Bug 1307958 - -Werror=sign-compare under ./security/nss directory draft
authorISHIKAWA, Chiaki <ishikawa@yk.rim.or.jp>
Sat, 09 Nov 2019 11:00:10 +0900
changeset 81071 5816efa090d438ceb394efc938be18ede0c93963
parent 81070 65df23be2f60eb1aac1359891d7a690b060532e9
child 81072 5a4d04240bdaa767d3637490270a58a9f1d1db9d
push id9744
push userishikawa@yk.rim.or.jp
push dateSat, 09 Nov 2019 02:01:06 +0000
treeherdertry-comm-central@56c83244ac0e [default view] [failures only]
bugs1307958
Bug 1307958 - -Werror=sign-compare under ./security/nss directory
mozilla-M-C-009-nss-security-sign-vs-unsigned-correction.patch
new file mode 100644
--- /dev/null
+++ b/mozilla-M-C-009-nss-security-sign-vs-unsigned-correction.patch
@@ -0,0 +1,2470 @@
+# HG changeset patch
+# User ISHIKAWA, Chiaki <ishikawa@yk.rim.or.jp>
+# Parent  8029e6aa4e2a6a9600d066d360b9c694cf7c300d
+Bug 1307958 - -Werror=sign-compare under ./security/nss directory
+* * *
+Fixing sign vs. unsigned comparison in security-related library.
+* * *
+/NREF-COMM-CENTRAL/mozilla/security/nss/lib/ssl/tls13esni.c:591:34: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare]
+     if ((ss->esniKeys->notBefore > now) || (ss->esniKeys->notAfter < now)) {
+                                  ^
+/NREF-COMM-CENTRAL/mozilla/security/nss/lib/ssl/tls13esni.c:591:68: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare]
+     if ((ss->esniKeys->notBefore > now) || (ss->esniKeys->notAfter < now)) {
+
+diff --git a/nsprpub/pr/include/prlog.h b/nsprpub/pr/include/prlog.h
+--- a/nsprpub/pr/include/prlog.h
++++ b/nsprpub/pr/include/prlog.h
+@@ -159,17 +159,17 @@ NSPR_API(void) PR_LogFlush(void);
+ 
+ NSPR_API(void) PR_Assert(const char *s, const char *file, PRIntn ln)
+ PR_PRETEND_NORETURN;
+ 
+ #if defined(DEBUG) || defined(FORCE_PR_LOG)
+ #define PR_LOGGING 1
+ 
+ #define PR_LOG_TEST(_module,_level) \
+-    ((_module)->level >= (_level))
++  (((int) (_module)->level) >= (_level))
+ 
+ /*
+ ** Log something.
+ **    "module" is the address of a PRLogModuleInfo structure
+ **    "level" is the desired logging level
+ **    "args" is a variable length list of arguments to print, in the following
+ **       format:  ("printf style format string", ...)
+ */
+diff --git a/security/nss/cmd/lib/basicutil.c b/security/nss/cmd/lib/basicutil.c
+--- a/security/nss/cmd/lib/basicutil.c
++++ b/security/nss/cmd/lib/basicutil.c
+@@ -628,21 +628,21 @@ SECU_GetOptionArg(const secuCommand *cmd
+         return NULL;
+ }
+ 
+ void
+ SECU_PrintPRandOSError(const char *progName)
+ {
+     char buffer[513];
+     PRInt32 errLen = PR_GetErrorTextLength();
+-    if (errLen > 0 && errLen < sizeof buffer) {
++    if (errLen > 0 && (unsigned int) errLen < sizeof buffer) {
+         PR_GetErrorText(buffer);
+     }
+     SECU_PrintError(progName, "function failed");
+-    if (errLen > 0 && errLen < sizeof buffer) {
++    if (errLen > 0 && (unsigned int) errLen < sizeof buffer) {
+         PR_fprintf(PR_STDERR, "\t%s\n", buffer);
+     }
+ }
+ 
+ SECOidTag
+ SECU_StringToSignatureAlgTag(const char *alg)
+ {
+     SECOidTag hashAlgTag = SEC_OID_UNKNOWN;
+diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
+--- a/security/nss/cmd/lib/secutil.c
++++ b/security/nss/cmd/lib/secutil.c
+@@ -3408,17 +3408,17 @@ SECU_StoreCRL(PK11SlotInfo *slot, SECIte
+     }
+ 
+     if (outFile != NULL) {
+         if (ascii) {
+             PR_fprintf(outFile, "%s\n%s\n%s\n", NS_CRL_HEADER,
+                        BTOA_DataToAscii(derCrl->data, derCrl->len),
+                        NS_CRL_TRAILER);
+         } else {
+-            if (PR_Write(outFile, derCrl->data, derCrl->len) != derCrl->len) {
++            if (PR_Write(outFile, derCrl->data, derCrl->len) != (int) derCrl->len) {
+                 return SECFailure;
+             }
+         }
+     }
+     if (slot) {
+         CERTSignedCrl *newCrl = PK11_ImportCRL(slot, derCrl, url,
+                                                SEC_CRL_TYPE, NULL, 0, NULL, 0);
+         if (newCrl != NULL) {
+diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c
+--- a/security/nss/lib/certdb/alg1485.c
++++ b/security/nss/lib/certdb/alg1485.c
+@@ -156,17 +156,17 @@ static const PRInt16 x2b[256] = {
+ int
+ cert_AVAOidTagToMaxLen(SECOidTag tag)
+ {
+     const NameToKind* n2k = name2kinds;
+ 
+     while (n2k->kind != tag && n2k->kind != SEC_OID_UNKNOWN) {
+         ++n2k;
+     }
+-    return (n2k->kind != SEC_OID_UNKNOWN) ? n2k->maxLen : -1;
++    return (n2k->kind != SEC_OID_UNKNOWN) ? (signed) n2k->maxLen : -1;
+ }
+ 
+ static PRBool
+ IsPrintable(unsigned char* data, unsigned len)
+ {
+     unsigned char ch, *end;
+ 
+     end = data + len;
+@@ -977,17 +977,17 @@ AppendAVA(stringBuf* bufp, CERTAVA* ava,
+             if (unknownTag)
+                 PR_smprintf_free(unknownTag);
+             return SECFailure;
+         }
+     }
+ 
+     nameLen = strlen(tagName);
+     valueLen =
+-        (useHex ? avaValue->len : cert_RFC1485_GetRequiredLen(
++            (useHex ? avaValue->len : (unsigned) cert_RFC1485_GetRequiredLen(
+                                       (char*)avaValue->data, avaValue->len, &mode));
+     len = nameLen + valueLen + 2; /* Add 2 for '=' and trailing NUL */
+ 
+     maxName = nameLen;
+     maxValue = valueLen;
+     if (len <= sizeof(tmpBuf)) {
+         encodedAVA = tmpBuf;
+     } else if (strict != CERT_N2A_READABLE) {
+diff --git a/security/nss/lib/certhigh/certvfy.c b/security/nss/lib/certhigh/certvfy.c
+--- a/security/nss/lib/certhigh/certvfy.c
++++ b/security/nss/lib/certhigh/certvfy.c
+@@ -546,17 +546,17 @@ static const struct DataAndLength StartC
+ };
+ 
+ static PRBool
+ CertIsStartComOrWoSign(const CERTCertificate *cert)
+ {
+     int i;
+     const struct DataAndLength *dn = StartComAndWoSignDNs;
+ 
+-    for (i = 0; i < sizeof(StartComAndWoSignDNs) / sizeof(struct DataAndLength); ++i, dn++) {
++    for (i = 0; (unsigned) i < sizeof(StartComAndWoSignDNs) / sizeof(struct DataAndLength); ++i, dn++) {
+         if (cert->derSubject.len == dn->len &&
+             memcmp(cert->derSubject.data, dn->data, dn->len) == 0) {
+             return PR_TRUE;
+         }
+     }
+     return PR_FALSE;
+ }
+ 
+diff --git a/security/nss/lib/ckfw/builtins/bfind.c b/security/nss/lib/ckfw/builtins/bfind.c
+--- a/security/nss/lib/ckfw/builtins/bfind.c
++++ b/security/nss/lib/ckfw/builtins/bfind.c
+@@ -109,17 +109,17 @@ builtins_attrmatch(
+     if (a->ulValueLen != b->size) {
+         /* match a decoded serial number */
+         if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
+             int len;
+             unsigned char *data = NULL;
+ 
+             len = builtins_derUnwrapInt(b->data, b->size, &data);
+             if (data &&
+-                (len == a->ulValueLen) &&
++                ((unsigned) len == a->ulValueLen) &&
+                 nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) {
+                 return CK_TRUE;
+             }
+         }
+         return CK_FALSE;
+     }
+ 
+     prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
+diff --git a/security/nss/lib/cryptohi/secsign.c b/security/nss/lib/cryptohi/secsign.c
+--- a/security/nss/lib/cryptohi/secsign.c
++++ b/security/nss/lib/cryptohi/secsign.c
+@@ -722,17 +722,17 @@ sec_CreateRSAPSSParameters(PLArenaPool *
+     if (pssParams.saltLength.data) {
+         rv = SEC_ASN1DecodeInteger((SECItem *)&pssParams.saltLength,
+                                    &saltLength);
+         if (rv != SECSuccess) {
+             return NULL;
+         }
+ 
+         /* The specified salt length is too long */
+-        if (saltLength > modBytes - hashLength - 2) {
++        if (saltLength > (unsigned int) (modBytes - hashLength - 2)) {
+             PORT_SetError(SEC_ERROR_INVALID_ARGS);
+             return NULL;
+         }
+     } else if (defaultSHA1) {
+         saltLength = 20;
+     }
+ 
+     /* Fill in the parameters */
+diff --git a/security/nss/lib/dev/ckhelper.c b/security/nss/lib/dev/ckhelper.c
+--- a/security/nss/lib/dev/ckhelper.c
++++ b/security/nss/lib/dev/ckhelper.c
+@@ -127,17 +127,17 @@ nssCKObject_GetAttributes(
+ 
+     if (count > 1 && ((ckrv == CKR_ATTRIBUTE_TYPE_INVALID) ||
+                       (ckrv == CKR_ATTRIBUTE_SENSITIVE))) {
+         /* old tokens would keep the length of '0' and not deal with any
+          * of the attributes we passed. For those tokens read them one at
+          * a time */
+         for (i = 0; i < count; i++) {
+             if ((obj_template[i].ulValueLen == 0) ||
+-                (obj_template[i].ulValueLen == -1)) {
++                (obj_template[i].ulValueLen == (CK_ULONG) -1)) {
+                 obj_template[i].ulValueLen = 0;
+                 (void)nssCKObject_GetAttributes(object, &obj_template[i], 1,
+                                                 arenaOpt, session, slot);
+             }
+         }
+     }
+     return PR_SUCCESS;
+ loser:
+@@ -437,17 +437,17 @@ nssCryptokiTrust_GetAttributes(
+                                            trust_template, trust_size,
+                                            NULL, session, slot);
+         nssSlot_Destroy(slot);
+         if (status != PR_SUCCESS) {
+             return status;
+         }
+     }
+ 
+-    if (sha1_hash_attr->ulValueLen == -1) {
++    if (sha1_hash_attr->ulValueLen == (unsigned) -1) {
+         /* The trust object does not have the CKA_CERT_SHA1_HASH attribute. */
+         sha1_hash_attr->ulValueLen = 0;
+     }
+     sha1_hash->size = sha1_hash_attr->ulValueLen;
+     *serverAuth = get_nss_trust(saTrust);
+     *clientAuth = get_nss_trust(caTrust);
+     *emailProtection = get_nss_trust(epTrust);
+     *codeSigning = get_nss_trust(csTrust);
+diff --git a/security/nss/lib/freebl/aes-x86.c b/security/nss/lib/freebl/aes-x86.c
+--- a/security/nss/lib/freebl/aes-x86.c
++++ b/security/nss/lib/freebl/aes-x86.c
+@@ -144,14 +144,14 @@ rijndael_native_key_expansion(AESContext
+ void
+ rijndael_native_encryptBlock(AESContext *cx,
+                              unsigned char *output,
+                              const unsigned char *input)
+ {
+     int i;
+     pre_align __m128i m post_align = _mm_loadu_si128((__m128i *)input);
+     m = _mm_xor_si128(m, cx->keySchedule[0]);
+-    for (i = 1; i < cx->Nr; ++i) {
++    for (i = 1; (unsigned) i < cx->Nr; ++i) {
+         m = _mm_aesenc_si128(m, cx->keySchedule[i]);
+     }
+     m = _mm_aesenclast_si128(m, cx->keySchedule[cx->Nr]);
+     _mm_storeu_si128((__m128i *)output, m);
+ }
+diff --git a/security/nss/lib/freebl/blapit.h b/security/nss/lib/freebl/blapit.h
+--- a/security/nss/lib/freebl/blapit.h
++++ b/security/nss/lib/freebl/blapit.h
+@@ -192,17 +192,17 @@ typedef int __BLAPI_DEPRECATED __attribu
+  */
+ #define PQG_PBITS_TO_INDEX(bits) \
+     (((bits) < 512 || (bits) > 1024 || (bits) % 64) ? -1 : (int)((bits)-512) / 64)
+ 
+ /*
+  * function takes index (0-8)
+  * returns number of bits in P for that index, or -1 if index is invalid.
