Also add a couple of negative checks.
Cherry-picked from #13489
Closes #13622
CURLcode result = CURLE_OK;
size_t size;
unsigned char ntlmbuf[NTLM_BUFSIZE];
- int lmrespoff;
+ unsigned int lmrespoff;
unsigned char lmresp[24]; /* fixed-size */
- int ntrespoff;
+ unsigned int ntrespoff;
unsigned int ntresplen = 24;
unsigned char ntresp[24]; /* fixed-size */
unsigned char *ptr_ntresp = &ntresp[0];
return result;
Curl_ntlm_core_lm_resp(lmbuffer, &ntlm->nonce[0], lmresp);
- ntlm->flags &= ~NTLMFLAG_NEGOTIATE_NTLM2_KEY;
+ ntlm->flags &= ~(unsigned int)NTLMFLAG_NEGOTIATE_NTLM2_KEY;
/* A safer but less compatible alternative is:
* Curl_ntlm_core_lm_resp(ntbuffer, &ntlm->nonce[0], lmresp);
if(!nego->output_token) {
/* Query the security package for Negotiate */
- nego->status = s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
- TEXT(SP_NAME_NEGOTIATE),
- &SecurityPackage);
+ nego->status = (DWORD)s_pSecFn->QuerySecurityPackageInfo((TCHAR *)
+ TEXT(SP_NAME_NEGOTIATE),
+ &SecurityPackage);
if(nego->status != SEC_E_OK) {
failf(data, "SSPI: couldn't get auth info");
return CURLE_AUTH_ERROR;
return CURLE_OUT_OF_MEMORY;
/* Acquire our credentials handle */
- nego->status =
+ nego->status = (DWORD)
s_pSecFn->AcquireCredentialsHandle(NULL,
(TCHAR *)TEXT(SP_NAME_NEGOTIATE),
SECPKG_CRED_OUTBOUND, NULL,
SEC_CHANNEL_BINDINGS channelBindings;
SecPkgContext_Bindings pkgBindings;
pkgBindings.Bindings = &channelBindings;
- nego->status = s_pSecFn->QueryContextAttributes(
+ nego->status = (DWORD)s_pSecFn->QueryContextAttributes(
nego->sslContext,
SECPKG_ATTR_ENDPOINT_BINDINGS,
&pkgBindings
resp_buf.cbBuffer = curlx_uztoul(nego->token_max);
/* Generate our challenge-response message */
- nego->status = s_pSecFn->InitializeSecurityContext(nego->credentials,
+ nego->status = (DWORD)s_pSecFn->InitializeSecurityContext(nego->credentials,
chlg ? nego->context :
NULL,
nego->spn,
if(GSS_ERROR(nego->status)) {
char buffer[STRERROR_LEN];
failf(data, "InitializeSecurityContext failed: %s",
- Curl_sspi_strerror(nego->status, buffer, sizeof(buffer)));
+ Curl_sspi_strerror((int)nego->status, buffer, sizeof(buffer)));
if(nego->status == (DWORD)SEC_E_INSUFFICIENT_MEMORY)
return CURLE_OUT_OF_MEMORY;
if(nego->status == SEC_I_COMPLETE_NEEDED ||
nego->status == SEC_I_COMPLETE_AND_CONTINUE) {
- nego->status = s_pSecFn->CompleteAuthToken(nego->context, &resp_desc);
+ nego->status = (DWORD)s_pSecFn->CompleteAuthToken(nego->context,
+ &resp_desc);
if(GSS_ERROR(nego->status)) {
char buffer[STRERROR_LEN];
failf(data, "CompleteAuthToken failed: %s",
- Curl_sspi_strerror(nego->status, buffer, sizeof(buffer)));
+ Curl_sspi_strerror((int)nego->status, buffer, sizeof(buffer)));
if(nego->status == (DWORD)SEC_E_INSUFFICIENT_MEMORY)
return CURLE_OUT_OF_MEMORY;
struct cf_ngtcp2_ctx *ctx = cf->ctx;
vquic_ctx_update_time(&ctx->q);
- pktx->ts = ctx->q.last_op.tv_sec * NGTCP2_SECONDS +
- ctx->q.last_op.tv_usec * NGTCP2_MICROSECONDS;
+ pktx->ts = (ngtcp2_tstamp)ctx->q.last_op.tv_sec * NGTCP2_SECONDS +
+ (ngtcp2_tstamp)ctx->q.last_op.tv_usec * NGTCP2_MICROSECONDS;
}
static void pktx_init(struct pkt_io_ctx *pktx,
}
}
-static int init_ngh3_conn(struct Curl_cfilter *cf);
+static CURLcode init_ngh3_conn(struct Curl_cfilter *cf);
static int cb_handshake_completed(ngtcp2_conn *tconn, void *user_data)
{
