diff options
-rw-r--r-- | ssl/record/ssl3_record.c | 4 | ||||
-rw-r--r-- | ssl/s3_cbc.c | 2 | ||||
-rw-r--r-- | ssl/s3_enc.c | 2 | ||||
-rw-r--r-- | ssl/s3_lib.c | 10 | ||||
-rw-r--r-- | ssl/ssl_asn1.c | 2 | ||||
-rw-r--r-- | ssl/ssl_ciph.c | 2 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 57 | ||||
-rw-r--r-- | ssl/ssl_mcnf.c | 4 | ||||
-rw-r--r-- | ssl/ssl_sess.c | 10 | ||||
-rw-r--r-- | ssl/ssl_txt.c | 3 | ||||
-rw-r--r-- | ssl/statem/statem_clnt.c | 36 | ||||
-rw-r--r-- | ssl/statem/statem_dtls.c | 7 | ||||
-rw-r--r-- | ssl/statem/statem_lib.c | 2 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 32 | ||||
-rw-r--r-- | ssl/t1_enc.c | 22 | ||||
-rw-r--r-- | ssl/t1_lib.c | 48 | ||||
-rw-r--r-- | ssl/t1_reneg.c | 6 |
17 files changed, 137 insertions, 112 deletions
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 240355bba1..7904447b73 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -1022,8 +1022,8 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send) header[8] = rec->type; header[9] = (unsigned char)(ssl->version >> 8); header[10] = (unsigned char)(ssl->version); - header[11] = (rec->length) >> 8; - header[12] = (rec->length) & 0xff; + header[11] = (unsigned char)(rec->length >> 8); + header[12] = (unsigned char)(rec->length & 0xff); if (!send && !SSL_USE_ETM(ssl) && EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index e6b7f32639..29243f35a0 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -357,7 +357,7 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, if (k > 0) { if (is_sslv3) { - unsigned overhang; + size_t overhang; /* * The SSLv3 header is larger than a single block. overhang is diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 9283c74458..ba71bc14b4 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -439,7 +439,7 @@ size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len, if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0) || EVP_MD_CTX_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET, - s->session->master_key_length, + (int)s->session->master_key_length, s->session->master_key) <= 0 || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) { SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR); diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index d6d7c46287..45824012ef 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3035,9 +3035,10 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: *(unsigned char **)parg = s->tlsext_ocsp_resp; - if (s->tlsext_ocsp_resplen == 0) + if (s->tlsext_ocsp_resplen == 0 + || s->tlsext_ocsp_resplen > LONG_MAX) return -1; - return s->tlsext_ocsp_resplen; + return (long)s->tlsext_ocsp_resplen; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: OPENSSL_free(s->tlsext_ocsp_resp); @@ -3955,9 +3956,10 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len) unsigned long Time = (unsigned long)time(NULL); unsigned char *p = result; l2n(Time, p); - return RAND_bytes(p, len - 4); + /* TODO(size_t): Convert this */ + return RAND_bytes(p, (int)(len - 4)); } else - return RAND_bytes(result, len); + return RAND_bytes(result, (int)len); } int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen, diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 9b6ea0a1f1..fd13f90c28 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -102,7 +102,7 @@ static void ssl_session_oinit(ASN1_OCTET_STRING **dest, ASN1_OCTET_STRING *os, unsigned char *data, size_t len) { os->data = data; - os->length = len; + os->length = (int)len; os->flags = 0; *dest = os; } diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 478d9a9bd4..9d259c1a15 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -175,7 +175,7 @@ static int ssl_cipher_info_find(const ssl_cipher_table * table, size_t i; for (i = 0; i < table_cnt; i++, table++) { if (table->mask == mask) - return i; + return (int)i; } return -1; } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index a869314bda..4e2369d52f 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -80,7 +80,7 @@ SSL3_ENC_METHOD ssl3_undef_enc_method = { struct ssl_async_args { SSL *s; void *buf; - int