+  */
+-#define PQG_INDEX_TO_PBITS(j) (((unsigned)(j) > 8) ? -1 : (512 + 64 * (j)))
++#define PQG_INDEX_TO_PBITS(j) (((unsigned)(j) > 8) ? -1 : (signed) (512 + 64 * (j)))
+ 
+ /***************************************************************************
+ ** Opaque objects
+ */
+ 
+ struct DESContextStr;
+ struct RC2ContextStr;
+ struct RC4ContextStr;
+diff --git a/security/nss/lib/freebl/chacha20poly1305.c b/security/nss/lib/freebl/chacha20poly1305.c
+--- a/security/nss/lib/freebl/chacha20poly1305.c
++++ b/security/nss/lib/freebl/chacha20poly1305.c
+@@ -173,16 +173,18 @@ ChaCha20Xor(uint8_t *output, uint8_t *bl
+ SECStatus
+ ChaCha20_Xor(unsigned char *output, const unsigned char *block, unsigned int len,
+              const unsigned char *k, const unsigned char *nonce, PRUint32 ctr)
+ {
+ #ifdef NSS_DISABLE_CHACHAPOLY
+     return SECFailure;
+ #else
+     // ChaCha has a 64 octet block, with a 32-bit block counter.
++    // XXX the comparison always fails due to range limit.
++    // len is unsigned int.
+     if (sizeof(len) > 4 && len >= (1ULL << (6 + 32))) {
+         PORT_SetError(SEC_ERROR_INPUT_LEN);
+         return SECFailure;
+     }
+     ChaCha20Xor(output, (uint8_t *)block, len, (uint8_t *)k,
+                 (uint8_t *)nonce, ctr);
+     return SECSuccess;
+ #endif
+@@ -201,16 +203,18 @@ ChaCha20Poly1305_Seal(const ChaCha20Poly
+     unsigned char block[64];
+     unsigned char tag[16];
+ 
+     if (nonceLen != 12) {
+         PORT_SetError(SEC_ERROR_INPUT_LEN);
+         return SECFailure;
+     }
+     // ChaCha has a 64 octet block, with a 32-bit block counter.
++    // XXX the comparison always fails due to range limit.
++    // len is unsigned int.
+     if (sizeof(inputLen) > 4 && inputLen >= (1ULL << (6 + 32))) {
+         PORT_SetError(SEC_ERROR_INPUT_LEN);
+         return SECFailure;
+     }
+     if (maxOutputLen < inputLen + ctx->tagLen) {
+         PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+         return SECFailure;
+     }
+diff --git a/security/nss/lib/freebl/cmac.c b/security/nss/lib/freebl/cmac.c
+--- a/security/nss/lib/freebl/cmac.c
++++ b/security/nss/lib/freebl/cmac.c
+@@ -63,17 +63,17 @@ cmac_Encrypt(CMACContext *ctx, unsigned 
+     if (ctx->cipherType == CMAC_AES) {
+         unsigned int tmpOutputLen;
+         SECStatus rv = AES_Encrypt(&ctx->cipher.aes, output, &tmpOutputLen,
+                                    ctx->blockSize, input, inputLen);
+ 
+         /* Assumption: AES_Encrypt (when in ECB mode) always returns an
+          * output of length equal to blockSize (what was pass as the value
+          * of the maxOutputLen parameter). */
+-        PORT_Assert(tmpOutputLen == ctx->blockSize);
++        PORT_Assert(tmpOutputLen == (unsigned int) ctx->blockSize);
+         return rv;
+     }
+ 
+     return SECFailure;
+ }
+ 
+ /* NIST SP.800-38B, 6.1 Subkey Generation */
+ static SECStatus
+@@ -117,25 +117,25 @@ cmac_GenerateSubkeys(CMACContext *ctx)
+     /* Step 4: Return the values. */
+     return SECSuccess;
+ }
+ 
+ /* NIST SP.800-38B, 6.2 MAC Generation step 6 */
+ static SECStatus
+ cmac_UpdateState(CMACContext *ctx)
+ {
+-    if (ctx == NULL || ctx->partialIndex != ctx->blockSize) {
++        if (ctx == NULL || ctx->partialIndex != (unsigned int) ctx->blockSize) {
+         PORT_SetError(SEC_ERROR_INVALID_ARGS);
+         return SECFailure;
+     }
+ 
+     /* Step 6: C_i = CIPHER(key, C_{i-1} ^ M_i)  for 1 <= i <= n, and
+      *         C_0 is defined as the empty string. */
+ 
+-    for (unsigned int index = 0; index < ctx->blockSize; index++) {
++      for (/*unsigned*/ int index = 0; index < ctx->blockSize; index++) {
+         ctx->partialBlock[index] ^= ctx->lastBlock[index];
+     }
+ 
+     return cmac_Encrypt(ctx, ctx->lastBlock, ctx->partialBlock, ctx->blockSize);
+ }
+ 
+ SECStatus
+ CMAC_Init(CMACContext *ctx, CMACCipher type,
+@@ -223,32 +223,33 @@ CMAC_Update(CMACContext *ctx, const unsi
+      * the maximum of the remaining data and the remaining space in
+      * ctx->partialBlock.
+      *
+      * Note that we swap the order (encrypt *then* copy) because the last
+      * block is different from the rest. If we end on an even multiple of
+      * the block size, we have to be able to XOR it with K1. But we won't know
+      * that it is the last until CMAC_Finish is called (and by then, CMAC_Update
+      * has already returned). */
+-    while (data_index < data_len) {
+-        if (ctx->partialIndex == ctx->blockSize) {
++    while ((unsigned int) data_index < data_len) {
++        if (ctx->partialIndex == (unsigned int) ctx->blockSize) {
+             if (cmac_UpdateState(ctx) != SECSuccess) {
+                 return SECFailure;
+             }
+ 
+             ctx->partialIndex = 0;
+         }
+ 
+         unsigned int copy_len = data_len - data_index;
+         if (copy_len > (ctx->blockSize - ctx->partialIndex)) {
+             copy_len = ctx->blockSize - ctx->partialIndex;
+         }
+ 
+         PORT_Memcpy(ctx->partialBlock + ctx->partialIndex, data + data_index, copy_len);
+         data_index += copy_len;
++        PORT_Assert(data_index >= 0); // check for overflow just in case.
+         ctx->partialIndex += copy_len;
+     }
+ 
+     return SECSuccess;
+ }
+ 
+ /* NIST SP.800-38B, 6.2 MAC Generation */
+ SECStatus
+@@ -256,39 +257,39 @@ CMAC_Finish(CMACContext *ctx, unsigned c
+             unsigned int *result_len,
+             unsigned int max_result_len)
+ {
+     if (ctx == NULL || result == NULL || max_result_len == 0) {
+         PORT_SetError(SEC_ERROR_INVALID_ARGS);
+         return SECFailure;
+     }
+ 
+-    if (max_result_len > ctx->blockSize) {
++    if (max_result_len > (unsigned int) ctx->blockSize) {
+         /* This is a weird situation. The PKCS #11 soft tokencode passes
+          * sizeof(result) here, which is hard-coded as SFTK_MAX_MAC_LENGTH.
+          * This later gets truncated to min(SFTK_MAX_MAC_LENGTH, requested). */
+         max_result_len = ctx->blockSize;
+     }
+ 
+     /* Step 4: If M_n* is a complete block, M_n = K1 ^ M_n*. Else,
+      * M_n = K2 ^ (M_n* || 10^j). */
+-    if (ctx->partialIndex == ctx->blockSize) {
++    if (ctx->partialIndex == (unsigned int) ctx->blockSize) {
+         /* XOR in K1. */
+-        for (unsigned int index = 0; index < ctx->blockSize; index++) {
++        for (/*unsigned*/ int index = 0; index < ctx->blockSize; index++) {
+             ctx->partialBlock[index] ^= ctx->k1[index];
+         }
+     } else {
+         /* Use 10* padding on the partial block. */
+         ctx->partialBlock[ctx->partialIndex++] = 0x80;
+         PORT_Memset(ctx->partialBlock + ctx->partialIndex, 0,
+                     ctx->blockSize - ctx->partialIndex);
+         ctx->partialIndex = ctx->blockSize;
+ 
+         /* XOR in K2. */
+-        for (unsigned int index = 0; index < ctx->blockSize; index++) {
++        for (/*unsigned*/ int index = 0; index < ctx->blockSize; index++) {
+             ctx->partialBlock[index] ^= ctx->k2[index];
+         }
+     }
+ 
+     /* Encrypt the block. */
+     if (cmac_UpdateState(ctx) != SECSuccess) {
+         return SECFailure;
+     }
+diff --git a/security/nss/lib/freebl/ctr.c b/security/nss/lib/freebl/ctr.c
+--- a/security/nss/lib/freebl/ctr.c
++++ b/security/nss/lib/freebl/ctr.c
+@@ -125,17 +125,17 @@ CTR_Update(CTRContext *ctr, unsigned cha
+            const unsigned char *inbuf, unsigned int inlen,
+            unsigned int blocksize)
+ {
+     unsigned int tmp;
+     SECStatus rv;
+ 
+     // Limit block count to 2^counterBits - 2
+     if (ctr->counterBits < (sizeof(unsigned int) * 8) &&
+-        inlen > ((1 << ctr->counterBits) - 2) * AES_BLOCK_SIZE) {
++        inlen > ((unsigned int) (1 << ctr->counterBits) - 2) * AES_BLOCK_SIZE) {
+         PORT_SetError(SEC_ERROR_INPUT_LEN);
+         return SECFailure;
+     }
+     if (maxout < inlen) {
+         *outlen = inlen;
+         PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+         return SECFailure;
+     }
+diff --git a/security/nss/lib/freebl/ec.c b/security/nss/lib/freebl/ec.c
+--- a/security/nss/lib/freebl/ec.c
++++ b/security/nss/lib/freebl/ec.c
+@@ -94,17 +94,17 @@ ec_points_mul(const ECParams *params, co
+         printf("\n");
+     }
+ #endif
+ 
+     /* NOTE: We only support uncompressed points for now */
+     len = (params->fieldID.size + 7) >> 3;
+     if (pointP != NULL) {
+         if ((pointP->data[0] != EC_POINT_FORM_UNCOMPRESSED) ||
+-            (pointP->len != (2 * len + 1))) {
++            (pointP->len != (unsigned) (2 * len + 1))) {
+             PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM);
+             return SECFailure;
+         };
+     }
+ 
+     MP_DIGITS(&Px) = 0;
+     MP_DIGITS(&Py) = 0;
+     MP_DIGITS(&Qx) = 0;
+@@ -447,17 +447,17 @@ EC_ValidatePublicKey(ECParams *ecParams,
+         return method->validate(publicValue);
+     }
+ 
+     /* NOTE: We only support uncompressed points for now */
+     len = (ecParams->fieldID.size + 7) >> 3;
+     if (publicValue->data[0] != EC_POINT_FORM_UNCOMPRESSED) {
+         PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM);
+         return SECFailure;
+-    } else if (publicValue->len != (2 * len + 1)) {
++    } else if (publicValue->len != (unsigned) (2 * len + 1)) {
+         PORT_SetError(SEC_ERROR_BAD_KEY);
+         return SECFailure;
+     }
+ 
+     MP_DIGITS(&Px) = 0;
+     MP_DIGITS(&Py) = 0;
+     CHECK_MPI_OK(mp_init(&Px));
+     CHECK_MPI_OK(mp_init(&Py));
+diff --git a/security/nss/lib/freebl/ecl/ecp_25519.c b/security/nss/lib/freebl/ecl/ecp_25519.c
+--- a/security/nss/lib/freebl/ecl/ecp_25519.c
++++ b/security/nss/lib/freebl/ecl/ecp_25519.c
+@@ -80,17 +80,17 @@ ec_Curve25519_pt_validate(const SECItem 
+     };
+ 
+     if (px->len == 32) {
+         p = px->data;
+     } else {
+         return SECFailure;
+     }
+ 
+-    for (i = 0; i < PR_ARRAY_SIZE(forbiddenValues); ++i) {
++    for (i = 0; (unsigned) i < PR_ARRAY_SIZE(forbiddenValues); ++i) {
+         if (NSS_SecureMemcmp(p, forbiddenValues[i], px->len) == 0) {
+             return SECFailure;
+         }
+     }
+ 
+     return SECSuccess;
+ }
+ 
+diff --git a/security/nss/lib/freebl/mpi/mpi.c b/security/nss/lib/freebl/mpi/mpi.c
+--- a/security/nss/lib/freebl/mpi/mpi.c
++++ b/security/nss/lib/freebl/mpi/mpi.c
+@@ -2110,19 +2110,19 @@ s_mp_fixup_reciprocal(const mp_int *c, c
+     /* make sure x is large enough */
+     ix = MP_HOWMANY(k, MP_DIGIT_BIT) + MP_USED(p) + 1;
+     ix = MP_MAX(ix, MP_USED(x));
+     MP_CHECKOK(s_mp_pad(x, ix));
+ 
+     r = 0 - s_mp_invmod_radix(MP_DIGIT(p, 0));
+ 
+     for (ix = 0; k > 0; ix++) {
+-        int j = MP_MIN(k, MP_DIGIT_BIT);
++        int j = MP_MIN((unsigned int) k, MP_DIGIT_BIT);
+         mp_digit v = r * MP_DIGIT(x, ix);
+-        if (j < MP_DIGIT_BIT) {
++        if ((unsigned int) j < MP_DIGIT_BIT) {
+             v &= ((mp_digit)1 << j) - 1; /* v = v mod (2 ** j) */
+         }
+         s_mp_mul_d_add_offset(p, v, x, ix); /* x += p * v * (RADIX ** ix) */
+         k -= j;
+     }
+     s_mp_clamp(x);
+     s_mp_div_2d(x, k_orig);
+     res = MP_OKAY;
+@@ -4597,17 +4597,18 @@ s_mp_tovalue(char ch, int r)
+   expected to know what you're doing.