/* number of bytes inside buflen which consists of framing overhead
* including QPACK HEADERS. In other words, it does not consume payload of
* DATA frame. */
- ngtcp2_conn_extend_max_stream_offset(tconn, stream_id, nconsumed);
- ngtcp2_conn_extend_max_offset(tconn, nconsumed);
+ ngtcp2_conn_extend_max_stream_offset(tconn, stream_id, (uint64_t)nconsumed);
+ ngtcp2_conn_extend_max_offset(tconn, (uint64_t)nconsumed);
return 0;
}
if(timeout % NGTCP2_MILLISECONDS) {
timeout += NGTCP2_MILLISECONDS;
}
- Curl_expire(data, timeout / NGTCP2_MILLISECONDS, EXPIRE_QUIC);
+ Curl_expire(data, (timediff_t)(timeout / NGTCP2_MILLISECONDS),
+ EXPIRE_QUIC);
}
}
return CURLE_OK;
NULL /* recv_settings */
};
-static int init_ngh3_conn(struct Curl_cfilter *cf)
+static CURLcode init_ngh3_conn(struct Curl_cfilter *cf)
{
struct cf_ngtcp2_ctx *ctx = cf->ctx;
CURLcode result;
++pktx->pkt_count;
ngtcp2_addr_init(&path.local, (struct sockaddr *)&ctx->q.local_addr,
- ctx->q.local_addrlen);
+ (socklen_t)ctx->q.local_addrlen);
ngtcp2_addr_init(&path.remote, (struct sockaddr *)remote_addr,
remote_addrlen);
pi.ecn = (uint8_t)ecn;
(struct sockaddr *)&ctx->q.local_addr,
ctx->q.local_addrlen);
ngtcp2_addr_init(&ctx->connected_path.remote,
- &sockaddr->sa_addr, sockaddr->addrlen);
+ &sockaddr->sa_addr, (socklen_t)sockaddr->addrlen);
rc = ngtcp2_conn_client_new(&ctx->qconn, &ctx->dcid, &ctx->scid,
&ctx->connected_path,
*pres1 = (max_streams > INT_MAX)? INT_MAX : (int)max_streams;
}
else /* transport params not arrived yet? take our default. */
- *pres1 = Curl_multi_max_concurrent_streams(data->multi);
+ *pres1 = (int)Curl_multi_max_concurrent_streams(data->multi);
CURL_TRC_CF(data, cf, "query conn[%" CURL_FORMAT_CURL_OFF_T "]: "
"MAX_CONCURRENT -> %d (%zu in use)",
cf->conn->connection_id, *pres1, CONN_INUSE(cf->conn));
if(!s->ssl) {
return CURLE_FAILED_INIT;
}
- s->id = SSL_get_stream_id(s->ssl);
+ s->id = (curl_int64_t)SSL_get_stream_id(s->ssl);
SSL_set_app_data(s->ssl, user_data);
return CURLE_OK;
}
struct Curl_easy *data)
{
struct cf_osslq_ctx *ctx = cf->ctx;
- int64_t stream_id = SSL_get_stream_id(stream_ssl);
+ curl_int64_t stream_id = (curl_int64_t)SSL_get_stream_id(stream_ssl);
if(h3->remote_ctrl_n >= ARRAYSIZE(h3->remote_ctrl)) {
/* rejected, we are full */
CURL_TRC_CF(data, cf, "[%" CURL_PRId64 "] rejecting remote stream",
- (curl_int64_t)stream_id);
+ stream_id);
SSL_free(stream_ssl);
return CURLE_FAILED_INIT;
}
nstream->ssl = stream_ssl;
Curl_bufq_initp(&nstream->recvbuf, &ctx->stream_bufcp, 1, BUFQ_OPT_NONE);
CURL_TRC_CF(data, cf, "[%" CURL_PRId64 "] accepted remote uni stream",
- (curl_int64_t)stream_id);
+ stream_id);
break;
}
default:
CURL_TRC_CF(data, cf, "[%" CURL_PRId64 "] reject remote non-uni-read"
- " stream", (curl_int64_t)stream_id);
+ " stream", stream_id);
SSL_free(stream_ssl);
return CURLE_FAILED_INIT;
}
if(alpn)
wolfSSL_set_alpn_protos(ctx->wssl.handle, (const unsigned char *)alpn,
- (int)alpn_len);
+ (unsigned int)alpn_len);
if(peer->sni) {
wolfSSL_UseSNI(ctx->wssl.handle, WOLFSSL_SNI_HOST_NAME,
break;
}
- sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL);
+ sshc->auth_methods =
+ (unsigned int)ssh_userauth_list(sshc->ssh_session, NULL);
if(sshc->auth_methods)
infof(data, "SSH authentication methods available: %s%s%s%s",
sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY ?
