From: Tomas Mraz Date: Tue, 17 Jun 2025 09:13:35 +0000 (+0200) Subject: libssl: Silence warnings on Win64 builds X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=abdbad370cdf6afb8ab6504fee200c4a8a84d3a8;p=thirdparty%2Fopenssl.git libssl: Silence warnings on Win64 builds Reviewed-by: Saša Nedvědický Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/27806) --- diff --git a/include/internal/quic_stream_map.h b/include/internal/quic_stream_map.h index d98f813261f..619a631cfcf 100644 --- a/include/internal/quic_stream_map.h +++ b/include/internal/quic_stream_map.h @@ -509,8 +509,8 @@ static ossl_inline ossl_unused int ossl_quic_stream_recv_get_final_size(const QU * Determines the number of bytes available still to be read, and (if * include_fin is 1) whether a FIN or reset has yet to be read. */ -static ossl_inline ossl_unused int ossl_quic_stream_recv_pending(const QUIC_STREAM *s, - int include_fin) +static ossl_inline ossl_unused size_t ossl_quic_stream_recv_pending(const QUIC_STREAM *s, + int include_fin) { size_t avail; int fin = 0; diff --git a/include/internal/quic_wire_pkt.h b/include/internal/quic_wire_pkt.h index 8688253eaee..98eb5035649 100644 --- a/include/internal/quic_wire_pkt.h +++ b/include/internal/quic_wire_pkt.h @@ -545,8 +545,8 @@ int ossl_quic_wire_get_pkt_hdr_dst_conn_id(const unsigned char *buf, * function returns non-zero does not guarantee that * ossl_quic_wire_encode_pkt_hdr() will succeed. */ -int ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len, - const QUIC_PKT_HDR *hdr); +size_t ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len, + const QUIC_PKT_HDR *hdr); /* * Packet Number Encoding diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c index d1034814bff..caeded6b5f3 100644 --- a/ssl/bio_ssl.c +++ b/ssl/bio_ssl.c @@ -433,10 +433,12 @@ static long ssl_callback_ctrl(BIO *b, int cmd, BIO_info_cb *fp) static int ssl_puts(BIO *bp, const char *str) { - int n, ret; + int ret; + size_t n = strlen(str); - n = strlen(str); - ret = BIO_write(bp, str, n); + if (n > INT_MAX) + return -1; + ret = BIO_write(bp, str, (int)n); return ret; } diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 9e1fbb0b294..302696f603b 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -768,7 +768,7 @@ int DTLSv1_listen(SSL *ssl, BIO_ADDR *client) BIO_ADDR_free(tmpclient); tmpclient = NULL; - if (BIO_write(wbio, wbuf, wreclen) < (int)wreclen) { + if (BIO_write(wbio, wbuf, (int)wreclen) < (int)wreclen) { if (BIO_should_retry(wbio)) { /* * Non-blocking IO...but we're stateless, so we're just diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 5ad5a79157f..e5fb74a634f 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -3163,10 +3163,11 @@ static size_t ossl_quic_pending_int(const SSL *s, int check_channel) } if (check_channel) + /* We care about boolean result here only */ avail = ossl_quic_stream_recv_pending(ctx.xso->stream, - /*include_fin=*/1) - || ossl_quic_channel_has_pending(ctx.qc->ch) - || ossl_quic_channel_is_term_any(ctx.qc->ch); + /*include_fin=*/1) > 0 + || ossl_quic_channel_has_pending(ctx.qc->ch) + || ossl_quic_channel_is_term_any(ctx.qc->ch); else avail = ossl_quic_stream_recv_pending(ctx.xso->stream, /*include_fin=*/0); @@ -4938,7 +4939,7 @@ size_t ossl_quic_get_accept_connection_queue_len(SSL *ssl) qctx_lock(&ctx); - ret = ossl_quic_port_get_num_incoming_channels(ctx.ql->port); + ret = (int)ossl_quic_port_get_num_incoming_channels(ctx.ql->port); qctx_unlock(&ctx); return ret; @@ -5187,7 +5188,7 @@ QUIC_NEEDS_LOCK static int test_poll_event_is(QUIC_CONNECTION *qc, int is_uni) { return ossl_quic_stream_map_get_accept_queue_len(ossl_quic_channel_get_qsm(qc->ch), - is_uni); + is_uni) > 