+  */
+ 
+ char
+ s_mp_todigit(mp_digit val, int r, int low)
+ {
+     char ch;
+ 
+-    if (val >= r)
++    assert(r > 0);
++    if (val >= (unsigned int) r)
+         return 0;
+ 
+     ch = s_dmap_1[val];
+ 
+     if (r <= 36 && low)
+         ch = tolower(ch);
+ 
+     return ch;
+diff --git a/security/nss/lib/freebl/mpi/mplogic.c b/security/nss/lib/freebl/mpi/mplogic.c
+--- a/security/nss/lib/freebl/mpi/mplogic.c
++++ b/security/nss/lib/freebl/mpi/mplogic.c
+@@ -229,17 +229,17 @@ mpl_num_set(mp_int *a, int *num)
+     mp_digit cur;
+     unsigned char reg;
+ 
+     ARGCHK(a != NULL, MP_BADARG);
+ 
+     for (ix = 0; ix < USED(a); ix++) {
+         cur = DIGIT(a, ix);
+ 
+-        for (db = 0; db < sizeof(mp_digit); db++) {
++        for (db = 0; (unsigned int) db < sizeof(mp_digit); db++) {
+             reg = (unsigned char)(cur >> (CHAR_BIT * db));
+ 
+             nset += bitc[reg];
+         }
+     }
+ 
+     if (num)
+         *num = nset;
+@@ -260,17 +260,17 @@ mpl_num_clear(mp_int *a, int *num)
+     mp_digit cur;
+     unsigned char reg;
+ 
+     ARGCHK(a != NULL, MP_BADARG);
+ 
+     for (ix = 0; ix < USED(a); ix++) {
+         cur = DIGIT(a, ix);
+ 
+-        for (db = 0; db < sizeof(mp_digit); db++) {
++        for (db = 0; (unsigned int) db < sizeof(mp_digit); db++) {
+             reg = (unsigned char)(cur >> (CHAR_BIT * db));
+ 
+             nset += bitc[UCHAR_MAX - reg];
+         }
+     }
+ 
+     if (num)
+         *num = nset;
+diff --git a/security/nss/lib/freebl/pqg.c b/security/nss/lib/freebl/pqg.c
+--- a/security/nss/lib/freebl/pqg.c
++++ b/security/nss/lib/freebl/pqg.c
+@@ -1645,17 +1645,17 @@ PQG_VerifyParams(const PQGParams *params
+     /* always need at least p, q, and seed for any meaningful check */
+     if ((params->prime.len == 0) || (params->subPrime.len == 0) ||
+         (vfy->seed.len == 0)) {
+         PORT_SetError(SEC_ERROR_INVALID_ARGS);
+         return SECFailure;
+     }
+     /* we want to either check PQ or G or both. If we don't have G, make
+      * sure we have count so we can check P. */
+-    if ((params->base.len == 0) && (vfy->counter == -1)) {
++    if ((params->base.len == 0) && (vfy->counter == (unsigned) -1)) {
+         PORT_SetError(SEC_ERROR_INVALID_ARGS);
+         return SECFailure;
+     }
+ 
+     MP_DIGITS(&p0) = 0;
+     MP_DIGITS(&P) = 0;
+     MP_DIGITS(&Q) = 0;
+     MP_DIGITS(&G) = 0;
+@@ -1715,17 +1715,18 @@ PQG_VerifyParams(const PQGParams *params
+     /* This function checks all possible hash and generation types to
+      * find a Q_ which matches Q. */
+     g = vfy->seed.len * 8;
+     CHECKPARAM(findQfromSeed(L, N, g, &vfy->seed, &Q, &Q_, &qseed_len,
+                              &hashtype, &type, &qgen_counter_) == SECSuccess);
+     CHECKPARAM(mp_cmp(&Q, &Q_) == 0);
+     /* now we can do steps 7  & 8*/
+     if ((type == FIPS186_1_TYPE) || (type == FIPS186_3_TYPE)) {
+-        CHECKPARAM((vfy->counter == -1) || (vfy->counter < counter_max));
++            CHECKPARAM((vfy->counter == (unsigned int) -1) ||
++                       (vfy->counter < counter_max));
+         CHECKPARAM(g >= N && g < counter_max / 2);
+     }
+     if (type == FIPS186_3_ST_TYPE) {
+         SECItem qseed = { 0, 0, 0 };
+         SECItem pseed = { 0, 0, 0 };
+         unsigned int first_seed_len;
+         unsigned int pgen_counter_ = 0;
+         unsigned int qgen_counter = (vfy->counter >> 16) & 0xffff;
+@@ -1785,23 +1786,23 @@ PQG_VerifyParams(const PQGParams *params
+                     goto cleanup;
+                 }
+             }
+             pseed.data += extra;
+             pseed.len -= extra;
+             /* the rest is handled in the normal compare below */
+         }
+         CHECKPARAM(SECITEM_CompareItem(&pseed, &pseed_) == SECEqual);
+-        if (vfy->counter != -1) {
++        if (vfy->counter != (unsigned int) -1) {
+             CHECKPARAM(pgen_counter < counter_max);
+             CHECKPARAM(qgen_counter < counter_max);
+             CHECKPARAM((pgen_counter_ == pgen_counter));
+             CHECKPARAM((qgen_counter_ == qgen_counter));
+         }
+-    } else if (vfy->counter == -1) {
++    } else if (vfy->counter == (unsigned int) -1) {
+         /* If counter is set to -1, we are really only verifying G, skip
+          * the remainder of the checks for P */
+         CHECKPARAM(type != FIPS186_1_TYPE); /* we only do this for DSA2 */
+     } else {
+         /* 10. P generated from (L, counter, g, SEED, Q) matches P
+          * in PQGParams. */
+         outlen = HASH_ResultLen(hashtype) * PR_BITS_PER_BYTE;
+         PORT_Assert(outlen > 0);
+diff --git a/security/nss/lib/freebl/rsa.c b/security/nss/lib/freebl/rsa.c
+--- a/security/nss/lib/freebl/rsa.c
++++ b/security/nss/lib/freebl/rsa.c
+@@ -243,21 +243,21 @@ rsa_fips186_verify(mp_int *p, mp_int *q,
+     /* p & q are already known to be greater then sqrt(2)*2^(keySize/2-1) */
+     /* we also know that gcd(p-1,e) = 1 and gcd(q-1,e) = 1 because the
+      * mp_invmod() function will fail. */
+     /* now check p-q > 2^(keysize/2-100) */
+     MP_DIGITS(&pq_diff) = 0;
+     CHECK_MPI_OK(mp_init(&pq_diff));
+     /* NSS always has p > q, so we know pq_diff is positive */
+     CHECK_MPI_OK(mp_sub(p, q, &pq_diff));
+-    if ((unsigned)mpl_significant_bits(&pq_diff) < (keySizeInBits / 2 - 100)) {
++    if ((int) mpl_significant_bits(&pq_diff) < (keySizeInBits / 2 - 100)) {
+         goto cleanup;
+     }
+     /* now verify d is large enough*/
+-    if ((unsigned)mpl_significant_bits(d) < (keySizeInBits / 2)) {
++    if ((int) mpl_significant_bits(d) < (keySizeInBits / 2)) {
+         goto cleanup;
+     }
+     ret = PR_TRUE;
+ 
+ cleanup:
+     mp_clear(&pq_diff);
+     return ret;
+ }
+diff --git a/security/nss/lib/freebl/rsapkcs.c b/security/nss/lib/freebl/rsapkcs.c
+--- a/security/nss/lib/freebl/rsapkcs.c
++++ b/security/nss/lib/freebl/rsapkcs.c
+@@ -111,17 +111,17 @@ rsa_modulusBits(SECItem *modulus)
+ static unsigned char *
+ rsa_FormatOneBlock(unsigned modulusLen,
+                    RSA_BlockType blockType,
+                    SECItem *data)
+ {
+     unsigned char *block;
+     unsigned char *bp;
+     unsigned int padLen;
+-    int i, j;
++    unsigned int i, j;
+     SECStatus rv;
+ 
+     block = (unsigned char *)PORT_Alloc(modulusLen);
+     if (block == NULL)
+         return NULL;
+ 
+     bp = block;
+ 
+diff --git a/security/nss/lib/jar/jar.c b/security/nss/lib/jar/jar.c
+--- a/security/nss/lib/jar/jar.c
++++ b/security/nss/lib/jar/jar.c
+@@ -418,17 +418,17 @@ JAR_find_next(JAR_Context *ctx, JAR_Item
+         PORT_Assert(ctx->next != NULL);
+         if (ctx->next == NULL) {
+             *it = NULL;
+             return -1;
+         }
+         while (!ZZ_ListIterDone(list, ctx->next)) {
+             *it = ctx->next->thing;
+             ctx->next = ctx->next->next;
+-            if (!*it || (*it)->type != finding)
++            if (!*it || (*it)->type != (unsigned) finding)
+                 continue;
+             if (ctx->pattern && *ctx->pattern) {
+                 if (PORT_RegExpSearch((*it)->pathname, ctx->pattern))
+                     continue;
+             }
+             /* We have a valid match. If this is a jarTypeSign
+ 	       return the certificate instead.. */
+             if (ctx->finding == jarTypeSign) {
+@@ -457,17 +457,17 @@ jar_find_first_cert(JAR_Signer *signer, 
+     if (ZZ_ListEmpty(list)) {
+         /* empty list */
+         return JAR_ERR_PNF;
+     }
+ 
+     for (link = ZZ_ListHead(list);
+          !ZZ_ListIterDone(list, link);
+          link = link->next) {
+-        if (link->thing->type == type) {
++         if (link->thing->type == (unsigned) type) {
+             *it = link->thing;
+             status = 0;
+             break;
+         }
+     }
+     return status;
+ }
+ 
+diff --git a/security/nss/lib/jar/jarfile.c b/security/nss/lib/jar/jarfile.c
+--- a/security/nss/lib/jar/jarfile.c
++++ b/security/nss/lib/jar/jarfile.c
+@@ -319,17 +319,17 @@ jar_physical_inflate(JAR_FILE fp, char *
+         int status2 = 0;
+         unsigned long at = 0;
+ 
+         JAR_FSEEK(fp, offset, (PRSeekWhence)0);
+         while (at < length) {
+             unsigned long chunk = (at + ICHUNK <= length) ? ICHUNK : length - at;
+             unsigned long tin;
+ 
+-            if (JAR_FREAD(fp, inbuf, chunk) != chunk) {
++            if (JAR_FREAD(fp, inbuf, chunk) != (signed long) chunk) {
+                 /* incomplete read */
+                 JAR_FCLOSE(out);
+                 status = JAR_ERR_CORRUPT;
+                 break;
+             }
+             at += chunk;
+             if (at == length) {
+                 /* add an extra dummy byte at the end */
+@@ -580,17 +580,17 @@ jar_extract_mf(JAR *jar, jarArch format,
+             /* Read in the manifest and parse it */
+             /* Raw inflate in zlib 1.1.4 needs an extra dummy byte at the end */
+             manifest = (char *)PORT_ZAlloc(phy->length + 1);
+             if (!manifest)
+                 return JAR_ERR_MEMORY;
+ 
+             JAR_FSEEK(fp, phy->offset, (PRSeekWhence)0);
+             num = JAR_FREAD(fp, manifest, phy->length);
+-            if (num != phy->length) {
++            if (num != (signed long) phy->length) {
+                 /* corrupt archive file */
+                 PORT_Free(manifest);
+                 return JAR_ERR_CORRUPT;
+             }
+ 
+             if (phy->compression == 8) {
+                 length = phy->length;
+                 /* add an extra dummy byte at the end */
+@@ -704,17 +704,17 @@ jar_listzip(JAR *jar, JAR_FILE fp)
+             filename_len = x86ShortToUint32(Local->filename_len);
+             extra_len = x86ShortToUint32(Local->extrafield_len);
+             if (filename_len >= JAR_SIZE) {
+                 /* corrupt zip file */
+                 err = JAR_ERR_CORRUPT;
+                 goto loser;
+             }
+ 
+-            if (JAR_FREAD(fp, filename, filename_len) != filename_len) {
++            if (JAR_FREAD(fp, filename, filename_len) != (signed long) filename_len) {
+                 /* truncated archive file */
+                 err = JAR_ERR_CORRUPT;
+                 goto loser;
+             }
+             filename[filename_len] = 0;
+             /* Add this to our jar chain */
+             phy = PORT_ZNew(JAR_Physical);
+             if (phy == NULL) {
+@@ -770,17 +770,17 @@ jar_listzip(JAR *jar, JAR_FILE fp)
+                 /* we have to read the filename, again */
+                 filename_len = x86ShortToUint32(Central->filename_len);
+                 if (filename_len >= JAR_SIZE) {
+                     /* corrupt in central directory */
+                     err = JAR_ERR_CORRUPT;
+                     goto loser;
+                 }
+ 
+-                if (JAR_FREAD(fp, filename, filename_len) != filename_len) {
++                if (JAR_FREAD(fp, filename, filename_len) != (signed long) filename_len) {
+                     /* truncated in central directory */
+                     err = JAR_ERR_CORRUPT;
+                     goto loser;
+                 }
+                 filename[filename_len] = 0;
+ 
+                 /* look up this name again */
+                 phy = jar_get_physical(jar, filename);
+@@ -833,17 +833,17 @@ jar_listtar(JAR *jar, JAR_FILE fp)
+     JAR_Physical *phy;
+     long pos = 0L;
+     long sz;
+     union TarEntry tarball;
+ 
+     while (1) {
+         JAR_FSEEK(fp, pos, (PRSeekWhence)0);
+ 
+-        if (JAR_FREAD(fp, &tarball, sizeof tarball) < sizeof tarball)
++        if (JAR_FREAD(fp, &tarball, sizeof tarball) < (int) sizeof tarball)
+             break;
+ 
+         if (!*tarball.val.filename)
+             break;
+ 
+         sz = octalToLong(tarball.val.size);
+ 
+         /* Tag the end of filename */
+diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
+--- a/security/nss/lib/pk11wrap/pk11cert.c
++++ b/security/nss/lib/pk11wrap/pk11cert.c
+@@ -423,17 +423,17 @@ PK11_FindCertHandlesForKeyHandle(PK11Slo
+     const int idAttrCount = sizeof(idTemplate) / sizeof(idTemplate[0]);
+     CK_RV crv = PK11_GetAttributes(&arena.arena, slot, keyHandle, idTemplate, idAttrCount);
+     if (crv != CKR_OK) {
+         PORT_DestroyCheapArena(&arena);
+         PORT_SetError(PK11_MapError(crv));
+         return NULL;
+     }
+ 
+-    if ((idTemplate[0].ulValueLen == 0) || (idTemplate[0].ulValueLen == -1)) {
++    if ((idTemplate[0].ulValueLen == 0) || (idTemplate[0].ulValueLen == (CK_ULONG) -1)) {
+         PORT_DestroyCheapArena(&arena);
+         PORT_SetError(SEC_ERROR_BAD_KEY);
+         return NULL;
+     }
+ 
+     CK_OBJECT_CLASS searchClass = CKO_CERTIFICATE;
+     CK_ATTRIBUTE searchTemplate[] = {
+         idTemplate[0],
+diff --git a/security/nss/lib/pk11wrap/pk11kea.c b/security/nss/lib/pk11wrap/pk11kea.c
+--- a/security/nss/lib/pk11wrap/pk11kea.c
++++ b/security/nss/lib/pk11wrap/pk11kea.c
+@@ -32,17 +32,18 @@ pk11_FindRSAPubKey(PK11SlotInfo *slot)
+     int template_count = sizeof(theTemplate) / sizeof(theTemplate[0]);
+     CK_ATTRIBUTE *attrs = theTemplate;
+ 
+     PK11_SETATTRS(attrs, CKA_CLASS, &class_type, sizeof(class_type));
+     attrs++;
+     PK11_SETATTRS(attrs, CKA_KEY_TYPE, &key_type, sizeof(key_type));
+     attrs++;
+     template_count = attrs - theTemplate;