nread = sftp_async_read(conn->proto.sshc.sftp_file,
mem, (uint32_t)len,
- conn->proto.sshc.sftp_file_index);
+ (uint32_t)conn->proto.sshc.sftp_file_index);
myssh_block2waitfor(conn, (nread == SSH_AGAIN)?TRUE:FALSE);
#define SCP_SEND(a,b,c,d) libssh2_scp_send_ex(a, b, (int)(c), (size_t)d, 0, 0)
#else
#define SCP_SEND(a,b,c,d) libssh2_scp_send64(a, b, (int)(c), \
- (libssh2_uint64_t)d, 0, 0)
+ (libssh2_int64_t)d, 0, 0)
#endif
/*
- * libssh2 1.2.8 fixed the problem with 32bit ints used for sockets on win64.
+ * libssh2 1.2.8 fixed the problem with 32-bit ints used for sockets on win64.
*/
#ifdef HAVE_LIBSSH2_SESSION_HANDSHAKE
#define session_startup(x,y) libssh2_session_handshake(x, y)
#else
#define session_startup(x,y) libssh2_session_startup(x, (int)y)
#endif
-static int convert_ssh2_keytype(int sshkeytype)
+static enum curl_khtype convert_ssh2_keytype(int sshkeytype)
{
- int keytype = CURLKHTYPE_UNKNOWN;
+ enum curl_khtype keytype = CURLKHTYPE_UNKNOWN;
switch(sshkeytype) {
case LIBSSH2_HOSTKEY_TYPE_RSA:
keytype = CURLKHTYPE_RSA;
const char *remotekey = libssh2_session_hostkey(sshc->ssh_session,
&keylen, &sshkeytype);
if(remotekey) {
- int keytype = convert_ssh2_keytype(sshkeytype);
+ enum curl_khtype keytype = convert_ssh2_keytype(sshkeytype);
Curl_set_in_callback(data, true);
rc = data->set.ssh_hostkeyfunc(data->set.ssh_hostkeyfunc_userp,
- keytype, remotekey, keylen);
+ (int)keytype, remotekey, keylen);
Curl_set_in_callback(data, false);
if(rc!= CURLKHMATCH_OK) {
state(data, SSH_SESSION_FREE);
case SSH_SFTP_QUOTE_MKDIR:
rc = libssh2_sftp_mkdir_ex(sshc->sftp_session, sshc->quote_path1,
curlx_uztoui(strlen(sshc->quote_path1)),
- data->set.new_directory_perms);
+ (long)data->set.new_directory_perms);
if(rc == LIBSSH2_ERROR_EAGAIN) {
break;
}
break;
}
if(rc == 0) {
- data->info.filetime = attrs.mtime;
+ data->info.filetime = (time_t)attrs.mtime;
}
state(data, SSH_SFTP_TRANS_INIT);
sshc->sftp_handle =
libssh2_sftp_open_ex(sshc->sftp_session, sshp->path,
curlx_uztoui(strlen(sshp->path)),
- flags, data->set.new_file_perms,
+ flags, (long)data->set.new_file_perms,
LIBSSH2_SFTP_OPENFILE);
if(!sshc->sftp_handle) {
/* 'mode' - parameter is preliminary - default to 0644 */
rc = libssh2_sftp_mkdir_ex(sshc->sftp_session, sshp->path,
curlx_uztoui(strlen(sshp->path)),
- data->set.new_directory_perms);
+ (long)data->set.new_directory_perms);
if(rc == LIBSSH2_ERROR_EAGAIN) {
break;
}
rc =
libssh2_sftp_symlink_ex(sshc->sftp_session,
Curl_dyn_ptr(&sshp->readdir_link),
- (int)Curl_dyn_len(&sshp->readdir_link),
+ (unsigned int)
+ Curl_dyn_len(&sshp->readdir_link),
sshp->readdir_filename,
PATH_MAX, LIBSSH2_SFTP_READLINK);
if(rc == LIBSSH2_ERROR_EAGAIN) {
sshc->sftp_handle =
libssh2_sftp_open_ex(sshc->sftp_session, sshp->path,
curlx_uztoui(strlen(sshp->path)),
- LIBSSH2_FXF_READ, data->set.new_file_perms,
+ LIBSSH2_FXF_READ, (long)data->set.new_file_perms,
LIBSSH2_SFTP_OPENFILE);
if(!sshc->sftp_handle) {
if(libssh2_session_last_errno(sshc->ssh_session) ==
#if LIBSSH2_VERSION_NUM >= 0x010B00
if(data->set.server_response_timeout > 0) {
libssh2_session_set_read_timeout(sshc->ssh_session,
- data->set.server_response_timeout / 1000);