num; + size_t num; enum { READFUNC, WRITEFUNC, OTHERFUNC } type; union { int (*func_read) (SSL *, void *, size_t, size_t *); @@ -318,14 +318,14 @@ static int dane_tlsa_add(SSL_DANE *dane, t->usage = usage; t->selector = selector; t->mtype = mtype; - t->data = OPENSSL_malloc(ilen); + t->data = OPENSSL_malloc(dlen); if (t->data == NULL) { tlsa_free(t); SSLerr(SSL_F_DANE_TLSA_ADD, ERR_R_MALLOC_FAILURE); return -1; } - memcpy(t->data, data, ilen); - t->dlen = ilen; + memcpy(t->data, data, dlen); + t->dlen = dlen; /* Validate and cache full certificate or public key */ if (mtype == DANETLS_MATCHING_FULL) { @@ -335,7 +335,7 @@ static int dane_tlsa_add(SSL_DANE *dane, switch (selector) { case DANETLS_SELECTOR_CERT: - if (!d2i_X509(&cert, &p, dlen) || p < data || + if (!d2i_X509(&cert, &p, ilen) || p < data || dlen != (size_t)(p - data)) { tlsa_free(t); SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_CERTIFICATE); @@ -370,7 +370,7 @@ static int dane_tlsa_add(SSL_DANE *dane, break; case DANETLS_SELECTOR_SPKI: - if (!d2i_PUBKEY(&pkey, &p, dlen) || p < data || + if (!d2i_PUBKEY(&pkey, &p, ilen) || p < data || dlen != (size_t)(p - data)) { tlsa_free(t); SSLerr(SSL_F_DANE_TLSA_ADD, SSL_R_DANE_TLSA_BAD_PUBLIC_KEY); @@ -1304,7 +1304,7 @@ int SSL_pending(const SSL *s) * SSL_pending also cannot work properly if the value >INT_MAX. In that case * we just return INT_MAX. */ - return pending < INT_MAX ? pending : INT_MAX; + return pending < INT_MAX ? (int)pending : INT_MAX; } int SSL_has_pending(const SSL *s) @@ -1382,7 +1382,7 @@ int SSL_copy_session_id(SSL *t, const SSL *f) CRYPTO_atomic_add(&f->cert->references, 1, &i, f->cert->lock); ssl_cert_free(t->cert); t->cert = f->cert; - if (!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length)) { + if (!SSL_set_session_id_context(t, f->sid_ctx, (int)f->sid_ctx_length)) { return 0; } @@ -1513,7 +1513,7 @@ static int ssl_io_intern(void *vargs) struct ssl_async_args *args; SSL *s; void *buf; - int num; + size_t num; args = (struct ssl_async_args *)vargs; s = args->s; @@ -1767,11 +1767,13 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_CLEAR_MODE: return (s->mode &= ~larg); case SSL_CTRL_GET_MAX_CERT_LIST: - return (s->max_cert_list); + return (long)(s->max_cert_list); case SSL_CTRL_SET_MAX_CERT_LIST: - l = s->max_cert_list; - s->max_cert_list = larg; - return (l); + if (larg < 0) + return 0; + l = (long)s->max_cert_list; + s->max_cert_list = (size_t)larg; + return l; case SSL_CTRL_SET_MAX_SEND_FRAGMENT: if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) return 0; @@ -1879,18 +1881,22 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return 1; case SSL_CTRL_GET_MAX_CERT_LIST: - return (ctx->max_cert_list); + return (long)(ctx->max_cert_list); case SSL_CTRL_SET_MAX_CERT_LIST: - l = ctx->max_cert_list; - ctx->max_cert_list = larg; - return (l); + if (larg < 0) + return 0; + l = (long)ctx->max_cert_list; + ctx->max_cert_list = (size_t)larg; + return l; case SSL_CTRL_SET_SESS_CACHE_SIZE: - l = ctx->session_cache_size; - ctx->session_cache_size = larg; - return (l); + if (larg < 0) + return 0; + l = (long)ctx->session_cache_size; + ctx->session_cache_size = (size_t)larg; + return l; case SSL_CTRL_GET_SESS_CACHE_SIZE: - return (ctx->session_cache_size); + return (long)(ctx->session_cache_size); case SSL_CTRL_SET_SESS_CACHE_MODE: l = ctx->session_cache_mode; ctx->session_cache_mode = larg; @@ -2249,7 +2255,7 @@ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, if (!*data) { *len = 0; } else { - *len = s->next_proto_negotiated_len; + *len = (unsigned int)s->next_proto_negotiated_len; } } @@ -2366,7 +2372,7 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, if (*data == NULL) *len = 0; else - *len = ssl->s3->alpn_selected_len; + *len = (unsigned int)ssl->s3->alpn_selected_len; } int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, @@ -3227,7 +3233,8 @@ SSL *SSL_dup(SSL *s) goto err; } - if (!SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length)) + if (!SSL_set_session_id_context(ret, s->sid_ctx, + (int)s->sid_ctx_length)) goto err; } @@ -4068,7 +4075,7 @@ static int