ -4445,47 +4482,18 @@ NSC_GetAttributeValue(CK_SESSION_HANDLE 
      */
     session = sftk_SessionFromHandle(hSession);
     if (session == NULL) {
         return CKR_SESSION_HANDLE_INVALID;
     }
 
     /* short circuit everything for token objects */
     if (sftk_isToken(hObject)) {
-        SFTKSlot *slot = sftk_SlotFromSession(session);
-        SFTKDBHandle *dbHandle = sftk_getDBForTokenObject(slot, hObject);
-        SFTKDBHandle *keydb = NULL;
-
-        if (dbHandle == NULL) {
-            sftk_FreeSession(session);
-            return CKR_OBJECT_HANDLE_INVALID;
-        }
-
-        crv = sftkdb_GetAttributeValue(dbHandle, hObject, pTemplate, ulCount);
-
-        /* make sure we don't export any sensitive information */
-        keydb = sftk_getKeyDB(slot);
-        if (dbHandle == keydb) {
-            for (i = 0; i < (int)ulCount; i++) {
-                if (sftk_isSensitive(pTemplate[i].type, CKO_PRIVATE_KEY)) {
-                    crv = CKR_ATTRIBUTE_SENSITIVE;
-                    if (pTemplate[i].pValue && (pTemplate[i].ulValueLen != -1)) {
-                        PORT_Memset(pTemplate[i].pValue, 0,
-                                    pTemplate[i].ulValueLen);
-                    }
-                    pTemplate[i].ulValueLen = -1;
-                }
-            }
-        }
-
+        crv = nsc_GetTokenAttributeValue(session, hObject, pTemplate, ulCount);
         sftk_FreeSession(session);
-        sftk_freeDB(dbHandle);
-        if (keydb) {
-            sftk_freeDB(keydb);
-        }
         return crv;
     }
 
     /* handle the session object */
     object = sftk_ObjectFromHandle(hObject, session);
     sftk_FreeSession(session);
     if (object == NULL) {
         return CKR_OBJECT_HANDLE_INVALID;
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -7570,23 +7570,23 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
         case CKM_NSS_HKDF_SHA512:
             hashType = HASH_AlgSHA512;
             goto hkdf;
         hkdf : {
             const CK_NSS_HKDFParams *params =
                 (const CK_NSS_HKDFParams *)pMechanism->pParameter;
             const SECHashObject *rawHash;
             unsigned hashLen;
-            CK_BYTE buf[HASH_LENGTH_MAX];
+            CK_BYTE hashbuf[HASH_LENGTH_MAX];
             CK_BYTE *prk; /* psuedo-random key */
             CK_ULONG prkLen;
             CK_BYTE *okm; /* output keying material */
 
             rawHash = HASH_GetRawHashObject(hashType);
-            if (rawHash == NULL || rawHash->length > sizeof buf) {
+            if (rawHash == NULL || rawHash->length > sizeof(hashbuf)) {
                 crv = CKR_FUNCTION_FAILED;
                 break;
             }
             hashLen = rawHash->length;
 
             if (pMechanism->ulParameterLen != sizeof(CK_NSS_HKDFParams) ||
                 !params || (!params->bExpand && !params->bExtract) ||
                 (params->bExtract && params->ulSaltLen > 0 && !params->pSalt) ||
@@ -7610,65 +7610,65 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
                 CK_ULONG saltLen;
                 HMACContext *hmac;
                 unsigned int bufLen;
 
                 salt = params->pSalt;
                 saltLen = params->ulSaltLen;
                 if (salt == NULL) {
                     saltLen = hashLen;
-                    salt = buf;
+                    salt = hashbuf;
                     memset(salt, 0, saltLen);
                 }
                 hmac = HMAC_Create(rawHash, salt, saltLen, isFIPS);
                 if (!hmac) {
                     crv = CKR_HOST_MEMORY;
                     break;
                 }
                 HMAC_Begin(hmac);
                 HMAC_Update(hmac, (const unsigned char *)att->attrib.pValue,
                             att->attrib.ulValueLen);
-                HMAC_Finish(hmac, buf, &bufLen, sizeof(buf));
+                HMAC_Finish(hmac, hashbuf, &bufLen, sizeof(hashbuf));
                 HMAC_Destroy(hmac, PR_TRUE);
                 PORT_Assert(bufLen == rawHash->length);
-                prk = buf;
+                prk = hashbuf;
                 prkLen = bufLen;
             } else {
                 /* PRK = base key value */
                 prk = (CK_BYTE *)att->attrib.pValue;
                 prkLen = att->attrib.ulValueLen;
             }
 
