cppcheck fixes

Fix checking of negative with unsigned variables.
Check digestSz for 0 in wc_SSH_KDF() so that no possibility of dividing
by zero.
Change XMEMCPY to XMEMSET in renesas_sce_util.c.
Fix test.c to free prvTmp and pubTmp on read error.
Remove unused variables.
XFREE checks for NULL so don't check before call.
Move variable declarations to reduce scope.

IDE/Espressif/ESP-IDF/test/test_wolfssl.c

@@ -1125,7 +1125,7 @@ TEST_CASE("wolfssl aes sha256 rsa multi-thread test ", "[wolfssl]")
     exit_loop = true;
 
     /* wait until rsa test finishes */
-    while(rsa_elapsedTime<=0){ vTaskDelay(1); }
+    while(rsa_elapsedTime==0){ vTaskDelay(1); }
 
     ESP_LOGI(TAG, "Waiting another %llu s. rsa test would take more time to finish.",
                (rsa_elapsedTime+3000)/portTICK_PERIOD_MS);

examples/benchmark/tls_bench.c

@@ -1269,12 +1269,10 @@ static int SocketWaitClient(info_t* info)
     int connd;
     struct sockaddr_in clientAddr;
     socklen_t size = sizeof(clientAddr);
-#ifdef WOLFSSL_DTLS
-    char msg[64];
-#endif
 
 #ifdef WOLFSSL_DTLS
     if (info->doDTLS) {
+        char msg[64];
 #ifdef HAVE_PTHREAD
         if (!info->clientOrserverOnly) {
             PTHREAD_CHECK_RET(pthread_mutex_lock(&info->dtls_mutex));

examples/client/client.c

@@ -782,8 +782,8 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port,
             err_sys("Client buffer malloc failed");
         }
 doExit:
-        if (tx_buffer) XFREE(tx_buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        if (rx_buffer) XFREE(rx_buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(tx_buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(rx_buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     }
     else {
         err_sys("wolfSSL_connect failed");
@@ -953,7 +953,6 @@ static int ClientWrite(WOLFSSL* ssl, const char* msg, int msgSz, const char* str
     int exitWithRet)
 {
     int ret, err;
-    char buffer[WOLFSSL_MAX_ERROR_SZ];
 
     do {
         err = 0; /* reset error */
@@ -974,6 +973,7 @@ static int ClientWrite(WOLFSSL* ssl, const char* msg, int msgSz, const char* str
     #endif
     );
     if (ret != msgSz) {
+        char buffer[WOLFSSL_MAX_ERROR_SZ];
         fprintf(stderr, "SSL_write%s msg error %d, %s\n", str, err,
                                         wolfSSL_ERR_error_string(err, buffer));
         if (!exitWithRet) {
@@ -4311,9 +4311,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
 #if !defined(NO_SESSION_CACHE) && (defined(OPENSSL_EXTRA) || \
         defined(HAVE_EXT_CACHE))
-        if (flatSession) {
-            XFREE(flatSession, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-        }
+        XFREE(flatSession, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
         wolfSSL_SESSION_free(session);
         session = NULL;

examples/echoserver/echoserver.c

@@ -298,7 +298,6 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
         CYASSL* ssl = NULL;
         CYASSL* write_ssl = NULL;   /* may have separate w/ HAVE_WRITE_DUP */
         char    command[SVR_COMMAND_SIZE+1];
-        int     echoSz = 0;
         int     clientfd;
         int     firstRead = 1;
         int     gotFirstG = 0;
@@ -374,6 +373,8 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
 #endif
 
         while (1) {
+            int echoSz;
+
             do {
                 err = 0; /* reset error */
                 ret = CyaSSL_read(ssl, command, sizeof(command)-1);

examples/server/server.c

@@ -269,7 +269,6 @@ static int TestEmbedSendTo(WOLFSSL* ssl, char *buf, int sz, void *ctx)
     WOLFSSL_TEST_DTLS_CTX* dtlsCtx = (WOLFSSL_TEST_DTLS_CTX*)ctx;
     int sd = dtlsCtx->wfd;
     int sent;
-    int err;
 
     (void)ssl;
 
@@ -291,7 +290,7 @@ static int TestEmbedSendTo(WOLFSSL* ssl, char *buf, int sz, void *ctx)
     sent = TranslateReturnCode(sent, sd);
 
     if (sent < 0) {
-        err = wolfSSL_LastError();
+        int err = wolfSSL_LastError();
         WOLFSSL_MSG("Embed Send To error");
 
         if (err == SOCKET_EWOULDBLOCK || err == SOCKET_EAGAIN) {
@@ -337,8 +336,6 @@ static int NonBlockingSSL_Accept(SSL* ssl)
             || error == WC_PENDING_E
         #endif
     )) {
-        int currTimeout = 1;
-
         if (error == WOLFSSL_ERROR_WANT_READ) {
             /* printf("... server would read block\n"); */
         }
@@ -354,6 +351,8 @@ static int NonBlockingSSL_Accept(SSL* ssl)
         else
     #endif
         {
+            int currTimeout = 1;
+
             if (error == WOLFSSL_ERROR_WANT_WRITE)
             {
                 select_ret = tcp_select_tx(sockfd, currTimeout);
@@ -408,7 +407,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block,
 {
     int ret = 0, err;
     double start = 0, rx_time = 0, tx_time = 0;
-    int select_ret, len, rx_pos;
+    int len, rx_pos;
     size_t xfer_bytes = 0;
     char* buffer;
 
@@ -420,7 +419,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block,
     while ((echoData && throughput == 0) ||
           (!echoData && xfer_bytes < throughput))
     {
-        select_ret = tcp_select(clientfd, 1); /* Timeout=1 second */
+        int select_ret = tcp_select(clientfd, 1); /* Timeout=1 second */
         if (select_ret == TEST_RECV_READY) {
 
             if (throughput)
@@ -611,7 +610,6 @@ static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
 static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen)
 {
     int ret, err;
-    char buffer[WOLFSSL_MAX_ERROR_SZ];
     int len;
 
 #ifdef OPENSSL_ALL
@@ -642,6 +640,7 @@ static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen)
         }
     } while (err == WC_PENDING_E || err == WOLFSSL_ERROR_WANT_WRITE);
     if (ret != outputLen) {
+        char buffer[WOLFSSL_MAX_ERROR_SZ];
         fprintf(stderr, "SSL_write msg error %d, %s\n", err,
                                                  ERR_error_string(err, buffer));
         err_sys_ex(runWithErrors, "SSL_write failed");
@@ -2193,10 +2192,12 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
             case 262: {
                 /* Note: this requires TSL1.3 (version >= 4) */
                 #ifdef HAVE_ECC
-                int idx = 0; /* ecc curve index */
                 int j = 0; /* our group index */
                 #endif
                 if (NULL == myoptarg) {
+                #ifdef HAVE_ECC
+                    int idx = 0; /* ecc curve index */
+                #endif
                     Usage();
                     if (lng_index == 1) {
                         /* TODO: Need Japanese translation */
@@ -3167,10 +3168,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 #if defined(WOLFSSL_DTLS) && defined(USE_WOLFSSL_IO)
         if (doDTLS && dtlsUDP) {
             byte          b[1500];
-            int           n;
             int           isClientHello = 0;
 
             while (!isClientHello) {
+                int n;
+
                 client_len = sizeof client_addr;
 
                 /* For DTLS, peek at the next datagram so we can get the
@@ -3411,7 +3413,6 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 #if defined(OPENSSL_EXTRA) || defined(HAVE_SECRET_CALLBACK)
     {
         byte*  rnd = NULL;
-        byte*  pt;
         size_t size;
 
         /* get size of buffer then print */
@@ -3438,6 +3439,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
         }
 
         if (rnd) {
+            byte*  pt;
             printf("Server Random : ");
             for (pt = rnd; pt < rnd + size; pt++) printf("%02X", *pt);
             printf("\n");

src/bio.c

@@ -2057,11 +2057,10 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio)
     WOLFSSL_BIO *wolfSSL_BIO_new_connect(const char *str)
     {
         WOLFSSL_BIO *bio;
-        const char* port;
         WOLFSSL_ENTER("wolfSSL_BIO_new_connect");
         bio = wolfSSL_BIO_new(wolfSSL_BIO_s_socket());
         if (bio) {
-            port = XSTRSTR(str, ":");
+            const char* port = XSTRSTR(str, ":");
 
             if (port != NULL)
                 bio->port = (word16)XATOI(port + 1);
@@ -2261,8 +2260,6 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio)
 
     void wolfSSL_BIO_ssl_shutdown(WOLFSSL_BIO* b)
     {
-        int rc;
-
         WOLFSSL_ENTER("wolfSSL_BIO_ssl_shutdown");
 
         if (b == NULL) {
@@ -2279,7 +2276,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio)
         }
 
         if (b->ptr != NULL) {
-            rc = wolfSSL_shutdown((WOLFSSL*)b->ptr);
+            int rc = wolfSSL_shutdown((WOLFSSL*)b->ptr);
             if (rc == SSL_SHUTDOWN_NOT_DONE) {
                 /* In this case, call again to give us a chance to read the
                  * close notify alert from the other end. */
@@ -2386,7 +2383,6 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio)
 
     long wolfSSL_BIO_set_conn_hostname(WOLFSSL_BIO* b, char* name)
     {
-        size_t currLen = 0;
         size_t newLen = 0;
 
         WOLFSSL_ENTER("wolfSSL_BIO_set_conn_hostname");
@@ -2414,7 +2410,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio)
             }
         }
         else {
-            currLen = XSTRLEN(b->ip);
+            size_t currLen = XSTRLEN(b->ip);
             if (currLen != newLen) {
                 b->ip = (char*)XREALLOC(b->ip, newLen + 1, b->heap,
                     DYNAMIC_TYPE_OPENSSL);

src/conf.c

@@ -158,7 +158,6 @@ long wolfSSL_TXT_DB_write(WOLFSSL_BIO *out, WOLFSSL_TXT_DB *db)
     long totalLen = 0;
     char buf[512]; /* Should be more than enough for a single row */
     char* bufEnd = buf + sizeof(buf);
-    int sz;
     int i;
 
     WOLFSSL_ENTER("wolfSSL_TXT_DB_write");
@@ -172,6 +171,7 @@ long wolfSSL_TXT_DB_write(WOLFSSL_BIO *out, WOLFSSL_TXT_DB *db)
     while (data) {
         char** fields = (char**)data->data.string;
         char* idx = buf;
+        int sz;
 
         if (!fields) {
             WOLFSSL_MSG("Missing row");
@@ -1499,10 +1499,9 @@ static const conf_cmd_tbl* wolfssl_conf_find_cmd(WOLFSSL_CONF_CTX* cctx,
                                          const char* cmd)
 {
     size_t i = 0;
-    size_t cmdlen = 0;
 
     if (cctx->flags & WOLFSSL_CONF_FLAG_CMDLINE) {
-        cmdlen = XSTRLEN(cmd);
+        size_t cmdlen = XSTRLEN(cmd);
 
         if (cmdlen < 2) {
             WOLFSSL_MSG("bad cmdline command");

src/internal.c

@@ -1715,7 +1715,6 @@ int wolfSSL_session_import_internal(WOLFSSL* ssl, const unsigned char* buf,
     int ret = 0;
     int optSz = 0;
     int rc;
-    byte validProto = 0; /* did we find a valid protocol */
 
     WOLFSSL_ENTER("wolfSSL_session_import_internal");
     /* check at least enough room for protocol and length */
@@ -1725,6 +1724,8 @@ int wolfSSL_session_import_internal(WOLFSSL* ssl, const unsigned char* buf,
 
     /* Check if is TLS export protocol */
     if (ret == 0) {
+        byte validProto = 0; /* did we find a valid protocol */
+
         if (buf[idx]             ==  (byte)TLS_EXPORT_PRO &&
            (buf[idx + 1] & 0xF0) == ((byte)TLS_EXPORT_PRO & 0xF0)) {
             validProto = 1;
@@ -8902,7 +8903,6 @@ int DtlsMsgPoolSend(WOLFSSL* ssl, int sendOnlyFirstPacket)
 {
     int ret = 0;
     DtlsMsg* pool;
-    int epochOrder;
 
     WOLFSSL_ENTER("DtlsMsgPoolSend");
 
@@ -8926,6 +8926,8 @@ int DtlsMsgPoolSend(WOLFSSL* ssl, int sendOnlyFirstPacket)
         }
 
         while (pool != NULL) {
+            int epochOrder;
+
             if (pool->epoch == 0) {
                 DtlsRecordLayerHeader* dtls;
 
@@ -10447,9 +10449,6 @@ static int GetRecordHeader(WOLFSSL* ssl, word32* inOutIdx,
                            RecordLayerHeader* rh, word16 *size)
 {
     byte tls12minor;
-#ifdef WOLFSSL_DTLS
-    int ret;
-#endif /* WOLFSSL_DTLS */
 
 #ifdef OPENSSL_ALL
     word32 start = *inOutIdx;
@@ -10469,7 +10468,7 @@ static int GetRecordHeader(WOLFSSL* ssl, word32* inOutIdx,
     }
     else {
 #ifdef WOLFSSL_DTLS
-        ret = GetDtlsRecordHeader(ssl, inOutIdx, rh, size);
+        int ret = GetDtlsRecordHeader(ssl, inOutIdx, rh, size);
         if (ret != 0)
             return ret;
 #endif
@@ -11418,18 +11417,19 @@ static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
 int MatchDomainName(const char* pattern, int len, const char* str)
 {
     int ret = 0;
-    char p, s;
 
     if (pattern == NULL || str == NULL || len <= 0)
         return 0;
 
     while (len > 0) {
 
-        p = (char)XTOLOWER((unsigned char)*pattern++);
+        char p = (char)XTOLOWER((unsigned char)*pattern++);
         if (p == '\0')
             break;
 
         if (p == '*') {
+            char s;
+
             while (--len > 0 &&
                 (p = (char)XTOLOWER((unsigned char)*pattern++)) == '*') {
             }
@@ -16263,14 +16263,14 @@ static WC_INLINE word32 UpdateHighwaterMark(word32 cur, word32 first,
  * expected sequence number. 0 is special where it is an overflow. */
 static void _DtlsUpdateWindowGTSeq(word32 diff, word32* window)
 {
-    word32 idx, temp, i;
     word32 oldWindow[WOLFSSL_DTLS_WINDOW_WORDS];
 
     if (diff == 0 || diff >= DTLS_SEQ_BITS)
         XMEMSET(window, 0, DTLS_SEQ_SZ);
     else {
-        temp = 0;
-        idx = diff / DTLS_WORD_BITS;
+        word32 i;
+        word32 temp = 0;
+        word32 idx = diff / DTLS_WORD_BITS;
         diff %= DTLS_WORD_BITS;
 
         XMEMCPY(oldWindow, window, sizeof(oldWindow));
@@ -18303,14 +18303,13 @@ static byte MaskPadding(const byte* data, int sz, int macSz)
     int i;
     int checkSz = sz - 1;
     byte paddingSz = data[sz - 1];
-    byte mask;
     byte good = ctMaskGT(paddingSz, sz - 1 - macSz);
 
     if (checkSz > TLS_MAX_PAD_SZ)
         checkSz = TLS_MAX_PAD_SZ;
 
     for (i = 0; i < checkSz; i++) {
-        mask = ctMaskLTE(i, paddingSz);
+        byte mask = ctMaskLTE(i, paddingSz);
         good |= mask & (data[sz - 1 - i] ^ paddingSz);
     }
 
@@ -18769,7 +18768,6 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type)
     byte level;
     byte code;
     word32 dataSz = (word32)ssl->curSize;
-    int ivExtra = 0;
 
     #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
         if (ssl->hsInfoOn)
@@ -18787,6 +18785,7 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type)
     #endif
 
     if (IsEncryptionOn(ssl, 0)) {
+        int ivExtra = 0;
 #ifndef WOLFSSL_AEAD_ONLY
         if (ssl->specs.cipher_type == block) {
             if (ssl->options.tls1_1)
@@ -18858,7 +18857,6 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type)
 
 static int GetInputData(WOLFSSL *ssl, word32 size)
 {
-    int in;
     int inSz;
     int maxLength;
     int usedLength;
@@ -18900,7 +18898,7 @@ static int GetInputData(WOLFSSL *ssl, word32 size)
 
     /* read data from network */
     do {
-        in = wolfSSLReceive(ssl,
+        int in = wolfSSLReceive(ssl,
                      ssl->buffers.inputBuffer.buffer +
                      ssl->buffers.inputBuffer.length,
                      inSz);
@@ -18968,7 +18966,6 @@ static WC_INLINE int VerifyMac(WOLFSSL* ssl, const byte* input, word32 msgSz,
                             int content, word32* padSz)
 {
 #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY)
-    int    ivExtra = 0;
     int    ret;
     word32 pad     = 0;
     word32 padByte = 0;
@@ -18982,6 +18979,7 @@ static WC_INLINE int VerifyMac(WOLFSSL* ssl, const byte* input, word32 msgSz,
 
 
     if (ssl->specs.cipher_type == block) {
+        int ivExtra = 0;
         if (ssl->options.tls1_1)
             ivExtra = ssl->specs.block_size;
         pad = *(input + msgSz - ivExtra - 1);
@@ -23032,10 +23030,8 @@ int RetrySendAlert(WOLFSSL* ssl)
 /* send alert message */
 int SendAlert(WOLFSSL* ssl, int severity, int type)
 {
-    int ret;
-
     if (ssl->pendingAlert.level != alert_none) {
-        ret = RetrySendAlert(ssl);
+        int ret = RetrySendAlert(ssl);
         if (ret != 0) {
             if (ssl->pendingAlert.level == alert_none ||
                     (ssl->pendingAlert.level != alert_fatal &&
@@ -24740,13 +24736,13 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
     #endif /* OPENSSL_EXTRA */
 
         for (i = 0; i < suiteSz; i++) {
-            int j;
-
             if (XSTRNCMP(name, cipher_names[i].name, sizeof(name)) == 0
             #ifndef NO_ERROR_STRINGS
                 || XSTRNCMP(name, cipher_names[i].name_iana, sizeof(name)) == 0
             #endif
              ) {
+                int j;
+
             #ifdef WOLFSSL_DTLS
                 /* don't allow stream ciphers with DTLS */
                 if (ctx->method->version.major == DTLS_MAJOR) {
@@ -26929,10 +26925,11 @@ static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType,
             ssl->options.haveEMS = 0; /* If no extensions, no EMS */
 #else
         {
-            int allowExt = 0;
             byte pendingEMS = 0;
 
             if ( (i - begin) < helloSz) {
+                int allowExt = 0;
+
                 if (ssl->version.major == SSLv3_MAJOR &&
                     ssl->version.minor >= TLSv1_MINOR) {
 
