summaryrefslogtreecommitdiffstats
path: root/ssl
diff options
context:
space:
mode:
authorMatt Caswell <matt@openssl.org>2016-10-19 16:11:24 +0200
committerMatt Caswell <matt@openssl.org>2016-11-04 13:09:46 +0100
commit348240c676a1b2beaebb865e8be0b62f88c10b7d (patch)
tree4ab53f4be6dee16b0a91113264047970c5cff1b9 /ssl
parentConvert the mac functions to just return 1 for success and 0 for failure (diff)
downloadopenssl-348240c676a1b2beaebb865e8be0b62f88c10b7d.tar.xz
openssl-348240c676a1b2beaebb865e8be0b62f88c10b7d.zip
Fix misc size_t issues causing Windows warnings in 64 bit
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r--ssl/record/ssl3_record.c4
-rw-r--r--ssl/s3_cbc.c2
-rw-r--r--ssl/s3_enc.c2
-rw-r--r--ssl/s3_lib.c10
-rw-r--r--ssl/ssl_asn1.c2
-rw-r--r--ssl/ssl_ciph.c2
-rw-r--r--ssl/ssl_lib.c57
-rw-r--r--ssl/ssl_mcnf.c4
-rw-r--r--ssl/ssl_sess.c10
-rw-r--r--ssl/ssl_txt.c3
-rw-r--r--ssl/statem/statem_clnt.c36
-rw-r--r--ssl/statem/statem_dtls.c7
-rw-r--r--ssl/statem/statem_lib.c2
-rw-r--r--ssl/statem/statem_srvr.c32
-rw-r--r--ssl/t1_enc.c22
-rw-r--r--ssl/t1_lib.c48
-rw-r--r--ssl/t1_reneg.c6
17 files changed, 137 insertions, 112 deletions
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 240355bba1..7904447b73 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1022,8 +1022,8 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
header[8] = rec->type;
header[9] = (unsigned char)(ssl->version >> 8);
header[10] = (unsigned char)(ssl->version);
- header[11] = (rec->length) >> 8;
- header[12] = (rec->length) & 0xff;
+ header[11] = (unsigned char)(rec->length >> 8);
+ header[12] = (unsigned char)(rec->length & 0xff);
if (!send && !SSL_USE_ETM(ssl) &&
EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index e6b7f32639..29243f35a0 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -357,7 +357,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
if (k > 0) {
if (is_sslv3) {
- unsigned overhang;
+ size_t overhang;
/*
* The SSLv3 header is larger than a single block. overhang is
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 9283c74458..ba71bc14b4 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -439,7 +439,7 @@ size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len,
if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0)
|| EVP_MD_CTX_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET,
- s->session->master_key_length,
+ (int)s->session->master_key_length,
s->session->master_key) <= 0
|| EVP_DigestFinal_ex(ctx, p, NULL) <= 0) {
SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index d6d7c46287..45824012ef 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3035,9 +3035,10 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
*(unsigned char **)parg = s->tlsext_ocsp_resp;
- if (s->tlsext_ocsp_resplen == 0)
+ if (s->tlsext_ocsp_resplen == 0
+ || s->tlsext_ocsp_resplen > LONG_MAX)
return -1;
- return s->tlsext_ocsp_resplen;
+ return (long)s->tlsext_ocsp_resplen;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
OPENSSL_free(s->tlsext_ocsp_resp);
@@ -3955,9 +3956,10 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len)
unsigned long Time = (unsigned long)time(NULL);
unsigned char *p = result;
l2n(Time, p);
- return RAND_bytes(p, len - 4);
+ /* TODO(size_t): Convert this */
+ return RAND_bytes(p, (int)(len - 4));
} else
- return RAND_bytes(result, len);
+ return RAND_bytes(result, (int)len);
}
int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 9b6ea0a1f1..fd13f90c28 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -102,7 +102,7 @@ static void ssl_session_oinit(ASN1_OCTET_STRING **dest, ASN1_OCTET_STRING *os,
unsigned char *data, size_t len)
{
os->data = data;
- os->length = len;
+ os->length = (int)len;
os->flags = 0;
*dest = os;
}