+ (long)(data->set.server_response_timeout / 1000));
}
#endif
unsigned kbd_state; /* 0 or 1 */
ssh_key privkey;
ssh_key pubkey;
- int auth_methods;
+ unsigned int auth_methods;
ssh_session ssh_session;
ssh_scp scp_session;
sftp_session sftp_session;
struct x509_context *x509 = (struct x509_context *)ctx;
if(!x509->verifypeer) {
- return br_x509_decoder_last_error(&x509->decoder);
+ return (unsigned)br_x509_decoder_last_error(&x509->decoder);
}
return x509->minimal.vtable->end_chain(&x509->minimal.vtable);
const char *strerr = NULL;
if(rc == GNUTLS_E_WARNING_ALERT_RECEIVED) {
- int alert = gnutls_alert_get(session);
+ gnutls_alert_description_t alert = gnutls_alert_get(session);
strerr = gnutls_alert_get_name(alert);
}
const char *strerr = NULL;
if(rc == GNUTLS_E_FATAL_ALERT_RECEIVED) {
- int alert = gnutls_alert_get(session);
+ gnutls_alert_description_t alert = gnutls_alert_get(session);
strerr = gnutls_alert_get_name(alert);
}
CURLcode result = CURLE_OK;
#ifndef CURL_DISABLE_VERBOSE_STRINGS
const char *ptr;
- unsigned int algo;
+ int algo;
unsigned int bits;
gnutls_protocol_t version = gnutls_protocol_get_version(session);
#endif
if(data->set.ssl.certinfo && chainp) {
unsigned int i;
- result = Curl_ssl_init_certinfo(data, cert_list_size);
+ result = Curl_ssl_init_certinfo(data, (int)cert_list_size);
if(result)
return result;
const char *beg = (const char *) chainp[i].data;
const char *end = beg + chainp[i].size;
- result = Curl_extract_certinfo(data, i, beg, end);
+ result = Curl_extract_certinfo(data, (int)i, beg, end);
if(result)
return result;
}
gnutls_x509_crt_init(&x509_issuer);
issuerp = load_file(config->issuercert);
gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
- rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
+ rc = (int)gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
gnutls_x509_crt_deinit(x509_issuer);
unload_file(issuerp);
if(rc <= 0) {
in RFC2818 (HTTPS), which takes into account wildcards, and the subject
alternative name PKIX extension. Returns non zero on success, and zero on
failure. */
- rc = gnutls_x509_crt_check_hostname(x509_cert, peer->hostname);
+ rc = (int)gnutls_x509_crt_check_hostname(x509_cert, peer->hostname);
#if GNUTLS_VERSION_NUMBER < 0x030306
/* Before 3.3.6, gnutls_x509_crt_check_hostname() didn't check IP
addresses. */
/* public key algorithm's parameters */
algo = gnutls_x509_crt_get_pk_algorithm(x509_cert, &bits);
infof(data, " certificate public key: %s",
- gnutls_pk_algorithm_get_name(algo));
+ gnutls_pk_algorithm_get_name((gnutls_pk_algorithm_t)algo));
/* version of the X.509 certificate. */
infof(data, " certificate version: #%d",
bool *done)
{
struct ssl_connect_data *connssl = cf->ctx;
- int rc;
+ CURLcode rc;
CURLcode result = CURLE_OK;
/* Initiate the connection, if not already done */
NULL /* rev_timeout() */);
if(conn_config->cipher_list) {
- ret = mbed_set_selected_ciphers(data, backend, conn_config->cipher_list);
- if(ret) {
+ CURLcode result = mbed_set_selected_ciphers(data, backend,
+ conn_config->cipher_list);
+ if(result != CURLE_OK) {
failf(data, "mbedTLS: failed to set cipher suites");
- return ret;
+ return result;
}
}
else {
/* give application a chance to interfere with mbedTLS set up. */