@@ -36668,7 +36665,6 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
                     {
                         byte *tmpRsa;
                         byte mask;
-                        int i;
 
                         /* Add the signature length to idx */
                         args->idx += args->length;
@@ -36703,6 +36699,7 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
                         ctMaskCopy(~mask, (byte*)&args->output, (byte*)&tmpRsa,
                             sizeof(args->output));
                         if (args->output != NULL) {
+                            int i;
                             /* Use random secret on error */
                             for (i = VERSION_SZ; i < SECRET_LEN; i++) {
                                 ssl->arrays->preMasterSecret[i] =

src/keys.c

@@ -3326,7 +3326,7 @@ int DeriveKeys(WOLFSSL* ssl)
     int    length = 2 * ssl->specs.hash_size +
                     2 * ssl->specs.key_size  +
                     2 * ssl->specs.iv_size;
-    int    rounds = (length + WC_MD5_DIGEST_SIZE - 1 ) / WC_MD5_DIGEST_SIZE, i;
+    int    rounds = (length + WC_MD5_DIGEST_SIZE - 1 ) / WC_MD5_DIGEST_SIZE;
     int    ret = 0;
 
 #ifdef WOLFSSL_SMALL_STACK
@@ -3375,6 +3375,8 @@ int DeriveKeys(WOLFSSL* ssl)
         ret = wc_InitSha(sha);
     }
     if (ret == 0) {
+        int i;
+
         XMEMCPY(md5Input, ssl->arrays->masterSecret, SECRET_LEN);
 
         for (i = 0; i < rounds; ++i) {

src/ocsp.c

@@ -1260,9 +1260,6 @@ int wolfSSL_OCSP_id_get0_info(WOLFSSL_ASN1_STRING **name,
   WOLFSSL_ASN1_OBJECT **pmd, WOLFSSL_ASN1_STRING **keyHash,
   WOLFSSL_ASN1_INTEGER **serial, WOLFSSL_OCSP_CERTID *cid)
 {
-    int i = 0;
-    WOLFSSL_ASN1_INTEGER* ser;
-
     WOLFSSL_ENTER("wolfSSL_OCSP_id_get0_info");
 
     if (cid == NULL)
@@ -1270,6 +1267,9 @@ int wolfSSL_OCSP_id_get0_info(WOLFSSL_ASN1_STRING **name,
 
     /* build up ASN1_INTEGER for serial */
     if (serial != NULL) {
+        int i = 0;
+        WOLFSSL_ASN1_INTEGER* ser;
+
         ser = wolfSSL_ASN1_INTEGER_new();
         if (ser == NULL)
             return 0;

src/pk.c

@@ -584,7 +584,6 @@ static int wolfssl_print_value(WOLFSSL_BIO* bio, mp_int* value,
     int ret = 1;
     int len;
     char line[PRINT_NUM_MAX_VALUE_LINE + 1];
-    word32 v;
 
     /* Get the length of hex encoded value. */
     len = mp_unsigned_bin_size(value);
@@ -599,7 +598,7 @@ static int wolfssl_print_value(WOLFSSL_BIO* bio, mp_int* value,
     }
     if (ret == 1) {
         /* Get 32-bits of value. */
-        v = (word32)value->dp[0];
+        word32 v = (word32)value->dp[0];
         /* Print the line to the string. */
         len = (int)XSNPRINTF(line, sizeof(line), "%s %u (0x%x)\n", name, v,
             v);
@@ -2296,7 +2295,6 @@ int wolfSSL_RSA_print(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa, int indent)
     int sz = 0;
     RsaKey* key = NULL;
     char line[RSA_PRINT_MAX_HEADER_LINE];
-    int len;
     int i = 0;
     mp_int *num = NULL;
     /* Header strings. */
@@ -2328,7 +2326,7 @@ int wolfSSL_RSA_print(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa, int indent)
     }
     if (ret == 1) {
         /* Print header line. */
-        len = XSNPRINTF(line, sizeof(line), "\nRSA %s: (%d bit)\n",
+        int len = XSNPRINTF(line, sizeof(line), "\nRSA %s: (%d bit)\n",
             (!mp_iszero(&key->d)) ? "Private-Key" : "Public-Key", sz);
         if (len >= (int)sizeof(line)) {
             WOLFSSL_ERROR_MSG("Buffer overflow while formatting key preamble");
@@ -4577,7 +4575,6 @@ int wolfSSL_RSA_blinding_on(WOLFSSL_RSA* rsa, WOLFSSL_BN_CTX* bnCtx)
 int wolfSSL_DSA_print_fp(XFILE fp, WOLFSSL_DSA* dsa, int indent)
 {
     int ret = 1;
-    int pBits;
 
     WOLFSSL_ENTER("wolfSSL_DSA_print_fp");
 
@@ -4586,7 +4583,7 @@ int wolfSSL_DSA_print_fp(XFILE fp, WOLFSSL_DSA* dsa, int indent)
     }
 
     if (ret == 1 && dsa->p != NULL) {
-        pBits = wolfSSL_BN_num_bits(dsa->p);
+        int pBits = wolfSSL_BN_num_bits(dsa->p);
         if (pBits == 0) {
             ret = 0;
         }
@@ -9693,7 +9690,6 @@ char* wolfSSL_EC_POINT_point2hex(const WOLFSSL_EC_GROUP* group,
 {
     static const char* hexDigit = "0123456789ABCDEF";
     char* hex = NULL;
-    int id;
     int i;
     int sz = 0;
     int len = 0;
@@ -9713,7 +9709,7 @@ char* wolfSSL_EC_POINT_point2hex(const WOLFSSL_EC_GROUP* group,
 
     if (!err) {
         /* Get curve id to look up ordinate size. */
-        id = wc_ecc_get_curve_id(group->curve_idx);
+        int id = wc_ecc_get_curve_id(group->curve_idx);
         /* Get size of ordinate. */
         if ((sz = wc_ecc_get_curve_size_from_id(id)) < 0) {
             err = 1;
@@ -9808,7 +9804,6 @@ int wolfSSL_ECPoint_i2d(const WOLFSSL_EC_GROUP *group,
     const WOLFSSL_EC_POINT *point, unsigned char *out, unsigned int *len)
 {
     int res = 1;
-    int ret;
 
     WOLFSSL_ENTER("wolfSSL_ECPoint_i2d");
 
@@ -9830,7 +9825,7 @@ int wolfSSL_ECPoint_i2d(const WOLFSSL_EC_GROUP *group,
 
     if (res == 1) {
         /* DER encode point in uncompressed format. */
-        ret = wc_ecc_export_point_der(group->curve_idx,
+        int ret = wc_ecc_export_point_der(group->curve_idx,
             (ecc_point*)point->internal, out, len);
         /* Check return. When out is NULL, return will be length only error. */
         if ((ret != MP_OKAY) && ((out != NULL) || (ret != LENGTH_ONLY_E))) {
@@ -9965,8 +9960,6 @@ size_t wolfSSL_EC_POINT_point2oct(const WOLFSSL_EC_GROUP *group,
     }
     /* Not infinity. */
     else if (!err) {
-        int ret;
-
         /* Validate format. */
         if (form != POINT_CONVERSION_UNCOMPRESSED
         #ifndef HAVE_SELFTEST
@@ -9977,23 +9970,18 @@ size_t wolfSSL_EC_POINT_point2oct(const WOLFSSL_EC_GROUP *group,
             err = 1;
         }
 
-    #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))
         if (!err) {
+            int ret;
+
+    #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))
             /* Encode as compressed or uncompressed. */
             ret = wc_ecc_export_point_der_ex(group->curve_idx,
                 (ecc_point*)point->internal, buf, &enc_len, compressed);
-            /* Check return. When buf is NULL, return will be length only
-             * error.
-             */
-            if (ret != ((buf != NULL) ? MP_OKAY : LENGTH_ONLY_E)) {
-                err = 1;
-            }
-        }
     #else
-        if (!err) {
             /* Encode uncompressed point in DER format. */
             ret = wc_ecc_export_point_der(group->curve_idx,
                 (ecc_point*)point->internal, buf, &enc_len);
+    #endif /* !HAVE_SELFTEST */
             /* Check return. When buf is NULL, return will be length only
              * error.
              */
@@ -10001,7 +9989,6 @@ size_t wolfSSL_EC_POINT_point2oct(const WOLFSSL_EC_GROUP *group,
                 err = 1;
             }
         }
-    #endif /* !HAVE_SELFTEST */
     }
 
     /* On error, return encoding length of 0. */
@@ -11747,7 +11734,8 @@ int wolfSSL_i2d_ECPrivateKey(const WOLFSSL_EC_KEY *key, unsigned char **out)
 
     /* Calculate the length of the private key DER encoding using internal EC
      * key. */
-    if ((!err) && ((len = wc_EccKeyDerSize((ecc_key*)key->internal, 0)) <= 0)) {
+    if ((!err) && ((int)(len = wc_EccKeyDerSize((ecc_key*)key->internal, 0)) <=
+           0)) {
         WOLFSSL_MSG("wc_EccKeyDerSize error");
         err = 1;
     }
@@ -13222,8 +13210,6 @@ WOLFSSL_ECDSA_SIG* wolfSSL_d2i_ECDSA_SIG(WOLFSSL_ECDSA_SIG** sig,
  */
 int wolfSSL_i2d_ECDSA_SIG(const WOLFSSL_ECDSA_SIG *sig, unsigned char **pp)
 {
-    word32 rLen;
-    word32 sLen;
     word32 len = 0;
 
     /* Validate parameter. */
@@ -13233,10 +13219,10 @@ int wolfSSL_i2d_ECDSA_SIG(const WOLFSSL_ECDSA_SIG *sig, unsigned char **pp)
          *   top bit set.
          */
         /* Get total length of r including any prepended zero. */
-        rLen = mp_leading_bit((mp_int*)sig->r->internal) +
+        word32 rLen = mp_leading_bit((mp_int*)sig->r->internal) +
                mp_unsigned_bin_size((mp_int*)sig->r->internal);
         /* Get total length of s including any prepended zero. */
-        sLen = mp_leading_bit((mp_int*)sig->s->internal) +
+        word32 sLen = mp_leading_bit((mp_int*)sig->s->internal) +
                mp_unsigned_bin_size((mp_int*)sig->s->internal);
         /* Calculate length of data in sequence. */
         len = 1 + ASN_LEN_SIZE(rLen) + rLen +
@@ -13629,7 +13615,6 @@ int wolfSSL_ECDH_compute_key(void *out, size_t outLen,
     int err = 0;
     word32 len = 0;
     ecc_key* key = NULL;
-    int ret;
 #if defined(ECC_TIMING_RESISTANT) && !defined(HAVE_SELFTEST) && \
     (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,0))
     int setGlobalRNG = 0;
@@ -13658,6 +13643,8 @@ int wolfSSL_ECDH_compute_key(void *out, size_t outLen,
     }
 
     if (!err) {
+        int ret;
+
         /* Get the internal key. */
         key = (ecc_key*)privKey->internal;
         /* Set length into variable of type suitable for wolfSSL API. */

src/ssl.c

@@ -1817,14 +1817,13 @@ int wolfSSL_get_ciphers(char* buf, int len)
     const CipherSuiteInfo* ciphers = GetCipherNames();
     int ciphersSz = GetCipherNamesSize();
     int i;
-    int cipherNameSz;
 
     if (buf == NULL || len <= 0)
         return BAD_FUNC_ARG;
 
     /* Add each member to the buffer delimited by a : */
     for (i = 0; i < ciphersSz; i++) {
-        cipherNameSz = (int)XSTRLEN(ciphers[i].name);
+        int cipherNameSz = (int)XSTRLEN(ciphers[i].name);
         if (cipherNameSz + 1 < len) {
             XSTRNCPY(buf, ciphers[i].name, len);
             buf += cipherNameSz;
@@ -4563,14 +4562,13 @@ int wolfSSL_want_write(WOLFSSL* ssl)
 
 char* wolfSSL_ERR_error_string(unsigned long errNumber, char* data)
 {
-    static char tmp[WOLFSSL_MAX_ERROR_SZ] = {0};
-
     WOLFSSL_ENTER("wolfSSL_ERR_error_string");
     if (data) {
         SetErrorString((int)errNumber, data);
         return data;
     }
     else {
+        static char tmp[WOLFSSL_MAX_ERROR_SZ] = {0};
         SetErrorString((int)errNumber, tmp);
         return tmp;
     }
@@ -4583,10 +4581,9 @@ void wolfSSL_ERR_error_string_n(unsigned long e, char* buf, unsigned long len)
     if (len >= WOLFSSL_MAX_ERROR_SZ)
         wolfSSL_ERR_error_string(e, buf);
     else {
-        char tmp[WOLFSSL_MAX_ERROR_SZ];
-
         WOLFSSL_MSG("Error buffer too short, truncating");
         if (len) {
+            char tmp[WOLFSSL_MAX_ERROR_SZ];
             wolfSSL_ERR_error_string(e, tmp);
             XMEMCPY(buf, tmp, len-1);
             buf[len-1] = '\0';
@@ -5102,11 +5099,12 @@ WOLFSSL_CERT_MANAGER* wolfSSL_CertManagerNew(void)
 
 void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm)
 {
-    int doFree = 0;
-    int ret;
     WOLFSSL_ENTER("wolfSSL_CertManagerFree");
 
     if (cm) {
+        int doFree = 0;
+        int ret;
+
         wolfSSL_RefDec(&cm->ref, &doFree, &ret);
     #ifdef WOLFSSL_REFCNT_ERROR_RETURN
         if (ret != 0) {
@@ -6495,9 +6493,6 @@ static int ProcessUserChain(WOLFSSL_CTX* ctx, const unsigned char* buff,
 {
     int ret = 0;
     void* heap = wolfSSL_CTX_GetHeap(ctx, ssl);
-#ifdef WOLFSSL_TLS13
-    int cnt = 0;
-#endif
 
     if ((type == CA_TYPE) && (ctx == NULL)) {
         WOLFSSL_MSG("Need context for CA load");
@@ -6517,6 +6512,9 @@ static int ProcessUserChain(WOLFSSL_CTX* ctx, const unsigned char* buff,
         long   consumed = info->consumed;
         word32 idx = 0;
         int    gotOne = 0;
+    #ifdef WOLFSSL_TLS13
+        int cnt = 0;
+    #endif
 
         /* Calculate max possible size, including max headers */
         bufferSz = (word32)(sz - consumed) + (CERT_HEADER_SZ * MAX_CHAIN_DEPTH);
@@ -8709,9 +8707,7 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
 {
     int ret = WOLFSSL_SUCCESS;
 #ifndef NO_WOLFSSL_DIR
-    int fileRet;
     int successCount = 0;
-    int failCount = 0;
 #endif
     int verify;
 
@@ -8743,6 +8739,8 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
     if (ret == WOLFSSL_SUCCESS && path) {
 #ifndef NO_WOLFSSL_DIR
         char* name = NULL;
+        int fileRet;
+        int failCount = 0;
     #ifdef WOLFSSL_SMALL_STACK
         ReadDirCtx* readCtx;
         readCtx = (ReadDirCtx*)XMALLOC(sizeof(ReadDirCtx), ctx->heap,
@@ -10099,7 +10097,6 @@ static WOLFSSL_EVP_PKEY* d2iGenericKey(WOLFSSL_EVP_PKEY** out,
         word32  keyIdx = 0;
         DhKey*  key = NULL;
         int ret;
-        int elements;
     #ifdef WOLFSSL_SMALL_STACK
         DhKey* dh = (DhKey*)XMALLOC(sizeof(DhKey), NULL, DYNAMIC_TYPE_DH);
         if (dh == NULL)
@@ -10147,7 +10144,8 @@ static WOLFSSL_EVP_PKEY* d2iGenericKey(WOLFSSL_EVP_PKEY** out,
                 keyIdx = 0;
                 if (wc_DhKeyDecode(mem, &keyIdx, key, (word32)memSz) == 0)
                 {
-                    elements = ELEMENT_P | ELEMENT_G | ELEMENT_Q | ELEMENT_PUB;
+                    int elements = ELEMENT_P | ELEMENT_G | ELEMENT_Q |
+                                   ELEMENT_PUB;
                     if (priv)
                         elements |= ELEMENT_PRV;
                     if(SetDhExternal_ex(pkey->dh, elements)
@@ -10480,7 +10478,6 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PUBKEY(WOLFSSL_EVP_PKEY** out,
 /* helper function to get raw pointer to DER buffer from WOLFSSL_EVP_PKEY */
 static int wolfSSL_EVP_PKEY_get_der(const WOLFSSL_EVP_PKEY* key, unsigned char** der)
 {
-    unsigned char* pt;
     int sz;
     word16 pkcs8HeaderSz;
 
@@ -10494,7 +10491,7 @@ static int wolfSSL_EVP_PKEY_get_der(const WOLFSSL_EVP_PKEY* key, unsigned char**
         pkcs8HeaderSz = key->pkcs8HeaderSz;
     sz = key->pkey_sz - pkcs8HeaderSz;
     if (der) {
-        pt = (unsigned char*)key->pkey.ptr;
+        unsigned char* pt = (unsigned char*)key->pkey.ptr;
         if (*der) {
             /* since this function signature has no size value passed in it is
              * assumed that the user has allocated a large enough buffer */
@@ -15014,7 +15011,7 @@ ClientSession* AddSessionToClientCache(int side, int row, int idx, byte* serverI
                             word16 useTicket)
 {
     int error = -1;
-    word32 clientRow = 0, clientIdx = 0, sessionIDHash = 0;
+    word32 clientRow = 0, clientIdx = 0;
     (void)useTicket;
     if (side == WOLFSSL_CLIENT_END
             && row != INVALID_SESSION_ROW
@@ -15046,7 +15043,8 @@ ClientSession* AddSessionToClientCache(int side, int row, int idx, byte* serverI
                 ClientCache[clientRow].Clients[clientIdx].serverIdx =
                                                                 (word16)idx;
                 if (sessionID != NULL) {
-                    sessionIDHash = HashObject(sessionID, ID_LEN, &error);
+                    word32 sessionIDHash = HashObject(sessionID, ID_LEN,
+                                                      &error);
                     if (error == 0) {
                         ClientCache[clientRow].Clients[clientIdx].sessionIDHash
                             = sessionIDHash;
@@ -15477,9 +15475,6 @@ void AddSession(WOLFSSL* ssl)
     const byte* id = NULL;
     byte idSz = 0;
     WOLFSSL_SESSION* session = ssl->session;
-#ifdef HAVE_EXT_CACHE
-    int cbRet = 0;
-#endif
 