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 478d9a9bd4..9d259c1a15 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -175,7 +175,7 @@ static int ssl_cipher_info_find(const ssl_cipher_table * table,
size_t i;
for (i = 0; i < table_cnt; i++, table++) {
if (table->mask == mask)
- return i;
+ return (int)i;
}
return -1;
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a869314bda..4e2369d52f 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -80,7 +80,7 @@ SSL3_ENC_METHOD ssl3_undef_enc_method = {
struct ssl_async_args {
SSL *s;
void *buf;
- int num;
+ size_t num;
enum { READFUNC, WRITEFUNC, OTHERFUNC } type;
union {
int (*func_read) (SSL *, void *, size_t, size_t *);
@@ -318,14 +318,14 @@ static int dane_tlsa_add(SSL_DANE *dane,
t->usage = usage;
t->selector = selector;
t->mtype = mtype;
- t->data = OPENSSL_malloc(ilen);
+ t->data = OPENSSL_malloc(dlen);
if (t->data == NULL) {
tlsa_free(t);
SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE);
return -1;
}
- memcpy(t->data, data, ilen);
- t->dlen = ilen;
+ memcpy(t->data, data, dlen);
+ t->dlen = dlen;
/* Validate and cache full certificate or public key */
if (mtype == DANETLS_MATCHING_FULL) {
@@ -335,7 +335,7 @@ static int dane_tlsa_add(SSL_DANE *dane,
switch (selector) {
case DANETLS_SELECTOR_CERT:
- if (!d2i_X509(&cert, &p, dlen) || p < data ||
+ if (!d2i_X509(&cert, &p, ilen) || p < data ||
dlen != (size_t)(p - data)) {
tlsa_free(t);
SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE);
@@ -370,7 +370,7 @@ static int dane_tlsa_add(SSL_DANE *dane,
break;
case DANETLS_SELECTOR_SPKI:
- if (!d2i_PUBKEY(&pkey, &p, dlen) || p < data ||
+ if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data ||
dlen != (size_t)(p - data)) {
tlsa_free(t);
SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY);
@@ -1304,7 +1304,7 @@ int SSL_pending(const SSL *s)
* SSL_pending also cannot work properly if the value >INT_MAX. In that case
* we just return INT_MAX.
*/
- return pending < INT_MAX ? pending : INT_MAX;
+ return pending < INT_MAX ? (int)pending : INT_MAX;
}
int SSL_has_pending(const SSL *s)
@@ -1382,7 +1382,7 @@ int SSL_copy_session_id(SSL *t, const SSL *f)
CRYPTO_atomic_add(&f->cert->references, 1, &i, f->cert->lock);
ssl_cert_free(t->cert);
t->cert = f->cert;
- if (!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length)) {
+ if (!SSL_set_session_id_context(t, f->sid_ctx, (int)f->sid_ctx_length)) {
return 0;
}
@@ -1513,7 +1513,7 @@ static int ssl_io_intern(void *vargs)
struct ssl_async_args *args;
SSL *s;
void *buf;
- int num;
+ size_t num;
args = (struct ssl_async_args *)vargs;
s = args->s;
@@ -1767,11 +1767,13 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_CLEAR_MODE:
return (s->mode &= ~larg);
case SSL_CTRL_GET_MAX_CERT_LIST:
- return (s->max_cert_list);
+ return (long)(s->max_cert_list);
case SSL_CTRL_SET_MAX_CERT_LIST:
- l = s->max_cert_list;
- s->max_cert_list = larg;
- return (l);
+ if (larg < 0)
+ return 0;
+ l = (long)s->max_cert_list;
+ s->max_cert_list = (size_t)larg;
+ return l;
case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
return 0;
@@ -1879,18 +1881,22 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return 1;
case SSL_CTRL_GET_MAX_CERT_LIST:
- return (ctx->max_cert_list);
+ return (long)(ctx->max_cert_list);
case SSL_CTRL_SET_MAX_CERT_LIST:
- l = ctx->max_cert_list;
- ctx->max_cert_list = larg;
- return (l);
+ if (larg < 0)
+ return 0;
+ l = (long)ctx->max_cert_list;
+ ctx->max_cert_list = (size_t)larg;
+ return l;
case SSL_CTRL_SET_SESS_CACHE_SIZE:
- l = ctx->session_cache_size;
- ctx->session_cache_size = larg;
- return (l);
+ if (larg < 0)
+ return 0;
+ l = (long)ctx->session_cache_size;
+ ctx->session_cache_size = (size_t)larg;
+ return l;
case SSL_CTRL_GET_SESS_CACHE_SIZE:
- return (ctx->session_cache_size);
+ return (long)(ctx->session_cache_size);
case SSL_CTRL_SET_SESS_CACHE_MODE:
l = ctx->session_cache_mode;
ctx->session_cache_mode = larg;
@@ -2249,7 +2255,7 @@ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
if (!*data) {
*len = 0;
} else {
- *len = s->next_proto_negotiated_len;
+ *len = (unsigned int)s->next_proto_negotiated_len;
}
}
@@ -2366,7 +2372,7 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
if (*data == NULL)
*len = 0;
else
- *len = ssl->s3->alpn_selected_len;
+ *len = (unsigned int)ssl->s3->alpn_selected_len;
}
int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
@@ -3227,7 +3233,8 @@ SSL *SSL_dup(SSL *s)
goto err;
}
- if (!SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length))
+ if (!SSL_set_session_id_context(ret, s->sid_ctx,
+ (int)s->sid_ctx_length))
goto err;
}
@@ -4068,7 +4075,7 @@ static int ct_extract_ocsp_response_scts(SSL *s)
goto err;
p = s->tlsext_ocsp_resp;
- rsp = d2i_OCSP_RESPONSE(NULL, &p, s->tlsext_ocsp_resplen);
+ rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->tlsext_ocsp_resplen);
if (rsp == NULL)
goto err;
diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
index c2d9dba64a..59674f3d39 100644
--- a/ssl/ssl_mcnf.c
+++ b/ssl/ssl_mcnf.c
@@ -73,7 +73,7 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
ssl_names_count = cnt;
for (i = 0; i < ssl_names_count; i++) {
struct ssl_conf_name *ssl_name = ssl_names + i;
- CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, i);
+ CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, (int)i);
STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value);
if (sk_CONF_VALUE_num(cmds) <= 0) {
if (cmds == NULL)
@@ -94,7 +94,7 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
ssl_name->cmd_count = cnt;
for (j = 0; j < cnt; j++) {
const char *name;
- CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, j);
+ CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, (int)j);
struct ssl_conf_cmd *cmd = ssl_name->cmds + j;
/* Skip any initial dot in name */
name = strchr(cmd_conf->name, '.');
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index e0ec918c91..44101cbb0c 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -236,14 +236,14 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
{
if (len)
- *len = s->session_id_length;
+ *len = (unsigned int)s->session_id_length;
return s->session_id;
}
const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s,
unsigned int *len)
{
if (len != NULL)
- *len = s->sid_ctx_length;
+ *len = (unsigned int)s->sid_ctx_length;
return s->sid_ctx;
}
@@ -369,7 +369,7 @@ int ssl_get_new_session(SSL *s, int session)
CRYPTO_THREAD_unlock(s->lock);
/* Choose a session ID */
memset(ss->session_id, 0, ss->session_id_length);
- tmp = ss->session_id_length;
+ tmp = (int)ss->session_id_length;
if (!cb(s, ss->session_id, &tmp)) {
/* The callback failed */
SSLerr(SSL_F_SSL_GET_NEW_SESSION,
@@ -391,7 +391,7 @@ int ssl_get_new_session(SSL *s, int session)
ss->session_id_length = tmp;
/* Finally, check for a conflict */
if (SSL_has_matching_session_id(s, ss->session_id,
- ss->session_id_length)) {
+ (unsigned int)ss->session_id_length)) {
SSLerr(SSL_F_SSL_GET_NEW_SESSION, SSL_R_SSL_SESSION_ID_CONFLICT);
SSL_SESSION_free(ss);
return (0);
@@ -502,7 +502,7 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id)
ret == NULL && s->session_ctx->get_session_cb != NULL) {
int copy = 1;
ret = s->session_ctx->get_session_cb(s, PACKET_data(session_id),
- PACKET_remaining(session_id),
+ (int)PACKET_remaining(session_id),
&copy);
if (ret != NULL) {
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index a7faf4889e..06ea6463ab 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -128,8 +128,9 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
if (x->tlsext_tick) {
if (BIO_puts(bp, "\n TLS session ticket:\n") <= 0)
goto err;
+ /* TODO(size_t): Convert this call */
if (BIO_dump_indent