             /* HKDF-Expand */
             if (!params->bExpand) {
                 okm = prk;
             } else {
                 /* T(1) = HMAC-Hash(prk, "" | info | 0x01)
                  * T(n) = HMAC-Hash(prk, T(n-1) | info | n
                  * key material = T(1) | ... | T(n)
                  */
                 HMACContext *hmac;
-                CK_BYTE i;
+                CK_BYTE bi;
                 unsigned iterations = PR_ROUNDUP(keySize, hashLen) / hashLen;
                 hmac = HMAC_Create(rawHash, prk, prkLen, isFIPS);
                 if (hmac == NULL) {
                     crv = CKR_HOST_MEMORY;
                     break;
                 }
-                for (i = 1; i <= iterations; ++i) {
+                for (bi = 1; bi <= iterations; ++bi) {
                     unsigned len;
                     HMAC_Begin(hmac);
-                    if (i > 1) {
-                        HMAC_Update(hmac, key_block + ((i - 2) * hashLen), hashLen);
+                    if (bi > 1) {
+                        HMAC_Update(hmac, key_block + ((bi - 2) * hashLen), hashLen);
                     }
                     if (params->ulInfoLen != 0) {
                         HMAC_Update(hmac, params->pInfo, params->ulInfoLen);
                     }
-                    HMAC_Update(hmac, &i, 1);
-                    HMAC_Finish(hmac, key_block + ((i - 1) * hashLen), &len,
+                    HMAC_Update(hmac, &bi, 1);
+                    HMAC_Finish(hmac, key_block + ((bi - 1) * hashLen), &len,
                                 hashLen);
                     PORT_Assert(len == hashLen);
                 }
                 HMAC_Destroy(hmac, PR_TRUE);
                 okm = key_block;
             }
             /* key material = prk */
             crv = sftk_forceAttribute(key, CKA_VALUE, okm, keySize);
--- a/lib/softoken/pkcs11u.c
+++ b/lib/softoken/pkcs11u.c
@@ -1188,17 +1188,17 @@ sftk_DeleteObject(SFTKSession *session, 
 {
     SFTKSlot *slot = sftk_SlotFromSession(session);
     SFTKSessionObject *so = sftk_narrowToSessionObject(object);
     CK_RV crv = CKR_OK;
     PRUint32 index = sftk_hash(object->handle, slot->sessObjHashSize);
 
     /* Handle Token case */
     if (so && so->session) {
-        SFTKSession *session = so->session;
+        session = so->session;
         PZ_Lock(session->objectLock);
         sftkqueue_delete(&so->sessionList, 0, session->objects, 0);
         PZ_Unlock(session->objectLock);
         PZ_Lock(slot->objectLock);
         sftkqueue_delete2(object, object->handle, index, slot->sessObjHashTable);
         PZ_Unlock(slot->objectLock);
         sftkqueue_clear_deleted_element(object);
         sftk_FreeObject(object); /* free the reference owned by the queue */
--- a/lib/softoken/sftkpars.c
+++ b/lib/softoken/sftkpars.c
@@ -157,50 +157,50 @@ sftk_parseParameters(char *param, sftk_p
         NSSUTIL_HANDLE_STRING_ARG(index, tmp, "flags=",
                                   if (tmp) { sftk_parseFlags(param,parsed); PORT_Free(tmp); tmp = NULL; })
         NSSUTIL_HANDLE_STRING_ARG(index, tmp, "tokens=",
                                   if (tmp) { sftk_parseTokens(tmp,parsed); PORT_Free(tmp); tmp = NULL; })
         NSSUTIL_HANDLE_FINAL_ARG(index)
     }
     if (parsed->tokens == NULL) {
         int count = isFIPS ? 1 : 2;
-        int index = count - 1;
+        int i = count - 1;
         sftk_token_parameters *tokens = NULL;
 