0; } /* Do we have the OS (outgoing: stream) condition? */ diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c index cb658f4d61d..97eb6634fbb 100644 --- a/ssl/quic/quic_port.c +++ b/ssl/quic/quic_port.c @@ -946,10 +946,10 @@ static int encrypt_validation_token(const QUIC_PORT *port, size_t *ct_len) { int iv_len, len, ret = 0; - size_t tag_len; + int tag_len; unsigned char *iv = ciphertext, *data, *tag; - if ((tag_len = EVP_CIPHER_CTX_get_tag_length(port->token_ctx)) == 0 + if ((tag_len = EVP_CIPHER_CTX_get_tag_length(port->token_ctx)) <= 0 || (iv_len = EVP_CIPHER_CTX_get_iv_length(port->token_ctx)) <= 0) goto err; @@ -964,7 +964,7 @@ static int encrypt_validation_token(const QUIC_PORT *port, if (!RAND_bytes_ex(port->engine->libctx, ciphertext, iv_len, 0) || !EVP_EncryptInit_ex(port->token_ctx, NULL, NULL, NULL, iv) - || !EVP_EncryptUpdate(port->token_ctx, data, &len, plaintext, pt_len) + || !EVP_EncryptUpdate(port->token_ctx, data, &len, plaintext, (int)pt_len) || !EVP_EncryptFinal_ex(port->token_ctx, data + pt_len, &len) || !EVP_CIPHER_CTX_ctrl(port->token_ctx, EVP_CTRL_GCM_GET_TAG, tag_len, tag)) goto err; @@ -996,15 +996,15 @@ static int decrypt_validation_token(const QUIC_PORT *port, size_t *pt_len) { int iv_len, len = 0, ret = 0; - size_t tag_len; + int tag_len; const unsigned char *iv = ciphertext, *data, *tag; - if ((tag_len = EVP_CIPHER_CTX_get_tag_length(port->token_ctx)) == 0 + if ((tag_len = EVP_CIPHER_CTX_get_tag_length(port->token_ctx)) <= 0 || (iv_len = EVP_CIPHER_CTX_get_iv_length(port->token_ctx)) <= 0) goto err; /* Prevent decryption of a buffer that is not within reasonable bounds */ - if (ct_len < (iv_len + tag_len) || ct_len > ENCRYPTED_TOKEN_MAX_LEN) + if (ct_len < (size_t)(iv_len + tag_len) || ct_len > ENCRYPTED_TOKEN_MAX_LEN) goto err; *pt_len = ct_len - iv_len - tag_len; @@ -1018,7 +1018,7 @@ static int decrypt_validation_token(const QUIC_PORT *port, if (!EVP_DecryptInit_ex(port->token_ctx, NULL, NULL, NULL, iv) || !EVP_DecryptUpdate(port->token_ctx, plaintext, &len, data, - ct_len - iv_len - tag_len) + (int)(ct_len - iv_len - tag_len)) || !EVP_CIPHER_CTX_ctrl(port->token_ctx, EVP_CTRL_GCM_SET_TAG, tag_len, (void *)tag) || !EVP_DecryptFinal_ex(port->token_ctx, plaintext + len, &len)) diff --git a/ssl/quic/quic_record_rx.c b/ssl/quic/quic_record_rx.c index e01cc525345..eb037b90298 100644 --- a/ssl/quic/quic_record_rx.c +++ b/ssl/quic/quic_record_rx.c @@ -946,11 +946,11 @@ static int qrx_decrypt_pkt_body(OSSL_QRX *qrx, unsigned char *dst, return 0; /* Feed AAD data. */ - if (EVP_CipherUpdate(cctx, NULL, &l, aad, aad_len) != 1) + if (EVP_CipherUpdate(cctx, NULL, &l, aad, (int)aad_len) != 1) return 0; /* Feed encrypted packet body. */ - if (EVP_CipherUpdate(cctx, dst, &l, src, src_len - el->tag_len) != 1) + if (EVP_CipherUpdate(cctx, dst, &l, src, (int)(src_len - el->tag_len)) != 1) return 0; #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION diff --git a/ssl/quic/quic_record_tx.c b/ssl/quic/quic_record_tx.c index ef93a14f94a..e902113fb98 100644 --- a/ssl/quic/quic_record_tx.c +++ b/ssl/quic/quic_record_tx.c @@ -541,7 +541,7 @@ static int qtx_encrypt_into_txe(OSSL_QTX *qtx, struct iovec_cur *cur, TXE *txe, } /* Feed AAD data. */ - if (EVP_CipherUpdate(cctx, NULL, &l, hdr, hdr_len) != 1) { + if (EVP_CipherUpdate(cctx, NULL, &l, hdr, (int)hdr_len) != 1) { ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); return 0; } @@ -556,7 +556,7 @@ static int qtx_encrypt_into_txe(OSSL_QTX *qtx, struct iovec_cur *cur, TXE *txe, break; if (EVP_CipherUpdate(cctx, txe_data(txe) + txe->data_len, - &l, src, src_len) != 