     (void)error;
 
@@ -15592,6 +15587,7 @@ void AddSession(WOLFSSL* ssl)
 
 #ifdef HAVE_EXT_CACHE
     if (error == 0 && ssl->ctx->new_sess_cb != NULL) {
+        int cbRet = 0;
         wolfSSL_SESSION_up_ref(session);
         cbRet = ssl->ctx->new_sess_cb(ssl, session);
         if (cbRet == 0)
@@ -21312,8 +21308,6 @@ WOLFSSL_SESSION* wolfSSL_SESSION_dup(WOLFSSL_SESSION* session)
 
 void wolfSSL_FreeSession(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session)
 {
-    int isZero;
-
     session = ClientSessionToSession(session);
     if (session == NULL)
         return;
@@ -21322,6 +21316,7 @@ void wolfSSL_FreeSession(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session)
 
     if (session->ref.count > 0) {
         int ret;
+        int isZero;
         wolfSSL_RefDec(&session->ref, &isZero, &ret);
         (void)ret;
         if (!isZero) {
@@ -21851,7 +21846,6 @@ int wolfSSL_CIPHER_get_auth_nid(const WOLFSSL_CIPHER* cipher)
         {NULL,      NID_undef}
     };
 
-    const struct authnid* sa;
     const char* authStr;
     char n[MAX_SEGMENTS][MAX_SEGMENT_SZ] = {{0}};
 
@@ -21863,6 +21857,7 @@ int wolfSSL_CIPHER_get_auth_nid(const WOLFSSL_CIPHER* cipher)
     authStr = GetCipherAuthStr(n);
 
     if (authStr != NULL) {
+        const struct authnid* sa;
         for(sa = authnid_tbl; sa->alg_name != NULL; sa++) {
             if (XSTRCMP(sa->alg_name, authStr) == 0) {
                 return sa->nid;
@@ -21896,7 +21891,6 @@ int wolfSSL_CIPHER_get_cipher_nid(const WOLFSSL_CIPHER* cipher)
         {NULL,                      NID_undef}
     };
 
-    const struct ciphernid* c;
     const char* encStr;
     char n[MAX_SEGMENTS][MAX_SEGMENT_SZ] = {{0}};
 
@@ -21910,6 +21904,7 @@ int wolfSSL_CIPHER_get_cipher_nid(const WOLFSSL_CIPHER* cipher)
     encStr = GetCipherEncStr(n);
 
     if (encStr != NULL) {
+        const struct ciphernid* c;
         for(c = ciphernid_tbl; c->alg_name != NULL; c++) {
             if (XSTRCMP(c->alg_name, encStr) == 0) {
                 return c->nid;
@@ -21935,7 +21930,6 @@ int wolfSSL_CIPHER_get_digest_nid(const WOLFSSL_CIPHER* cipher)
         {NULL,      NID_undef}
     };
 
-    const struct macnid* mc;
     const char* name;
     const char* macStr;
     char n[MAX_SEGMENTS][MAX_SEGMENT_SZ] = {{0}};
@@ -21956,6 +21950,7 @@ int wolfSSL_CIPHER_get_digest_nid(const WOLFSSL_CIPHER* cipher)
     macStr = GetCipherMacStr(n);
 
     if (macStr != NULL) {
+        const struct macnid* mc;
         for(mc = macnid_tbl; mc->alg_name != NULL; mc++) {
             if (XSTRCMP(mc->alg_name, macStr) == 0) {
                 return mc->nid;
@@ -21986,7 +21981,6 @@ int wolfSSL_CIPHER_get_kx_nid(const WOLFSSL_CIPHER* cipher)
         {NULL,        NID_undef}
     };
 
-    const struct kxnid* k;
     const char* keaStr;
     char n[MAX_SEGMENTS][MAX_SEGMENT_SZ] = {{0}};
 
@@ -22005,6 +21999,7 @@ int wolfSSL_CIPHER_get_kx_nid(const WOLFSSL_CIPHER* cipher)
     keaStr = GetCipherKeaStr(n);
 
     if (keaStr != NULL) {
+        const struct kxnid* k;
         for(k = kxnid_table; k->name != NULL; k++) {
             if (XSTRCMP(k->name, keaStr) == 0) {
                 return k->nid;
@@ -22558,7 +22553,7 @@ int wolfSSL_i2d_PublicKey(const WOLFSSL_EVP_PKEY *key, unsigned char **der)
     word32 inOutIdx = 0;
 #endif
     word32 pub_derSz = 0;
-    int ret = 0;
+    int ret;
     int key_type = 0;
 
     if (key == NULL) {
@@ -22567,7 +22562,7 @@ int wolfSSL_i2d_PublicKey(const WOLFSSL_EVP_PKEY *key, unsigned char **der)
 
     key_type = key->type;
     if ((key_type != EVP_PKEY_EC) && (key_type != EVP_PKEY_RSA)) {
-        ret = WOLFSSL_FATAL_ERROR;
+        return WOLFSSL_FATAL_ERROR;
     }
 
 #ifndef NO_RSA
@@ -22583,20 +22578,18 @@ int wolfSSL_i2d_PublicKey(const WOLFSSL_EVP_PKEY *key, unsigned char **der)
     /* We need to get the DER, then convert it to a public key. But what we get
      * might be a buffered private key so we need to decode it and then encode
      * the public part. */
-    if (ret == 0) {
-        ret = wolfSSL_EVP_PKEY_get_der(key, &local_der);
-        if (ret <= 0) {
-            /* In this case, there was no buffered DER at all. This could be the
-             * case where the key that was passed in was generated. So now we
-             * have to create the local DER. */
-            local_derSz = wolfSSL_i2d_ECPrivateKey(key->ecc, &local_der);
-            if (local_derSz == 0) {
-                ret = WOLFSSL_FATAL_ERROR;
-            }
-        } else {
-            local_derSz = ret;
-            ret = 0;
+    ret = wolfSSL_EVP_PKEY_get_der(key, &local_der);
+    if (ret <= 0) {
+        /* In this case, there was no buffered DER at all. This could be the
+         * case where the key that was passed in was generated. So now we
+         * have to create the local DER. */
+        local_derSz = wolfSSL_i2d_ECPrivateKey(key->ecc, &local_der);
+        if (local_derSz == 0) {
+            ret = WOLFSSL_FATAL_ERROR;
         }
+    } else {
+        local_derSz = ret;
+        ret = 0;
     }
 
     if (ret == 0) {
@@ -22621,7 +22614,7 @@ int wolfSSL_i2d_PublicKey(const WOLFSSL_EVP_PKEY *key, unsigned char **der)
 
     if (ret == 0) {
         pub_derSz = wc_EccPublicKeyDerSize(eccKey, 0);
-        if (pub_derSz <= 0) {
+        if ((int)pub_derSz <= 0) {
             ret = WOLFSSL_FAILURE;
         }
     }
@@ -22637,7 +22630,7 @@ int wolfSSL_i2d_PublicKey(const WOLFSSL_EVP_PKEY *key, unsigned char **der)
 
     if (ret == 0) {
         pub_derSz = wc_EccPublicKeyToDer(eccKey, pub_der, pub_derSz, 0);
-        if (pub_derSz <= 0) {
+        if ((int)pub_derSz <= 0) {
             ret = WOLFSSL_FATAL_ERROR;
         }
     }
@@ -23234,13 +23227,12 @@ const char* wolfSSL_state_string_long(const WOLFSSL* ssl)
  */
 int wolfSSL_PEM_def_callback(char* name, int num, int w, void* key)
 {
-    int sz;
     (void)w;
     WOLFSSL_ENTER("wolfSSL_PEM_def_callback");
 
     /* We assume that the user passes a default password as userdata */
     if (key) {
-        sz = (int)XSTRLEN((const char*)key);
+        int sz = (int)XSTRLEN((const char*)key);
         sz = (sz > num) ? num : sz;
         XMEMCPY(name, key, sz);
         return sz;
@@ -23891,11 +23883,9 @@ long wolfSSL_CTX_sess_number(WOLFSSL_CTX* ctx)
 long wolfSSL_CTX_add_extra_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509)
 {
     byte* chain = NULL;
-    long  chainSz = 0;
     int   derSz;
     const byte* der;
     int   ret;
-    int   idx = 0;
     DerBuffer *derBuffer = NULL;
 
     WOLFSSL_ENTER("wolfSSL_CTX_add_extra_chain_cert");
@@ -23923,6 +23913,9 @@ long wolfSSL_CTX_add_extra_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509)
         }
     }
     else {
+        long chainSz = 0;
+        int  idx = 0;
+
         /* TODO: Do this elsewhere. */
         ret = AllocDer(&derBuffer, derSz, CERT_TYPE, ctx->heap);
         if (ret != 0) {
@@ -25187,7 +25180,6 @@ int wolfSSL_i2d_SSL_SESSION(WOLFSSL_SESSION* sess, unsigned char** p)
 #ifdef SESSION_CERTS
     int i;
 #endif
-    unsigned char *data;
 
     WOLFSSL_ENTER("wolfSSL_i2d_SSL_SESSION");
 
@@ -25256,6 +25248,8 @@ int wolfSSL_i2d_SSL_SESSION(WOLFSSL_SESSION* sess, unsigned char** p)
 #endif
 
     if (p != NULL) {
+        unsigned char *data;
+
         if (*p == NULL)
             *p = (unsigned char*)XMALLOC(size, NULL, DYNAMIC_TYPE_OPENSSL);
         if (*p == NULL)
@@ -26562,8 +26556,6 @@ int wolfSSL_HMAC_Init(WOLFSSL_HMAC_CTX* ctx, const void* key, int keylen,
 int wolfSSL_HMAC_Update(WOLFSSL_HMAC_CTX* ctx, const unsigned char* data,
                     int len)
 {
-    int hmac_error = 0;
-
     WOLFSSL_MSG("wolfSSL_HMAC_Update");
 
     if (ctx == NULL) {
@@ -26572,6 +26564,8 @@ int wolfSSL_HMAC_Update(WOLFSSL_HMAC_CTX* ctx, const unsigned char* data,
     }
 
     if (data) {
+        int hmac_error = 0;
+
         WOLFSSL_MSG("updating hmac");
         hmac_error = wc_HmacUpdate(&ctx->hmac, data, (word32)len);
         if (hmac_error < 0){
@@ -27392,7 +27386,6 @@ int wolfSSL_get_signature_nid(WOLFSSL *ssl, int* nid)
 static int populate_groups(int* groups, int max_count, char *list)
 {
     char *end;
-    int len;
     int count = 0;
     const WOLF_EC_NIST_NAME* nist_name;
 
@@ -27401,6 +27394,8 @@ static int populate_groups(int* groups, int max_count, char *list)
     }
 
     for (end = list; ; list = ++end) {
+        int len;
+
         if (count > max_count) {
             WOLFSSL_MSG("Too many curves in list");
             return -1;
@@ -27476,7 +27471,6 @@ WOLFSSL_EVP_PKEY* wolfSSL_PEM_read_bio_PrivateKey(WOLFSSL_BIO* bio,
     WOLFSSL_EVP_PKEY* pkey = NULL;
     DerBuffer*         der = NULL;
     int             keyFormat = 0;
-    int                 type = -1;
 
     WOLFSSL_ENTER("wolfSSL_PEM_read_bio_PrivateKey");
 
@@ -27486,6 +27480,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_PEM_read_bio_PrivateKey(WOLFSSL_BIO* bio,
     if (pem_read_bio_key(bio, cb, pass, PRIVATEKEY_TYPE, &keyFormat, &der)
             >= 0) {
         const unsigned char* ptr = der->buffer;
+        int                  type = -1;
 
         if (keyFormat) {
             /* keyFormat is Key_Sum enum */
@@ -28418,13 +28413,13 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl)
         WOLFSSL_EVP_PKEY* pkey = NULL;
         DerBuffer*         der = NULL;
         int             keyFormat = 0;
-        int                 type = -1;
 
         WOLFSSL_ENTER("wolfSSL_PEM_read_PrivateKey");
 
         if (pem_read_file_key(fp, cb, pass, PRIVATEKEY_TYPE, &keyFormat,
                                                                    &der) >= 0) {
             const unsigned char* ptr = der->buffer;
+            int                  type = -1;
 
             if (keyFormat) {
                 /* keyFormat is Key_Sum enum */
@@ -28490,7 +28485,6 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl)
         char* nameStr = NULL;
         int nameLen = 0;
         char* headerStr = NULL;
-        int headerLen;
         int headerFound = 0;
         unsigned char* der = NULL;
         word32 derLen = 0;
@@ -28528,6 +28522,8 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl)
                 ret = WOLFSSL_FAILURE;
         }
         if (ret == WOLFSSL_SUCCESS) {
+            int headerLen;
+
             XSTRNCPY(nameStr, pem + PEM_BEGIN_SZ, nameLen);
             nameStr[nameLen] = '\0';
 
@@ -29461,7 +29457,7 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl)
     int wolfSSL_OBJ_ln2nid(const char *ln)
     {
         const WOLFSSL_ObjectInfo *obj_info = wolfssl_object_info;
-        size_t i, lnlen;
+        size_t lnlen;
         WOLFSSL_ENTER("wolfSSL_OBJ_ln2nid");
         if (ln && (lnlen = XSTRLEN(ln)) > 0) {
             /* Accept input like "/commonName=" */
@@ -29470,6 +29466,8 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl)
                 lnlen--;
             }
             if (lnlen) {
+                size_t i;
+
                 if (ln[lnlen-1] == '=') {
                     lnlen--;
                 }
@@ -30465,10 +30463,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_bio(WOLFSSL_BIO* bio,
     unsigned char* mem = NULL;
     int memSz = 0;
     WOLFSSL_EVP_PKEY* key = NULL;
-    int i = 0, j = 0;
     unsigned char* extraBioMem = NULL;
-    int extraBioMemSz = 0;
-    int derLength = 0;
 
     WOLFSSL_ENTER("wolfSSL_d2i_PrivateKey_bio");
 
@@ -30490,6 +30485,9 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_bio(WOLFSSL_BIO* bio,
     }
 
     if (wolfSSL_BIO_read(bio, (unsigned char*)mem, memSz) == memSz) {
+        int extraBioMemSz;
+        int derLength;
+
         /* Determines key type and returns the new private EVP_PKEY object */
         if ((key = wolfSSL_d2i_PrivateKey_EVP(NULL, &mem, (long)memSz)) == NULL) {
             WOLFSSL_MSG("wolfSSL_d2i_PrivateKey_EVP() failure");
@@ -30501,6 +30499,9 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_bio(WOLFSSL_BIO* bio,
         derLength = key->pkey_sz;
         extraBioMemSz = (memSz - derLength);
         if (extraBioMemSz > 0) {
+            int i;
+            int j = 0;
+
             extraBioMem = (unsigned char *)XMALLOC(extraBioMemSz, NULL,
                                                        DYNAMIC_TYPE_TMP_BUFFER);
             if (extraBioMem == NULL) {
@@ -30589,7 +30590,6 @@ static void SESSION_ex_data_cache_update(WOLFSSL_SESSION* session, int idx,
     int i;
     int error = 0;
     SessionRow* sessRow = NULL;
-    WOLFSSL_SESSION* cacheSession = NULL;
     const byte* id;
     byte foundCache = 0;
 
@@ -30619,6 +30619,7 @@ static void SESSION_ex_data_cache_update(WOLFSSL_SESSION* session, int idx,
     }
 
     for (i = 0; i < SESSIONS_PER_ROW && i < sessRow->totalCount; i++) {
+        WOLFSSL_SESSION* cacheSession;
 #ifdef SESSION_CACHE_DYNAMIC_MEM
         cacheSession = sessRow->Sessions[i];
 #else
@@ -34411,10 +34412,8 @@ int wolfSSL_PEM_write_bio_PKCS8PrivateKey(WOLFSSL_BIO* bio,
     byte* pem = NULL;
     int pemSz = 0;
     int type = PKCS8_PRIVATEKEY_TYPE;
-    int algId;
     const byte* curveOid;
     word32 oidSz;
-    int encAlgId = 0;
 
     if (bio == NULL || pkey == NULL)
         return -1;
@@ -34435,6 +34434,7 @@ int wolfSSL_PEM_write_bio_PKCS8PrivateKey(WOLFSSL_BIO* bio,
         WC_RNG rng;
         ret = wc_InitRng(&rng);
         if (ret == 0) {
+            int encAlgId = 0;
         #ifndef NO_DES3
             if (enc == EVP_DES_CBC)
                 encAlgId = DESb;
@@ -34465,6 +34465,7 @@ int wolfSSL_PEM_write_bio_PKCS8PrivateKey(WOLFSSL_BIO* bio,
         type = PKCS8_ENC_PRIVATEKEY_TYPE;
     }
     if (ret == 0 && enc == NULL) {
+        int algId;
         type = PKCS8_PRIVATEKEY_TYPE;
     #ifdef HAVE_ECC
         if (pkey->type == EVP_PKEY_EC) {
@@ -34627,9 +34628,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_AutoPrivateKey(WOLFSSL_EVP_PKEY** pkey,
     const byte* der = *pp;
     word32 idx = 0;
     int len = 0;
-    word32 end = 0;
     int cnt = 0;
-    int type;
     word32 algId;
     word32 keyLen = (word32)length;
 