if(data->set.ssl.fsslctx) {
- ret = (*data->set.ssl.fsslctx)(data, &backend->config,
- data->set.ssl.fsslctxp);
- if(ret) {
+ CURLcode result = (*data->set.ssl.fsslctx)(data, &backend->config,
+ data->set.ssl.fsslctxp);
+ if(result != CURLE_OK) {
failf(data, "error signaled by ssl ctx callback");
- return ret;
+ return result;
}
}
#endif
#endif
+#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+typedef size_t numcert_t;
+#else
+typedef int numcert_t;
+#endif
+#define ossl_valsize_t numcert_t
+
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
/* up2date versions of OpenSSL maintain reasonably secure defaults without
* breaking compatibility, so it is better not to override the defaults in curl
for(i = 0; i < (int)sk_X509_EXTENSION_num(exts); i++) {
ASN1_OBJECT *obj;
- X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
+ X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, (ossl_valsize_t)i);
BUF_MEM *biomem;
char namebuf[128];
BIO *bio_out = BIO_new(BIO_s_mem());
}
}
-#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
-typedef size_t numcert_t;
-#else
-typedef int numcert_t;
-#endif
-
CURLcode Curl_ossl_certchain(struct Curl_easy *data, SSL *ssl)
{
CURLcode result;
for(i = 0; i < (int)numcerts; i++) {
ASN1_INTEGER *num;
- X509 *x = sk_X509_value(sk, i);
+ X509 *x = sk_X509_value(sk, (ossl_valsize_t)i);
EVP_PKEY *pubkey = NULL;
int j;
char *ptr;
CURLcode result = CURLE_SEND_ERROR;
DEBUGASSERT(data);
- nwritten = Curl_conn_cf_send(cf->next, data, buf, blen, &result);
+ if(blen < 0)
+ return 0;
+
+ nwritten = Curl_conn_cf_send(cf->next, data, buf, (size_t)blen, &result);
CURL_TRC_CF(data, cf, "ossl_bio_cf_out_write(len=%d) -> %d, err=%d",
blen, (int)nwritten, result);
BIO_clear_retry_flags(bio);
/* OpenSSL catches this case, so should we. */
if(!buf)
return 0;
+ if(blen < 0)
+ return 0;
- nread = Curl_conn_cf_recv(cf->next, data, buf, blen, &result);
+ nread = Curl_conn_cf_recv(cf->next, data, buf, (size_t)blen, &result);
CURL_TRC_CF(data, cf, "ossl_bio_cf_in_read(len=%d) -> %d, err=%d",
blen, (int)nread, result);
BIO_clear_retry_flags(bio);
{
DEBUGASSERT(0 == encrypting);
- if(!encrypting) {
+ if(!encrypting && num >= 0) {
int klen = curlx_uztosi(strlen((char *)global_passwd));
if(num > klen) {
memcpy(buf, global_passwd, klen + 1);
for(i = 0, i_max = len / sizeof(struct curltime); i < i_max; ++i) {
struct curltime tv = Curl_now();
Curl_wait_ms(1);
- tv.tv_sec *= i + 1;
- tv.tv_usec *= (unsigned int)i + 2;
- tv.tv_sec ^= ((Curl_now().tv_sec + Curl_now().tv_usec) *
- (i + 3)) << 8;
- tv.tv_usec ^= (unsigned int) ((Curl_now().tv_sec +
- Curl_now().tv_usec) *
- (i + 4)) << 16;
+ tv.tv_sec *= (time_t)i + 1;
+ tv.tv_usec *= (int)i + 2;
+ tv.tv_sec ^= ((Curl_now().tv_sec + (time_t)Curl_now().tv_usec) *
+ (time_t)(i + 3)) << 8;
+ tv.tv_usec ^= (int) ((Curl_now().tv_sec + (time_t)Curl_now().tv_usec) *
+ (time_t)(i + 4)) << 16;
memcpy(&randb[i * sizeof(struct curltime)], &tv,
sizeof(struct curltime));
}
if(cf->next && cf->next->connected && !connssl->peer_closed) {
char buf[1024];
int nread, err;
- long sslerr;
+ unsigned long sslerr;
/* Maybe the server has already sent a close notify alert.