ct_extract_ocsp_response_scts(SSL *s) goto err; p = s->tlsext_ocsp_resp; - rsp = d2i_OCSP_RESPONSE(NULL, &p, s->tlsext_ocsp_resplen); + rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->tlsext_ocsp_resplen); if (rsp == NULL) goto err; diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c index c2d9dba64a..59674f3d39 100644 --- a/ssl/ssl_mcnf.c +++ b/ssl/ssl_mcnf.c @@ -73,7 +73,7 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf) ssl_names_count = cnt; for (i = 0; i < ssl_names_count; i++) { struct ssl_conf_name *ssl_name = ssl_names + i; - CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, i); + CONF_VALUE *sect = sk_CONF_VALUE_value(cmd_lists, (int)i); STACK_OF(CONF_VALUE) *cmds = NCONF_get_section(cnf, sect->value); if (sk_CONF_VALUE_num(cmds) <= 0) { if (cmds == NULL) @@ -94,7 +94,7 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf) ssl_name->cmd_count = cnt; for (j = 0; j < cnt; j++) { const char *name; - CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, j); + CONF_VALUE *cmd_conf = sk_CONF_VALUE_value(cmds, (int)j); struct ssl_conf_cmd *cmd = ssl_name->cmds + j; /* Skip any initial dot in name */ name = strchr(cmd_conf->name, '.'); diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index e0ec918c91..44101cbb0c 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -236,14 +236,14 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) { if (len) - *len = s->session_id_length; + *len = (unsigned int)s->session_id_length; return s->session_id; } const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s, unsigned int *len) { if (len != NULL) - *len = s->sid_ctx_length; + *len = (unsigned int)s->sid_ctx_length; return s->sid_ctx; } @@ -369,7 +369,7 @@ int ssl_get_new_session(SSL *s, int session) CRYPTO_THREAD_unlock(s->lock); /* Choose a session ID */ memset(ss->session_id, 0, ss->session_id_length); - tmp = ss->session_id_length; + tmp = (int)ss->session_id_length; if (!cb(s, ss->session_id, &tmp)) { /* The callback failed */ SSLerr(SSL_F_SSL_GET_NEW_SESSION, @@ -391,7 +391,7 @@ int ssl_get_new_session(SSL *s, int session) ss->session_id_length = tmp; /* Finally, check for a conflict */ if (SSL_has_matching_session_id(s, ss->session_id, - ss->session_id_length)) { + (unsigned int)ss->session_id_length)) { SSLerr(SSL_F_SSL_GET_NEW_SESSION, SSL_R_SSL_SESSION_ID_CONFLICT); SSL_SESSION_free(ss); return (0); @@ -502,7 +502,7 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id) ret == NULL && s->session_ctx->get_session_cb != NULL) { int copy = 1; ret = s->session_ctx->get_session_cb(s, PACKET_data(session_id), - PACKET_remaining(session_id), + (int)PACKET_remaining(session_id), ©); if (ret != NULL) { diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index a7faf4889e..06ea6463ab 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -128,8 +128,9 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (x->tlsext_tick) { if (BIO_puts(bp, "\n TLS session ticket:\n") <= 0) goto err; + /* TODO(size_t): Convert this call */ if (BIO_dump_indent - (bp, (const char *)x->tlsext_tick, x->tlsext_ticklen, 4) + (bp, (const char *)x->tlsext_tick, (int)x->tlsext_ticklen, 4) <= 0) goto err; } diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 194243fc9d..bde5373fe7 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1358,18 +1358,19 @@ static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) return 0; } + /* TODO(size_t): Convert BN_bin2bn() calls */ if ((s->srp_ctx.N = BN_bin2bn(PACKET_data(&prime), - PACKET_remaining(&prime), NULL)) == NULL + (int)PACKET_remaining(&prime), NULL)) == NULL || (s->srp_ctx.g = BN_bin2bn(PACKET_data(&generator), - PACKET_remaining(&generator), NULL)) == NULL + (int)PACKET_remaining(&generator), NULL)) == NULL || (s->srp_ctx.s = BN_bin2bn(PACKET_data(&salt), - PACKET_remaining(&salt), NULL)) == NULL + (int)PACKET_remaining(&salt), NULL)) == NULL || (s->srp_ctx.B = BN_bin2bn(PACKET_data(&server_pub), - PACKET_remaining(&server_pub), NULL)) == NULL) { + (int)PACKET_remaining(&server_pub), NULL)) == NULL) { *al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_PROCESS_SKE_SRP, ERR_R_BN_LIB); return 