@@ -34645,7 +34644,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_AutoPrivateKey(WOLFSSL_EVP_PKEY** pkey,
      */
     ret = GetSequence(der, &idx, &len, keyLen);
     if (ret >= 0) {
-        end = idx + len;
+        word32 end = idx + len;
         while (ret >= 0 && idx < end) {
             /* Skip type */
             idx++;
@@ -34664,6 +34663,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_AutoPrivateKey(WOLFSSL_EVP_PKEY** pkey,
     }
 
     if (ret >= 0) {
+        int type;
         /* ECC includes version, private[, curve][, public key] */
         if (cnt >= 2 && cnt <= 4)
             type = EVP_PKEY_EC;
@@ -35917,7 +35917,6 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
     WC_RNG  tmpRNG[1];
 #endif
     int initTmpRng = 0;
-    int blockCount = 0;
 #ifdef HAVE_GLOBAL_RNG
     int used_global = 0;
 #endif
@@ -35964,7 +35963,7 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
     }
     if (rng) {
         /* handles size greater than RNG_MAX_BLOCK_LEN */
-        blockCount = num / RNG_MAX_BLOCK_LEN;
+        int blockCount = num / RNG_MAX_BLOCK_LEN;
 
         while (blockCount--) {
             ret = wc_RNG_GenerateBlock(rng, buf, RNG_MAX_BLOCK_LEN);
@@ -38087,13 +38086,14 @@ WC_PKCS12* wolfSSL_PKCS12_create(char* pass, char* name, WOLFSSL_EVP_PKEY* pkey,
     }
 
     if (ca != NULL) {
-        WC_DerCertList* cur;
         unsigned long numCerts = ca->num;
-        byte* curDer;
-        int   curDerSz = 0;
         WOLFSSL_STACK* sk = ca;
 
         while (numCerts > 0 && sk != NULL) {
+            byte* curDer;
+            WC_DerCertList* cur;
+            int   curDerSz = 0;
+
             cur = (WC_DerCertList*)XMALLOC(sizeof(WC_DerCertList), NULL,
                     DYNAMIC_TYPE_PKCS);
             if (cur == NULL) {

src/ssl_bn.c

@@ -1273,7 +1273,6 @@ static int wolfssl_bn_add_word_int(WOLFSSL_BIGNUM *bn, WOLFSSL_BN_ULONG w,
     int sub)
 {
     int ret = 1;
-    int rc = 0;
 #if DIGIT_BIT < (SIZEOF_LONG * CHAR_BIT)
 #ifdef WOLFSSL_SMALL_STACK
     mp_int* w_mp = NULL;
@@ -1304,6 +1303,7 @@ static int wolfssl_bn_add_word_int(WOLFSSL_BIGNUM *bn, WOLFSSL_BN_ULONG w,
     }
 
     if (ret == 1) {
+        int rc = 0;
 #if DIGIT_BIT < (SIZEOF_LONG * CHAR_BIT)
         if (w > (WOLFSSL_BN_ULONG)MP_MASK) {
             /* Initialize temporary MP integer. */

src/tls.c

@@ -1030,7 +1030,7 @@ static int Hmac_UpdateFinal(Hmac* hmac, byte* digest, const byte* in,
     byte       dummy[WC_MAX_BLOCK_SIZE] = {0};
     int        ret;
     word32     msgSz, blockSz, macSz, padSz, maxSz, realSz;
-    word32     currSz, offset = 0;
+    word32     offset = 0;
     int        msgBlocks, blocks, blockBits;
     int        i;
 
@@ -1102,7 +1102,7 @@ static int Hmac_UpdateFinal(Hmac* hmac, byte* digest, const byte* in,
     ret = wc_HmacUpdate(hmac, header, WOLFSSL_TLS_HMAC_INNER_SZ);
     if (ret == 0) {
         /* Fill the rest of the block with any available data. */
-        currSz = ctMaskLT(msgSz, blockSz) & msgSz;
+        word32 currSz = ctMaskLT(msgSz, blockSz) & msgSz;
         currSz |= ctMaskGTE(msgSz, blockSz) & blockSz;
         currSz -= WOLFSSL_TLS_HMAC_INNER_SZ;
         currSz &= ~(0 - (currSz >> 31));
@@ -2027,7 +2027,6 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, const byte* input, word16 length,
     int cacheOnly = 0;
     SNI *sni = NULL;
     byte type;
-    int matchStat;
     byte matched;
 #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
     WOLFSSL_ECH* ech = NULL;
@@ -2144,6 +2143,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, const byte* input, word16 length,
 #endif
 
     if (matched || sni->options & WOLFSSL_SNI_ANSWER_ON_MISMATCH) {
+        int matchStat;
         int r = TLSX_UseSNI(&ssl->extensions, type, input + offset, size,
                                                                      ssl->heap);
         if (r != WOLFSSL_SUCCESS)
@@ -4443,7 +4443,6 @@ int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl)
     TLSX* ext = NULL;
     TLSX* extension;
     SupportedCurve* clientGroup;
-    SupportedCurve* serverGroup;
     SupportedCurve* group;
     int found = 0;
 
@@ -4476,6 +4475,8 @@ int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl)
 
     ret = TLSX_PopulateSupportedGroups(ssl, &priority);
     if (ret == WOLFSSL_SUCCESS) {
+        SupportedCurve* serverGroup;
+
         ext = TLSX_Find(priority, TLSX_SUPPORTED_GROUPS);
         serverGroup = (SupportedCurve*)ext->data;
 
@@ -5933,8 +5934,6 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output,
                                         byte msgType, word16* pSz)
 {
     WOLFSSL* ssl = (WOLFSSL*)data;
-    byte major;
-    byte* cnt;
     byte tls13minor, tls12minor, tls11minor, isDtls = 0;
 
     tls13minor = (byte)TLSv1_3_MINOR;
@@ -5955,9 +5954,9 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output,
 #endif /* WOLFSSL_DTLS13 */
 
     if (msgType == client_hello) {
-        major = ssl->ctx->method->version.major;
+        byte major = ssl->ctx->method->version.major;
 
-        cnt = output++;
+        byte* cnt = output++;
         *cnt = 0;
 
         if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls13minor)
@@ -6049,11 +6048,8 @@ int TLSX_SupportedVersions_Parse(const WOLFSSL* ssl, const byte* input,
         word16 length, byte msgType, ProtocolVersion* pv, Options* opts,
         TLSX** exts)
 {
-    int i;
-    int len;
     /* The client's greatest minor version that we support */
     byte clientGreatestMinor = SSLv3_MINOR;
-    int set = 0;
     int ret;
     byte major, minor;
     byte tls13minor, tls12minor;
@@ -6072,6 +6068,10 @@ int TLSX_SupportedVersions_Parse(const WOLFSSL* ssl, const byte* input,
 #endif /* WOLFSSL_DTLS13 */
 
     if (msgType == client_hello) {
+        int i;
+        int len;
+        int set = 0;
+
         /* Must contain a length and at least one version. */
         if (length < OPAQUE8_LEN + OPAQUE16_LEN || (length & 1) != 1)
             return BUFFER_ERROR;
@@ -9655,8 +9655,6 @@ int TLSX_PreSharedKey_Parse_ClientHello(TLSX** extensions, const byte* input,
 static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,
                                    word16 length, byte msgType)
 {
-    TLSX*         extension;
-    PreSharedKey* list;
 
     if (msgType == client_hello) {
         return TLSX_PreSharedKey_Parse_ClientHello(&ssl->extensions, input,
@@ -9665,6 +9663,8 @@ static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,
 
     if (msgType == server_hello) {
         word16 idx;
+        PreSharedKey* list;
+        TLSX*         extension;
 
         /* Index of identity chosen by server. */
         if (length != OPAQUE16_LEN)

src/tls13.c

@@ -7702,7 +7702,6 @@ static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo,
     int    ret = 0;
     byte   sigData[MAX_SIG_DATA_SZ];
     word16 sigDataSz;
-    word32 sigSz;
 
     ret = CreateSigData(ssl, sigData, &sigDataSz, 1);
     if (ret != 0)
@@ -7710,6 +7709,7 @@ static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo,
 
     if (sigAlgo == rsa_pss_sa_algo) {
         enum wc_HashType hashType = WC_HASH_TYPE_NONE;
+        word32 sigSz;
 
         ret = ConvertHashPss(hashAlgo, &hashType, NULL);
         if (ret < 0)
@@ -9411,7 +9411,6 @@ int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
  */
 static int SendTls13Finished(WOLFSSL* ssl)
 {
-    int   sendSz;
     int   finishedSz = ssl->specs.hash_size;
     byte* input;
     byte* output;
@@ -9519,26 +9518,26 @@ static int SendTls13Finished(WOLFSSL* ssl)
     } else
 #endif /* WOLFSSL_DTLS13 */
     {
-    /* This message is always encrypted. */
-    sendSz = BuildTls13Message(ssl, output, outputSz, input,
-                               headerSz + finishedSz, handshake, 1, 0, 0);
-    if (sendSz < 0) {
-        WOLFSSL_ERROR_VERBOSE(BUILD_MSG_ERROR);
-        return BUILD_MSG_ERROR;
-    }
-
-    #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
-        if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
-        if (ssl->toInfoOn) {
-            ret = AddPacketInfo(ssl, "Finished", handshake, output, sendSz,
-                          WRITE_PROTO, 0, ssl->heap);
-            if (ret != 0)
-                return ret;
+        /* This message is always encrypted. */
+        int sendSz = BuildTls13Message(ssl, output, outputSz, input,
+                                   headerSz + finishedSz, handshake, 1, 0, 0);
+        if (sendSz < 0) {
+            WOLFSSL_ERROR_VERBOSE(BUILD_MSG_ERROR);
+            return BUILD_MSG_ERROR;
         }
-    #endif
 
-    ssl->buffers.outputBuffer.length += sendSz;
-    ssl->options.buildingMsg = 0;
+        #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
+            if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
+            if (ssl->toInfoOn) {
+                ret = AddPacketInfo(ssl, "Finished", handshake, output, sendSz,
+                              WRITE_PROTO, 0, ssl->heap);
+                if (ret != 0)
+                    return ret;
+            }
+        #endif
+
+        ssl->buffers.outputBuffer.length += sendSz;
+        ssl->options.buildingMsg = 0;
     }
 
     if (ssl->options.side == WOLFSSL_SERVER_END) {
@@ -9679,7 +9678,6 @@ static int SendTls13Finished(WOLFSSL* ssl)
  */
 static int SendTls13KeyUpdate(WOLFSSL* ssl)
 {
-    int    sendSz;
     byte*  input;
     byte*  output;
     int    ret;
@@ -9733,7 +9731,7 @@ static int SendTls13KeyUpdate(WOLFSSL* ssl)
 #endif /* WOLFSSL_DTLS13 */
     {
         /* This message is always encrypted. */
-        sendSz = BuildTls13Message(ssl, output, outputSz, input,
+        int sendSz = BuildTls13Message(ssl, output, outputSz, input,
                                    headerSz + OPAQUE8_LEN, handshake, 0, 0, 0);
         if (sendSz < 0)
             return BUILD_MSG_ERROR;
@@ -12535,7 +12533,6 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
 #if !defined(NO_CERTS) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
     word16 havePSK = 0;
 #endif
-    int advanceState;
     int ret = 0;
 
     WOLFSSL_ENTER("wolfSSL_accept_TLSv13");
@@ -12647,7 +12644,7 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
         /* fragOffset is non-zero when sending fragments. On the last
          * fragment, fragOffset is zero again, and the state can be
          * advanced. */
-        advanceState =
+        int advanceState =
             (ssl->options.acceptState == TLS13_ACCEPT_CLIENT_HELLO_DONE ||
                 ssl->options.acceptState ==
                     TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE ||

src/wolfio.c

@@ -2647,13 +2647,12 @@ void wolfSSL_SetIO_Mynewt(WOLFSSL* ssl, struct mn_socket* mnSocket, struct mn_so
 int uIPSend(WOLFSSL* ssl, char* buf, int sz, void* _ctx)
 {
     uip_wolfssl_ctx *ctx = (struct uip_wolfssl_ctx *)_ctx;
-    int ret;
-    unsigned int max_sendlen;
     int total_written = 0;
     (void)ssl;
     do {
+        int ret;
         unsigned int bytes_left = sz - total_written;
-        max_sendlen = tcp_socket_max_sendlen(&ctx->conn.tcp);
+        unsigned int max_sendlen = tcp_socket_max_sendlen(&ctx->conn.tcp);
         if (bytes_left > max_sendlen) {
             fprintf(stderr, "uIPSend: Send limited by buffer\r\n");
             bytes_left = max_sendlen;

src/x509.c

@@ -12114,7 +12114,6 @@ static int wolfSSL_EscapeString_RFC2253(char* in, word32 inSz,
 {
     word32 inIdx = 0;
     word32 outIdx = 0;
-    char c = 0;
 
     if (in == NULL || out == NULL || inSz == 0 || outSz == 0) {
         return BAD_FUNC_ARG;
@@ -12122,7 +12121,7 @@ static int wolfSSL_EscapeString_RFC2253(char* in, word32 inSz,
 
     for (inIdx = 0; inIdx < inSz; inIdx++) {
 
-        c = in[inIdx];
+        char c = in[inIdx];
 
         if (((inIdx == 0) && (c == ' ' || c == '#')) ||
             ((inIdx == (inSz-1)) && (c == ' ')) ||
@@ -12169,7 +12168,7 @@ static int wolfSSL_EscapeString_RFC2253(char* in, word32 inSz,
 int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name,
                 int indent, unsigned long flags)
 {
-    int i, count = 0, len = 0, tmpSz = 0, nameStrSz = 0, escapeSz = 0;
+    int i, count = 0, nameStrSz = 0, escapeSz = 0;
     char* tmp = NULL;
     char* nameStr = NULL;
     const char *buf = NULL;
@@ -12190,6 +12189,9 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name,
     count = wolfSSL_X509_NAME_entry_count(name);
 
     for (i = 0; i < count; i++) {
+        int len;
+        int tmpSz;
+
         /* reverse name order for RFC2253 and DN_REV */
         if ((flags & XN_FLAG_RFC2253) || (flags & XN_FLAG_DN_REV)) {
             ne = wolfSSL_X509_NAME_get_entry(name, count - i - 1);
@@ -12913,7 +12915,6 @@ int wolfSSL_sk_X509_OBJECT_push(WOLFSSL_STACK* sk, WOLFSSL_X509_OBJECT* obj)
 int wolfSSL_X509_NAME_copy(WOLFSSL_X509_NAME* from, WOLFSSL_X509_NAME* to)
 {
     int i;
-    WOLFSSL_X509_NAME_ENTRY* ne;
 
     WOLFSSL_ENTER("wolfSSL_X509_NAME_copy");
 
@@ -12943,7 +12944,7 @@ int wolfSSL_X509_NAME_copy(WOLFSSL_X509_NAME* from, WOLFSSL_X509_NAME* to)
     to->sz = from->sz;
 
     for (i = 0; i < MAX_NAME_ENTRIES; i++) {
-        ne = wolfSSL_X509_NAME_get_entry(from, i);
+        WOLFSSL_X509_NAME_ENTRY* ne = wolfSSL_X509_NAME_get_entry(from, i);
         if (ne != NULL)
             wolfSSL_X509_NAME_add_entry(to, ne, i, 1);
     }

src/x509_str.c

@@ -61,7 +61,6 @@ WOLFSSL_X509_STORE_CTX* wolfSSL_X509_STORE_CTX_new(void)
 int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx,
      WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509, WOLF_STACK_OF(WOLFSSL_X509)* sk)
 {
-    WOLFSSL_X509* x509_cert;
     int ret = 0;
     (void)sk;
     WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_init");
@@ -83,7 +82,7 @@ int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx,
         ctx->chain  = sk;
         /* Add intermediate certificates from stack to store */
         while (sk != NULL) {
-            x509_cert = sk->data.x509;
+            WOLFSSL_X509* x509_cert = sk->data.x509;
             if (x509_cert != NULL && x509_cert->isCa) {
                 ret = wolfSSL_X509_STORE_add_cert(store, x509_cert);
                 if (ret < 0) {
@@ -195,22 +194,21 @@ int GetX509Error(int e)
  */
 int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
 {
-    int ret = 0;
-    int depth = 0;
-    int error;
-#ifndef NO_ASN_TIME
-    byte *afterDate, *beforeDate;
-#endif
-
     WOLFSSL_ENTER("wolfSSL_X509_verify_cert");
 
     if (ctx != NULL && ctx->store != NULL && ctx->store->cm != NULL
          && ctx->current_cert != NULL && ctx->current_cert->derCert != NULL) {
-            ret = wolfSSL_CertManagerVerifyBuffer(ctx->store->cm,
-                    ctx->current_cert->derCert->buffer,
-                    ctx->current_cert->derCert->length,
-                    WOLFSSL_FILETYPE_ASN1);
+        int ret = 0;
+        int depth = 0;
+        int error;
+    #ifndef NO_ASN_TIME
+        byte *afterDate, *beforeDate;
+    #endif
 
+        ret = wolfSSL_CertManagerVerifyBuffer(ctx->store->cm,
+                ctx->current_cert->derCert->buffer,
+                ctx->current_cert->derCert->length,
+                WOLFSSL_FILETYPE_ASN1);
         /* If there was an error, process it and add it to CTX */
         if (ret < 0) {
             /* Get corresponding X509 error */
@@ -1000,7 +998,6 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str,
     WOLFSSL_CTX* ctx;
     char *name = NULL;
     int ret = WOLFSSL_SUCCESS;
-    int successes = 0;
 #ifdef WOLFSSL_SMALL_STACK
     ReadDirCtx* readCtx = NULL;
 #else
@@ -1044,6 +1041,8 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str,
 
     /* Load files in dir */
     if (dir && ret == WOLFSSL_SUCCESS) {
+        int successes = 0;
+
         #ifdef WOLFSSL_SMALL_STACK
             readCtx = (ReadDirCtx*)XMALLOC(sizeof(ReadDirCtx), ctx->heap,
                                                        DYNAMIC_TYPE_TMP_BUFFER);
@@ -1094,7 +1093,6 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str,
 
 int wolfSSL_X509_CA_num(WOLFSSL_X509_STORE* store)
 {
-    int i = 0;
     int cnt_ret = 0;
     Signer **table;
 