+-    PR_ASSERT(template_count <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE));
++    PR_ASSERT(template_count >= 0);
++    PR_ASSERT((unsigned int) template_count <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE));
+ 
+     return pk11_FindObjectByTemplate(slot, theTemplate, template_count);
+ }
+ 
+ PK11SymKey *
+ pk11_KeyExchange(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+                  CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags,
+                  PRBool isPerm, PK11SymKey *symKey)
+diff --git a/security/nss/lib/pk11wrap/pk11merge.c b/security/nss/lib/pk11wrap/pk11merge.c
+--- a/security/nss/lib/pk11wrap/pk11merge.c
++++ b/security/nss/lib/pk11wrap/pk11merge.c
+@@ -70,18 +70,18 @@ pk11_copyAttributes(PLArenaPool *arena,
+     if (crv == CKR_ATTRIBUTE_TYPE_INVALID) {
+         CK_ULONG i, j;
+         newTemplate = PORT_NewArray(CK_ATTRIBUTE, copyTemplateCount);
+         if (!newTemplate) {
+             return SECFailure;
+         }
+         /* remove the unknown attributes. If we don't have enough attributes
+          * PK11_CreateNewObject() will fail */
+-        for (i = 0, j = 0; i < copyTemplateCount; i++) {
+-            if (copyTemplate[i].ulValueLen != -1) {
++        for (i = 0, j = 0; (unsigned) i < copyTemplateCount; i++) {
++                if (copyTemplate[i].ulValueLen != (unsigned) -1) {
+                 newTemplate[j] = copyTemplate[i];
+                 j++;
+             }
+         }
+         copyTemplate = newTemplate;
+         copyTemplateCount = j;
+         crv = PK11_GetAttributes(arena, sourceSlot, sourceID,
+                                  copyTemplate, copyTemplateCount);
+@@ -120,17 +120,17 @@ pk11_matchAcrossTokens(PLArenaPool *aren
+     *peer = CK_INVALID_HANDLE;
+ 
+     crv = PK11_GetAttributes(arena, sourceSlot, id, template, tsize);
+     if (crv != CKR_OK) {
+         PORT_SetError(PK11_MapError(crv));
+         goto loser;
+     }
+ 
+-    if (template[0].ulValueLen == -1) {
++    if (template[0].ulValueLen == (unsigned) -1) {
+         crv = CKR_ATTRIBUTE_TYPE_INVALID;
+         PORT_SetError(PK11_MapError(crv));
+         goto loser;
+     }
+ 
+     *peer = pk11_FindObjectByTemplate(targetSlot, template, tsize);
+     return SECSuccess;
+ 
+diff --git a/security/nss/lib/pk11wrap/pk11obj.c b/security/nss/lib/pk11wrap/pk11obj.c
+--- a/security/nss/lib/pk11wrap/pk11obj.c
++++ b/security/nss/lib/pk11wrap/pk11obj.c
+@@ -1244,17 +1244,17 @@ PK11_UnwrapPrivKey(PK11SlotInfo *slot, P
+ 
+     if (PK11_IsInternal(slot)) {
+         PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, idValue->data,
+                       idValue->len);
+         attrs++;
+     }
+ 
+     templateCount = attrs - keyTemplate;
+-    PR_ASSERT(templateCount <= (sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)));
++    PR_ASSERT((unsigned) templateCount <= (sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)));
+ 
+     mechanism.mechanism = wrapType;
+     if (!param)
+         param = param_free = PK11_ParamFromIV(wrapType, NULL);
+     if (param) {
+         mechanism.pParameter = param->data;
+         mechanism.ulParameterLen = param->len;
+     } else {
+@@ -1923,17 +1923,17 @@ PK11_FindRawCertsWithSubject(PK11SlotInf
+         return SECSuccess;
+     }
+     PORT_Assert(handleCount > 0);
+     if (handleCount <= 0) {
+         PORT_Free(handles);
+         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+         return SECFailure;
+     }
+-    if (handleCount > INT_MAX / sizeof(SECItem)) {
++    if ((unsigned) handleCount > INT_MAX / sizeof(SECItem)) {
+         PORT_Free(handles);
+         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+         return SECFailure;
+     }
+     PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+     if (!arena) {
+         PORT_Free(handles);
+         return SECFailure;
+@@ -2000,17 +2000,17 @@ PK11_MatchItem(PK11SlotInfo *slot, CK_OB
+ 
+     crv = PK11_GetAttributes(&tmpArena.arena, slot, searchID, theTemplate, tsize);
+     if (crv != CKR_OK) {
+         PORT_DestroyCheapArena(&tmpArena);
+         PORT_SetError(PK11_MapError(crv));
+         return CK_INVALID_HANDLE;
+     }
+ 
+-    if ((theTemplate[0].ulValueLen == 0) || (theTemplate[0].ulValueLen == -1)) {
++    if ((theTemplate[0].ulValueLen == 0) || (theTemplate[0].ulValueLen == (unsigned) -1)) {
+         PORT_DestroyCheapArena(&tmpArena);
+         if (matchclass == CKO_CERTIFICATE)
+             PORT_SetError(SEC_ERROR_BAD_KEY);
+         else
+             PORT_SetError(SEC_ERROR_NO_KEY);
+         return CK_INVALID_HANDLE;
+     }
+ 
+diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c
+--- a/security/nss/lib/pk11wrap/pk11pars.c
++++ b/security/nss/lib/pk11wrap/pk11pars.c
+@@ -490,20 +490,20 @@ secmod_parsePolicyValue(const char *poli
+                                       currentString < policyFlags + policyLength;) {
+         int length;
+         PRBool unknown = PR_TRUE;
+         flag = secmod_ArgGetSubValue(currentString, ',', ':', &length,
+                                      &currentString);
+         if (length == 0) {
+             continue;
+         }
+-        for (i = 0; i < PR_ARRAY_SIZE(policyFlagList); i++) {
++        for (i = 0; (unsigned) i < PR_ARRAY_SIZE(policyFlagList); i++) {
+             const policyFlagDef *policy = &policyFlagList[i];
+             unsigned name_size = policy->name_size;
+-            if ((policy->name_size == length) &&
++            if ((policy->name_size == (unsigned) length) &&
+                 PORT_Strncasecmp(policy->name, flag, name_size) == 0) {
+                 flags |= policy->flag;
+                 unknown = PR_FALSE;
+                 break;
+             }
+         }
+         if (unknown && printPolicyFeedback) {
+             PR_SetEnv("NSS_POLICY_FAIL=1");
+@@ -522,18 +522,18 @@ secmod_getPolicyOptValue(const char *pol
+ {
+     PRInt32 val = atoi(policyValue);
+     int i;
+ 
+     if ((val != 0) || (*policyValue == '0')) {
+         *result = val;
+         return SECSuccess;
+     }
+-    for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
+-        if (policyValueLength == sslOptList[i].name_size &&
++    for (i = 0; (unsigned) i < PR_ARRAY_SIZE(sslOptList); i++) {
++        if ((unsigned) policyValueLength == sslOptList[i].name_size &&
+             PORT_Strncasecmp(sslOptList[i].name, policyValue,
+                              sslOptList[i].name_size) == 0) {
+             *result = sslOptList[i].option;
+             return SECSuccess;
+         }
+     }
+     return SECFailure;
+ }
+@@ -592,20 +592,20 @@ secmod_applyCryptoPolicy(const char *pol
+ 
+         for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
+             const algListsDef *algOptList = &algOptLists[i];
+             for (j = 0; j < algOptList->entries; j++) {
+                 const oidValDef *algOpt = &algOptList->list[j];
+                 unsigned name_size = algOpt->name_size;
+                 PRBool newOption = PR_FALSE;
+ 
+-                if ((length >= name_size) && (cipher[name_size] == '/')) {
++                if (((unsigned) length >= name_size) && (cipher[name_size] == '/')) {
+                     newOption = PR_TRUE;
+                 }
+-                if ((newOption || algOpt->name_size == length) &&
++                if ((newOption || algOpt->name_size == (unsigned) length) &&
+                     PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
+                     PRUint32 value = algOpt->val;
+                     PRUint32 enable, disable;
+                     if (newOption) {
+                         value = secmod_parsePolicyValue(&cipher[name_size] + 1,
+                                                         length - name_size - 1,
+                                                         printPolicyFeedback);
+                     }
+@@ -630,17 +630,17 @@ secmod_applyCryptoPolicy(const char *pol
+         if (!unknown) {
+             continue;
+         }
+ 
+         for (i = 0; i < PR_ARRAY_SIZE(freeOptList); i++) {
+             const optionFreeDef *freeOpt = &freeOptList[i];
+             unsigned name_size = freeOpt->name_size;
+ 
+-            if ((length > name_size) && cipher[name_size] == '=' &&
++            if (((unsigned) length > name_size) && cipher[name_size] == '=' &&
+                 PORT_Strncasecmp(freeOpt->name, cipher, name_size) == 0) {
+                 PRInt32 val;
+                 const char *policyValue = &cipher[name_size + 1];
+                 int policyValueLength = length - name_size - 1;
+                 rv = secmod_getPolicyOptValue(policyValue, policyValueLength,
+                                               &val);
+                 if (rv != SECSuccess) {
+                     if (printPolicyFeedback) {
+@@ -1569,17 +1569,17 @@ secmod_MkAppendTokensList(PLArenaPool *a
+         length += secmod_getChildLength(oldChildren[i], oldIds[i]);
+     }
+ 
+     /* add the new token */
+     length += secmod_getChildLength(newToken, newID);
+ 
+     /* and it's new children */
+     for (i = 0; children && children[i]; i++) {
+-        if (ids[i] == -1) {
++        if (ids[i] == (unsigned) -1) {
+             continue;
+         }
+         length += secmod_getChildLength(children[i], ids[i]);
+     }
+ 
+     /* now allocate and build the string */
+     mark = PORT_ArenaMark(arena);
+     if (!mark) {
+@@ -1606,17 +1606,17 @@ secmod_MkAppendTokensList(PLArenaPool *a
+     }
+ 
+     rv = secmod_mkTokenChild(&nextParam, &length, newToken, newID);
+     if (rv != SECSuccess) {
+         goto loser;
+     }
+ 
+     for (i = 0; children && children[i]; i++) {
+-        if (ids[i] == -1) {
++        if (ids[i] == (unsigned) -1) {
+             continue;
+         }
+         rv = secmod_mkTokenChild(&nextParam, &length, children[i], ids[i]);
+         if (rv != SECSuccess) {
+             goto loser;
+         }
+     }
+ 
+diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c
+--- a/security/nss/lib/pk11wrap/pk11pk12.c
++++ b/security/nss/lib/pk11wrap/pk11pk12.c
+@@ -517,17 +517,17 @@ PK11_ImportAndReturnPrivateKey(PK11SlotI
+                           lpk->u.ec.publicValue.len);
+             attrs++;
+             break;
+         default:
+             PORT_SetError(SEC_ERROR_BAD_KEY);
+             goto loser;
+     }
+     templateCount = attrs - theTemplate;
+-    PORT_Assert(templateCount <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE));
++    PORT_Assert((unsigned) templateCount <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE));
+     if (lpk->keyType != ecKey) {
+         PORT_Assert(signedattr);
+         signedcount = attrs - signedattr;
+         for (ap = signedattr; signedcount; ap++, signedcount--) {
+             pk11_SignedToUnsigned(ap);
+         }
+     }
+ 
+diff --git a/security/nss/lib/pk11wrap/pk11pqg.c b/security/nss/lib/pk11wrap/pk11pqg.c
+--- a/security/nss/lib/pk11wrap/pk11pqg.c
++++ b/security/nss/lib/pk11wrap/pk11pqg.c
+@@ -84,17 +84,17 @@ PK11_PQG_ParamGenV2(unsigned int L, unsi
+         attrs++;
+     }
+     if (seedBits != 0) {
+         PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_SEED_BITS,
+                       &seedBits, sizeof(seedBits));
+         attrs++;
+     }
+     count = attrs - genTemplate;
+-    PR_ASSERT(count <= sizeof(genTemplate) / sizeof(CK_ATTRIBUTE));
++    PR_ASSERT((unsigned) count <= sizeof(genTemplate) / sizeof(CK_ATTRIBUTE));
+ 
+     slot = PK11_GetInternalSlot();
+     if (slot == NULL) {
+         /* set error */
+         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); /* shouldn't happen */
+         goto loser;
+     }
+ 
+@@ -294,34 +294,34 @@ PK11_PQG_VerifyParams(const PQGParams *p
+     attrs++;
+     if (params->base.len) {
+         PK11_SETATTRS(attrs, CKA_BASE, params->base.data, params->base.len);
+         attrs++;
+     }
+     PK11_SETATTRS(attrs, CKA_TOKEN, &ckfalse, sizeof(ckfalse));
+     attrs++;
+     if (vfy) {
+-        if (vfy->counter != -1) {
++        if (vfy->counter != (unsigned) -1) {
+             counter = vfy->counter;
+             PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_COUNTER,
+                           &counter, sizeof(counter));
+             attrs++;
+         }
+         PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_SEED,
+                       vfy->seed.data, vfy->seed.len);
+         attrs++;
+         if (vfy->h.len) {
+             PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_H,
+                           vfy->h.data, vfy->h.len);
+             attrs++;
+         }
+     }
+ 
+     keyCount = attrs - keyTempl;
+-    PORT_Assert(keyCount <= sizeof(keyTempl) / sizeof(keyTempl[0]));
++    PORT_Assert((unsigned) keyCount <= sizeof(keyTempl) / sizeof(keyTempl[0]));
+ 
+     slot = PK11_GetInternalSlot();
+     if (slot == NULL) {
+         return SECFailure;
+     }
+ 
+     PK11_EnterSlotMonitor(slot);
+     crv = PK11_GETTAB(slot)->C_CreateObject(slot->session, keyTempl, keyCount,
+diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
+--- a/security/nss/lib/pk11wrap/pk11skey.c
++++ b/security/nss/lib/pk11wrap/pk11skey.c
+@@ -396,17 +396,18 @@ PK11_GetWrapKey(PK11SlotInfo *slot, int 
+  *
+  * Either way, using this function is inadvisable.  It's provided for ABI
+  * compatibility only.