Read it to avoid an RST on the TCP connection. */
DEBUGASSERT(octx);
- len = SSL_get_tlsext_status_ocsp_resp(octx->ssl, &status);
+ len = (long)SSL_get_tlsext_status_ocsp_resp(octx->ssl, &status);
if(!status) {
failf(data, "No OCSP response received");
}
for(i = 0; i < (int)sk_X509_num(ch); i++) {
- X509 *issuer = sk_X509_value(ch, i);
+ X509 *issuer = sk_X509_value(ch, (ossl_valsize_t)i);
if(X509_check_issued(issuer, cert) == X509_V_OK) {
id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
break;
}
/* ... then, TLS max version */
- curl_ssl_version_max = conn_config->version_max;
+ curl_ssl_version_max = (long)conn_config->version_max;
/* convert curl max SSL version option to OpenSSL constant */
switch(curl_ssl_version_max) {
typedef uint32_t ctx_option_t;
#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
typedef uint64_t ctx_option_t;
+#elif OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+ !defined(LIBRESSL_VERSION_NUMBER)
+typedef unsigned long ctx_option_t;
#else
typedef long ctx_option_t;
#endif
/* add each entry from PEM file to x509_store */
for(i = 0; i < (int)sk_X509_INFO_num(inf); ++i) {
- itmp = sk_X509_INFO_value(inf, i);
+ itmp = sk_X509_INFO_value(inf, (ossl_valsize_t)i);
if(itmp->x509) {
if(X509_STORE_add_cert(store, itmp->x509)) {
++count;
else
continue;
- x509 = d2i_X509(NULL, &encoded_cert, pContext->cbCertEncoded);
+ x509 = d2i_X509(NULL, &encoded_cert, (long)pContext->cbCertEncoded);
if(!x509)
continue;
#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
/* mitigate CVE-2010-4180 */
- ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
+ ctx_options &= ~(ctx_option_t)SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
#endif
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
/* unless the user explicitly asks to allow the protocol vulnerability we
use the work-around */
if(!ssl_config->enable_beast)
- ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+ ctx_options &= ~(ctx_option_t)SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
switch(ssl_version_min) {
#ifdef LIBRESSL_VERSION_NUMBER
#ifdef HAVE_OPENSSL_VERSION
char *p;
- int count;
+ size_t count;
const char *ver = OpenSSL_version(OPENSSL_VERSION);
const char expected[] = OSSL_PACKAGE " "; /* ie "LibreSSL " */
if(strncasecompare(ver, expected, sizeof(expected) - 1)) {
return CURLE_FAILED_INIT;
}
/* RAND_bytes() returns 1 on success, 0 otherwise. */
- rc = RAND_bytes(entropy, curlx_uztosi(length));
+ rc = RAND_bytes(entropy, (ossl_valsize_t)curlx_uztosi(length));
return (rc == 1 ? CURLE_OK : CURLE_FAILED_INIT);
}
}
else if(nread == 0)
connssl->peer_closed = TRUE;
- *out_n = (int)nread;
+ *out_n = (uintptr_t)nread;
CURL_TRC_CF(io_ctx->data, io_ctx->cf, "cf->next recv(len=%zu) -> %zd, %d",
len, nread, result);
return ret;
else
ret = EINVAL;
}
- *out_n = (int)nwritten;
+ *out_n = (uintptr_t)nwritten;
CURL_TRC_CF(io_ctx->data, io_ctx->cf, "cf->next send(len=%zu) -> %zd, %d",
len, nwritten, result);
return ret;
const char *hostname = connssl->peer.hostname;
char errorbuf[256];
size_t errorlen;
- int result;
+ rustls_result result;
DEBUGASSERT(backend);
rconn = backend->conn;
{
struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
long ssl_version = conn_config->version;
- long ssl_version_max = conn_config->version_max;
+ long ssl_version_max = (long)conn_config->version_max;
long i = ssl_version;
switch(ssl_version_max) {
if(!alg)
alg = get_alg_id_by_name(startCur);
if(alg)
- algIds[algCount++] = alg;
+ algIds[algCount++] = (ALG_ID)alg;
else if(!strncmp(startCur, "USE_STRONG_CRYPTO",
sizeof("USE_STRONG_CRYPTO") - 1) ||
!strncmp(startCur, "SCH_USE_STRONG_CRYPTO",
startCur++;
}
schannel_cred->palgSupportedAlgs = algIds;
- schannel_cred->cSupportedAlgs = algCount;
+ schannel_cred->cSupportedAlgs = (DWORD)algCount;
return CURLE_OK;
}
}
if(!ssl_config->auto_client_cert) {
- flags &= ~SCH_CRED_USE_DEFAULT_CREDS;
+ flags &= ~(DWORD)SCH_CRED_USE_DEFAULT_CREDS;