1) { + &l, src, (int)src_len) != 1) { ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); return 0; } diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c index f7106b2fef3..ef26286e350 100644 --- a/ssl/quic/quic_tserver.c +++ b/ssl/quic/quic_tserver.c @@ -66,7 +66,8 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out, alpnlen = srv->args.alpnlen; } - if (SSL_select_next_proto((unsigned char **)out, outlen, alpn, alpnlen, + if (SSL_select_next_proto((unsigned char **)out, outlen, alpn, + (unsigned int)alpnlen, in, inlen) != OPENSSL_NPN_NEGOTIATED) return SSL_TLSEXT_ERR_ALERT_FATAL; diff --git a/ssl/quic/quic_txp.c b/ssl/quic/quic_txp.c index 10d842bce0b..2920098b2d4 100644 --- a/ssl/quic/quic_txp.c +++ b/ssl/quic/quic_txp.c @@ -1320,7 +1320,7 @@ static int txp_determine_geometry(OSSL_QUIC_TX_PACKETISER *txp, /* Assemble packet header. */ phdr->type = ossl_quic_enc_level_to_pkt_type(enc_level); phdr->spin_bit = 0; - phdr->pn_len = txp_determine_pn_len(txp); + phdr->pn_len = (unsigned int)txp_determine_pn_len(txp); phdr->partial = 0; phdr->fixed = 1; phdr->reserved = 0; diff --git a/ssl/quic/quic_types.c b/ssl/quic/quic_types.c index 4ff3ae6580b..f9d04507075 100644 --- a/ssl/quic/quic_types.c +++ b/ssl/quic/quic_types.c @@ -19,7 +19,7 @@ int ossl_quic_gen_rand_conn_id(OSSL_LIB_CTX *libctx, size_t len, cid->id_len = (unsigned char)len; - if (RAND_bytes_ex(libctx, cid->id, len, len * 8) != 1) { + if (RAND_bytes_ex(libctx, cid->id, len, 0) != 1) { ERR_raise(ERR_LIB_SSL, ERR_R_RAND_LIB); cid->id_len = 0; return 0; diff --git a/ssl/quic/quic_wire_pkt.c b/ssl/quic/quic_wire_pkt.c index b6ee898eddf..edec1e1d611 100644 --- a/ssl/quic/quic_wire_pkt.c +++ b/ssl/quic/quic_wire_pkt.c @@ -607,8 +607,8 @@ int ossl_quic_wire_encode_pkt_hdr(WPACKET *pkt, return 1; } -int ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len, - const QUIC_PKT_HDR *hdr) +size_t ossl_quic_wire_get_encoded_pkt_hdr_len(size_t short_conn_id_len, + const QUIC_PKT_HDR *hdr) { size_t len = 0, enclen; @@ -926,14 +926,14 @@ int ossl_quic_calculate_retry_integrity_tag(OSSL_LIB_CTX *libctx, } /* Feed packet header as AAD data. */ - if (EVP_CipherUpdate(cctx, NULL, &l, buf, hdr_enc_len) != 1) { + if (EVP_CipherUpdate(cctx, NULL, &l, buf, (int)hdr_enc_len) != 1) { ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); goto err; } /* Feed packet body as AAD data. */ if (EVP_CipherUpdate(cctx, NULL, &l, hdr->data, - hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN) != 1) { + (int)(hdr->len - QUIC_RETRY_INTEGRITY_TAG_LEN)) != 1) { ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB); goto err; } diff --git a/ssl/record/methods/dtls_meth.c b/ssl/record/methods/dtls_meth.c index 23715b2cc6a..9245d5fd17e 100644 --- a/ssl/record/methods/dtls_meth.c +++ b/ssl/record/methods/dtls_meth.c @@ -209,7 +209,7 @@ static int dtls_process_record(OSSL_RECORD_LAYER *rl, DTLS_BITMAP *bitmap) ERR_clear_last_mark(); OSSL_TRACE_BEGIN(TLS) { BIO_printf(trc_out, "dec %zd\n", rr->length); - BIO_dump_indent(trc_out, rr->data, rr->length, 4); + BIO_dump_indent(trc_out, rr->data, (int)rr->length, 4); } OSSL_TRACE_END(TLS); /* r->length is now the compressed data plus mac */ diff --git a/ssl/record/methods/tls13_meth.c b/ssl/record/methods/tls13_meth.c index 6bbba84d0d8..3e79a6a8343 100644 --- a/ssl/record/methods/tls13_meth.c +++ b/ssl/record/methods/tls13_meth.c @@ -69,10 +69,10 @@ static int tls13_set_crypto_state(OSSL_RECORD_LAYER *rl, int level, mode = EVP_CIPHER_get_mode(ciph); if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, enc) <= 0 - || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, + || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, (int)ivlen, NULL) <= 