- (bp, (const char *)x->tlsext_tick, x->tlsext_ticklen, 4)
+ (bp, (const char *)x->tlsext_tick, (int)x->tlsext_ticklen, 4)
<= 0)
goto err;
}
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 194243fc9d..bde5373fe7 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1358,18 +1358,19 @@ static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
return 0;
}
+ /* TODO(size_t): Convert BN_bin2bn() calls */
if ((s->srp_ctx.N =
BN_bin2bn(PACKET_data(&prime),
- PACKET_remaining(&prime), NULL)) == NULL
+ (int)PACKET_remaining(&prime), NULL)) == NULL
|| (s->srp_ctx.g =
BN_bin2bn(PACKET_data(&generator),
- PACKET_remaining(&generator), NULL)) == NULL
+ (int)PACKET_remaining(&generator), NULL)) == NULL
|| (s->srp_ctx.s =
BN_bin2bn(PACKET_data(&salt),
- PACKET_remaining(&salt), NULL)) == NULL
+ (int)PACKET_remaining(&salt), NULL)) == NULL
|| (s->srp_ctx.B =
BN_bin2bn(PACKET_data(&server_pub),
- PACKET_remaining(&server_pub), NULL)) == NULL) {
+ (int)PACKET_remaining(&server_pub), NULL)) == NULL) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, ERR_R_BN_LIB);
return 0;
@@ -1419,10 +1420,12 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
goto err;
}
- p = BN_bin2bn(PACKET_data(&prime), PACKET_remaining(&prime), NULL);
- g = BN_bin2bn(PACKET_data(&generator), PACKET_remaining(&generator), NULL);
- bnpub_key = BN_bin2bn(PACKET_data(&pub_key), PACKET_remaining(&pub_key),
- NULL);
+ /* TODO(size_t): Convert these calls */
+ p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL);
+ g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator),
+ NULL);
+ bnpub_key = BN_bin2bn(PACKET_data(&pub_key),
+ (int)PACKET_remaining(&pub_key), NULL);
if (p == NULL || g == NULL || bnpub_key == NULL) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB);
@@ -1710,8 +1713,10 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
goto err;
}
+ /* TODO(size_t): Convert this call */
if (EVP_VerifyFinal(md_ctx, PACKET_data(&signature),
- PACKET_remaining(&signature), pkey) <= 0) {
+ (unsigned int)PACKET_remaining(&signature),
+ pkey) <= 0) {
/* bad signature */
EVP_MD_CTX_free(md_ctx);
al = SSL_AD_DECRYPT_ERROR;
@@ -2193,7 +2198,8 @@ static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt, int *al)
pms[0] = s->client_version >> 8;
pms[1] = s->client_version & 0xff;
- if (RAND_bytes(pms + 2, pmslen - 2) <= 0) {
+ /* TODO(size_t): Convert this function */
+ if (RAND_bytes(pms + 2, (int)(pmslen - 2)) <= 0) {
goto err;
}
@@ -2283,7 +2289,7 @@ static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_EC
unsigned char *encodedPoint = NULL;
- int encoded_pt_len = 0;
+ size_t encoded_pt_len = 0;
EVP_PKEY *ckey = NULL, *skey = NULL;
int ret = 0;
@@ -2375,8 +2381,10 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt, int *al)
}
if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
- /* Generate session key */
- || RAND_bytes(pms, pmslen) <= 0) {
+ /* Generate session key
+ * TODO(size_t): Convert this function
+ */
+ || RAND_bytes(pms, (int)pmslen) <= 0) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
goto err;
@@ -2617,7 +2625,7 @@ int tls_construct_client_verify(SSL *s, WPACKET *pkt)
|| !EVP_SignUpdate(mctx, hdata, hdatalen)
|| (s->version == SSL3_VERSION
&& !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
- s->session->master_key_length,
+ (int)s->session->master_key_length,
s->session->master_key))
|| !EVP_SignFinal(mctx, sig, &u, pkey)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_EVP_LIB);
diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 6053a58b9c..d2b5f877dc 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -390,11 +390,10 @@ int dtls_get_message(SSL *s, int *mt, size_t *len)
* permitted in a DTLS handshake message for |s|. The minimum is 16KB, but
* may be greater if the maximum certificate list size requires it.