@@ -1107,6 +1105,7 @@ int wolfSSL_X509_CA_num(WOLFSSL_X509_STORE* store)
     table = store->cm->caTable;
     if (table){
         if (wc_LockMutex(&store->cm->caLock) == 0){
+            int i = 0;
             for (i = 0; i < CA_TABLE_SIZE; i++) {
                 Signer* signer = table[i];
                 while (signer) {

wolfcrypt/benchmark/benchmark.c

@@ -1621,10 +1621,9 @@ typedef enum bench_stat_type {
     void bench_stats_print(void)
     {
         int i;
-        bench_stats_t* bstat;
 
         for (i=0; i<gStatsCount; i++) {
-            bstat = &gStats[i];
+            bench_stats_t* bstat = &gStats[i];
             if (bstat->type == BENCH_STAT_SYM) {
                 printf("%-16s %8.3f %s/s\n", bstat->desc, bstat->perfsec,
                     base2 ? "MB" : "mB");
@@ -6209,7 +6208,7 @@ exit:
 
 void bench_rsaKeyGen(int useDeviceID)
 {
-    int    k, keySz;
+    int    k;
 #if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
     const int  keySizes[2] = {1024, 2048};
 #else
@@ -6217,7 +6216,7 @@ void bench_rsaKeyGen(int useDeviceID)
 #endif
 
     for (k = 0; k < (int)(sizeof(keySizes)/sizeof(int)); k++) {
-        keySz = keySizes[k];
+        int keySz = keySizes[k];
         bench_rsaKeyGen_helper(useDeviceID, keySz);
     }
 }

wolfcrypt/src/asn.c

@@ -241,11 +241,13 @@ static word32 BytePrecision(word32 value)
  */
 WOLFSSL_LOCAL word32 SetASNLength(word32 length, byte* output)
 {
-    word32 i = 0, j;
+    word32 i = 0;
 
     if (length < ASN_LONG_LENGTH)
         output[i++] = (byte)length;
     else {
+        word32 j;
+
         output[i++] = (byte)(BytePrecision(length) | ASN_LONG_LENGTH);
 
         for (j = BytePrecision(length); j; --j) {
@@ -2901,7 +2903,6 @@ static int SetASNIntMP(mp_int* n, int maxSz, byte* output)
     int idx = 0;
     int leadingBit;
     int length;
-    int err;
 
     leadingBit = mp_leading_bit(n);
     length = mp_unsigned_bin_size(n);
@@ -2912,7 +2913,7 @@ static int SetASNIntMP(mp_int* n, int maxSz, byte* output)
         return BUFFER_E;
 
     if (output) {
-        err = mp_to_unsigned_bin(n, output + idx);
+        int err = mp_to_unsigned_bin(n, output + idx);
         if (err != MP_OKAY)
             return MP_TO_E;
     }
@@ -2939,7 +2940,6 @@ static int SetASNIntRSA(void* n, byte* output)
     int idx = 0;
     int leadingBit;
     int length;
-    int err;
 
     leadingBit = wc_Rsa_leading_bit(n);
     length = wc_Rsa_unsigned_bin_size(n);
@@ -2948,7 +2948,7 @@ static int SetASNIntRSA(void* n, byte* output)
         return BUFFER_E;
 
     if (output) {
-        err = wc_Rsa_to_unsigned_bin(n, output + idx, length);
+        int err = wc_Rsa_to_unsigned_bin(n, output + idx, length);
         if (err != MP_OKAY)
             return MP_TO_E;
     }
@@ -6432,7 +6432,6 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
 #else
     DECL_ASNGETDATA(dataASN, rsaKeyASN_Length);
     int        ret = 0;
-    int        i;
     byte       version = (byte)-1;
 #if defined(HAVE_PKCS8) || defined(HAVE_PKCS12)
     word32 algId = 0;
@@ -6455,6 +6454,7 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
     CALLOC_ASNGETDATA(dataASN, rsaKeyASN_Length, ret, key->heap);
 
     if (ret == 0) {
+        int i;
         /* Register variable to hold version field. */
         GetASN_Int8Bit(&dataASN[RSAKEYASN_IDX_VER], &version);
         /* Setup data to store INTEGER data in mp_int's in RSA object. */
@@ -8065,7 +8065,6 @@ int wc_EncryptPKCS8Key(byte* key, word32 keySz, byte* out, word32* outSz,
     int encOidSz = 0;
     word32 padSz = 0;
     word32 innerLen = 0;
-    word32 outerLen = 0;
     const byte* pbeOidBuf = NULL;
     word32 pbeOidBufSz = 0;
     word32 pbeLen = 0;
@@ -8119,7 +8118,7 @@ int wc_EncryptPKCS8Key(byte* key, word32 keySz, byte* out, word32* outSz,
     if (ret == 0) {
         /* outerLen = length of PBE encoding + octet string data */
         /* Plus 2 for tag and length for pbe */
-        outerLen = 2 + pbeLen;
+        word32 outerLen = 2 + pbeLen;
         /* Octet string tag, length */
         outerLen += 1 + SetLength(keySz + padSz, NULL);
         /* Octet string bytes */
@@ -8679,13 +8678,14 @@ int ToTraditionalEnc(byte* input, word32 sz, const char* password,
 #define PKCS8_MIN_BLOCK_SIZE 8
 static int Pkcs8Pad(byte* buf, int sz, int blockSz)
 {
-    int i, padSz;
+    int padSz;
 
     /* calculate pad size */
     padSz = blockSz - (sz & (blockSz - 1));
 
     /* pad with padSz value */
     if (buf) {
+        int i;
         for (i = 0; i < padSz; i++) {
             buf[sz+i] = (byte)(padSz & 0xFF);
         }
@@ -8946,9 +8946,7 @@ int EncryptContent(byte* input, word32 inputSz, byte* out, word32* outSz,
     int version;
     int id;
     int blockSz = 0;
-    byte* pkcs8;
     word32 pkcs8Sz = 0;
-    byte cbcIv[MAX_IV_SIZE];
 
     (void)heap;
 
@@ -9017,8 +9015,10 @@ int EncryptContent(byte* input, word32 inputSz, byte* out, word32* outSz,
         }
     }
     if (ret == 0) {
+        byte cbcIv[MAX_IV_SIZE];
         /* Store PKCS#8 key in output buffer. */
-        pkcs8 = (byte*)dataASN[P8ENCPBES1ASN_IDX_ENCDATA].data.buffer.data;
+        byte* pkcs8 =
+            (byte*)dataASN[P8ENCPBES1ASN_IDX_ENCDATA].data.buffer.data;
         XMEMCPY(pkcs8, input, inputSz);
         Pkcs8Pad(pkcs8, inputSz, blockSz);
 
@@ -10254,7 +10254,6 @@ int wc_DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
     /* dsaPubKeyASN is longer than dsaPublicKeyASN. */
     DECL_ASNGETDATA(dataASN, dsaPubKeyASN_Length);
     int ret = 0;
-    int i;
 
     /* Validated parameters. */
     if ((input == NULL) || (inOutIdx == NULL) || (key == NULL)) {
@@ -10264,6 +10263,8 @@ int wc_DsaPublicKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
     ALLOC_ASNGETDATA(dataASN, dsaPubKeyASN_Length, ret, key->heap);
 
     if (ret == 0) {
+        int i;
+
         /* Clear dynamic data items. */
         XMEMSET(dataASN, 0, sizeof(ASNGetData) * dsaPublicKeyASN_Length);
         /* seq
@@ -10450,7 +10451,6 @@ int wc_DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
     /* dsaKeyASN is longer than dsaKeyOctASN. */
     DECL_ASNGETDATA(dataASN, dsaKeyASN_Length);
     int ret = 0;
-    int i;
     byte version = 0;
 
     /* Sanity checks on input */
@@ -10461,6 +10461,8 @@ int wc_DsaPrivateKeyDecode(const byte* input, word32* inOutIdx, DsaKey* key,
     CALLOC_ASNGETDATA(dataASN, dsaKeyASN_Length, ret, key->heap);
 
     if (ret == 0) {
+        int i;
+
         /* Try dsaKeyOctASN */
         /* Initialize key data and set mp_ints for params */
         for (i = 0; i < DSA_INTS - 2; i++) {
@@ -10787,9 +10789,9 @@ static int DsaKeyIntsToDer(DsaKey* key, byte* output, word32* inLen,
                            int ints, int includeVersion)
 {
 #ifndef WOLFSSL_ASN_TEMPLATE
-    word32 seqSz = 0, verSz = 0, rawLen, intTotalLen = 0;
+    word32 seqSz = 0, verSz = 0, intTotalLen = 0;
     word32 sizes[DSA_INTS];
-    int    i, j, outLen, ret = 0, mpSz;
+    int    i, j, outLen, ret = 0;
 
     byte  seq[MAX_SEQ_SZ];
     byte  ver[MAX_VERSION_SZ];
@@ -10804,9 +10806,10 @@ static int DsaKeyIntsToDer(DsaKey* key, byte* output, word32* inLen,
 
     /* write all big ints from key to DER tmps */
     for (i = 0; i < ints; i++) {
+        int mpSz;
         mp_int* keyInt = GetDsaInt(key, i);
+        word32 rawLen = mp_unsigned_bin_size(keyInt) + 1;
 
-        rawLen = mp_unsigned_bin_size(keyInt) + 1;
         tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap,
                                                               DYNAMIC_TYPE_DSA);
         if (tmps[i] == NULL) {
@@ -10861,7 +10864,6 @@ static int DsaKeyIntsToDer(DsaKey* key, byte* output, word32* inLen,
 #else
     DECL_ASNSETDATA(dataASN, dsaKeyASN_Length);
     int ret = 0;
-    int i;
     int sz = 0;
 
     (void)ints;
@@ -10876,6 +10878,8 @@ static int DsaKeyIntsToDer(DsaKey* key, byte* output, word32* inLen,
     CALLOC_ASNSETDATA(dataASN, dsaKeyASN_Length, ret, key->heap);
 
     if (ret == 0) {
+        int i;
+
         if (includeVersion) {
             /* Set the version. */
             SetASN_Int8Bit(&dataASN[DSAKEYASN_IDX_VER], 0);
@@ -13378,8 +13382,6 @@ int GetName(DecodedCert* cert, int nameType, int maxIdx)
     ASNGetData dataASN[certNameASN_Length];
     word32 idx = cert->srcIdx;
     int    ret = 0;
-    char*  full;
-    byte*  hash;
 
     WOLFSSL_MSG("Getting Name");
 
@@ -13389,6 +13391,9 @@ int GetName(DecodedCert* cert, int nameType, int maxIdx)
     ret = GetASN_Items(certNameASN, dataASN, certNameASN_Length, 0,
                        cert->source, &idx, maxIdx);
     if (ret == 0) {
+        char* full;
+        byte* hash;
+
         /* Store offset of SEQUENCE that is start of name. */
         cert->srcIdx = dataASN[CERTNAMEASN_IDX_NAME].offset;
 
@@ -13589,7 +13594,7 @@ int GetAsnTimeString(void* currTime, byte* buf, word32 len)
     XMEMSET(uf_time, 0, sizeof(uf_time));
     /* GetFormattedTime returns length with null terminator */
     data_len = GetFormattedTime(currTime, uf_time, (word32)sizeof(uf_time));
-    if (data_len <= 0) {
+    if ((int)data_len <= 0) {
         return ASN_TIME_E;
     }
     /* ensure room to add 2 bytes (ASN type and length) before proceeding */
@@ -13757,7 +13762,6 @@ int wc_ValidateDate(const byte* date, byte format, int dateType)
     int    i = 0;
     int    timeDiff = 0;
     int    diffHH = 0, diffMM = 0;
-    int    diffSign = 0;
 
 #if defined(NEED_TMP_TIME)
     struct tm tmpTimeStorage;
@@ -13795,6 +13799,8 @@ int wc_ValidateDate(const byte* date, byte format, int dateType)
     }
 
     if ((date[i] == '+') || (date[i] == '-')) {
+        int diffSign;
+
         WOLFSSL_MSG("Using time differential, not Zulu") ;
         diffSign = date[i++] == '+' ? 1 : -1 ;
         if (GetTime(&diffHH, date, &i) != 0)
@@ -13946,7 +13952,6 @@ static int GetDateInfo(const byte* source, word32* idx, const byte** pDate,
     return 0;
 #else
     ASNGetData dataASN[dateASN_Length];
-    int i;
     int ret = 0;
 
     if ((source == NULL) || (idx == NULL)) {
@@ -13961,8 +13966,8 @@ static int GetDateInfo(const byte* source, word32* idx, const byte** pDate,
     }
     if (ret == 0) {
         /* Determine which tag was seen. */
-        i = (dataASN[DATEASN_IDX_UTC].tag != 0) ? DATEASN_IDX_UTC
-                                                : DATEASN_IDX_GT;
+        int i = (dataASN[DATEASN_IDX_UTC].tag != 0) ? DATEASN_IDX_UTC
+                                                    : DATEASN_IDX_GT;
         /* Return data from seen item. */
         if (pFormat != NULL) {
             *pFormat = dataASN[i].tag;
@@ -17870,7 +17875,6 @@ static int DecodeAuthInfo(const byte* input, int sz, DecodedCert* cert)
 
     while ((ret == 0) && (idx < (word32)sz) && (count < MAX_AIA_SZ)) {
         ASNGetData dataASN[accessDescASN_Length];
-        word32 sz32;
 
         /* Clear dynamic data and retrieve OID and name. */
         XMEMSET(dataASN, 0, sizeof(dataASN));
@@ -17880,6 +17884,8 @@ static int DecodeAuthInfo(const byte* input, int sz, DecodedCert* cert)
         ret = GetASN_Items(accessDescASN, dataASN, accessDescASN_Length, 0,
                            input, &idx, sz);
         if (ret == 0) {
+            word32 sz32;
+
             /* Check we have OCSP and URI. */
             if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum == AIA_OCSP_OID) &&
                     (dataASN[ACCESSDESCASN_IDX_LOC].tag == GENERALNAME_URI)) {
@@ -19874,7 +19880,6 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
     DECL_ASNGETDATA(dataASN, x509CertASN_Length);
     int ret = 0;
     int badDate = 0;
-    int i;
     byte version;
     word32 idx;
     word32 serialSz;
@@ -19908,6 +19913,8 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
         ret = ASN_PARSE_E;
     }
     if (ret == 0) {
+        int i;
+
         /* Set fields extracted from data. */
         cert->version = version;
         cert->serialSz = serialSz;
@@ -21263,8 +21270,6 @@ int CheckCertSignature(const byte* cert, word32 certSz, void* heap, void* cm)
 int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
 {
     int    ret = 0;
-    int    checkPathLen = 0;
-    int    decrementMaxPathLen = 0;
 #ifndef WOLFSSL_ASN_TEMPLATE
     word32 confirmOID = 0;
 #ifdef WOLFSSL_CERT_REQ
@@ -21631,6 +21636,8 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
              */
 
             if (cert->ca && cert->pathLengthSet) {
+                int checkPathLen = 0;
+                int decrementMaxPathLen = 0;
                 cert->maxPathLen = cert->pathLength;
                 if (cert->isCA) {
                     WOLFSSL_MSG("\tCA boolean set");
@@ -22514,12 +22521,6 @@ int wc_EncryptedInfoParse(EncryptedInfo* info, const char** pBuffer,
     const char* bufferStart;
     const char* bufferEnd;
     char*       line;
-    word32      lineSz;
-    char*       finish;
-    word32      finishSz;
-    char*       start = NULL;
-    word32      startSz;
-    const char* newline = NULL;
 
     if (info == NULL || pBuffer == NULL || bufSz == 0)
         return BAD_FUNC_ARG;
@@ -22531,6 +22532,13 @@ int wc_EncryptedInfoParse(EncryptedInfo* info, const char** pBuffer,
     line = XSTRNSTR(bufferStart, kProcTypeHeader,
                     min((word32)bufSz, PEM_LINE_LEN));
     if (line != NULL) {
+        word32      lineSz;
+        char*       finish;
+        word32      finishSz;
+        char*       start;
+        word32      startSz;
+        const char* newline = NULL;
+
         if (line >= bufferEnd) {
             return BUFFER_E;
         }
@@ -22802,14 +22810,6 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
     DerBuffer*  der;
     word32      algId = 0;
     word32      idx;
-#if defined(WOLFSSL_ENCRYPTED_KEYS)
-    #if ((defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_DES3)) || \
-         (!defined(NO_AES) && defined(HAVE_AES_CBC) && \
-          defined(HAVE_AES_DECRYPT))) && \
-        !defined(NO_WOLFSSL_SKIP_TRAILING_PAD)
-        int     padVal = 0;
-    #endif
-#endif
 #ifdef OPENSSL_EXTRA
     char        beginBuf[PEM_LINE_LEN + 1]; /* add 1 for null terminator */
     char        endBuf[PEM_LINE_LEN + 1];   /* add 1 for null terminator */
@@ -22903,11 +22903,12 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
     if (!headerEnd) {
 #ifdef OPENSSL_EXTRA
         if (type == PRIVATEKEY_TYPE) {
-            const char* beginEnd;
-            int endLen;
             /* see if there is a -----BEGIN * PRIVATE KEY----- header */
             headerEnd = XSTRNSTR((char*)buff, PRIV_KEY_SUFFIX, sz);
             if (headerEnd) {
+                const char* beginEnd;
+                int endLen;
+
                 beginEnd = headerEnd + XSTR_SIZEOF(PRIV_KEY_SUFFIX);
                 if (beginEnd >= (char*)buff + sz) {
                     return BUFFER_E;
@@ -23140,6 +23141,13 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
                     ret = NO_PASSWORD;
                 }
                 else {
+                #if ((defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_DES3)) || \
+                         (!defined(NO_AES) && defined(HAVE_AES_CBC) && \
+                          defined(HAVE_AES_DECRYPT))) && \
+                        !defined(NO_WOLFSSL_SKIP_TRAILING_PAD)
+                    int     padVal = 0;
+                #endif
+
                     ret = wc_BufferKeyDecrypt(info, der->buffer, der->length,
                         (byte*)password, passwordSz, WC_MD5);
 
@@ -23390,9 +23398,7 @@ int wc_PemCertToDer_ex(const char* fileName, DerBuffer** der)
     byte   staticBuffer[FILE_BUFFER_SIZE];
 #endif
     byte*  fileBuf = staticBuffer;
-    int    dynamic = 0;
     int    ret     = 0;
-    long   sz      = 0;
     XFILE  file    = NULL;
 