+  */
+ void
+ PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey)
+ {
+     PK11_EnterSlotMonitor(slot);
+-    if (wrap < PR_ARRAY_SIZE(slot->refKeys) &&
++    PORT_Assert(wrap >= 0);
++    if ((unsigned) wrap < PR_ARRAY_SIZE(slot->refKeys) &&
+         slot->refKeys[wrap] == CK_INVALID_HANDLE) {
+         /* save the handle and mechanism for the wrapping key */
+         /* mark the key and session as not owned by us so they don't get freed
+          * when the key goes way... that lets us reuse the key later */
+         slot->refKeys[wrap] = wrapKey->objectID;
+         wrapKey->owner = PR_FALSE;
+         wrapKey->sessionOwner = PR_FALSE;
+         slot->wrapMechanism = wrapKey->type;
+@@ -554,17 +555,17 @@ PK11_FindFixedKey(PK11SlotInfo *slot, CK
+     attrs++;
+     PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue));
+     attrs++;
+     if (keyID) {
+         PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len);
+         attrs++;
+     }
+     tsize = attrs - findTemp;
+-    PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE));
++    PORT_Assert((unsigned) tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE));
+ 
+     key_id = pk11_FindObjectByTemplate(slot, findTemp, tsize);
+     if (key_id == CK_INVALID_HANDLE) {
+         return NULL;
+     }
+     return PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, type, key_id,
+                                  PR_FALSE, wincx);
+ }
+@@ -589,17 +590,17 @@ PK11_ListFixedKeysInSlot(PK11SlotInfo *s
+     PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue));
+     attrs++;
+     if (nickname) {
+         len = PORT_Strlen(nickname);
+         PK11_SETATTRS(attrs, CKA_LABEL, nickname, len);
+         attrs++;
+     }
+     tsize = attrs - findTemp;
+-    PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE));
++    PORT_Assert((unsigned) tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE));
+ 
+     key_ids = pk11_FindObjectsByTemplate(slot, findTemp, tsize, &objCount);
+     if (key_ids == NULL) {
+         return NULL;
+     }
+ 
+     for (i = 0; i < objCount; i++) {
+         SECItem typeData;
+@@ -976,32 +977,32 @@ pk11_TokenKeyGenWithFlagsAndKeyType(PK11
+     if ((keySize != 0) && (type != CKM_DES3_CBC) &&
+         (type != CKM_DES3_CBC_PAD) && (type != CKM_DES3_ECB)) {
+         ck_key_size = keySize; /* Convert to PK11 type */
+ 
+         PK11_SETATTRS(attrs, CKA_VALUE_LEN, &ck_key_size, sizeof(ck_key_size));
+         attrs++;
+     }
+ 
+-    if (keyType != -1) {
++    if (keyType != (unsigned) -1) {
+         PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(CK_KEY_TYPE));
+         attrs++;
+     }
+ 
+     /* Include key id value if provided */
+     if (keyid) {
+         PK11_SETATTRS(attrs, CKA_ID, keyid->data, keyid->len);
+         attrs++;
+     }
+ 
+     attrs += pk11_AttrFlagsToAttributes(attrFlags, attrs, &cktrue, &ckfalse);
+     attrs += pk11_OpFlagsToAttributes(opFlags, attrs, &cktrue);
+ 
+     count = attrs - genTemplate;
+-    PR_ASSERT(count <= sizeof(genTemplate) / sizeof(CK_ATTRIBUTE));
++    PR_ASSERT((unsigned) count <= sizeof(genTemplate) / sizeof(CK_ATTRIBUTE));
+ 
+     keyGenType = PK11_GetKeyGenWithSize(type, keySize);
+     if (keyGenType == CKM_FAKE_RANDOM) {
+         PORT_SetError(SEC_ERROR_NO_MODULE);
+         return NULL;
+     }
+     symKey = PK11_KeyGenWithTemplate(slot, type, keyGenType,
+                                      param, genTemplate, count, wincx);
+@@ -1553,17 +1554,17 @@ PK11_DeriveWithTemplate(PK11SymKey *base
+     }
+     if ((operation != CKA_FLAGS_ONLY) &&
+         !pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) {
+         PK11_SETATTRS(attrs, operation, &cktrue, sizeof cktrue);
+         attrs++;
+     }
+ 
+     templateCount = attrs - keyTemplate;
+-    PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));
++    PR_ASSERT((unsigned) templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));
+ 
+     /* move the key to a slot that can do the function */
+     if (!PK11_DoesMechanism(slot, derive)) {
+         /* get a new base key & slot */
+         PK11SlotInfo *newSlot = PK11_GetBestSlot(derive, baseKey->cx);
+ 
+         if (newSlot == NULL)
+             return NULL;
+@@ -1974,17 +1975,17 @@ PK11_PubDerive(SECKEYPrivateKey *privKey
+             attrs++;
+             PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
+             attrs++;
+             PK11_SETATTRS(attrs, operation, &cktrue, 1);
+             attrs++;
+             PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size));
+             attrs++;
+             templateCount = attrs - keyTemplate;
+-            PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));
++            PR_ASSERT((unsigned) templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));
+ 
+             keyType = PK11_GetKeyType(target, keySize);
+             key_size = keySize;
+             symKey->size = keySize;
+             if (key_size == 0)
+                 templateCount--;
+ 
+             mechanism.mechanism = derive;
+@@ -2022,17 +2023,17 @@ PK11_PubDerive(SECKEYPrivateKey *privKey
+             attrs++;
+             PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
+             attrs++;
+             PK11_SETATTRS(attrs, operation, &cktrue, 1);
+             attrs++;
+             PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size));
+             attrs++;
+             templateCount = attrs - keyTemplate;
+-            PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));
++            PR_ASSERT((unsigned) templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));
+ 
+             keyType = PK11_GetKeyType(target, keySize);
+             key_size = keySize;
+             if (key_size == 0) {
+                 if ((key_size = pk11_GetPredefinedKeyLength(keyType))) {
+                     templateCount--;
+                 } else {
+                     /* sigh, some tokens can't figure this out and require
+@@ -2191,17 +2192,17 @@ pk11_PubDeriveECKeyWithKDF(
+     attrs++;
+     PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
+     attrs++;
+     PK11_SETATTRS(attrs, operation, &cktrue, 1);
+     attrs++;
+     PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size));
+     attrs++;
+     templateCount = attrs - keyTemplate;
+-    PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));
++    PR_ASSERT((unsigned) templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE));
+ 
+     keyType = PK11_GetKeyType(target, keySize);
+     key_size = keySize;
+     if (key_size == 0) {
+         if ((key_size = pk11_GetPredefinedKeyLength(keyType))) {
+             templateCount--;
+         } else {
+             /* sigh, some tokens can't figure this out and require
+@@ -2442,17 +2443,17 @@ pk11_HandUnwrap(PK11SlotInfo *slot, CK_O
+     if (crv != CKR_OK) {
+         PORT_Free(outKey.data);
+         PORT_SetError(PK11_MapError(crv));
+         if (crvp)
+             *crvp = crv;
+         return NULL;
+     }
+ 
+-    outKey.len = (key_size == 0) ? len : key_size;
++    outKey.len = (key_size == 0) ? (unsigned) len : (unsigned) key_size;
+     outKey.type = siBuffer;
+ 
+     if (PK11_DoesMechanism(slot, target)) {
+         symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap,
+                                             isPerm, keyTemplate,
+                                             templateCount, &outKey, wincx);
+     } else {
+         slot = PK11_GetBestSlot(target, wincx);
+diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c
+--- a/security/nss/lib/pk11wrap/pk11slot.c
++++ b/security/nss/lib/pk11wrap/pk11slot.c
+@@ -1103,17 +1103,17 @@ pk11_MatchString(const char *string,
+ 
+     for (i = (staticStringLen - 1); i >= 0; i--) {
+         if (staticString[i] != ' ')
+             break;
+     }
+     /* move i to point to the last space */
+     i++;
+ 
+-    if (strlen(string) == i && memcmp(string, staticString, i) == 0) {
++    if (strlen(string) == (size_t) i && memcmp(string, staticString, i) == 0) {
+         return PR_TRUE;
+     }
+ 
+     return PR_FALSE;
+ }
+ 
+ /*
+  * Reads in the slots mechanism list for later use
+@@ -1406,17 +1406,17 @@ pk11_isRootSlot(PK11SlotInfo *slot)
+     CK_OBJECT_CLASS oclass = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
+     int tsize;
+     CK_OBJECT_HANDLE handle;
+ 
+     attrs = findTemp;
+     PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass));
+     attrs++;
+     tsize = attrs - findTemp;
+-    PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE));
++    PORT_Assert((unsigned) tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE));
+ 
+     handle = pk11_FindObjectByTemplate(slot, findTemp, tsize);
+     if (handle == CK_INVALID_HANDLE) {
+         return PR_FALSE;
+     }
+     return PR_TRUE;
+ }
+ 
+@@ -2535,22 +2535,22 @@ SECStatus
+ PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd)
+ {
+     unsigned char tokenName[32];
+     int tokenNameLen;
+     CK_RV crv;
+ 
+     /* reconstruct the token name */
+     tokenNameLen = PORT_Strlen(slot->token_name);
+-    if (tokenNameLen > sizeof(tokenName)) {
++    if ((unsigned) tokenNameLen > sizeof(tokenName)) {
+         tokenNameLen = sizeof(tokenName);
+     }
+ 
+     PORT_Memcpy(tokenName, slot->token_name, tokenNameLen);
+-    if (tokenNameLen < sizeof(tokenName)) {
++    if ((unsigned) tokenNameLen < sizeof(tokenName)) {
+         PORT_Memset(&tokenName[tokenNameLen], ' ',
+                     sizeof(tokenName) - tokenNameLen);
+     }
+ 
+     /* initialize the token */
+     PK11_EnterSlotMonitor(slot);
+ 
+     /* first shutdown the token. Existing sessions will get closed here */
+diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c
+--- a/security/nss/lib/pk11wrap/pk11util.c
++++ b/security/nss/lib/pk11wrap/pk11util.c
+@@ -1024,17 +1024,17 @@ SECMOD_UpdateSlotList(SECMODModule *mod)
+     /* see if the number of slots have changed */
+     crv = PK11_GETTAB(mod)->C_GetSlotList(PR_FALSE, NULL, &count);
+     if (crv != CKR_OK) {
+         PORT_SetError(PK11_MapError(crv));
+         goto loser;
+     }
+     /* nothing new, blow out early, we want this function to be quick
+      * and cheap in the normal case  */
+-    if (count == mod->slotCount) {
++    if (count == (CK_ULONG) mod->slotCount) {
+         PZ_Unlock(mod->refLock);
+         return SECSuccess;
+     }
+     if (count < (CK_ULONG)mod->slotCount) {
+         /* shouldn't happen with a properly functioning PKCS #11 module */
+         PORT_SetError(SEC_ERROR_INCOMPATIBLE_PKCS11);
+         goto loser;
+     }
+@@ -1509,17 +1509,17 @@ SECMOD_OpenNewSlot(SECMODModule *mod, co
+ 
+ /*
+  * given a module spec, find the slot in the module for it.