*/
-static unsigned long dtls1_max_handshake_message_len(const SSL *s)
+static size_t dtls1_max_handshake_message_len(const SSL *s)
{
- unsigned long max_len =
- DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
- if (max_len < (unsigned long)s->max_cert_list)
+ size_t max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
+ if (max_len < s->max_cert_list)
return s->max_cert_list;
return max_len;
}
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 30d674ef0f..1ce14ee640 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -155,7 +155,7 @@ static void ssl3_take_mac(SSL *s)
MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
{
int al;
- long remain;
+ size_t remain;
remain = PACKET_remaining(pkt);
/*
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 83e698b999..6aa897bfd5 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -888,7 +888,8 @@ int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
{
int i, al = SSL_AD_INTERNAL_ERROR;
- unsigned int j, complen = 0;
+ unsigned int j;
+ size_t loop, complen = 0;
unsigned long id;
const SSL_CIPHER *c;
#ifndef OPENSSL_NO_COMP
@@ -1087,8 +1088,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
if (s->ctx->app_verify_cookie_cb != NULL) {
if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie),
- PACKET_remaining(&cookie)) ==
- 0) {
+ (unsigned int)PACKET_remaining(&cookie)) == 0) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSL_R_COOKIE_MISMATCH);
@@ -1197,12 +1197,12 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
}
complen = PACKET_remaining(&compression);
- for (j = 0; j < complen; j++) {
- if (PACKET_data(&compression)[j] == 0)
+ for (loop = 0; loop < complen; loop++) {
+ if (PACKET_data(&compression)[loop] == 0)
break;
}
- if (j >= complen) {
+ if (loop >= complen) {
/* no compress */
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
@@ -1576,7 +1576,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
#endif
#ifndef OPENSSL_NO_EC
unsigned char *encodedPoint = NULL;
- int encodedlen = 0;
+ size_t encodedlen = 0;
int curve_id = 0;
#endif
EVP_PKEY *pkey;
@@ -1909,7 +1909,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
{
- int i, nl;
+ int i;
STACK_OF(X509_NAME) *sk = NULL;
/* get the list of acceptable cert types */
@@ -1922,7 +1922,7 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
if (SSL_USE_SIGALGS(s)) {
const unsigned char *psigs;
- nl = tls12_get_psigalgs(s, &psigs);
+ size_t nl = tls12_get_psigalgs(s, &psigs);
if (!WPACKET_start_sub_packet_u16(pkt)
|| !tls12_copy_sigalgs(s, pkt, psigs, nl)
|| !WPACKET_close(pkt)) {
@@ -2103,9 +2103,10 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
* Decrypt with no padding. PKCS#1 padding will be removed as part of
* the timing-sensitive code below.
*/
- decrypt_len = RSA_private_decrypt(PACKET_remaining(&enc_premaster),
- PACKET_data(&enc_premaster),
- rsa_decrypt, rsa, RSA_NO_PADDING);
+ /* TODO(size_t): Convert this function */
+ decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
+ PACKET_data(&enc_premaster),
+ rsa_decrypt, rsa, RSA_NO_PADDING);
if (decrypt_len < 0)
goto err;
@@ -2386,7 +2387,7 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al)
unsigned long alg_a;
int Ttag, Tclass;
long Tlen;
- long sess_key_len;
+ size_t sess_key_len;
const unsigned char *data;
int ret = 0;
@@ -2436,8 +2437,9 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al)
SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
goto err;
}
+ /* TODO(size_t): Convert this function */
if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag,
- &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED
+ &Tclass, (long)sess_key_len) != V_ASN1_CONSTRUCTED
|| Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
*al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
@@ -2739,7 +2741,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
if (s->version == SSL3_VERSION
&& !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
- s->session->master_key_length,
+ (int)s->session->master_key_length,
s->session->master_key)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
al = SSL_AD_INTERNAL_ERROR;
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index f200040bac..16d3d3e816 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -64,18 +64,18 @@ static int tls1_PRF(SSL *s,
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
if (pctx == NULL || EVP_PKEY_derive_init(pctx) <= 0
|| EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) <= 0
- || EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, slen) <= 0)
+ || EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, (int)slen) <= 0)
goto err;
- if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len) <= 0)
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, (int)seed1_len) <= 0)
goto err;
- if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len) <= 0)