     WOLFSSL_ENTER("wc_PemCertToDer");
@@ -23408,6 +23414,9 @@ int wc_PemCertToDer_ex(const char* fileName, DerBuffer** der)
     }
 
     if (ret == 0) {
+        int  dynamic = 0;
+        long sz      = 0;
+
         if (XFSEEK(file, 0, XSEEK_END) != 0) {
             ret = BUFFER_E;
         }
@@ -30546,7 +30555,7 @@ int wc_SetDatesBuffer(Cert* cert, const byte* der, int derSz)
 /* Encode OID string representation to ITU-T X.690 format */
 int EncodePolicyOID(byte *out, word32 *outSz, const char *in, void* heap)
 {
-    word32 val, idx = 0, nb_val;
+    word32 idx = 0, nb_val;
     char *token, *str, *ptr;
     word32 len;
 
@@ -30568,7 +30577,7 @@ int EncodePolicyOID(byte *out, word32 *outSz, const char *in, void* heap)
     token = XSTRTOK(str, ".", &ptr);
     while (token != NULL)
     {
-        val = (word32)XATOI(token);
+        word32 val = (word32)XATOI(token);
 
         if (nb_val == 0) {
             if (val > 2) {
@@ -30592,12 +30601,12 @@ int EncodePolicyOID(byte *out, word32 *outSz, const char *in, void* heap)
             out[idx++] += (byte)val;
         }
         else {
-            word32  tb = 0, x;
+            word32  tb = 0;
             int     i = 0;
             byte    oid[MAX_OID_SZ];
 
             while (val >= 128) {
-                x = val % 128;
+                word32 x = val % 128;
                 val /= 128;
                 oid[i++] = (byte) (((tb++) ? 0x80 : 0) | x);
             }

wolfcrypt/src/coding.c

@@ -558,7 +558,6 @@ int Base16_Encode(const byte* in, word32 inLen, byte* out, word32* outLen)
 {
     word32 outIdx = 0;
     word32 i;
-    byte   hb, lb;
 
     if (in == NULL || out == NULL || outLen == NULL)
         return BAD_FUNC_ARG;
@@ -567,8 +566,8 @@ int Base16_Encode(const byte* in, word32 inLen, byte* out, word32* outLen)
         return BAD_FUNC_ARG;
 
     for (i = 0; i < inLen; i++) {
-        hb = in[i] >> 4;
-        lb = in[i] & 0x0f;
+        byte hb = in[i] >> 4;
+        byte lb = in[i] & 0x0f;
 
         /* ASCII value */
         hb += '0';

wolfcrypt/src/curve25519.c

@@ -83,8 +83,8 @@ static WC_INLINE int curve25519_priv_clamp_check(const byte* priv)
 static WC_INLINE void curve25519_copy_point(byte* out, const byte* point,
     int endian)
 {
-    int i;
     if (endian == EC25519_BIG_ENDIAN) {
+        int i;
         /* put shared secret key in Big Endian format */
         for (i = 0; i < CURVE25519_KEYSIZE; i++) {
             out[i] = point[CURVE25519_KEYSIZE - i -1];

wolfcrypt/src/curve448.c

@@ -236,7 +236,6 @@ int wc_curve448_export_public_ex(curve448_key* key, byte* out, word32* outLen,
                                  int endian)
 {
     int ret = 0;
-    int i;
 
     if ((key == NULL) || (out == NULL) || (outLen == NULL)) {
         ret = BAD_FUNC_ARG;
@@ -258,6 +257,7 @@ int wc_curve448_export_public_ex(curve448_key* key, byte* out, word32* outLen,
     if (ret == 0) {
         *outLen = CURVE448_PUB_KEY_SIZE;
         if (endian == EC448_BIG_ENDIAN) {
+            int i;
             /* read keys in Big Endian format */
             for (i = 0; i < CURVE448_PUB_KEY_SIZE; i++) {
                 out[i] = key->p[CURVE448_PUB_KEY_SIZE - i - 1];
@@ -304,7 +304,6 @@ int wc_curve448_import_public_ex(const byte* in, word32 inLen,
                                  curve448_key* key, int endian)
 {
     int ret = 0;
-    int i;
 
     /* sanity check */
     if ((key == NULL) || (in == NULL)) {
@@ -318,6 +317,7 @@ int wc_curve448_import_public_ex(const byte* in, word32 inLen,
 
     if (ret == 0) {
         if (endian == EC448_BIG_ENDIAN) {
+            int i;
             /* read keys in Big Endian format */
             for (i = 0; i < CURVE448_PUB_KEY_SIZE; i++) {
                 key->p[i] = in[CURVE448_PUB_KEY_SIZE - i - 1];
@@ -345,7 +345,6 @@ int wc_curve448_import_public_ex(const byte* in, word32 inLen,
 int wc_curve448_check_public(const byte* pub, word32 pubSz, int endian)
 {
     int ret = 0;
-    word32 i;
 
     if (pub == NULL) {
         ret = BAD_FUNC_ARG;
@@ -362,6 +361,8 @@ int wc_curve448_check_public(const byte* pub, word32 pubSz, int endian)
     }
 
     if (ret == 0) {
+        word32 i;
+
         if (endian == EC448_LITTLE_ENDIAN) {
             /* Check for value of zero or one */
             for (i = CURVE448_PUB_KEY_SIZE - 1; i > 0; i--) {
@@ -465,7 +466,6 @@ int wc_curve448_export_private_raw_ex(curve448_key* key, byte* out,
                                       word32* outLen, int endian)
 {
     int ret = 0;
-    int i;
 
     /* sanity check */
     if ((key == NULL) || (out == NULL) || (outLen == NULL)) {
@@ -481,6 +481,7 @@ int wc_curve448_export_private_raw_ex(curve448_key* key, byte* out,
         *outLen = CURVE448_KEY_SIZE;
 
         if (endian == EC448_BIG_ENDIAN) {
+            int i;
             /* put the key in Big Endian format */
             for (i = 0; i < CURVE448_KEY_SIZE; i++) {
                 out[i] = key->k[CURVE448_KEY_SIZE - i - 1];
@@ -630,7 +631,6 @@ int wc_curve448_import_private_ex(const byte* priv, word32 privSz,
                                   curve448_key* key, int endian)
 {
     int ret = 0;
-    int i;
 
     /* sanity check */
     if ((key == NULL) || (priv == NULL)) {
@@ -644,6 +644,7 @@ int wc_curve448_import_private_ex(const byte* priv, word32 privSz,
 
     if (ret == 0) {
         if (endian == EC448_BIG_ENDIAN) {
+            int i;
             /* read the key in Big Endian format */
             for (i = 0; i < CURVE448_KEY_SIZE; i++) {
                 key->k[i] = priv[CURVE448_KEY_SIZE - i - 1];

wolfcrypt/src/dh.c

@@ -2375,14 +2375,13 @@ int wc_DhExportKeyPair(DhKey* key, byte* priv, word32* pPrivSz,
     byte* pub, word32* pPubSz)
 {
     int ret = 0;
-    word32 pubSz, privSz;
 
     if (key == NULL || (priv && pPrivSz == NULL) || (pub && pPubSz == NULL)) {
         return BAD_FUNC_ARG;
     }
 
     if (priv) {
-        privSz = mp_unsigned_bin_size(&key->priv);
+        word32 privSz = mp_unsigned_bin_size(&key->priv);
         if (privSz > *pPrivSz) {
             return BUFFER_E;
         }
@@ -2391,7 +2390,7 @@ int wc_DhExportKeyPair(DhKey* key, byte* priv, word32* pPrivSz,
     }
 
     if (pub) {
-        pubSz = mp_unsigned_bin_size(&key->pub);
+        word32 pubSz = mp_unsigned_bin_size(&key->pub);
         if (pubSz > *pPubSz) {
             return BUFFER_E;
         }

wolfcrypt/src/evp.c

@@ -438,9 +438,9 @@ int wolfSSL_EVP_DigestInit_ex(WOLFSSL_EVP_MD_CTX* ctx,
 
 static int fillBuff(WOLFSSL_EVP_CIPHER_CTX *ctx, const unsigned char *in, int sz)
 {
-    int fill;
-
     if (sz > 0) {
+        int fill;
+
         if ((sz+ctx->bufUsed) > ctx->block_size) {
             fill = ctx->block_size - ctx->bufUsed;
         } else {
@@ -736,7 +736,6 @@ int wolfSSL_EVP_CipherUpdate(WOLFSSL_EVP_CIPHER_CTX *ctx,
                                    const unsigned char *in, int inl)
 {
     int blocks;
-    int fill;
 
     WOLFSSL_ENTER("wolfSSL_EVP_CipherUpdate");
     if ((ctx == NULL) || (outl == NULL)) {
@@ -820,7 +819,7 @@ int wolfSSL_EVP_CipherUpdate(WOLFSSL_EVP_CIPHER_CTX *ctx,
         return WOLFSSL_SUCCESS;
     }
     if (ctx->bufUsed > 0) { /* concatenate them if there is anything */
-        fill = fillBuff(ctx, in, inl);
+        int fill = fillBuff(ctx, in, inl);
         inl -= fill;
         in  += fill;
     }
@@ -946,13 +945,7 @@ static WC_INLINE void IncCtr(byte* ctr, word32 ctrSz)
 int wolfSSL_EVP_CipherFinal(WOLFSSL_EVP_CIPHER_CTX *ctx, unsigned char *out,
                             int *outl)
 {
-    int fl;
     int ret = WOLFSSL_SUCCESS;
-#if (defined(HAVE_AESGCM) || defined(HAVE_AESCCM)) && \
-        ((!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) \
-            || FIPS_VERSION_GE(2,0))
-    byte tmp = 0;
-#endif
 
     if (!ctx || !outl)
         return WOLFSSL_FAILURE;
@@ -1149,6 +1142,7 @@ int wolfSSL_EVP_CipherFinal(WOLFSSL_EVP_CIPHER_CTX *ctx, unsigned char *out,
                     ret = WOLFSSL_FAILURE;
                 }
                 else if (ctx->lastUsed) {
+                    int fl;
                     PRINT_BUF(ctx->lastBlock, ctx->block_size);
                     if ((fl = checkPad(ctx, ctx->lastBlock)) >= 0) {
                         XMEMCPY(out, ctx->lastBlock, fl);
@@ -1177,6 +1171,8 @@ int wolfSSL_EVP_CipherFinal(WOLFSSL_EVP_CIPHER_CTX *ctx, unsigned char *out,
 #if (defined(HAVE_AESGCM) || defined(HAVE_AESCCM)) && \
         ((!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) \
             || FIPS_VERSION_GE(2,0))
+        byte tmp = 0;
+
         /*
          * This flag needs to retain its value between wolfSSL_EVP_CipherFinal
          * calls. wolfSSL_EVP_CipherInit will clear it, so we save and restore
@@ -1907,7 +1903,6 @@ int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_
     int len;
 #ifdef HAVE_HKDF
     enum wc_HashType hkdfHashType;
-    int hkdfHashSz;
 #endif
 
     WOLFSSL_ENTER("wolfSSL_EVP_PKEY_derive");
@@ -2045,7 +2040,7 @@ int wolfSSL_EVP_PKEY_derive(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *key, size_
                 return WOLFSSL_FAILURE;
             }
             else {
-                hkdfHashSz = wolfSSL_EVP_MD_size(ctx->pkey->hkdfMd);
+                int hkdfHashSz = wolfSSL_EVP_MD_size(ctx->pkey->hkdfMd);
                 if (hkdfHashSz <= 0) {
                     WOLFSSL_MSG("Failed to get block size for HKDF hash.");
                     return WOLFSSL_FAILURE;
@@ -2502,9 +2497,9 @@ int wolfSSL_EVP_PKEY_sign(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *sig,
     switch (ctx->pkey->type) {
 #if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
     case EVP_PKEY_RSA: {
-        int len;
         unsigned int usiglen = (unsigned int)*siglen;
         if (!sig) {
+            int len;
             if (!ctx->pkey->rsa)
                 return WOLFSSL_FAILURE;
             len = wc_RsaEncryptSize((RsaKey*)ctx->pkey->rsa->internal);
@@ -3418,9 +3413,8 @@ static const struct s_ent {
 
 static enum wc_HashType EvpMd2MacType(const WOLFSSL_EVP_MD *md)
 {
-    const struct s_ent *ent ;
-
     if (md != NULL) {
+        const struct s_ent *ent;
         for (ent = md_tbl; ent->name != NULL; ent++) {
             if (XSTRCMP((const char *)md, ent->name) == 0) {
                 return ent->macType;
@@ -3714,7 +3708,6 @@ static int wolfSSL_evp_digest_pk_init(WOLFSSL_EVP_MD_CTX *ctx,
 
     if (pkey->type == EVP_PKEY_HMAC) {
         int                  hashType;
-        const unsigned char* key;
 
     #ifndef NO_SHA256
         if (XSTRCMP(type, "SHA256") == 0) {
@@ -3772,6 +3765,7 @@ static int wolfSSL_evp_digest_pk_init(WOLFSSL_EVP_MD_CTX *ctx,
 
         {
             size_t keySz = 0;
+            const unsigned char* key;
 
             key = wolfSSL_EVP_PKEY_get0_hmac(pkey, &keySz);
 
@@ -5043,11 +5037,11 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
     /* returns the NID of message digest used by the ctx */
     int wolfSSL_EVP_MD_CTX_type(const WOLFSSL_EVP_MD_CTX *ctx)
     {
-        const struct s_ent *ent;
-
         WOLFSSL_ENTER("EVP_MD_CTX_type");
 
         if (ctx) {
+            const struct s_ent *ent;
+
             if (ctx->isHMAC) {
                 return NID_hmac;
             }
@@ -5084,11 +5078,12 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
     static int wolfSSL_EVP_MD_Copy_Hasher(WOLFSSL_EVP_MD_CTX* des,
             const WOLFSSL_EVP_MD_CTX* src)
     {
-        int ret;
         if (src->isHMAC) {
             return wolfSSL_HmacCopy(&des->hash.hmac, (Hmac*)&src->hash.hmac);
         }
         else {
+            int ret;
+
             switch (src->macType) {
                 case WC_HASH_TYPE_MD5:
             #ifndef NO_MD5
@@ -5792,8 +5787,10 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type)
                                     int arg, void *ptr)
     {
         int ret = WOLFSSL_FAILURE;
+#if defined(HAVE_AESGCM) || (defined(HAVE_CHACHA) && defined(HAVE_POLY1305))
 #ifndef WC_NO_RNG
         WC_RNG rng;
+#endif
 #endif
         if (ctx == NULL)
             return WOLFSSL_FAILURE;
@@ -9760,8 +9757,6 @@ static int PrintPubKeyRSA(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
     word32 eSz;             /* size of public exponent */
     const byte*  n   = NULL;
     const byte*  e   = NULL; /* pointer to modulus/exponent */
-    int idx;
-    int wsz;
     word32 i;
     unsigned long exponent = 0;
 #ifdef WOLFSSL_SMALL_STACK
@@ -9794,6 +9789,9 @@ static int PrintPubKeyRSA(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
     }
 
     do {
+        int idx;
+        int wsz;
+
         /* parse key to get modulus and exponent */
         if (wc_RsaPublicKeyDecode_ex(pkey, &inOutIdx, pkeySz,
                                                 &n, &nSz, &e, &eSz) != 0) {
@@ -9916,7 +9914,6 @@ static int PrintPubKeyEC(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
     word32  oidSz = 0;
     const char* OIDName = NULL;
     const char* nistCurveName = NULL;
-    int     nid;
     int idx = 0;
     int wsz = 0;
 #ifdef WOLFSSL_SMALL_STACK
@@ -9982,7 +9979,7 @@ static int PrintPubKeyEC(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
 
     /* get NIST curve name */
     if (res == WOLFSSL_SUCCESS) {
-        nid = EccEnumToNID(curveId);
+        int nid = EccEnumToNID(curveId);
         if (nid != -1) {
             /* look up object name and nist curve name*/
             OIDName = wolfSSL_OBJ_nid2sn(nid);
@@ -10111,10 +10108,6 @@ static int PrintPubKeyDSA(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
     word32  inOutIdx = 0;
     word32  oid;
     byte    tagFound;
-    byte    *p = NULL, * q = NULL, * g = NULL, * y = NULL;
-    int     pSz, qSz, gSz, ySz;
-    int idx;
-    int wsz;
 #ifdef WOLFSSL_SMALL_STACK
     mp_int* a = NULL;
 #else
@@ -10147,6 +10140,11 @@ static int PrintPubKeyDSA(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
     }
 
     do {
+        byte *p = NULL, * q = NULL, * g = NULL, * y = NULL;
+        int pSz, qSz, gSz, ySz;
+        int idx;
+        int wsz;
+
         if (GetSequence(pkey, &inOutIdx, &length, pkeySz) < 0) {
             break;
         }
@@ -10329,12 +10327,8 @@ static int PrintPubKeyDH(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
     word32  oid;
     byte    tagFound;
     byte*   prime = NULL;
-    int     primeSz;
     byte    generator;
     byte*   publicKey = NULL;
-    int     publicKeySz;
-    int     idx;
-    int     wsz;
     word32  outSz;
     byte    outHex[3];
 #ifdef WOLFSSL_SMALL_STACK
@@ -10369,6 +10363,11 @@ static int PrintPubKeyDH(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
     }
 
     do {
+        int primeSz;
+        int publicKeySz;
+        int idx;
+        int wsz;
+
         if (GetSequence(pkey, &inOutIdx, (int*)&length, pkeySz) < 0) {
             break;
         }
@@ -10835,7 +10834,6 @@ void wolfSSL_EVP_EncodeInit(WOLFSSL_EVP_ENCODE_CTX* ctx)
 int  wolfSSL_EVP_EncodeUpdate(WOLFSSL_EVP_ENCODE_CTX* ctx,
             unsigned char* out, int* outl, const unsigned char* in, int inl)
 {
-    int cpysz;
     int res;
     word32 outsz = 0;
 