+  */
+ PK11SlotInfo *
+ secmod_FindSlotFromModuleSpec(const char *moduleSpec, SECMODModule *module)
+ {
+     CK_SLOT_ID slot_id = secmod_GetSlotIDFromModuleSpec(moduleSpec, module);
+-    if (slot_id == -1) {
++    if (slot_id == (CK_SLOT_ID) -1) {
+         return NULL;
+     }
+ 
+     return SECMOD_FindSlotByID(module, slot_id);
+ }
+ 
+ /*
+  * Open a new database using the softoken. The caller is responsible for making
+diff --git a/security/nss/lib/pkcs7/certread.c b/security/nss/lib/pkcs7/certread.c
+--- a/security/nss/lib/pkcs7/certread.c
++++ b/security/nss/lib/pkcs7/certread.c
+@@ -313,18 +313,18 @@ CERT_DecodeCertPackage(char *certbuf,
+         } else {
+             seqLenLen = 0;
+             seqLen = *cp;
+             cp++;
+         }
+ 
+         /* check entire length if definite length */
+         if (seqLen || seqLenLen) {
+-            if (certlen != (seqLen + seqLenLen + 2L)) {
+-                if (certlen > (seqLen + seqLenLen + 2L))
++            if ((unsigned) certlen != (seqLen + seqLenLen + 2L)) {
++                if ((unsigned) certlen > (seqLen + seqLenLen + 2L))
+                     PORT_SetError(SEC_ERROR_EXTRA_INPUT);
+                 else
+                     PORT_SetError(SEC_ERROR_INPUT_LEN);
+                 goto notder;
+             }
+         }
+ 
+         /* check the type oid */
+@@ -397,17 +397,17 @@ notder : {
+             *pc++ = '\n';
+         }
+     }
+ 
+     cp = (unsigned char *)ascCert;
+     cl = certlen;
+ 
+     /* find the beginning marker */
+-    while (cl > NS_CERT_HEADER_LEN) {
++    while ((unsigned) cl > NS_CERT_HEADER_LEN) {
+         int found = 0;
+         if (!PORT_Strncasecmp((char *)cp, NS_CERT_HEADER,
+                               NS_CERT_HEADER_LEN)) {
+             cl -= NS_CERT_HEADER_LEN;
+             cp += NS_CERT_HEADER_LEN;
+             found = 1;
+         }
+ 
+@@ -425,17 +425,17 @@ notder : {
+         if (cl && found) {
+             certbegin = cp;
+             break;
+         }
+     }
+ 
+     if (certbegin) {
+         /* find the ending marker */
+-        while (cl >= NS_CERT_TRAILER_LEN) {
++        while ((unsigned) cl >= NS_CERT_TRAILER_LEN) {
+             if (!PORT_Strncasecmp((char *)cp, NS_CERT_TRAILER,
+                                   NS_CERT_TRAILER_LEN)) {
+                 certend = cp;
+                 break;
+             }
+ 
+             /* skip to next eol */
+             while (cl && (*cp != '\n')) {
+diff --git a/security/nss/lib/pkcs7/p7local.c b/security/nss/lib/pkcs7/p7local.c
+--- a/security/nss/lib/pkcs7/p7local.c
++++ b/security/nss/lib/pkcs7/p7local.c
+@@ -658,17 +658,17 @@ sec_PKCS7Encrypt(sec_PKCS7CipherObject *
+             if (rv != SECSuccess)
+                 return rv;
+ 
+             /*
+              * For now anyway, all of our ciphers have the same number of
+              * bytes of output as they do input.  If this ever becomes untrue,
+              * then sec_PKCS7EncryptLength needs to be made smarter!
+              */
+-            PORT_Assert(ofraglen == pcount);
++            PORT_Assert(ofraglen == (unsigned) pcount);
+ 
+             /*
+              * Account for the bytes now in output.
+              */
+             max_output_len -= ofraglen;
+             output_len += ofraglen;
+             output += ofraglen;
+ 
+@@ -718,17 +718,17 @@ sec_PKCS7Encrypt(sec_PKCS7CipherObject *
+         if (rv != SECSuccess)
+             return rv;
+ 
+         /*
+          * For now anyway, all of our ciphers have the same number of
+          * bytes of output as they do input.  If this ever becomes untrue,
+          * then sec_PKCS7EncryptLength needs to be made smarter!
+          */
+-        PORT_Assert(ofraglen == (pcount + padlen));
++        PORT_Assert(ofraglen == (unsigned) (pcount + padlen));
+         output_len += ofraglen;
+     } else {
+         obj->pending_count = pcount;
+     }
+ 
+     PORT_Assert(output_len_p != NULL || output_len == 0);
+     if (output_len_p != NULL)
+         *output_len_p = output_len;
+diff --git a/security/nss/lib/smime/cmscipher.c b/security/nss/lib/smime/cmscipher.c
+--- a/security/nss/lib/smime/cmscipher.c
++++ b/security/nss/lib/smime/cmscipher.c
+@@ -643,17 +643,17 @@ NSS_CMSCipherContext_Encrypt(NSSCMSCiphe
+             if (rv != SECSuccess)
+                 return rv;
+ 
+             /*
+              * For now anyway, all of our ciphers have the same number of
+              * bytes of output as they do input.  If this ever becomes untrue,
+              * then sec_PKCS7EncryptLength needs to be made smarter!
+              */
+-            PORT_Assert(ofraglen == pcount);
++            PORT_Assert(ofraglen == (unsigned) pcount);
+ 
+             /*
+              * Account for the bytes now in output.
+              */
+             max_output_len -= ofraglen;
+             output_len += ofraglen;
+             output += ofraglen;
+ 
+@@ -703,17 +703,17 @@ NSS_CMSCipherContext_Encrypt(NSSCMSCiphe
+         if (rv != SECSuccess)
+             return rv;
+ 
+         /*
+          * For now anyway, all of our ciphers have the same number of
+          * bytes of output as they do input.  If this ever becomes untrue,
+          * then sec_PKCS7EncryptLength needs to be made smarter!
+          */
+-        PORT_Assert(ofraglen == (pcount + padlen));
++        PORT_Assert(ofraglen == (unsigned) (pcount + padlen));
+         output_len += ofraglen;
+     } else {
+         cc->pending_count = pcount;
+     }
+ 
+     PORT_Assert(output_len_p != NULL || output_len == 0);
+     if (output_len_p != NULL)
+         *output_len_p = output_len;
+diff --git a/security/nss/lib/softoken/legacydb/lgfind.c b/security/nss/lib/softoken/legacydb/lgfind.c
+--- a/security/nss/lib/softoken/legacydb/lgfind.c
++++ b/security/nss/lib/softoken/legacydb/lgfind.c
+@@ -882,17 +882,17 @@ lg_FindObjects(SDB *sdb, SDBFind *search
+                CK_OBJECT_HANDLE *phObject, CK_ULONG ulMaxObjectCount,
+                CK_ULONG *pulObjectCount)
+ {
+     int transfer;
+     int left;
+ 
+     *pulObjectCount = 0;
+     left = search->size - search->index;
+-    transfer = ((int)ulMaxObjectCount > left) ? left : ulMaxObjectCount;
++    transfer = ((int)ulMaxObjectCount > left) ? (unsigned) left : ulMaxObjectCount;
+     if (transfer > 0) {
+         PORT_Memcpy(phObject, &search->handles[search->index],
+                     transfer * sizeof(CK_OBJECT_HANDLE));
+     } else {
+         *phObject = CK_INVALID_HANDLE;
+     }
+ 
+     search->index += transfer;
+diff --git a/security/nss/lib/softoken/legacydb/pcertdb.c b/security/nss/lib/softoken/legacydb/pcertdb.c
+--- a/security/nss/lib/softoken/legacydb/pcertdb.c
++++ b/security/nss/lib/softoken/legacydb/pcertdb.c
+@@ -4847,17 +4847,17 @@ nsslowcert_FindTrustByIssuerAndSN(NSSLOW
+             data_len = sn->len;
+             index = 0;
+         }
+     }
+ 
+     certKey.type = 0;
+     certKey.len = data_len + issuer->len;
+     len = sn->len + issuer->len;
+-    if (len > sizeof(keyBuf)) {
++    if ((unsigned) len > sizeof(keyBuf)) {
+         certKey.data = (unsigned char *)PORT_Alloc(len);
+     } else {
+         certKey.data = keyBuf;
+     }
+ 
+     if (certKey.data == NULL) {
+         return (0);
+     }
+diff --git a/security/nss/lib/softoken/lgglue.c b/security/nss/lib/softoken/lgglue.c
+--- a/security/nss/lib/softoken/lgglue.c
++++ b/security/nss/lib/softoken/lgglue.c
+@@ -36,17 +36,17 @@ sftkdb_resolvePath(const char *orig)
+ {
+     int count = 0;
+     int len = 0;
+     int ret = -1;
+     char *resolved = NULL;
+     char *source = NULL;
+ 
+     len = 1025; /* MAX PATH +1*/
+-    if (strlen(orig) + 1 > len) {
++    if (strlen(orig) + 1 > (unsigned) len) {
+         /* PATH TOO LONG */
+         return NULL;
+     }
+     resolved = PORT_Alloc(len);
+     if (!resolved) {
+         return NULL;
+     }
+     source = PORT_Alloc(len);
+diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
+--- a/security/nss/lib/softoken/pkcs11.c
++++ b/security/nss/lib/softoken/pkcs11.c
+@@ -2516,17 +2516,17 @@ static CK_RV
+ sftk_RegisterSlot(SFTKSlot *slot, int moduleIndex)
+ {
+     PLHashEntry *entry;
+     unsigned int index;
+ 
+     index = sftk_GetModuleIndex(slot->slotID);
+ 
+     /* make sure the slotID for this module is valid */
+-    if (moduleIndex != index) {
++    if ((unsigned) moduleIndex != index) {
+         return CKR_SLOT_ID_INVALID;
+     }
+ 
+     if (nscSlotList[index] == NULL) {
+         nscSlotListSize[index] = NSC_SLOT_LIST_BLOCK_SIZE;
+         nscSlotList[index] = (CK_SLOT_ID *)
+             PORT_ZAlloc(nscSlotListSize[index] * sizeof(CK_SLOT_ID));
+         if (nscSlotList[index] == NULL) {
+@@ -4572,17 +4572,17 @@ nsc_GetTokenAttributeValue(SFTKSession *
+ 
+     /* make sure we don't export any sensitive information */
+     keydb = sftk_getKeyDB(slot);
+     if (dbHandle == keydb) {
+         CK_ULONG i;
+         for (i = 0; i < ulCount; i++) {
+             if (sftk_isSensitive(pTemplate[i].type, CKO_PRIVATE_KEY)) {
+                 crv = CKR_ATTRIBUTE_SENSITIVE;
+-                if (pTemplate[i].pValue && (pTemplate[i].ulValueLen != -1)) {
++                if (pTemplate[i].pValue && (pTemplate[i].ulValueLen != (unsigned) -1)) {
+                     PORT_Memset(pTemplate[i].pValue, 0,
+                                 pTemplate[i].ulValueLen);
+                 }
+                 pTemplate[i].ulValueLen = -1;
+             }
+         }
+     }
+ 
+@@ -5032,17 +5032,17 @@ NSC_FindObjects(CK_SESSION_HANDLE hSessi
+     if (session == NULL)
+         return CKR_SESSION_HANDLE_INVALID;
+     if (session->search == NULL) {
+         sftk_FreeSession(session);
+         return CKR_OK;
+     }
+     search = session->search;
+     left = session->search->size - session->search->index;
+-    transfer = ((int)ulMaxObjectCount > left) ? left : ulMaxObjectCount;
++    transfer = ((int)ulMaxObjectCount > left) ? (unsigned) left : ulMaxObjectCount;
+     if (transfer > 0) {
+         PORT_Memcpy(phObject, &search->handles[search->index],
+                     transfer * sizeof(CK_OBJECT_HANDLE));
+     } else {
+         *phObject = CK_INVALID_HANDLE;
+     }
+ 
+     search->index += transfer;
+diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
+--- a/security/nss/lib/softoken/pkcs11c.c
++++ b/security/nss/lib/softoken/pkcs11c.c
+@@ -7337,17 +7337,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+                 /*
+                 ** server_write_IV[CipherSpec.IV_size]
+                 */
+                 if (IVSize > 0) {
+                     PORT_Memcpy(ssl3_keys_out->pIVServer,
+                                 &key_block[i], IVSize);
+                     i += IVSize;
+                 }
+-                PORT_Assert(i <= sizeof key_block);
++                PORT_Assert((unsigned) i <= sizeof key_block);
+             }
+ 
+             crv = CKR_OK;
+ 
+             if (0) {
+             key_and_mac_derive_fail:
+                 if (crv == CKR_OK)
+                     crv = CKR_FUNCTION_FAILED;
+diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c
+--- a/security/nss/lib/softoken/sftkdb.c
++++ b/security/nss/lib/softoken/sftkdb.c
+@@ -336,17 +336,17 @@ sftkdb_fixupTemplateOut(CK_ATTRIBUTE *te
+                     PORT_Memcpy(template[i].pValue, &value, sizeof(CK_ULONG));
+                 }
+                 template[i].ulValueLen = sizeof(CK_ULONG);
+             }
+         }
+ 
+         /* if no data was retrieved, no need to process encrypted or signed
+          * attributes */
+-        if ((template[i].pValue == NULL) || (template[i].ulValueLen == -1)) {
++        if ((template[i].pValue == NULL) || ((signed) template[i].ulValueLen == -1)) {
+             continue;
+         }
+ 
+         /* fixup private attributes */
+         if (checkEnc && sftkdb_isPrivateAttribute(ntemplate[i].type)) {
+             /* we have a private attribute */
+             /* This code depends on the fact that the cipherText is bigger
+              * than the plain text */
+@@ -1618,17 +1618,17 @@ sftkdb_GetObjectTemplate(SDB *source, CK
+     crv = (*source->sdb_GetAttributeValue)(source, id,
+                                            ptemplate, known_attributes_size);
+ 
+     if ((crv != CKR_OK) && (crv != CKR_ATTRIBUTE_TYPE_INVALID)) {
+         return crv;
+     }
+ 
+     for (i = 0, j = 0; i < known_attributes_size; i++, j++) {
+-        while (i < known_attributes_size && (ptemplate[i].ulValueLen == -1)) {
++            while (i < known_attributes_size && ((signed) ptemplate[i].ulValueLen == -1)) {
+             i++;
+         }
+         if (i >= known_attributes_size) {
+             break;
+         }
+         /* cheap optimization */
+         if (i == j) {
+             continue;
+diff --git a/security/nss/lib/softoken/sftkike.c b/security/nss/lib/softoken/sftkike.c
+--- a/security/nss/lib/softoken/sftkike.c
++++ b/security/nss/lib/softoken/sftkike.c
+@@ -188,17 +188,17 @@ fail:
+ }
+ 
+ /* encode the final pad block of aes xcbc, padBuf is modified */
+ CK_RV
+ sftk_xcbc_mac_pad(unsigned char *padBuf, unsigned int bufLen, int blockSize,
+                   const unsigned char *k2, const unsigned char *k3)
+ {
+     int i;
+-    if (bufLen == blockSize) {
++    if (bufLen == (unsigned) blockSize) {
+         for (i = 0; i < blockSize; i++) {
+             padBuf[i] ^= k2[i];
+         }
+     } else {
+         padBuf[bufLen++] = 0x80;
+         for (i = bufLen; i < blockSize; i++) {
+             padBuf[i] = 0x00;
+         }
+diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c
+--- a/security/nss/lib/softoken/sftkpwd.c
++++ b/security/nss/lib/softoken/sftkpwd.c
+@@ -893,28 +893,28 @@ sftk_updateMacs(PLArenaPool *arena, SFTK
+     // time.