         tokens = (sftk_token_parameters *)
             PORT_ZAlloc(count * sizeof(sftk_token_parameters));
         if (tokens == NULL) {
             goto loser;
         }
         parsed->tokens = tokens;
         parsed->token_count = count;
-        tokens[index].slotID = isFIPS ? FIPS_SLOT_ID : PRIVATE_KEY_SLOT_ID;
-        tokens[index].certPrefix = certPrefix;
-        tokens[index].keyPrefix = keyPrefix;
-        tokens[index].minPW = minPW ? atoi(minPW) : 0;
-        tokens[index].readOnly = parsed->readOnly;
-        tokens[index].noCertDB = parsed->noCertDB;
-        tokens[index].noKeyDB = parsed->noCertDB;
-        tokens[index].forceOpen = parsed->forceOpen;
-        tokens[index].pwRequired = parsed->pwRequired;
-        tokens[index].optimizeSpace = parsed->optimizeSpace;
+        tokens[i].slotID = isFIPS ? FIPS_SLOT_ID : PRIVATE_KEY_SLOT_ID;
+        tokens[i].certPrefix = certPrefix;
+        tokens[i].keyPrefix = keyPrefix;
+        tokens[i].minPW = minPW ? atoi(minPW) : 0;
+        tokens[i].readOnly = parsed->readOnly;
+        tokens[i].noCertDB = parsed->noCertDB;
+        tokens[i].noKeyDB = parsed->noCertDB;
+        tokens[i].forceOpen = parsed->forceOpen;
+        tokens[i].pwRequired = parsed->pwRequired;
+        tokens[i].optimizeSpace = parsed->optimizeSpace;
         tokens[0].optimizeSpace = parsed->optimizeSpace;
         certPrefix = NULL;
         keyPrefix = NULL;
         if (isFIPS) {
-            tokens[index].tokdes = ftokdes;
-            tokens[index].updtokdes = pupdtokdes;
-            tokens[index].slotdes = fslotdes;
+            tokens[i].tokdes = ftokdes;
+            tokens[i].updtokdes = pupdtokdes;
+            tokens[i].slotdes = fslotdes;
             fslotdes = NULL;
             ftokdes = NULL;
             pupdtokdes = NULL;
         } else {
-            tokens[index].tokdes = ptokdes;
-            tokens[index].updtokdes = pupdtokdes;
-            tokens[index].slotdes = pslotdes;
+            tokens[i].tokdes = ptokdes;
+            tokens[i].updtokdes = pupdtokdes;
+            tokens[i].slotdes = pslotdes;
             tokens[0].slotID = NETSCAPE_SLOT_ID;
             tokens[0].tokdes = tokdes;
             tokens[0].slotdes = slotdes;
             tokens[0].noCertDB = PR_TRUE;
             tokens[0].noKeyDB = PR_TRUE;
             pupdtokdes = NULL;
             ptokdes = NULL;
             pslotdes = NULL;
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -3029,17 +3029,16 @@ ssl3_SendChangeCipherSpecsInt(sslSocket 
     if (!IS_DTLS(ss)) {
         PRInt32 sent;
         sent = ssl3_SendRecord(ss, NULL, content_change_cipher_spec,
                                &change, 1, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
         if (sent < 0) {
             return SECFailure; /* error code set by ssl3_SendRecord */
         }
     } else {
-        SECStatus rv;
         rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1);
         if (rv != SECSuccess) {
             return SECFailure;
         }
     }
     return SECSuccess;
 }
 
@@ -11703,17 +11702,17 @@ ssl_RemoveTLSCBCPadding(sslBuffer *plain
      * amount of padding possible. (Again, the length of the record is
      * public information so we can use it.) */
     toCheck = 256; /* maximum amount of padding + 1. */
     if (toCheck > plaintext->len) {
         toCheck = plaintext->len;
     }
 
     for (i = 0; i < toCheck; i++) {
-        unsigned int t = paddingLength - i;
+        t = paddingLength - i;
         /* If i <= paddingLength then the MSB of t is zero and mask is
          * 0xff.  Otherwise, mask is 0. */
         unsigned char mask = DUPLICATE_MSB_TO_ALL(~t);
         unsigned char b = plaintext->buf[plaintext->len - 1 - i];
         /* The final |paddingLength+1| bytes should all have the value
          * |paddingLength|. Therefore the XOR should be zero. */
         good &= ~(mask & (paddingLength ^ b));
     }
--- a/nss-tool/enc/enctool.cc
+++ b/nss-tool/enc/enctool.cc
@@ -266,17 +266,16 @@ bool EncTool::DoCipher(std::string file_
     buf = std::cout.rdbuf();
   }
   std::ostream output(buf);
 
   // Read from stdin.
   if (file_name.empty()) {
     std::vector<uint8_t> data = ReadInputData("");
     std::vector<uint8_t> out(data.size() + 16);
-    SECStatus rv;
     if (encrypt) {
       rv = PK11_Encrypt(symKey.get(), cipher_mech_, params.get(), out.data(),
                         &outLen, data.size() + 16, data.data(), data.size());
     } else {
       rv = PK11_Decrypt(symKey.get(), cipher_mech_, params.get(), out.data(),
                         &outLen, data.size() + 16, data.data(), data.size());
     }
     if (rv != SECSuccess) {