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, (int)seed2_len) <= 0)
goto err;
- if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len) <= 0)
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, (int)seed3_len) <= 0)
goto err;
- if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed4, seed4_len) <= 0)
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed4, (int)seed4_len) <= 0)
goto err;
- if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed5, seed5_len) <= 0)
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed5, (int)seed5_len) <= 0)
goto err;
if (EVP_PKEY_derive(pctx, out, &olen) <= 0)
@@ -250,8 +250,9 @@ int tls1_change_cipher_state(SSL *s, int which)
memcpy(mac_secret, ms, i);
if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
+ /* TODO(size_t): Convert this function */
mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
- mac_secret, *mac_secret_size);
+ mac_secret, (int)*mac_secret_size);
if (mac_key == NULL
|| EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) {
EVP_PKEY_free(mac_key);
@@ -271,7 +272,8 @@ int tls1_change_cipher_state(SSL *s, int which)
if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) {
if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE))
- || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv)) {
+ || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, (int)k,
+ iv)) {
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
goto err2;
}
@@ -285,7 +287,7 @@ int tls1_change_cipher_state(SSL *s, int which)
if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE))
|| !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
|| !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)
- || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, k, iv)
+ || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, (int)k, iv)
|| !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) {
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
goto err2;
@@ -299,7 +301,7 @@ int tls1_change_cipher_state(SSL *s, int which)
/* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size
&& !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY,
- *mac_secret_size, mac_secret)) {
+ (int)*mac_secret_size, mac_secret)) {
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
goto err2;
}
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 6a1386cb36..0523e54718 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -246,7 +246,7 @@ int tls1_ec_nid2curve_id(int nid)
size_t i;
for (i = 0; i < OSSL_NELEM(nid_list); i++) {
if (nid_list[i].nid == nid)
- return i + 1;
+ return (int)(i + 1);
}
return 0;
}
@@ -1151,7 +1151,7 @@ int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al)
#endif /* OPENSSL_NO_EC */
if (tls_use_ticket(s)) {
- int ticklen;
+ size_t ticklen;
if (!s->new_session && s->session && s->session->tlsext_tick)
ticklen = s->session->tlsext_ticklen;
else if (s->session && s->tlsext_session_ticket &&
@@ -1663,7 +1663,7 @@ static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
s->s3->alpn_proposed,
- s->s3->alpn_proposed_len,
+ (unsigned int)s->s3->alpn_proposed_len,
s->ctx->alpn_select_cb_arg);
if (r == SSL_TLSEXT_ERR_OK) {
@@ -1825,7 +1825,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
if (s->tlsext_debug_cb)
s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension),
- PACKET_remaining(&extension),
+ (int)PACKET_remaining(&extension),
s->tlsext_debug_arg);
if (type == TLSEXT_TYPE_renegotiate) {
@@ -1977,7 +1977,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
else if (type == TLSEXT_TYPE_session_ticket) {
if (s->tls_session_ticket_ext_cb &&
!s->tls_session_ticket_ext_cb(s, PACKET_data(&extension),
- PACKET_remaining(&extension),
+ (int)PACKET_remaining(&extension),
s->tls_session_ticket_ext_cb_arg))
{
*al = TLS1_AD_INTERNAL_ERROR;
@@ -2039,8 +2039,9 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
}
id_data = PACKET_data(&responder_id);
+ /* TODO(size_t): Convert d2i_* to size_t */
id = d2i_OCSP_RESPID(NULL, &id_data,
- PACKET_remaining(&responder_id));
+ (int)PACKET_remaining(&responder_id));
if (id == NULL)
return 0;
@@ -2066,7 +2067,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
X509_EXTENSION_free);
s->tlsext_ocsp_exts =
d2i_X509_EXTENSIONS(NULL, &ext_data,
- PACKET_remaining(&exts));
+ (int)PACKET_remaining(&exts));
if (s->tlsext_ocsp_exts == NULL
|| ext_data != PACKET_end(&exts)) {
return 0;
@@ -2961,7 +2962,8 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
SSL_SESSION *sess;
unsigned char *sdec;
const unsigned char *p;
- int slen, mlen, renew_ticket = 0, ret = -1;
+ int slen, renew_ticket = 0, ret = -1, declen;
+ size_t mlen;
unsigned char tick_hmac[EVP_MAX_MD_SIZE];
HMAC_CTX *hctx = NULL;
EVP_CIPHER_CTX *ctx;
@@ -3009,14 +3011,13 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
* Attempt to process session ticket, first conduct sanity and integrity
* checks on ticket.