0 || (mode == EVP_CIPH_CCM_MODE - && EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, taglen, + && EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, (int)taglen, NULL) <= 0) || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, enc) <= 0) { ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); @@ -214,7 +214,7 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs, if (EVP_CipherInit_ex(enc_ctx, NULL, NULL, NULL, nonce, sending) <= 0 || (!sending && EVP_CIPHER_CTX_ctrl(enc_ctx, EVP_CTRL_AEAD_SET_TAG, - rl->taglen, + (int)rl->taglen, rec->data + rec->length) <= 0)) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; @@ -237,7 +237,7 @@ static int tls13_cipher(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *recs, } if (sending) { /* Add the tag */ - if (EVP_CIPHER_CTX_ctrl(enc_ctx, EVP_CTRL_AEAD_GET_TAG, rl->taglen, + if (EVP_CIPHER_CTX_ctrl(enc_ctx, EVP_CTRL_AEAD_GET_TAG, (int)rl->taglen, rec->data + rec->length) <= 0) { RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; diff --git a/ssl/record/methods/tls1_meth.c b/ssl/record/methods/tls1_meth.c index 9275e19fbd3..05345a69a10 100644 --- a/ssl/record/methods/tls1_meth.c +++ b/ssl/record/methods/tls1_meth.c @@ -534,7 +534,7 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec, unsigned char *md BIO_printf(trc_out, "seq:\n"); BIO_dump_indent(trc_out, seq, 8, 4); BIO_printf(trc_out, "rec:\n"); - BIO_dump_indent(trc_out, rec->data, rec->length, 4); + BIO_dump_indent(trc_out, rec->data, (int)rec->length, 4); } OSSL_TRACE_END(TLS); if (!rl->isdtls && !tls_increment_sequence_ctr(rl)) { @@ -544,7 +544,7 @@ static int tls1_mac(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec, unsigned char *md OSSL_TRACE_BEGIN(TLS) { BIO_printf(trc_out, "md:\n"); - BIO_dump_indent(trc_out, md, md_size, 4); + BIO_dump_indent(trc_out, md, (int)md_size, 4); } OSSL_TRACE_END(TLS); ret = 1; end: diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c index 80d4477bd0c..3b6c160cb6b 100644 --- a/ssl/record/methods/tls_common.c +++ b/ssl/record/methods/tls_common.c @@ -403,7 +403,7 @@ int tls_default_read_n(OSSL_RECORD_LAYER *rl, size_t n, size_t max, int extend, clear_sys_error(); if (bio != NULL) { - ret = BIO_read(bio, pkt + len + left, max - left); + ret = BIO_read(bio, pkt + len + left, (int)(max - left)); if (ret > 0) { bioread = ret; ret = OSSL_RECORD_RETURN_SUCCESS; @@ -506,7 +506,7 @@ static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length, } /* If we are dealing with ciphertext we need to allow for the overhead */ - max_early_data += overhead; + max_early_data += (uint32_t)overhead; if (rl->early_data_count + length > max_early_data) { RLAYERfatal(rl, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, @@ -874,7 +874,7 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl) } OSSL_TRACE_BEGIN(TLS) { BIO_printf(trc_out, "dec %lu\n", (unsigned long)rr[0].length); - BIO_dump_indent(trc_out, rr[0].data, rr[0].length, 4); + BIO_dump_indent(trc_out, rr[0].data, (int)rr[0].length, 4); } OSSL_TRACE_END(TLS); /* r->length is now the compressed data plus mac */ @@ -2064,7 +2064,7 @@ const COMP_METHOD *tls_get_compression(OSSL_RECORD_LAYER *rl) void tls_set_max_frag_len(OSSL_RECORD_LAYER *rl, size_t max_frag_len) { - rl->max_frag_len = max_frag_len; + rl->max_frag_len = (unsigned int)max_frag_len; /* * We don't need to adjust buffer sizes. Write buffer sizes are * automatically checked anyway. We should only be changing the read buffer diff --git a/ssl/record/methods/tls_multib.c b/ssl/record/methods/tls_multib.c index 3c2c30ef162..ec37b4b066f 