flags |= SCH_CRED_NO_DEFAULT_CREDS;
infof(data, "schannel: disabled automatic use of client certificate");
}
tls_parameters.pDisabledCrypto = crypto_settings;
/* The number of blocked suites */
- tls_parameters.cDisabledCrypto = crypto_settings_idx;
+ tls_parameters.cDisabledCrypto = (DWORD)crypto_settings_idx;
credentials.pTlsParameters = &tls_parameters;
credentials.cTlsParameters = 1;
static size_t schannel_version(char *buffer, size_t size)
{
- size = msnprintf(buffer, size, "Schannel");
-
- return size;
+ return msnprintf(buffer, size, "Schannel");
}
static CURLcode schannel_random(struct Curl_easy *data UNUSED_PARAM,
/* pwszDNSName is in ia5 string format and hence doesn't contain any
* non-ascii characters. */
while(*dns_w != '\0') {
- *current_pos++ = (char)(*dns_w++);
+ *current_pos++ = (TCHAR)(*dns_w++);
}
*current_pos++ = '\0';
actual_length += (DWORD)current_length;
size_t cbuf_size = ((size_t)CFStringGetLength(c) * 4) + 1;
cbuf = calloc(1, cbuf_size);
if(cbuf) {
- if(!CFStringGetCString(c, cbuf, cbuf_size,
+ if(!CFStringGetCString(c, cbuf, (CFIndex)cbuf_size,
kCFStringEncodingUTF8)) {
failf(data, "SSL: invalid CA certificate subject");
result = CURLE_PEER_FAILED_VERIFICATION;
if(blob) {
pkcs_data = CFDataCreate(kCFAllocatorDefault,
- (const unsigned char *)blob->data, blob->len);
+ (const unsigned char *)blob->data,
+ (CFIndex)blob->len);
status = (pkcs_data != NULL) ? errSecSuccess : errSecAllocate;
resource_imported = (pkcs_data != NULL);
}
pkcs_url =
CFURLCreateFromFileSystemRepresentation(NULL,
(const UInt8 *)cPath,
- strlen(cPath), false);
+ (CFIndex)strlen(cPath), false);
resource_imported =
CFURLCreateDataAndPropertiesFromResource(NULL,
pkcs_url, &pkcs_data,
const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob;
char *ciphers;
OSStatus err = noErr;
+ CURLcode result;
#if CURL_BUILD_MAC
int darwinver_maj = 0, darwinver_min = 0;
case CURL_SSLVERSION_TLSv1_1:
case CURL_SSLVERSION_TLSv1_2:
case CURL_SSLVERSION_TLSv1_3:
- {
- CURLcode result = set_ssl_version_min_max(cf, data);
- if(result != CURLE_OK)
- return result;
- break;
- }
+ result = set_ssl_version_min_max(cf, data);
+ if(result != CURLE_OK)
+ return result;
+ break;
case CURL_SSLVERSION_SSLv3:
case CURL_SSLVERSION_SSLv2:
failf(data, "SSL versions not supported");
case CURL_SSLVERSION_TLSv1_1:
case CURL_SSLVERSION_TLSv1_2:
case CURL_SSLVERSION_TLSv1_3:
- {
- CURLcode result = set_ssl_version_min_max(cf, data);
- if(result != CURLE_OK)
- return result;
- break;
- }
+ result = set_ssl_version_min_max(cf, data);
+ if(result != CURLE_OK)
+ return result;
+ break;
case CURL_SSLVERSION_SSLv3:
case CURL_SSLVERSION_SSLv2:
failf(data, "SSL versions not supported");
err = SecIdentityCopyCertificate(cert_and_key, &cert);
if(err == noErr) {
char *certp;
- CURLcode result = CopyCertSubject(data, cert, &certp);
+ result = CopyCertSubject(data, cert, &certp);
if(!result) {
infof(data, "Client certificate: %s", certp);
free(certp);
ciphers = conn_config->cipher_list;
if(ciphers) {
- err = sectransp_set_selected_ciphers(data, backend->ssl_ctx, ciphers);
+ result = sectransp_set_selected_ciphers(data, backend->ssl_ctx, ciphers);
}
else {
- err = sectransp_set_default_ciphers(data, backend->ssl_ctx);
+ result = sectransp_set_default_ciphers(data, backend->ssl_ctx);
}
- if(err != noErr) {
+ if(result != CURLE_OK) {
failf(data, "SSL: Unable to set ciphers for SSL/TLS handshake. "
- "Error code: %d", err);
+ "Error code: %d", (int)result);
return CURLE_SSL_CIPHER;
}
/* If there isn't one, then let's make one up! This has to be done prior
to starting the handshake. */
else {
- CURLcode result;
ssl_sessionid =
aprintf("%s:%d:%d:%s:%d",
ssl_cafile ? ssl_cafile : "(blob memory)",
char *sep_start, *sep_end, *cert_start, *cert_end;
size_t i, j, err;
size_t len;
- unsigned char *b64;
+ char *b64;
/* Jump through the separators at the beginning of the certificate. */
sep_start = strstr(in, "-----");