@@ -10850,7 +10848,7 @@ int  wolfSSL_EVP_EncodeUpdate(WOLFSSL_EVP_ENCODE_CTX* ctx,
      * to create a block(48bytes) for encoding
      */
     if (ctx->remaining > 0 && inl > 0) {
-        cpysz = min((BASE64_ENCODE_BLOCK_SIZE - ctx->remaining), inl);
+        int cpysz = min((BASE64_ENCODE_BLOCK_SIZE - ctx->remaining), inl);
         XMEMCPY(ctx->data + ctx->remaining, in, cpysz);
         ctx->remaining += cpysz;
         in             += cpysz;
@@ -10968,7 +10966,6 @@ int  wolfSSL_EVP_DecodeUpdate(WOLFSSL_EVP_ENCODE_CTX* ctx,
     int    res;
     int    pad = 0;
     int    i;
-    int cpySz;
     unsigned char c;
     int pad3 = 0;
     int pad4 = 0;
@@ -10996,7 +10993,7 @@ int  wolfSSL_EVP_DecodeUpdate(WOLFSSL_EVP_ENCODE_CTX* ctx,
     a block(4bytes) for decoding*/
     if ( ctx->remaining > 0 && inl > 0) {
 
-        cpySz = min((BASE64_DECODE_BLOCK_SIZE - ctx->remaining), inl);
+        int cpySz = min((BASE64_DECODE_BLOCK_SIZE - ctx->remaining), inl);
 
         for ( i = 0; cpySz > 0 && inLen > 0; i++) {
             if (Base64_SkipNewline(in, &inLen, &j) == ASN_INPUT_E) {
@@ -11165,7 +11162,6 @@ int  wolfSSL_EVP_DecodeFinal(WOLFSSL_EVP_ENCODE_CTX* ctx,
     word32 outsz = 0;
     word32 inLen;
     word32 j = 0;
-    int res;
 
     WOLFSSL_ENTER("wolfSSL_EVP_DecodeFinal");
 
@@ -11178,6 +11174,8 @@ int  wolfSSL_EVP_DecodeFinal(WOLFSSL_EVP_ENCODE_CTX* ctx,
     }
 
     if (ctx->remaining > 0) {
+        int res;
+
         inLen = ctx->remaining;
         if ((res = Base64_SkipNewline(ctx->data, &inLen, &j)) != 0) {
             *outl = 0;

wolfcrypt/src/kdf.c

@@ -767,7 +767,7 @@ int wc_SSH_KDF(byte hashId, byte keyId, byte* key, word32 keySz,
     }
 
     digestSz = wc_HmacSizeByType(enmhashId);
-    if (digestSz < 0) {
+    if (digestSz <= 0) {
         return BAD_FUNC_ARG;
     }
 

wolfcrypt/src/logging.c

@@ -358,7 +358,7 @@ void WOLFSSL_MSG(const char* msg)
 #endif
 void WOLFSSL_BUFFER(const byte* buffer, word32 length)
 {
-    int i, buflen = (int)length, bufidx;
+    int i, buflen = (int)length;
     char line[(LINE_LEN * 4) + 3]; /* \t00..0F | chars...chars\0 */
 
     if (!loggingEnabled) {
@@ -371,7 +371,7 @@ void WOLFSSL_BUFFER(const byte* buffer, word32 length)
     }
 
     while (buflen > 0) {
-        bufidx = 0;
+        int bufidx = 0;
         XSNPRINTF(&line[bufidx], sizeof(line)-bufidx, "\t");
         bufidx++;
 
@@ -621,10 +621,10 @@ int wc_AddErrorNode(int error, int line, char* reason, char* file)
  */
 void wc_RemoveErrorNode(int relative_idx)
 {
-    int last_idx, abs_idx = get_abs_idx(relative_idx);
-    size_t move_count;
+    int abs_idx = get_abs_idx(relative_idx);
 
     if (abs_idx >= 0) {
+        size_t move_count;
         if (abs_idx >= (int)wc_errors.head_idx) {
             /* removed entry sits "above" head (or is head),
              * move entries below it "up" */
@@ -640,7 +640,7 @@ void wc_RemoveErrorNode(int relative_idx)
         else {
             /* removed entry sits "below" head (wrap around),
              * move entries above it "down" */
-            last_idx = get_abs_idx(-1);
+            int last_idx = get_abs_idx(-1);
             if (last_idx >= abs_idx) {  /* this SHOULD always be true */
                 move_count = (last_idx - abs_idx);
                 if (move_count > 0) {
@@ -693,8 +693,6 @@ unsigned long wc_PeekErrorNodeLineData(const char **file, int *line,
                                        const char **data, int *flags,
                                        int (*ignore_err)(int err))
 {
-    int ret = 0;
-
     WOLFSSL_ENTER("wc_PeekErrorNodeLineData");
 
     /* No data or flags stored - error display only in Nginx. */
@@ -706,7 +704,7 @@ unsigned long wc_PeekErrorNodeLineData(const char **file, int *line,
     }
 
     while (1) {
-        ret = wc_PeekErrorNode(0, file, NULL, line);
+        int ret = wc_PeekErrorNode(0, file, NULL, line);
         if (ret == BAD_STATE_E) {
             WOLFSSL_MSG("Issue peeking at error node in queue");
             return 0;
@@ -757,7 +755,6 @@ unsigned long wc_GetErrorNodeErr(void)
 void wc_ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u),
                             void *u)
 {
-    struct wc_error_entry *entry;
     size_t i;
 
     WOLFSSL_ENTER("wc_ERR_print_errors_cb");
@@ -768,7 +765,7 @@ void wc_ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u),
     }
 
     for (i = 0; i < wc_errors.count; ++i) {
-        entry = get_entry((int)i);
+        struct wc_error_entry *entry = get_entry((int)i);
         if (entry == NULL)
             break;
         cb(entry->reason, XSTRLEN(entry->reason), u);
@@ -1200,7 +1197,6 @@ unsigned long wc_PeekErrorNodeLineData(const char **file, int *line,
                                        const char **data, int *flags,
                                        int (*ignore_err)(int err))
 {
-    int ret = 0;
     int idx;
 
     WOLFSSL_ENTER("wc_PeekErrorNodeLineData");
@@ -1220,7 +1216,7 @@ unsigned long wc_PeekErrorNodeLineData(const char **file, int *line,
 
     idx = getErrorNodeCurrentIdx();
     while (1) {
-        ret = peekErrorNode(idx, file, NULL, line);
+        int ret = peekErrorNode(idx, file, NULL, line);
         if (ret == BAD_MUTEX_E || ret == BAD_FUNC_ARG || ret == BAD_STATE_E) {
             WOLFSSL_MSG("Issue peeking at error node in queue");
             return 0;

wolfcrypt/src/memory.c

@@ -242,7 +242,6 @@ void wc_MemZero_Check(void* addr, size_t len)
                     memZero[i].name, memZero[i].addr, j);
                 fprintf(stderr, "[MEM_ZERO] Checking %p:%ld\n", addr, len);
                 abort();
-                break;
             }
         }
         /* Update next index to write to. */
@@ -602,7 +601,6 @@ int wolfSSL_load_static_memory(byte* buffer, word32 sz, int flag,
 
     /* divide into chunks of memory and add them to available list */
     while (ava >= (heap->sizeList[0] + padSz + memSz)) {
-        int i;
         /* creating only IO buffers from memory passed in, max TLS is 16k */
         if (flag & WOLFMEM_IO_POOL || flag & WOLFMEM_IO_POOL_FIXED) {
             if ((ret = create_memory_buckets(pt, ava,
@@ -622,6 +620,7 @@ int wolfSSL_load_static_memory(byte* buffer, word32 sz, int flag,
             ava -= ret;
         }
         else {
+            int i;
             /* start at largest and move to smaller buckets */
             for (i = (WOLFMEM_MAX_BUCKETS - 1); i >= 0; i--) {
                 if ((heap->sizeList[i] + padSz + memSz) <= ava) {
@@ -1054,7 +1053,6 @@ void* wolfSSL_Realloc(void *ptr, size_t size, void* heap, int type)
 {
     void* res = 0;
     wc_Memory* pt = NULL;
-    word32 prvSz;
     int    i;
 
     /* check for testing heap hint was set */
@@ -1120,7 +1118,7 @@ void* wolfSSL_Realloc(void *ptr, size_t size, void* heap, int type)
                 res = pt->buffer;
 
                 /* copy over original information and free ptr */
-                prvSz = ((wc_Memory*)((byte*)ptr - padSz -
+                word32 prvSz = ((wc_Memory*)((byte*)ptr - padSz -
                                                sizeof(wc_Memory)))->sz;
                 prvSz = (prvSz > pt->sz)? pt->sz: prvSz;
                 XMEMCPY(pt->buffer, ptr, prvSz);

wolfcrypt/src/misc.c

@@ -181,18 +181,18 @@ WC_MISC_STATIC WC_INLINE word32 ByteReverseWord32(word32 value)
 WC_MISC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in,
                                     word32 byteCount)
 {
-    word32 count, i;
+    word32 i;
 
 #ifdef WOLFSSL_USE_ALIGN
     if ((((size_t)in & 0x3) == 0) &&
         (((size_t)out & 0x3) == 0))
-    {
 #endif
-        count = byteCount/(word32)sizeof(word32);
+    {
+        word32 count = byteCount/(word32)sizeof(word32);
         for (i = 0; i < count; i++)
             out[i] = ByteReverseWord32(in[i]);
-#ifdef WOLFSSL_USE_ALIGN
     }
+#ifdef WOLFSSL_USE_ALIGN
     else {
         byte *in_bytes = (byte *)in;
         byte *out_bytes = (byte *)out;

wolfcrypt/src/port/Renesas/renesas_sce_util.c

@@ -291,7 +291,7 @@ WOLFSSL_LOCAL int wc_SCE_EccVerify(WOLFSSL* ssl, const uint8_t* sig,
         return MEMORY_E;
     }
     /* initialization */
-    XMEMCPY(sigforSCE, 0, HW_SCE_ECDSA_DATA_BYTE_SIZE);
+    XMEMSET(sigforSCE, 0, HW_SCE_ECDSA_DATA_BYTE_SIZE);
 
     /* r */
     if (sig[offset] == 0x20) {
@@ -945,7 +945,7 @@ WOLFSSL_LOCAL int wc_sce_tls_CertVerify(
         return MEMORY_E;
       }
       /* initialization */
-      XMEMCPY(sigforSCE, 0, HW_SCE_ECDSA_DATA_BYTE_SIZE);
+      XMEMSET(sigforSCE, 0, HW_SCE_ECDSA_DATA_BYTE_SIZE);
 
       if (signature[offset] == 0x20) {
         XMEMCPY(sigforSCE, &signature[offset+1], rs_size);

wolfcrypt/src/port/caam/caam_aes.c

@@ -58,7 +58,6 @@ int  wc_AesSetKey(Aes* aes, const byte* key, word32 len,
     if (len > 32) {
         byte out[32]; /* max AES key size */
         word32 outSz;
-        int ret;
 
         if (len != 64 && len != 72 && len != 80) {
             return BAD_FUNC_ARG;

wolfcrypt/src/port/caam/caam_driver.c

@@ -1163,7 +1163,7 @@ int caamECDSAMake(DESCSTRUCT* desc, CAAM_BUFFER* buf, unsigned int args[4])
 
         /* create secure partition for private key out */
         part = caamFindUnusedPartition();
-        if (part < 0) {
+        if ((int)part < 0) {
             WOLFSSL_MSG("error finding an unused partition for new key");
             return -1;
         }

wolfcrypt/src/port/cypress/psoc6_crypto.c

@@ -101,7 +101,6 @@ int wc_Sha512GetHash(wc_Sha512* sha, byte* hash)
 
 int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst)
 {
-    cy_en_crypto_status_t res;
     if ((!dst) || (!src))
         return BAD_FUNC_ARG;
     Cy_Crypto_Core_MemCpy(crypto_base, dst, src, sizeof(wc_Sha512));
@@ -158,7 +157,6 @@ int wc_Sha256GetHash(wc_Sha256* sha, byte* hash)
 
 int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst)
 {
-    cy_en_crypto_status_t res;
     if ((!dst) || (!src))
         return BAD_FUNC_ARG;
     Cy_Crypto_Core_MemCpy(crypto_base, dst, src, sizeof(wc_Sha256));

wolfcrypt/src/port/xilinx/xil-sha3.c

@@ -202,7 +202,9 @@ void wc_Sha3_384_Free(wc_Sha3* sha)
  */
 int wc_Sha3_384_GetHash(wc_Sha3* sha, byte* out)
 {
+#ifdef WOLFSSL_XILINX_CRYPTO_OLD
     wc_Sha3 s;
+#endif
 
     if (sha == NULL || out == NULL) {
         return BAD_FUNC_ARG;

wolfcrypt/src/pwdbased.c

@@ -51,7 +51,7 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
 {
     int  err;
     int  keyLeft, ivLeft, i;
-    int  digestLeft, store;
+    int  store;
     int  keyOutput = 0;
     int  diestLen;
     byte digest[WC_MAX_DIGEST_SIZE];
@@ -96,7 +96,7 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
     keyLeft = keyLen;
     ivLeft  = ivLen;
     while (keyOutput < (keyLen + ivLen)) {
-        digestLeft = diestLen;
+        int digestLeft = diestLen;
         /* D_(i - 1) */
         if (keyOutput) { /* first time D_0 is empty */
             err = wc_HashUpdate(hash, hashT, digest, diestLen);
@@ -176,9 +176,8 @@ int wc_PBKDF1(byte* output, const byte* passwd, int pLen, const byte* salt,
 int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,
            int sLen, int iterations, int kLen, int hashType, void* heap, int devId)
 {
-    word32 i = 1;
     int    hLen;
-    int    j, ret;
+    int    ret;
 #ifdef WOLFSSL_SMALL_STACK
     byte*  buffer;
     Hmac*  hmac;
@@ -213,11 +212,13 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,
 
     ret = wc_HmacInit(hmac, heap, devId);
     if (ret == 0) {
+        word32 i = 1;
         /* use int hashType here, since HMAC FIPS uses the old unique value */
         ret = wc_HmacSetKey(hmac, hashType, passwd, pLen);
 
         while (ret == 0 && kLen) {
             int currentLen;
+            int j;
 
             ret = wc_HmacUpdate(hmac, salt, sLen);
             if (ret != 0)

wolfcrypt/src/random.c

@@ -617,10 +617,9 @@ static int Hash_gen(DRBG_internal* drbg, byte* out, word32 outSz, const byte* V)
 
 static WC_INLINE void array_add(byte* d, word32 dLen, const byte* s, word32 sLen)
 {
-    word16 carry = 0;
-
     if (dLen > 0 && sLen > 0 && dLen >= sLen) {
         int sIdx, dIdx;
+        word16 carry = 0;
 
         dIdx = dLen - 1;
         for (sIdx = sLen - 1; sIdx >= 0; sIdx--) {
@@ -3164,7 +3163,7 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
     #include "nrf_drv_rng.h"
     int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
     {
-        int remaining = sz, length, pos = 0;
+        int remaining = sz, pos = 0;
         word32 err_code;
         byte available;
         static byte initialized = 0;
@@ -3185,6 +3184,7 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
         }
 
         while (remaining > 0) {
+            int length;
             available = 0;
             nrf_drv_rng_bytes_available(&available); /* void func */
             length = (remaining < available) ? remaining : available;
@@ -3798,14 +3798,13 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
 int wc_hwrng_generate_block(byte *output, word32 sz)
 {
     int fd;
-    int len;
     int ret = 0;
     fd = open("/dev/hwrng", O_RDONLY);
     if (fd == -1)
         return OPEN_RAN_E;
     while(sz)
     {
-        len = (int)read(fd, output, sz);
+        int len = (int)read(fd, output, sz);
         if (len == -1)
         {
             ret = READ_RAN_E;

wolfcrypt/src/rsa.c

@@ -1888,9 +1888,6 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
 {
     int    ret = BAD_FUNC_ARG;
     word16 i;
-#ifndef WOLFSSL_RSA_VERIFY_ONLY
-    byte   invalid = 0;
-#endif
 
     if (output == NULL || pkcsBlockLen < 2 || pkcsBlockLen > 0xFFFF) {
         return BAD_FUNC_ARG;
@@ -1923,6 +1920,7 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
     else {
         unsigned int j;
         word16 pastSep = 0;
+        byte   invalid = 0;
 
         i = 0;
         /* Decrypted with private key - unpad must be constant time. */
@@ -3579,11 +3577,6 @@ static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out,
         if (rsa_type == RSA_PUBLIC_DECRYPT && ret > (int)outLen)
             ret = RSA_BUFFER_E;
         else if (ret >= 0 && pad != NULL) {
-#if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
-    !defined(WOLFSSL_NO_MALLOC)
-            signed char c;
-#endif
-
             /* only copy output if not inline */
             if (outPtr == NULL) {
 #if !defined(WOLFSSL_RSA_VERIFY_ONLY) && !defined(WOLFSSL_RSA_VERIFY_INLINE) && \
@@ -3594,6 +3587,7 @@ static int RsaPrivateDecryptEx(const byte* in, word32 inLen, byte* out,
                     int start = (int)((size_t)pad - (size_t)key->data);
 
                     for (j = 0; j < key->dataLen; j++) {
+                        signed char c;
                         out[i] = key->data[j];
                         c  = ctMaskGTE(j, start);
                         c &= ctMaskLT(i, outLen);

wolfcrypt/src/sha3.c

@@ -641,12 +641,11 @@ static int InitSha3(wc_Sha3* sha3)
 static int Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p)
 {
     word32 i;
-    byte l;
-    byte *t;
     word32 blocks;
 
     if (sha3->i > 0) {
-        l = p * 8 - sha3->i;
+        byte *t;
+        byte l = p * 8 - sha3->i;
         if (l > len) {
             l = (byte)len;
         }
@@ -1300,10 +1299,10 @@ int wc_Shake128_Final(wc_Shake* shake, byte* hash, word32 hashLen)
 int wc_Shake128_Absorb(wc_Shake* shake, const byte* data, word32 len)
 {
     int ret;
-    byte hash[1];
 
     ret = Sha3Update(shake, data, len, WC_SHA3_128_COUNT);
     if (ret == 0) {
+        byte hash[1];
         ret = Sha3Final(shake, 0x1f, hash, WC_SHA3_128_COUNT, 0);
     }
     /* No partial data. */
@@ -1429,10 +1428,10 @@ int wc_Shake256_Final(wc_Shake* shake, byte* hash, word32 hashLen)
 int wc_Shake256_Absorb(wc_Shake* shake, const byte* data, word32 len)
 {
     int ret;
-    byte hash[1];
 