0; @@ -1419,10 +1420,12 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al) goto err; } - p = BN_bin2bn(PACKET_data(&prime), PACKET_remaining(&prime), NULL); - g = BN_bin2bn(PACKET_data(&generator), PACKET_remaining(&generator), NULL); - bnpub_key = BN_bin2bn(PACKET_data(&pub_key), PACKET_remaining(&pub_key), - NULL); + /* TODO(size_t): Convert these calls */ + p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL); + g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator), + NULL); + bnpub_key = BN_bin2bn(PACKET_data(&pub_key), + (int)PACKET_remaining(&pub_key), NULL); if (p == NULL || g == NULL || bnpub_key == NULL) { *al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB); @@ -1710,8 +1713,10 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB); goto err; } + /* TODO(size_t): Convert this call */ if (EVP_VerifyFinal(md_ctx, PACKET_data(&signature), - PACKET_remaining(&signature), pkey) <= 0) { + (unsigned int)PACKET_remaining(&signature), + pkey) <= 0) { /* bad signature */ EVP_MD_CTX_free(md_ctx); al = SSL_AD_DECRYPT_ERROR; @@ -2193,7 +2198,8 @@ static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt, int *al) pms[0] = s->client_version >> 8; pms[1] = s->client_version & 0xff; - if (RAND_bytes(pms + 2, pmslen - 2) <= 0) { + /* TODO(size_t): Convert this function */ + if (RAND_bytes(pms + 2, (int)(pmslen - 2)) <= 0) { goto err; } @@ -2283,7 +2289,7 @@ static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt, int *al) { #ifndef OPENSSL_NO_EC unsigned char *encodedPoint = NULL; - int encoded_pt_len = 0; + size_t encoded_pt_len = 0; EVP_PKEY *ckey = NULL, *skey = NULL; int ret = 0; @@ -2375,8 +2381,10 @@ static int tls_construct_cke_gost(SSL *s, WPACKET *pkt, int *al) } if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 - /* Generate session key */ - || RAND_bytes(pms, pmslen) <= 0) { + /* Generate session key + * TODO(size_t): Convert this function + */ + || RAND_bytes(pms, (int)pmslen) <= 0) { *al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR); goto err; @@ -2617,7 +2625,7 @@ int tls_construct_client_verify(SSL *s, WPACKET *pkt) || !EVP_SignUpdate(mctx, hdata, hdatalen) || (s->version == SSL3_VERSION && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, - s->session->master_key_length, + (int)s->session->master_key_length, s->session->master_key)) || !EVP_SignFinal(mctx, sig, &u, pkey)) { SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_EVP_LIB); diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index 6053a58b9c..d2b5f877dc 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c @@ -390,11 +390,10 @@ int dtls_get_message(SSL *s, int *mt, size_t *len) * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but * may be greater if the maximum certificate list size requires it. */ -static unsigned long dtls1_max_handshake_message_len(const SSL *s) +static size_t dtls1_max_handshake_message_len(const SSL *s) { - unsigned long max_len = - DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; - if (max_len < (unsigned long)s->max_cert_list) + size_t max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; + if (max_len < s->max_cert_list) return s->max_cert_list; return max_len; } diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 30d674ef0f..1ce14ee640 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -155,7 +155,7 @@ static void ssl3_take_mac(SSL *s) MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) { int al; - long remain; + size_t remain; remain = PACKET_remaining(pkt); /* diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 83e698b999..6aa897bfd5 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -888,7 +888,8 @@ int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) { int i, al = SSL_AD_INTERNAL_ERROR; - unsigned int j, complen = 0; + unsigned int j; + size_t loop, complen = 0; unsigned long id; const SSL_CIPHER *c; #ifndef OPENSSL_NO_COMP @@ -1087,8 +1088,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { if (s->ctx->app_verify_cookie_cb != NULL) { if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie), - PACKET_remaining(&cookie)) == - 