*/
- /* TODO(size_t) : convert me */
mlen = HMAC_size(hctx);
- if (mlen < 0) {
+ if (mlen == 0) {
goto err;
}
/* Sanity check ticket length: must exceed keyname + IV + HMAC */
if (eticklen <=
- TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + (size_t)mlen) {
+ TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) {
ret = 2;
goto err;
}
@@ -3036,17 +3037,18 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx);
eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx);
sdec = OPENSSL_malloc(eticklen);
- if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) {
+ if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p,
+ (int)eticklen) <= 0) {
EVP_CIPHER_CTX_free(ctx);
OPENSSL_free(sdec);
return -1;
}
- if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) {
+ if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) {
EVP_CIPHER_CTX_free(ctx);
OPENSSL_free(sdec);
return 2;
}
- slen += mlen;
+ slen += declen;
EVP_CIPHER_CTX_free(ctx);
ctx = NULL;
p = sdec;
@@ -3327,9 +3329,9 @@ int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
}
/* Given preference and allowed sigalgs set shared sigalgs */
-static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
- const unsigned char *pref, size_t preflen,
- const unsigned char *allow, size_t allowlen)
+static size_t tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
+ const unsigned char *pref, size_t preflen,
+ const unsigned char *allow, size_t allowlen)
{
const unsigned char *ptmp, *atmp;
size_t i, j, nmatch = 0;
@@ -3491,7 +3493,8 @@ int SSL_get_sigalgs(SSL *s, int idx,
unsigned char *rsig, unsigned char *rhash)
{
const unsigned char *psig = s->s3->tmp.peer_sigalgs;
- if (psig == NULL)
+ size_t numsigalgs = s->s3->tmp.peer_sigalgslen / 2;
+ if (psig == NULL || numsigalgs > INT_MAX)
return 0;
if (idx >= 0) {
idx <<= 1;
@@ -3504,7 +3507,7 @@ int SSL_get_sigalgs(SSL *s, int idx,
*rsig = psig[1];
tls1_lookup_sigalg(phash, psign, psignhash, psig);
}
- return s->s3->tmp.peer_sigalgslen / 2;
+ return (int)numsigalgs;
}
int SSL_get_shared_sigalgs(SSL *s, int idx,
@@ -3512,7 +3515,8 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
unsigned char *rsig, unsigned char *rhash)
{
TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
- if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
+ if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen
+ || s->cert->shared_sigalgslen > INT_MAX)
return 0;
shsigalgs += idx;
if (phash)
@@ -3525,7 +3529,7 @@ int SSL_get_shared_sigalgs(SSL *s, int idx,
*rsig = shsigalgs->rsign;
if (rhash)
*rhash = shsigalgs->rhash;
- return s->cert->shared_sigalgslen;
+ return (int)s->cert->shared_sigalgslen;
}
#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
@@ -3698,7 +3702,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
/* idx == -2 means checking client certificate chains */
if (idx == -2) {
cpk = c->key;
- idx = cpk - c->pkeys;
+ idx = (int)(cpk - c->pkeys);
} else
cpk = c->pkeys + idx;
pvalid = s->s3->tmp.valid_flags + idx;
diff --git a/ssl/t1_reneg.c b/ssl/t1_reneg.c
index f3e01bb833..492386efe6 100644
--- a/ssl/t1_reneg.c
+++ b/ssl/t1_reneg.c
@@ -71,9 +71,9 @@ int ssl_add_serverhello_renegotiate_ext(SSL *s, WPACKET *pkt)
*/
int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al)
{
- unsigned int expected_len = s->s3->previous_client_finished_len
+ size_t expected_len = s->s3->previous_client_finished_len
+ s->s3->previous_server_finished_len;
- unsigned int ilen;
+ size_t ilen;
const unsigned char *data;
/* Check for logic errors */
@@ -81,7 +81,7 @@ int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al)
OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len);
/* Parse the length byte */
- if (!PACKET_get_1(pkt, &ilen)) {
+ if (!PACKET_get_1_len(pkt, &ilen)) {
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,
SSL_R_RENEGOTIATION_ENCODING_ERR);
*al = SSL_AD_ILLEGAL_PARAMETER;