     ret = Sha3Update(shake, data, len, WC_SHA3_256_COUNT);
     if (ret == 0) {
+        byte hash[1];
         ret = Sha3Final(shake, 0x1f, hash, WC_SHA3_256_COUNT, 0);
     }
     /* No partial data. */

wolfcrypt/src/wolfmath.c

@@ -76,7 +76,6 @@
 void mp_reverse(unsigned char *s, int len)
 {
     int ix, iy;
-    unsigned char t;
 
     if (s == NULL)
         return;
@@ -84,7 +83,7 @@ void mp_reverse(unsigned char *s, int len)
     ix = 0;
     iy = len - 1;
     while (ix < iy) {
-        t = s[ix];
+        unsigned char t = s[ix];
         s[ix] = s[iy];
         s[iy] = t;
         ++ix;
@@ -120,11 +119,6 @@ mp_digit get_digit(const mp_int* a, int n)
 int mp_cond_copy(mp_int* a, int copy, mp_int* b)
 {
     int err = MP_OKAY;
-#if defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
-    unsigned int i;
-#else
-    int i;
-#endif
 #if defined(SP_WORD_SIZE) && SP_WORD_SIZE == 8
     unsigned int mask = (unsigned int)0 - copy;
 #else
@@ -138,6 +132,11 @@ int mp_cond_copy(mp_int* a, int copy, mp_int* b)
     if (err == MP_OKAY)
         err = mp_grow(b, a->used + 1);
     if (err == MP_OKAY) {
+    #if defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)
+        unsigned int i;
+    #else
+        int i;
+    #endif
         /* When mask 0, b is unchanged2
          * When mask all set, b ^ b ^ a = a
          */
@@ -173,9 +172,6 @@ int mp_rand(mp_int* a, int digits, WC_RNG* rng)
 {
     int ret = 0;
     int cnt = digits * sizeof(mp_digit);
-#ifdef USE_INTEGER_HEAP_MATH
-    int i;
-#endif
 
     if (rng == NULL) {
         ret = MISSING_RNG_E;
@@ -208,6 +204,7 @@ int mp_rand(mp_int* a, int digits, WC_RNG* rng)
     }
     if (ret == MP_OKAY) {
 #ifdef USE_INTEGER_HEAP_MATH
+        int i;
         /* Mask down each digit to only bits used */
         for (i = 0; i < a->used; i++) {
             a->dp[i] &= MP_MASK;
@@ -374,7 +371,7 @@ void wc_bigint_free(WC_BIGINT* a)
 int wc_mp_to_bigint_sz(mp_int* src, WC_BIGINT* dst, word32 sz)
 {
     int err;
-    word32 x, y;
+    word32 x;
 
     if (src == NULL || dst == NULL)
         return BAD_FUNC_ARG;
@@ -388,7 +385,7 @@ int wc_mp_to_bigint_sz(mp_int* src, WC_BIGINT* dst, word32 sz)
     err = wc_bigint_alloc(dst, sz);
     if (err == MP_OKAY && sz > 0) {
         /* leading zero pad */
-        y = sz - x;
+        word32 y = sz - x;
         XMEMSET(dst->buf, 0, y);
 
         /* export src as unsigned bin to destination buf */

wolfcrypt/test/test.c

@@ -19981,7 +19981,7 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
     EVP_MD_CTX_cleanup(&md_ctx);
     if (ret != WOLFSSL_SUCCESS)
         return WC_TEST_RET_ENC_NC;
-    if (XMEMCMP(hash, b.output, WC_SHA_DIGEST_SIZE) != 0)
+    if (XMEMCMP(hash, b.output, b.outLen) != 0)
         return WC_TEST_RET_ENC_NC;
 #endif /* NO_SHA */
 
@@ -20001,8 +20001,7 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
             ret = EVP_DigestFinal(&md_ctx, hash, 0);
     }
     EVP_MD_CTX_cleanup(&md_ctx);
-    if (ret != WOLFSSL_SUCCESS ||
-            XMEMCMP(hash, e.output, WC_SHA224_DIGEST_SIZE) != 0) {
+    if (ret != WOLFSSL_SUCCESS || XMEMCMP(hash, e.output, e.outLen) != 0) {
         return WC_TEST_RET_ENC_NC;
     }
 #endif /* WOLFSSL_SHA224 */
@@ -20023,8 +20022,7 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
             ret = EVP_DigestFinal(&md_ctx, hash, 0);
     }
     EVP_MD_CTX_cleanup(&md_ctx);
-    if (ret != WOLFSSL_SUCCESS ||
-            XMEMCMP(hash, d.output, WC_SHA256_DIGEST_SIZE) != 0) {
+    if (ret != WOLFSSL_SUCCESS || XMEMCMP(hash, d.output, d.outLen) != 0) {
         return WC_TEST_RET_ENC_NC;
     }
 #endif /* !NO_SHA256 */
@@ -20047,8 +20045,7 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
             ret = EVP_DigestFinal(&md_ctx, hash, 0);
     }
     EVP_MD_CTX_cleanup(&md_ctx);
-    if (ret != WOLFSSL_SUCCESS ||
-            XMEMCMP(hash, e.output, WC_SHA384_DIGEST_SIZE) != 0) {
+    if (ret != WOLFSSL_SUCCESS || XMEMCMP(hash, e.output, e.outLen) != 0) {
         return WC_TEST_RET_ENC_NC;
     }
 #endif /* WOLFSSL_SHA384 */
@@ -20072,8 +20069,7 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
             ret = EVP_DigestFinal(&md_ctx, hash, 0);
     }
     EVP_MD_CTX_cleanup(&md_ctx);
-    if (ret != WOLFSSL_SUCCESS ||
-            XMEMCMP(hash, f.output, WC_SHA512_DIGEST_SIZE) != 0) {
+    if (ret != WOLFSSL_SUCCESS || XMEMCMP(hash, f.output, f.outLen) != 0) {
         return WC_TEST_RET_ENC_NC;
     }
 
@@ -20095,8 +20091,7 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
             ret = EVP_DigestFinal(&md_ctx, hash, 0);
     }
     EVP_MD_CTX_cleanup(&md_ctx);
-    if (ret != WOLFSSL_SUCCESS ||
-            XMEMCMP(hash, f.output, WC_SHA512_224_DIGEST_SIZE) != 0) {
+    if (ret != WOLFSSL_SUCCESS || XMEMCMP(hash, f.output, f.outLen) != 0) {
         return WC_TEST_RET_ENC_NC;
     }
 #endif /* !WOLFSSL_NOSHA512_224 && !FIPS ... */
@@ -20119,8 +20114,7 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
             ret = EVP_DigestFinal(&md_ctx, hash, 0);
     }
     EVP_MD_CTX_cleanup(&md_ctx);
-    if (ret != WOLFSSL_SUCCESS ||
-            XMEMCMP(hash, f.output, WC_SHA512_256_DIGEST_SIZE) != 0) {
+    if (ret != WOLFSSL_SUCCESS || XMEMCMP(hash, f.output, f.outLen) != 0) {
         return WC_TEST_RET_ENC_NC;
     }
 #endif /* !WOLFSSL_NOSHA512_224 && !FIPS ... */
@@ -20143,8 +20137,7 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
             ret = EVP_DigestFinal(&md_ctx, hash, 0);
     }
     EVP_MD_CTX_cleanup(&md_ctx);
-    if (ret != WOLFSSL_SUCCESS ||
-            XMEMCMP(hash, e.output, WC_SHA3_224_DIGEST_SIZE) != 0) {
+    if (ret != WOLFSSL_SUCCESS || XMEMCMP(hash, e.output, e.outLen) != 0) {
         return WC_TEST_RET_ENC_NC;
     }
 #endif /* WOLFSSL_NOSHA3_224 */
@@ -20166,8 +20159,7 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
             ret = EVP_DigestFinal(&md_ctx, hash, 0);
     }
     EVP_MD_CTX_cleanup(&md_ctx);
-    if (ret != WOLFSSL_SUCCESS ||
-            XMEMCMP(hash, d.output, WC_SHA3_256_DIGEST_SIZE) != 0) {
+    if (ret != WOLFSSL_SUCCESS || XMEMCMP(hash, d.output, d.outLen) != 0) {
         return WC_TEST_RET_ENC_NC;
     }
 #endif /* WOLFSSL_NOSHA3_256 */
@@ -20189,8 +20181,7 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
             ret = EVP_DigestFinal(&md_ctx, hash, 0);
     }
     EVP_MD_CTX_cleanup(&md_ctx);
-    if (ret != WOLFSSL_SUCCESS ||
-            XMEMCMP(hash, e.output, WC_SHA3_384_DIGEST_SIZE) != 0) {
+    if (ret != WOLFSSL_SUCCESS || XMEMCMP(hash, e.output, e.outLen) != 0) {
         return WC_TEST_RET_ENC_NC;
     }
 
@@ -20214,7 +20205,7 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
     }
     EVP_MD_CTX_cleanup(&md_ctx);
     if (ret != WOLFSSL_SUCCESS ||
-            XMEMCMP(hash, f.output, WC_SHA3_512_DIGEST_SIZE) != 0) {
+            XMEMCMP(hash, f.output, f.outLen) != 0) {
         return WC_TEST_RET_ENC_NC;
     }
 #endif /* WOLFSSL_NOSHA3_512 */
@@ -20239,7 +20230,7 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
 #else
     if (HMAC(EVP_md5(), "JefeJefeJefeJefe", 16, (byte*)c.input, (int)c.inLen,
             hash, 0) == NULL ||
-        XMEMCMP(hash, c.output, WC_MD5_DIGEST_SIZE) != 0)
+        XMEMCMP(hash, c.output, c.outLen) != 0)
 #endif
     {
         return WC_TEST_RET_ENC_NC;
@@ -21238,8 +21229,11 @@ WOLFSSL_TEST_SUBROUTINE int openssl_pkey0_test(void)
     }
     prvBytes = (int)XFREAD(prvTmp, 1, (int)FOURK_BUFF, keyFile);
     XFCLOSE(keyFile);
-    if (prvBytes == 0)
+    if (prvBytes == 0) {
+        XFREE(prvTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pubTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         return WC_TEST_RET_ENC_ERRNO;
+    }
     keypubFile = XFOPEN(cliKeypub, "rb");
     if (!keypubFile) {
         XFREE(prvTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
@@ -21250,8 +21244,11 @@ WOLFSSL_TEST_SUBROUTINE int openssl_pkey0_test(void)
     }
     pubBytes = (int)XFREAD(pubTmp, 1, (int)FOURK_BUFF, keypubFile);
     XFCLOSE(keypubFile);
-    if (pubBytes == 0)
+    if (pubBytes == 0) {
+        XFREE(prvTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pubTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         return WC_TEST_RET_ENC_ERRNO;
+    }
 #endif /* USE_CERT_BUFFERS */
 
         prvRsa = wolfSSL_RSA_new();
@@ -21657,8 +21654,11 @@ WOLFSSL_TEST_SUBROUTINE int openssl_evpSig_test(void)
     }
     prvBytes = (int)XFREAD(prvTmp, 1, (int)FOURK_BUFF, keyFile);
     XFCLOSE(keyFile);
-    if (prvBytes == 0)
+    if (prvBytes == 0) {
+        XFREE(prvTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pubTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         return WC_TEST_RET_ENC_ERRNO;
+    }
     keypubFile = XFOPEN(cliKeypub, "rb");
     if (!keypubFile) {
         XFREE(pubTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
@@ -21669,8 +21669,11 @@ WOLFSSL_TEST_SUBROUTINE int openssl_evpSig_test(void)
     }
     pubBytes = (int)XFREAD(pubTmp, 1, (int)FOURK_BUFF, keypubFile);
     XFCLOSE(keypubFile);
-    if (pubBytes == 0)
+    if (pubBytes == 0) {
+        XFREE(prvTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pubTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         return WC_TEST_RET_ENC_ERRNO;
+    }
     #endif /* USE_CERT_BUFFERS */
 
     prvRsa = wolfSSL_RSA_new();
@@ -24737,7 +24740,9 @@ static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount,
     WC_DECLARE_VAR(exportBuf, byte, ECC_KEY_EXPORT_BUF_SIZE, HEAP_HINT);
 #endif
     word32  x = 0;
-#if defined(HAVE_ECC_SIGN) && !defined(WOLFSSL_KCAPI_ECC)
+#if !defined(ECC_TIMING_RESISTANT) || (defined(ECC_TIMING_RESISTANT) && \
+    !defined(WC_NO_RNG) && !defined(WOLFSSL_KCAPI_ECC)) && \
+    defined(HAVE_ECC_SIGN)
     WC_DECLARE_VAR(sig, byte, ECC_SIG_SIZE, HEAP_HINT);
     WC_DECLARE_VAR(digest, byte, ECC_DIGEST_SIZE, HEAP_HINT);
     int     i;
@@ -24771,7 +24776,9 @@ static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount,
         ERROR_OUT(WC_TEST_RET_ENC_ERRNO, done);
 #endif
 
-#if defined(HAVE_ECC_SIGN) && !defined(WOLFSSL_KCAPI_ECC)
+#if !defined(ECC_TIMING_RESISTANT) || (defined(ECC_TIMING_RESISTANT) && \
+    !defined(WC_NO_RNG) && !defined(WOLFSSL_KCAPI_ECC)) && \
+    defined(HAVE_ECC_SIGN)
     if (sig == NULL || digest == NULL)
         ERROR_OUT(WC_TEST_RET_ENC_ERRNO, done);
 #endif
@@ -44228,11 +44235,13 @@ static int ecc_onlycb_test(myCryptoDevCtx *ctx)
     #ifdef OPENSSL_EXTRA
     EVP_PKEY* privKey = NULL;
     EVP_PKEY* pubKey = NULL;
+    #ifdef USE_CERT_BUFFERS_256
     ecc_key* pkey;
+    const unsigned char* cp;
+    #endif
     EVP_MD_CTX mdCtx;
     const char testData[] = "Hi There";
     size_t checkSz = -1;
-    const unsigned char* cp;
     const unsigned char* p;
     const unsigned char check_v[256] = {
         0x30,0x45,0x02,0x20,0x1b,0x5c,0x2a,0xf0,0x18,0x09,

wolfssl/test.h

@@ -1219,7 +1219,6 @@ static WC_INLINE void build_addr(SOCKADDR_IN_T* addr, const char* peer,
         if ((XSTRCMP(peer, "localhost") != 0) &&
             (XSTRCMP(peer, "127.0.0.1") != 0)) {
             FILE* fp;
-            char host_out[100];
             char cmd[100];
 
             XSTRNCPY(cmd, "host ", 6);
@@ -1227,6 +1226,7 @@ static WC_INLINE void build_addr(SOCKADDR_IN_T* addr, const char* peer,
             found = 0;
             fp = popen(cmd, "r");
             if (fp != NULL) {
+                char host_out[100];
                 while (fgets(host_out, sizeof(host_out), fp) != NULL) {
                     int i;
                     int j = 0;
@@ -2455,7 +2455,6 @@ static WC_INLINE int my_psk_use_session_cb(WOLFSSL* ssl,
 #if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \
        !defined(NO_FILESYSTEM)
     int i;
-    int b = 0x01;
     WOLFSSL_SESSION* lsess;
     char buf[256];
     const char* cipher_id = "TLS13-AES128-GCM-SHA256";
@@ -2486,8 +2485,9 @@ static WC_INLINE int my_psk_use_session_cb(WOLFSSL* ssl,
     }
 
     if (i != numCiphers) {
+        int b = 0x01;
         SSL_SESSION_set_cipher(lsess, cipher);
-            for (i = 0; i < 32; i++, b += 0x22) {
+        for (i = 0; i < 32; i++, b += 0x22) {
             if (b >= 0x100)
                 b = 0x01;
             local_psk[i] = b;
@@ -2857,7 +2857,6 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
     WOLFSSL_BIO* bio = NULL;
     WOLFSSL_STACK* sk = NULL;
     X509* x509 = NULL;
-    int i = 0;
 #endif
 #endif
 
@@ -2900,6 +2899,7 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
 #if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
         /* avoid printing duplicate certs */
         if (store->depth == 1) {
+            int i;
             /* retrieve x509 certs and display them on stdout */
             sk = wolfSSL_X509_STORE_GetCerts(store);
 
@@ -3074,10 +3074,10 @@ static WC_INLINE void CaCb(unsigned char* der, int sz, int type)
     {
         #if !defined(NO_FILESYSTEM) || defined(FORCE_BUFFER_TEST) && \
             !defined(NETOS)
-            int depth, res;
-            XFILE keyFile;
+            int depth;
             for(depth = 0; depth <= MAX_WOLF_ROOT_DEPTH; depth++) {
-                keyFile = XFOPEN(dhParamFile, "rb");
+                int res;
+                XFILE keyFile = XFOPEN(dhParamFile, "rb");
                 if (keyFile != NULL) {
                     fclose(keyFile);
                     return depth;
@@ -4814,13 +4814,13 @@ static WC_INLINE int SimulateWantWriteIOSendCb(WOLFSSL *ssl, char *buf, int sz,
 {
     static int wantWriteFlag = 1;
 
-    int sent;
     int sd = *(int*)ctx;
 
     (void)ssl;
 
     if (!wantWriteFlag)
     {
+        int sent;
         wantWriteFlag = 1;
 
         sent = wolfIO_Send(sd, buf, sz, 0);
@@ -5164,7 +5164,6 @@ static WC_INLINE void EarlyDataStatus(WOLFSSL* ssl)
 static WC_INLINE int process_handshake_messages(WOLFSSL* ssl, int blocking,
     int* zero_return)
 {
-    int timeout = DEFAULT_TIMEOUT_SEC;
     char foo[1];
     int ret = 0;
     int dtls;
@@ -5177,6 +5176,8 @@ static WC_INLINE int process_handshake_messages(WOLFSSL* ssl, int blocking,
     *zero_return = 0;
 
     if (!blocking) {
+        int timeout = DEFAULT_TIMEOUT_SEC;
+
 #ifdef WOLFSSL_DTLS
         if (dtls) {
             timeout = wolfSSL_dtls_get_current_timeout(ssl);