0) { + (unsigned int)PACKET_remaining(&cookie)) == 0) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); @@ -1197,12 +1197,12 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } complen = PACKET_remaining(&compression); - for (j = 0; j < complen; j++) { - if (PACKET_data(&compression)[j] == 0) + for (loop = 0; loop < complen; loop++) { + if (PACKET_data(&compression)[loop] == 0) break; } - if (j >= complen) { + if (loop >= complen) { /* no compress */ al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); @@ -1576,7 +1576,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) #endif #ifndef OPENSSL_NO_EC unsigned char *encodedPoint = NULL; - int encodedlen = 0; + size_t encodedlen = 0; int curve_id = 0; #endif EVP_PKEY *pkey; @@ -1909,7 +1909,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) int tls_construct_certificate_request(SSL *s, WPACKET *pkt) { - int i, nl; + int i; STACK_OF(X509_NAME) *sk = NULL; /* get the list of acceptable cert types */ @@ -1922,7 +1922,7 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt) if (SSL_USE_SIGALGS(s)) { const unsigned char *psigs; - nl = tls12_get_psigalgs(s, &psigs); + size_t nl = tls12_get_psigalgs(s, &psigs); if (!WPACKET_start_sub_packet_u16(pkt) || !tls12_copy_sigalgs(s, pkt, psigs, nl) || !WPACKET_close(pkt)) { @@ -2103,9 +2103,10 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) * Decrypt with no padding. PKCS#1 padding will be removed as part of * the timing-sensitive code below. */ - decrypt_len = RSA_private_decrypt(PACKET_remaining(&enc_premaster), - PACKET_data(&enc_premaster), - rsa_decrypt, rsa, RSA_NO_PADDING); + /* TODO(size_t): Convert this function */ + decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster), + PACKET_data(&enc_premaster), + rsa_decrypt, rsa, RSA_NO_PADDING); if (decrypt_len < 0) goto err; @@ -2386,7 +2387,7 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) unsigned long alg_a; int Ttag, Tclass; long Tlen; - long sess_key_len; + size_t sess_key_len; const unsigned char *data; int ret = 0; @@ -2436,8 +2437,9 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR); goto err; } + /* TODO(size_t): Convert this function */ if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag, - &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED + &Tclass, (long)sess_key_len) != V_ASN1_CONSTRUCTED || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) { *al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED); @@ -2739,7 +2741,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) if (s->version == SSL3_VERSION && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, - s->session->master_key_length, + (int)s->session->master_key_length, s->session->master_key)) { SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index f200040bac..16d3d3e816 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -64,18 +64,18 @@ static int tls1_PRF(SSL *s, pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); if (pctx == NULL || EVP_PKEY_derive_init(pctx) <= 0 || EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) <= 0 - || EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, slen) <= 0) + || EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, (int)slen) <= 0) goto err; - if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len) <= 0) + if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, (int)seed1_len) <= 0) goto err; - if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len) <= 0) + if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, (int)seed2_len) <= 0) goto err; - if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len) <= 0) + if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, (int)seed3_len) <= 0) goto err; - if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed4, seed4_len) <= 0) + if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed4, (int)seed4_len) <= 0) goto err; - if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed5, seed5_len) <= 0) + if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed5, (int)seed5_len) <= 0) goto err; if (EVP_PKEY_derive(pctx, out, &olen) <= 0) @@ -250,8 +250,9 @@ int tls1_change_cipher_state(SSL *s, int which) memcpy(mac_secret, ms, i); if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { + /* TODO(size_t): Convert this function */ mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, - mac_secret, *mac_secret_size); + mac_secret, (int)*mac_secret_size); if (mac_key == NULL || EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) { EVP_PKEY_free(mac_key); @@ -271,7 +272,8 @@ int tls1_change_cipher_state(SSL *s, int which) if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE)) - || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv)) { + || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, (int)k, + iv)) { SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err2; } @@ -285,7 +287,7 @@ int tls1_change_cipher_state(SSL *s, int which) if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE)) || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL) || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL) - || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, k, iv) + || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, (int)k, iv) || !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) { SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err2; @@ -299,7 +301,7 @@ int tls1_change_cipher_state(SSL *s, int which) /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size && !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, - *mac_secret_size, mac_secret)) { + (int)*mac_secret_size, mac_secret)) { SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err2; } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 6a1386cb36..0523e54718 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -246,7 +246,7 @@ int tls1_ec_nid2curve_id(int nid) size_t i; for (i = 0; i < OSSL_NELEM(nid_list); i++) { if (nid_list[i].nid == nid) - return i + 1; + return (int)(i + 1); } return 0; } @@ -1151,7 +1151,7 @@ int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al) #endif /* OPENSSL_NO_EC */ if (tls_use_ticket(s)) { - int ticklen; + size_t ticklen; if (!s->new_session && s->session && s->session->tlsext_tick) ticklen = s->session->tlsext_ticklen; else if (s->session && s->tlsext_session_ticket && @@ -1663,7 +1663,7 @@ static int tls1_alpn_handle_client_hello_late(SSL *s, int *al) if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) { int r = s->ctx->alpn_select_cb(s, &selected, &selected_len, s->s3->alpn_proposed, - s->s3->alpn_proposed_len, + (unsigned int)s->s3->alpn_proposed_len, s->ctx->alpn_select_cb_arg); if (r == SSL_TLSEXT_ERR_OK) { @@ -1825,7 +1825,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) if (s->tlsext_debug_cb) s->tlsext_debug_cb(s, 0, type, PACKET_data(&extension), - PACKET_remaining(&extension), + (int)PACKET_remaining(&extension), s->tlsext_debug_arg); if (type == TLSEXT_TYPE_renegotiate) { @@ -1977,7 +1977,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) else if (type == TLSEXT_TYPE_session_ticket) { if (s->tls_session_ticket_ext_cb && !s->tls_session_ticket_ext_cb(s, PACKET_data(&extension), - PACKET_remaining(&extension), + (int)PACKET_remaining(&extension), s->tls_session_ticket_ext_cb_arg)) { *al = TLS1_AD_INTERNAL_ERROR; @@ -2039,8 +2039,9 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) } id_data = PACKET_data(&responder_id); + /* TODO(size_t): Convert d2i_* to size_t */ id = d2i_OCSP_RESPID(NULL, &id_data, - PACKET_remaining(&responder_id)); + (int)PACKET_remaining(&responder_id)); if (id == NULL) return 0; @@ -2066,7 +2067,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) X509_EXTENSION_free); s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, &ext_data, - PACKET_remaining(&exts)); + (int)PACKET_remaining(&exts)); if (s->tlsext_ocsp_exts == NULL || ext_data != PACKET_end(&exts)) { return 0; @@ -2961,7 +2962,8 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, SSL_SESSION *sess; unsigned char *sdec; const unsigned char *p; - int slen, mlen, renew_ticket = 0, ret = -1; + int slen, renew_ticket = 0, ret = -1, declen; + size_t mlen; unsigned char