return 0;
}
-static int append_cert_to_array(struct Curl_easy *data,
- const unsigned char *buf, size_t buflen,
- CFMutableArrayRef array)
+static CURLcode append_cert_to_array(struct Curl_easy *data,
+ const unsigned char *buf, size_t buflen,
+ CFMutableArrayRef array)
{
char *certp;
CURLcode result;
SecCertificateRef cacert;
CFDataRef certdata;
- certdata = CFDataCreate(kCFAllocatorDefault, buf, buflen);
+ certdata = CFDataCreate(kCFAllocatorDefault, buf, (CFIndex)buflen);
if(!certdata) {
failf(data, "SSL: failed to allocate array for CA certificate");
return CURLE_OUT_OF_MEMORY;
const unsigned char *certbuf, size_t buflen,
SSLContextRef ctx)
{
- int n = 0, rc;
+ int n = 0;
+ CURLcode rc;
long res;
unsigned char *der;
size_t derlen, offset = 0;
#elif SECTRANSP_PINNEDPUBKEY_V2
{
- OSStatus success;
- success = SecItemExport(keyRef, kSecFormatOpenSSL, 0, NULL,
- &publicKeyBits);
- CFRelease(keyRef);
- if(success != errSecSuccess || !publicKeyBits)
- break;
+ OSStatus success;
+ success = SecItemExport(keyRef, kSecFormatOpenSSL, 0, NULL,
+ &publicKeyBits);
+ CFRelease(keyRef);
+ if(success != errSecSuccess || !publicKeyBits)
+ break;
}
#endif /* SECTRANSP_PINNEDPUBKEY_V2 */
- pubkeylen = CFDataGetLength(publicKeyBits);
+ pubkeylen = (size_t)CFDataGetLength(publicKeyBits);
pubkey = (unsigned char *)CFDataGetBytePtr(publicKeyBits);
switch(pubkeylen) {
#endif /* !CURL_DISABLE_PROXY */
-bool Curl_ssl_supports(struct Curl_easy *data, int option)
+bool Curl_ssl_supports(struct Curl_easy *data, unsigned int ssl_option)
{
(void)data;
- return (Curl_ssl->supports & option)? TRUE : FALSE;
+ return (Curl_ssl->supports & ssl_option)? TRUE : FALSE;
}
static struct Curl_cfilter *get_ssl_filter(struct Curl_cfilter *cf)
* Option is one of the defined SSLSUPP_* values.
* `data` maybe NULL for the features of the default implementation.
*/
-bool Curl_ssl_supports(struct Curl_easy *data, int ssl_option);
+bool Curl_ssl_supports(struct Curl_easy *data, unsigned int ssl_option);
/**
* Get the internal ssl instance (like OpenSSL's SSL*) from the filter
/* load certificate blob */
if(ca_info_blob) {
if(wolfSSL_CTX_load_verify_buffer(wssl->ctx, ca_info_blob->data,
- ca_info_blob->len,
+ (long)ca_info_blob->len,
SSL_FILETYPE_PEM) != SSL_SUCCESS) {
if(imported_native_ca) {
infof(data, "error importing CA certificate blob, continuing anyway");
result = Curl_alpn_to_proto_str(&proto, connssl->alpn);
if(result ||
- wolfSSL_UseALPN(backend->handle, (char *)proto.data, proto.len,
+ wolfSSL_UseALPN(backend->handle,
+ (char *)proto.data, (unsigned int)proto.len,
WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) != SSL_SUCCESS) {
failf(data, "SSL: failed setting ALPN protocols");
return CURLE_SSL_CONNECT_ERROR;
}
else {
failf(data, "SSL_connect failed with error %d: %s", detail,
- wolfSSL_ERR_error_string(detail, error_buffer));
+ wolfSSL_ERR_error_string((unsigned long)detail, error_buffer));
return CURLE_SSL_CONNECT_ERROR;
}
}
}
CURL_TRC_CF(data, cf, "wolfssl_send(len=%zu) -> %d, %d", len, rc, err);
failf(data, "SSL write: %s, errno %d",
- wolfSSL_ERR_error_string(err, error_buffer),
+ wolfSSL_ERR_error_string((unsigned long)err, error_buffer),
SOCKERRNO);
*curlcode = CURLE_SEND_ERROR;
return -1;
return -1;
}
failf(data, "SSL read: %s, errno %d",
- wolfSSL_ERR_error_string(err, error_buffer), SOCKERRNO);
+ wolfSSL_ERR_error_string((unsigned long)err, error_buffer),
+ SOCKERRNO);
*curlcode = CURLE_RECV_ERROR;
return -1;
}
else {
while(!result && (from < end)) {
char buf[4]; /* decode buffer */
- int charsize = 1;
+ size_t charsize = 1;
unsigned int wc = 0;
switch(size) {
if(ssl_push_certinfo(data, certnum, "ECC Public Key", q))
return 1;
}
- return do_pubkey_field(data, certnum, "ecPublicKey", pubkey);
+ return do_pubkey_field(data, certnum, "ecPublicKey", pubkey) == CURLE_OK
+ ? 0 : 1;
}
/* Get the public key (single element). */
projects / thirdparty / curl.git / commitdiff