+     unsigned int i;
+     for (i = 0; i < authAttrTypeCount; i++) {
+         CK_ATTRIBUTE authAttr = { authAttrTypes[i], NULL, 0 };
+         CK_RV rv = sftkdb_GetAttributeValue(handle, id, &authAttr, 1);
+         if (rv != CKR_OK) {
+             continue;
+         }
+-        if ((authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) {
++        if (((signed) authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) {
+             continue;
+         }
+         authAttr.pValue = PORT_ArenaAlloc(arena, authAttr.ulValueLen);
+         if (authAttr.pValue == NULL) {
+             return CKR_HOST_MEMORY;
+         }
+         rv = sftkdb_GetAttributeValue(handle, id, &authAttr, 1);
+         if (rv != CKR_OK) {
+             return rv;
+         }
+-        if ((authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) {
++        if (((signed) authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) {
+             return CKR_GENERAL_ERROR;
+         }
+         // GetAttributeValue just verified the old macs, so it is safe to write
+         // them out now.
+         if (authAttr.ulValueLen == sizeof(CK_ULONG) &&
+             sftkdb_isULONGAttribute(authAttr.type)) {
+             CK_ULONG value = *(CK_ULONG *)authAttr.pValue;
+             sftk_ULong2SDBULong(authAttr.pValue, value);
+@@ -957,28 +957,28 @@ sftk_updateEncrypted(PLArenaPool *arena,
+     unsigned int i;
+     for (i = 0; i < privAttrCount; i++) {
+         // Read the old attribute in the clear.
+         CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
+         CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
+         if (crv != CKR_OK) {
+             continue;
+         }
+-        if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
++        if (((signed) privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
+             continue;
+         }
+         privAttr.pValue = PORT_ArenaAlloc(arena, privAttr.ulValueLen);
+         if (privAttr.pValue == NULL) {
+             return CKR_HOST_MEMORY;
+         }
+         crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
+         if (crv != CKR_OK) {
+             return crv;
+         }
+-        if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
++        if (((signed) privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
+             return CKR_GENERAL_ERROR;
+         }
+         SECItem plainText;
+         SECItem *result;
+         plainText.data = privAttr.pValue;
+         plainText.len = privAttr.ulValueLen;
+         if (sftkdb_EncryptAttribute(arena, newKey, &plainText, &result) != SECSuccess) {
+             return CKR_GENERAL_ERROR;
+diff --git a/security/nss/lib/ssl/dtls13con.c b/security/nss/lib/ssl/dtls13con.c
+--- a/security/nss/lib/ssl/dtls13con.c
++++ b/security/nss/lib/ssl/dtls13con.c
+@@ -145,17 +145,17 @@ dtls13_SendAck(sslSocket *ss)
+     if (rv != SECSuccess) {
+         goto loser;
+     }
+ 
+     ssl_GetXmitBufLock(ss);
+     sent = ssl3_SendRecord(ss, NULL, ssl_ct_ack,
+                            buf.buf, buf.len, 0);
+     ssl_ReleaseXmitBufLock(ss);
+-    if (sent != buf.len) {
++    if (sent != (int) buf.len) {
+         rv = SECFailure;
+         if (sent != -1) {
+             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+         }
+     }
+ 
+ loser:
+     sslBuffer_Clear(&buf);
+diff --git a/security/nss/lib/ssl/dtlscon.c b/security/nss/lib/ssl/dtlscon.c
+--- a/security/nss/lib/ssl/dtlscon.c
++++ b/security/nss/lib/ssl/dtlscon.c
+@@ -442,17 +442,17 @@ dtls_HandleHandshake(sslSocket *ss, DTLS
+                  */
+                 if (fragment_offset <= (unsigned int)ss->ssl3.hs.recvdHighWater) {
+                     /* Either this is the adjacent fragment or an overlapping
+                      * fragment */
+                     if (end > ss->ssl3.hs.recvdHighWater) {
+                         ss->ssl3.hs.recvdHighWater = end;
+                     }
+                 } else {
+-                    for (offset = fragment_offset; offset < end; offset++) {
++                    for (offset = fragment_offset; offset < (unsigned) end; offset++) {
+                         ss->ssl3.hs.recvdFragments.buf[OFFSET_BYTE(offset)] |=
+                             OFFSET_MASK(offset);
+                     }
+                 }
+ 
+                 /* Now figure out the new high water mark if appropriate */
+                 for (offset = ss->ssl3.hs.recvdHighWater;
+                      offset < ss->ssl3.hs.msg_len; offset++) {
+@@ -463,17 +463,17 @@ dtls_HandleHandshake(sslSocket *ss, DTLS
+                         OFFSET_MASK(offset)) {
+                         ss->ssl3.hs.recvdHighWater++;
+                     } else {
+                         break;
+                     }
+                 }
+ 
+                 /* If we have all the bytes, then we are good to go */
+-                if (ss->ssl3.hs.recvdHighWater == ss->ssl3.hs.msg_len) {
++                if ((unsigned) ss->ssl3.hs.recvdHighWater == ss->ssl3.hs.msg_len) {
+                     rv = dtls_HandleHandshakeMessage(ss, ss->ssl3.hs.msg_body.buf,
+                                                      buf.len == fragment_length);
+ 
+                     if (rv == SECFailure) {
+                         goto loser;
+                     }
+                 }
+             }
+@@ -653,17 +653,17 @@ dtls_SendFragment(sslSocket *ss, DTLSQue
+                   unsigned int len)
+ {
+     PRInt32 sent;
+     SECStatus rv;
+ 
+     PRINT_BUF(40, (ss, "dtls_SendFragment", data, len));
+     sent = ssl3_SendRecord(ss, msg->cwSpec, msg->type, data, len,
+                            ssl_SEND_FLAG_FORCE_INTO_BUFFER);
+-    if (sent != len) {
++    if ((unsigned) sent != len) {
+         if (sent != -1) {
+             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+         }
+         return SECFailure;
+     }
+ 
+     /* If another fragment won't fit, flush. */
+     if (ss->ssl3.mtu < ss->pendingBuf.len + DTLS_MIN_FRAGMENT) {
+@@ -719,17 +719,17 @@ dtls_FragmentHandshake(sslSocket *ss, DT
+ 
+         /* Cut down to the data we have available. */
+         PORT_Assert(fragmentOffset <= contentLen);
+         PORT_Assert(fragmentOffset <= end);
+         PORT_Assert(end <= contentLen);
+         fragmentLen = PR_MIN(end, contentLen) - fragmentOffset;
+ 
+         /* Limit further by the record size limit.  Account for the header. */
+-        fragmentLen = PR_MIN(fragmentLen,
++        fragmentLen = PR_MIN((PRInt32) fragmentLen,
+                              msg->cwSpec->recordSizeLimit - DTLS_HS_HDR_LEN);
+ 
+         /* Reduce to the space remaining in the MTU. */
+         fragmentLen = PR_MIN(fragmentLen,
+                              ss->ssl3.mtu -           /* MTU estimate. */
+                                  ss->pendingBuf.len - /* Less any unsent records. */
+                                  DTLS_MAX_EXPANSION - /* Allow for expansion. */
+                                  DTLS_HS_HDR_LEN);    /* And the handshake header. */
+@@ -909,17 +909,17 @@ dtls_InitTimers(sslSocket *ss)
+         &ss->ssl3.hs.ackTimer,
+         &ss->ssl3.hs.hdTimer
+     };
+     static const char *timerLabels[] = {
+         "retransmit", "ack", "holddown"
+     };
+ 
+     PORT_Assert(PR_ARRAY_SIZE(timers) == PR_ARRAY_SIZE(timerLabels));
+-    for (i = 0; i < PR_ARRAY_SIZE(ss->ssl3.hs.timers); ++i) {
++    for (i = 0; (unsigned) i < PR_ARRAY_SIZE(ss->ssl3.hs.timers); ++i) {
+         *timers[i] = &ss->ssl3.hs.timers[i];
+         ss->ssl3.hs.timers[i].label = timerLabels[i];
+     }
+ }
+ 
+ SECStatus
+ dtls_StartTimer(sslSocket *ss, dtlsTimer *timer, PRUint32 time, DTLSTimerCb cb)
+ {
+@@ -1082,17 +1082,17 @@ dtls_SetMTU(sslSocket *ss, PRUint16 adve
+     int i;
+ 
+     if (advertised == 0) {
+         ss->ssl3.mtu = COMMON_MTU_VALUES[0];
+         SSL_TRC(30, ("Resetting MTU to %d", ss->ssl3.mtu));
+         return;
+     }
+ 
+-    for (i = 0; i < PR_ARRAY_SIZE(COMMON_MTU_VALUES); i++) {
++    for (i = 0; (unsigned) i < PR_ARRAY_SIZE(COMMON_MTU_VALUES); i++) {
+         if (COMMON_MTU_VALUES[i] <= advertised) {
+             ss->ssl3.mtu = COMMON_MTU_VALUES[i];
+             SSL_TRC(30, ("Resetting MTU to %d", ss->ssl3.mtu));
+             return;
+         }
+     }
+ 
+     /* Fallback */
+diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
+--- a/security/nss/lib/ssl/ssl3con.c
++++ b/security/nss/lib/ssl/ssl3con.c
+@@ -1629,17 +1629,17 @@ ssl3_AESGCM(const ssl3KeyMaterial *keys,
+      * nonce is formed. */
+     memcpy(nonce, keys->iv, 4);
+     if (doDecrypt) {
+         memcpy(nonce + 4, in, explicitNonceLen);
+         in += explicitNonceLen;
+         inlen -= explicitNonceLen;
+         *outlen = 0;
+     } else {
+-        if (maxout < explicitNonceLen) {
++        if ((signed) maxout < explicitNonceLen) {
+             PORT_SetError(SEC_ERROR_INPUT_LEN);
+             return SECFailure;
+         }
+         /* Use the 64-bit sequence number as the explicit nonce. */
+         memcpy(nonce + 4, additionalData, explicitNonceLen);
+         memcpy(out, additionalData, explicitNonceLen);
+         out += explicitNonceLen;
+         maxout -= explicitNonceLen;
+@@ -2453,17 +2453,18 @@ ssl3_SendRecord(sslSocket *ss,
+         ssl_ReleaseSpecReadLock(ss);
+         if (rv != SECSuccess) {
+             goto loser;
+         }
+ 
+         PORT_Assert(written > 0);
+         /* DTLS should not fragment non-application data here. */
+         if (IS_DTLS(ss) && ct != ssl_ct_application_data) {
+-            PORT_Assert(written == nIn);
++            PORT_Assert( nIn >= 0 );
++            PORT_Assert( written == (unsigned) nIn);
+         }
+ 
+         pIn += written;
+         nIn -= written;
+         PORT_Assert(nIn >= 0);
+ 
+         /* If there's still some previously saved ciphertext,
+          * or the caller doesn't want us to send the data yet,
+@@ -12742,24 +12743,26 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
+         ssl_ReleaseSpecReadLock(ss); /*****************************/
+         SSL_TRC(3, ("%d: SSL[%d]: read sequence number at limit 0x%0llx",
+                     SSL_GETPID(), ss->fd, cText->seqNum));
+         PORT_SetError(SSL_ERROR_TOO_MANY_RECORDS);
+         return SECFailure;
+     }
+ 
+     recordSizeLimit = spec->recordSizeLimit;
+-    if (cText->buf->len > recordSizeLimit + MAX_EXPANSION) {
++    // recordSizeLimit is 16-bit, PRUint16.
++    // cText->buf->len is unsigned int.