tick_hmac[EVP_MAX_MD_SIZE]; HMAC_CTX *hctx = NULL; EVP_CIPHER_CTX *ctx; @@ -3009,14 +3011,13 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, * Attempt to process session ticket, first conduct sanity and integrity * checks on ticket. */ - /* TODO(size_t) : convert me */ mlen = HMAC_size(hctx); - if (mlen < 0) { + if (mlen == 0) { goto err; } /* Sanity check ticket length: must exceed keyname + IV + HMAC */ if (eticklen <= - TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + (size_t)mlen) { + TLSEXT_KEYNAME_LENGTH + EVP_CIPHER_CTX_iv_length(ctx) + mlen) { ret = 2; goto err; } @@ -3036,17 +3037,18 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, p = etick + 16 + EVP_CIPHER_CTX_iv_length(ctx); eticklen -= 16 + EVP_CIPHER_CTX_iv_length(ctx); sdec = OPENSSL_malloc(eticklen); - if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, eticklen) <= 0) { + if (sdec == NULL || EVP_DecryptUpdate(ctx, sdec, &slen, p, + (int)eticklen) <= 0) { EVP_CIPHER_CTX_free(ctx); OPENSSL_free(sdec); return -1; } - if (EVP_DecryptFinal(ctx, sdec + slen, &mlen) <= 0) { + if (EVP_DecryptFinal(ctx, sdec + slen, &declen) <= 0) { EVP_CIPHER_CTX_free(ctx); OPENSSL_free(sdec); return 2; } - slen += mlen; + slen += declen; EVP_CIPHER_CTX_free(ctx); ctx = NULL; p = sdec; @@ -3327,9 +3329,9 @@ int tls12_copy_sigalgs(SSL *s, WPACKET *pkt, } /* Given preference and allowed sigalgs set shared sigalgs */ -static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig, - const unsigned char *pref, size_t preflen, - const unsigned char *allow, size_t allowlen) +static size_t tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig, + const unsigned char *pref, size_t preflen, + const unsigned char *allow, size_t allowlen) { const unsigned char *ptmp, *atmp; size_t i, j, nmatch = 0; @@ -3491,7 +3493,8 @@ int SSL_get_sigalgs(SSL *s, int idx, unsigned char *rsig, unsigned char *rhash) { const unsigned char *psig = s->s3->tmp.peer_sigalgs; - if (psig == NULL) + size_t numsigalgs = s->s3->tmp.peer_sigalgslen / 2; + if (psig == NULL || numsigalgs > INT_MAX) return 0; if (idx >= 0) { idx <<= 1; @@ -3504,7 +3507,7 @@ int SSL_get_sigalgs(SSL *s, int idx, *rsig = psig[1]; tls1_lookup_sigalg(phash, psign, psignhash, psig); } - return s->s3->tmp.peer_sigalgslen / 2; + return (int)numsigalgs; } int SSL_get_shared_sigalgs(SSL *s, int idx, @@ -3512,7 +3515,8 @@ int SSL_get_shared_sigalgs(SSL *s, int idx, unsigned char *rsig, unsigned char *rhash) { TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs; - if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen) + if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen + || s->cert->shared_sigalgslen > INT_MAX) return 0; shsigalgs += idx; if (phash) @@ -3525,7 +3529,7 @@ int SSL_get_shared_sigalgs(SSL *s, int idx, *rsig = shsigalgs->rsign; if (rhash) *rhash = shsigalgs->rhash; - return s->cert->shared_sigalgslen; + return (int)s->cert->shared_sigalgslen; } #define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2) @@ -3698,7 +3702,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, /* idx == -2 means checking client certificate chains */ if (idx == -2) { cpk = c->key; - idx = cpk - c->pkeys; + idx = (int)(cpk - c->pkeys); } else cpk = c->pkeys + idx; pvalid = s->s3->tmp.valid_flags + idx; diff --git a/ssl/t1_reneg.c b/ssl/t1_reneg.c index f3e01bb833..492386efe6 100644 --- a/ssl/t1_reneg.c +++ b/ssl/t1_reneg.c @@ -71,9 +71,9 @@ int ssl_add_serverhello_renegotiate_ext(SSL *s, WPACKET *pkt) */ int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al) { - unsigned int expected_len = s->s3->previous_client_finished_len + size_t expected_len = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len; - unsigned int ilen; + size_t ilen; const unsigned char *data; /* Check for logic errors */ @@ -81,7 +81,7 @@ int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al) OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len); /* Parse the length byte */ - if (!PACKET_get_1(pkt, &ilen)) { + if (!PACKET_get_1_len(pkt, &ilen)) { SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR); *al = SSL_AD_ILLEGAL_PARAMETER; |