++    if (cText->buf->len > (unsigned int) recordSizeLimit + MAX_EXPANSION) {
+         ssl_ReleaseSpecReadLock(ss); /*****************************/
+         SSL3_SendAlert(ss, alert_fatal, record_overflow);
+         PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+         return SECFailure;
+     }
+ 
+-    if (plaintext->space < recordSizeLimit + MAX_EXPANSION) {
++    if (plaintext->space < (unsigned int) recordSizeLimit + MAX_EXPANSION) {
+         rv = sslBuffer_Grow(plaintext, recordSizeLimit + MAX_EXPANSION);
+         if (rv != SECSuccess) {
+             ssl_ReleaseSpecReadLock(ss); /*************************/
+             SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
+                      SSL_GETPID(), ss->fd, recordSizeLimit + MAX_EXPANSION));
+             /* sslBuffer_Grow has set a memory error code. */
+             /* Perhaps we should send an alert. (but we have no memory!) */
+             return SECFailure;
+diff --git a/security/nss/lib/ssl/sslencode.c b/security/nss/lib/ssl/sslencode.c
+--- a/security/nss/lib/ssl/sslencode.c
++++ b/security/nss/lib/ssl/sslencode.c
+@@ -250,32 +250,33 @@ ssl3_AppendHandshake(sslSocket *ss, cons
+     unsigned char *src = (unsigned char *)void_src;
+     int room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
+     SECStatus rv;
+ 
+     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); /* protects sendBuf. */
+ 
+     if (!bytes)
+         return SECSuccess;
+-    if (ss->sec.ci.sendBuf.space < MAX_SEND_BUF_LENGTH && room < bytes) {
++    PORT_Assert(room >= 0);
++    if (ss->sec.ci.sendBuf.space < MAX_SEND_BUF_LENGTH && (unsigned) room < bytes) {
+         rv = sslBuffer_Grow(&ss->sec.ci.sendBuf, PR_MAX(MIN_SEND_BUF_LENGTH,
+                                                         PR_MIN(MAX_SEND_BUF_LENGTH, ss->sec.ci.sendBuf.len + bytes)));
+         if (rv != SECSuccess)
+             return SECFailure; /* sslBuffer_Grow sets a memory error code. */
+         room = ss->sec.ci.sendBuf.space - ss->sec.ci.sendBuf.len;
+     }
+ 
+     PRINT_BUF(60, (ss, "Append to Handshake", (unsigned char *)void_src, bytes));
+     if (!ss->firstHsDone || ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
+         rv = ssl3_UpdateHandshakeHashes(ss, src, bytes);
+         if (rv != SECSuccess)
+             return SECFailure; /* error code set by ssl3_UpdateHandshakeHashes */
+     }
+ 
+-    while (bytes > room) {
++    while (bytes > (unsigned) room) {
+         if (room > 0)
+             PORT_Memcpy(ss->sec.ci.sendBuf.buf + ss->sec.ci.sendBuf.len, src,
+                         room);
+         ss->sec.ci.sendBuf.len += room;
+         rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
+         if (rv != SECSuccess) {
+             return SECFailure; /* error code set by ssl3_FlushHandshake */
+         }
+diff --git a/security/nss/lib/ssl/sslprimitive.c b/security/nss/lib/ssl/sslprimitive.c
+--- a/security/nss/lib/ssl/sslprimitive.c
++++ b/security/nss/lib/ssl/sslprimitive.c
+@@ -142,17 +142,17 @@ ssl_AeadInner(const SSLAeadContext *ctx,
+     PRUint8 nonce[12] = { 0 };
+     sslBuffer nonceBuf = SSL_BUFFER_FIXED(nonce + sizeof(nonce) - sizeof(counter),
+                                           sizeof(counter));
+     SECStatus rv = sslBuffer_AppendNumber(&nonceBuf, counter, sizeof(counter));
+     if (rv != SECSuccess) {
+         PORT_Assert(0);
+         return SECFailure;
+     }
+-    for (int i = 0; i < sizeof(nonce); ++i) {
++    for (int i = 0; (unsigned) i < sizeof(nonce); ++i) {
+         nonce[i] ^= ctx->keys.iv[i];
+     }
+ 
+     // Build AEAD parameters.
+     CK_GCM_PARAMS gcmParams = { 0 };
+     CK_NSS_AEAD_PARAMS aeadParams = { 0 };
+     unsigned char *params;
+     unsigned int paramsLen;
+diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c
+--- a/security/nss/lib/ssl/sslsnce.c
++++ b/security/nss/lib/ssl/sslsnce.c
+@@ -1857,17 +1857,17 @@ getSvrWrappingKey(unsigned int symWrapMe
+     }
+     if (!lockTime) {
+         now = LockSidCacheLock(cache->keyCacheLock, 0);
+         if (!now) {
+             return SECFailure;
+         }
+     }
+     if (pwswk->wrapKeyIndex == wrapKeyIndex &&
+-        pwswk->wrapMechIndex == symWrapMechIndex &&
++        pwswk->wrapMechIndex == (signed) symWrapMechIndex &&
+         pwswk->wrappedSymKeyLen != 0) {
+         *wswk = *pwswk;
+         rv = SECSuccess;
+     }
+     if (now) {
+         UnlockSidCacheLock(cache->keyCacheLock);
+     }
+     return rv;
+diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
+--- a/security/nss/lib/ssl/sslsock.c
++++ b/security/nss/lib/ssl/sslsock.c
+@@ -1760,17 +1760,17 @@ SSL_DHEGroupPrefSet(PRFileDesc *fd, cons
+         if (ss->namedGroupPreferences[i] &&
+             ss->namedGroupPreferences[i]->keaType != ssl_kea_dh) {
+             enabled[k++] = ss->namedGroupPreferences[i];
+         }
+         ss->namedGroupPreferences[i] = NULL;
+     }
+ 
+     ss->ssl3.dhePreferredGroup = NULL;
+-    for (i = 0; i < count; ++i) {
++    for (i = 0; (unsigned) i < count; ++i) {
+         PRBool duplicate = PR_FALSE;
+         SSLNamedGroup name;
+         const sslNamedGroupDef *groupDef;
+         switch (list[i]) {
+             case ssl_ff_dhe_2048_group:
+                 name = ssl_grp_ffdhe_2048;
+                 break;
+             case ssl_ff_dhe_3072_group:
+@@ -3499,30 +3499,32 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec
+         SEND(buf, bufLen);
+     }
+ 
+     while (vectors || myIov.iov_len) {
+         PRInt32 addLen;
+         if (!myIov.iov_len) {
+             GET_VECTOR;
+         }
+-        while (myIov.iov_len >= K16) {
++        PORT_Assert(myIov.iov_len >= 0);
++        while ((unsigned) myIov.iov_len >= K16) {
+             SEND(myIov.iov_base, K16);
+             myIov.iov_base += K16;
+             myIov.iov_len -= K16;
+         }
+         if (!myIov.iov_len)
+             continue;
+ 
+         if (!vectors || myIov.iov_len > limit) {
+             addLen = 0;
+         } else if ((addLen = iov->iov_len % K16) + myIov.iov_len <= limit) {
+             /* Addlen is already computed. */;
+         } else if (vectors > 1 &&
+-                   iov[1].iov_len % K16 + addLen + myIov.iov_len <= 2 * limit) {
++                   iov[1].iov_len % K16 + addLen + myIov.iov_len
++                   <= (2 * limit)) {
+             addLen = limit - myIov.iov_len;
+         } else
+             addLen = 0;
+ 
+         if (!addLen) {
+             SEND(myIov.iov_base, myIov.iov_len);
+             myIov.iov_len = 0;
+             continue;
+@@ -3534,22 +3536,23 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec
+             PORT_Memcpy(buf + bufLen, myIov.iov_base, addLen);
+             myIov.iov_base += addLen;
+             myIov.iov_len -= addLen;
+             bufLen += addLen;
+ 
+             left = PR_MIN(limit, K16 - bufLen);
+             if (!vectors             /* no more left */
+                 || myIov.iov_len > 0 /* we didn't use that one all up */
+-                || bufLen >= K16 /* it's full. */) {
++                || (unsigned) bufLen >= K16 /* it's full. */) {
+                 addLen = 0;
+             } else if ((addLen = iov->iov_len % K16) <= left) {
+                 /* Addlen is already computed. */;
+             } else if (vectors > 1 &&
+-                       iov[1].iov_len % K16 + addLen <= left + limit) {
++                       iov[1].iov_len % K16 + addLen
++                       <= (left + limit)) {
+                 addLen = left;
+             } else
+                 addLen = 0;
+ 
+         } while (addLen);
+         SEND(buf, bufLen);
+     }
+     return sent;
+diff --git a/security/nss/lib/ssl/tls13con.c b/security/nss/lib/ssl/tls13con.c
+--- a/security/nss/lib/ssl/tls13con.c
++++ b/security/nss/lib/ssl/tls13con.c
+@@ -5291,29 +5291,30 @@ tls13_FormatAdditionalData(
+     return SECSuccess;
+ }
+ 
+ PRInt32
+ tls13_LimitEarlyData(sslSocket *ss, SSLContentType type, PRInt32 toSend)
+ {
+     PRInt32 reduced;
+ 
++    PORT_Assert(toSend >= 0);
+     PORT_Assert(type == ssl_ct_application_data);
+     PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
+     PORT_Assert(!ss->firstHsDone);
+     if (ss->ssl3.cwSpec->epoch != TrafficKeyEarlyApplicationData) {
+         return toSend;
+     }
+ 
+-    if (IS_DTLS(ss) && toSend > ss->ssl3.cwSpec->earlyDataRemaining) {
++    if (IS_DTLS(ss) && (PRUint32) toSend > ss->ssl3.cwSpec->earlyDataRemaining) {
+         /* Don't split application data records in DTLS. */
+         return 0;
+     }
+ 
+-    reduced = PR_MIN(toSend, ss->ssl3.cwSpec->earlyDataRemaining);
++    reduced = PR_MIN((PRUint32) toSend, ss->ssl3.cwSpec->earlyDataRemaining);
+     ss->ssl3.cwSpec->earlyDataRemaining -= reduced;
+     return reduced;
+ }
+ 
+ SECStatus
+ tls13_ProtectRecord(sslSocket *ss,
+                     ssl3CipherSpec *cwSpec,
+                     SSLContentType type,
+@@ -5484,17 +5485,17 @@ tls13_UnprotectRecord(sslSocket *ss,
+         PORT_SetError(SSL_ERROR_BAD_MAC_READ);
+         return SECFailure;
+     }
+ 
+     /* There is a similar test in ssl3_HandleRecord, but this test is needed to
+      * account for padding.  It's safe to do this here (including the alert),
+      * because it only confirms that the record exceeded the size limit, which
+      * is apparent from the size of the ciphertext. */
+-    if (plaintext->len > spec->recordSizeLimit + 1) {
++    if (plaintext->len > (unsigned) spec->recordSizeLimit + 1) {
+         SSL3_SendAlert(ss, alert_fatal, record_overflow);
+         PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+         return SECFailure;
+     }
+ 
+     /* The record is right-padded with 0s, followed by the true
+      * content type, so read from the right until we receive a
+      * nonzero byte. */
+@@ -5623,24 +5624,25 @@ tls13_MaybeDo0RTTHandshake(sslSocket *ss
+     }
+ 
+     return SECSuccess;
+ }
+ 
+ PRInt32
+ tls13_Read0RttData(sslSocket *ss, PRUint8 *buf, PRInt32 len)
+ {
++    PORT_Assert(len >= 0);
+     PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.bufferedEarlyData));
+     PRInt32 offset = 0;
+     while (!PR_CLIST_IS_EMPTY(&ss->ssl3.hs.bufferedEarlyData)) {
+         TLS13EarlyData *msg =
+             (TLS13EarlyData *)PR_NEXT_LINK(&ss->ssl3.hs.bufferedEarlyData);
+         unsigned int tocpy = msg->data.len - msg->consumed;
+ 
+-        if (tocpy > (len - offset)) {
++        if (tocpy > (unsigned) (len - offset)) {
+             if (IS_DTLS(ss)) {
+                 /* In DTLS, we only return entire records.
+                  * So offset and consumed are always zero. */
+                 PORT_Assert(offset == 0);
+                 PORT_Assert(msg->consumed == 0);
+                 PORT_SetError(SSL_ERROR_RX_SHORT_DTLS_READ);
+                 return -1;
+             }
+diff --git a/security/nss/lib/ssl/tls13esni.c b/security/nss/lib/ssl/tls13esni.c
+--- a/security/nss/lib/ssl/tls13esni.c
++++ b/security/nss/lib/ssl/tls13esni.c
+@@ -585,17 +585,18 @@ tls13_ClientSetupESNI(sslSocket *ss)
+     PRTime now = PR_Now() / PR_USEC_PER_SEC;
+ 
+     PORT_Assert(!ss->xtnData.esniPrivateKey);
+ 
+     if (!ss->esniKeys) {
+         return SECSuccess;
+     }
+ 
+-    if ((ss->esniKeys->notBefore > now) || (ss->esniKeys->notAfter < now)) {
++    if (((PRTime) ss->esniKeys->notBefore > now) ||
++        ((PRTime) ss->esniKeys->notAfter < now)) {
+         return SECSuccess;
+     }
+ 
+     /* If we're not sending SNI, don't send ESNI. */
+     if (!ssl_ShouldSendSNIExtension(ss, ss->url)) {
+         return SECSuccess;
+     }
+ 
+diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c
+--- a/security/nss/lib/util/secoid.c
++++ b/security/nss/lib/util/secoid.c
+@@ -2102,17 +2102,17 @@ SECOID_Init(void)
+         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+         PORT_Assert(0); /*This function should never fail. */
+         return (SECFailure);
+     }
+ 
+     for (i = 0; i < SEC_OID_TOTAL; i++) {
+         oid = &oids[i];
+ 
+-        PORT_Assert(oid->offset == i);
++        PORT_Assert(oid->offset == (unsigned) i);
+ 
+         entry = PL_HashTableAdd(oidhash, &oid->oid, (void *)oid);
+         if (entry == NULL) {
+             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+             PORT_Assert(0); /*This function should never fail. */
+             return (SECFailure);
+         }
+ 
+diff --git a/security/nss/lib/util/utilpars.c b/security/nss/lib/util/utilpars.c
+--- a/security/nss/lib/util/utilpars.c
++++ b/security/nss/lib/util/utilpars.c
+@@ -180,17 +180,17 @@ NSSUTIL_ArgGetParamValue(const char *par
+     char searchValue[256];
+     int paramLen = strlen(paramName);
+     char *returnValue = NULL;
+     int next;
+ 
+     if ((parameters == NULL) || (*parameters == 0))
+         return NULL;
+ 
+-    PORT_Assert(paramLen + 2 < sizeof(searchValue));
++    PORT_Assert((size_t) (paramLen + 2) < sizeof(searchValue));
+ 
+     PORT_Strcpy(searchValue, paramName);
+     PORT_Strcat(searchValue, "=");
+     while (*parameters) {
+         if (PORT_Strncasecmp(parameters, searchValue, paramLen + 1) == 0) {
+             parameters += paramLen + 1;
+             returnValue = NSSUTIL_ArgFetchValue(parameters, &next);
+             break;