100644 --- a/ssl/record/methods/tls_multib.c +++ b/ssl/record/methods/tls_multib.c @@ -118,7 +118,7 @@ static int tls_write_records_multiblock_int(OSSL_RECORD_LAYER *rl, } wb = &rl->wbuf[0]; - mb_param.interleave = numtempl; + mb_param.interleave = (unsigned int)numtempl; memcpy(aad, rl->sequence, 8); aad[8] = templates[0].type; aad[9] = (unsigned char)(templates[0].version >> 8); diff --git a/ssl/record/methods/tls_pad.c b/ssl/record/methods/tls_pad.c index 23198f3a493..055f298b981 100644 --- a/ssl/record/methods/tls_pad.c +++ b/ssl/record/methods/tls_pad.c @@ -280,7 +280,8 @@ static int ssl3_cbc_copy_mac(size_t *reclen, */ aux1 = rotated_mac[rotate_offset & ~32]; aux2 = rotated_mac[rotate_offset | 32]; - mask = constant_time_eq_8(rotate_offset & ~32, rotate_offset); + mask = constant_time_eq_8((unsigned int)(rotate_offset & ~32), + (unsigned int)rotate_offset); aux3 = constant_time_select_8(mask, aux1, aux2); rotate_offset++; @@ -296,7 +297,8 @@ static int ssl3_cbc_copy_mac(size_t *reclen, rotate_offset &= constant_time_lt_s(rotate_offset, mac_size); for (i = 0; i < mac_size; i++) { for (j = 0; j < mac_size; j++) - out[j] |= rotated_mac[i] & constant_time_eq_8_s(j, rotate_offset); + out[j] |= rotated_mac[i] & constant_time_eq_8_s((unsigned int)j, + (unsigned int)rotate_offset); rotate_offset++; rotate_offset &= constant_time_lt_s(rotate_offset, mac_size); diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 889b12dd66d..dac248fec8f 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -159,14 +159,14 @@ static int ossl_early_data_count_ok(SSL_CONNECTION *s, size_t length, } /* If we are dealing with ciphertext we need to allow for the overhead */ - max_early_data += overhead; + max_early_data += (uint32_t)overhead; if (s->early_data_count + length > max_early_data) { SSLfatal(s, send ? SSL_AD_INTERNAL_ERROR : SSL_AD_UNEXPECTED_MESSAGE, SSL_R_TOO_MUCH_EARLY_DATA); return 0; } - s->early_data_count += length; + s->early_data_count += (uint32_t)length; return 1; } diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 14373cdfa02..12c30f665ea 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3803,7 +3803,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return 0; if (pctype) *pctype = sc->s3.tmp.ctype; - return sc->s3.tmp.ctype_len; + return (long)sc->s3.tmp.ctype_len; } case SSL_CTRL_SET_CLIENT_CERT_TYPES: @@ -4412,7 +4412,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *cl * that. */ if (s->psk_server_callback != NULL) { - for (j = 0; j < s->ssl_pkey_num && !ssl_has_cert(s, j); j++); + for (j = 0; j < s->ssl_pkey_num && !ssl_has_cert(s, (int)j); j++); if (j == s->ssl_pkey_num) { /* There are no certificates */ prefer_sha256 = 1; diff --git a/ssl/ssl_cert_comp.c b/ssl/ssl_cert_comp.c index 018fcc14a56..68be524c27c 100644 --- a/ssl/ssl_cert_comp.c +++ b/ssl/ssl_cert_comp.c @@ -111,12 +111,13 @@ __owur static OSSL_COMP_CERT *OSSL_COMP_CERT_from_uncompressed_data(unsigned cha } if ((max_length = ossl_calculate_comp_expansion(alg, len)) == 0 + || max_length > INT_MAX || method == NULL || (comp_ctx = COMP_CTX_new(method)) == NULL || (comp_data = OPENSSL_zalloc(max_length)) == NULL) goto err; - comp_length = COMP_compress_block(comp_ctx, comp_data, max_length, data, len); + comp_length = COMP_compress_block(comp_ctx, comp_data, (int)max_length, data, (int)len); if (comp_length <= 0) goto err; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 9696a4c55fa..9ebd8d34f69 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3468,7 +3468,7 @@ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size) if (sk_SSL_CIPHER_find(srvrsk, c) < 0) continue; - n = OPENSSL_strnlen(c->name, size); + n = (int)OPENSSL_strnlen(c->name, size); if (n >= size) { if (p != buf) --p; @@ -7328,7 +7328,7 @@ __owur unsigned int ssl_get_max_send_fragment(const SSL_CONNECTION *sc) return GET_MAX_FRAGMENT_LENGTH(sc->session); /* return current SSL connection setting */ - return sc->max_send_fragment; + return (unsigned int)sc->max_send_fragment; } __owur unsigned int ssl_get_split_send_fragment(const SSL_CONNECTION *sc) @@ -7340,10 +7340,10 @@ __owur unsigned int ssl_get_split_send_fragment(const SSL_CONNECTION *sc) /* else limit |split_send_fragment| to current |max_send_fragment| */ if (sc->split_send_fragment > sc->max_send_fragment) - return sc->max_send_fragment; + return (unsigned int)sc->max_send_fragment; /* return current SSL connection setting */ - return sc->split_send_fragment; + return (unsigned int)sc->split_send_fragment; } int SSL_stateless(SSL *s) diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index e833bcdbc37..a1ea7ed105d 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -903,7 +903,7 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) break; } /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */ - name_len = strlen(name); + name_len = (unsigned int)strlen(name); if (name_len < sizeof(NAME_PREFIX1) - 1) { ERR_raise(ERR_LIB_SSL, SSL_R_PEM_NAME_TOO_SHORT); goto end; diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index a50f7ce96b6..c3aa35009d8 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -527,7 +527,7 @@ SSL_SESSION *lookup_sess_in_cache(SSL_CONNECTION *s, int copy = 1; ret = s->session_ctx->get_session_cb(SSL_CONNECTION_GET_USER_SSL(s), - sess_id, sess_id_len, ©); + sess_id, (int)sess_id_len, ©); if (ret != NULL) { if (ret->not_resumable) { diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 9811e5c94b9..8b555856632 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -656,7 +656,7 @@ int tls_collect_extensions(SSL_CONNECTION *s, PACKET *packet, SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); goto err; } - idx = thisex - raw_extensions; + idx = (unsigned int)(thisex - raw_extensions); /*- * Check that we requested this extension (if appropriate). Requests can * be sent in the ClientHello and CertificateRequest. Unsolicited @@ -696,7 +696,7 @@ int tls_collect_extensions(SSL_CONNECTION *s, PACKET *packet, if (s->ext.debug_cb) s->ext.debug_cb(SSL_CONNECTION_GET_USER_SSL(s), !s->server, thisex->type, PACKET_data(&thisex->data), - PACKET_remaining(&thisex->data), + (int)PACKET_remaining(&thisex->data), s->ext.debug_arg); } } diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index baa7c47b3cd..5055b67bfe8 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -1466,7 +1466,7 @@ int tls_parse_stoc_session_ticket(SSL_CONNECTION *s, PACKET *pkt, if (s->ext.session_ticket_cb != NULL && !s->ext.session_ticket_cb(ssl, PACKET_data(pkt), - PACKET_remaining(pkt), + (int)PACKET_remaining(pkt), s->ext.session_ticket_cb_arg)) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); return 0; @@ -1638,7 +1638,7 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, } if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_USER_SSL(s), &selected, &selected_len, - PACKET_data(pkt), PACKET_remaining(pkt), + PACKET_data(pkt), (unsigned int)PACKET_remaining(pkt), sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK || selected_len == 0) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 1a09913ad63..9a52164da39 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -267,7 +267,7 @@ int tls_parse_ctos_session_ticket(SSL_CONNECTION *s, PACKET *pkt, { if (s->ext.session_ticket_cb && !s->ext.session_ticket_cb(SSL_CONNECTION_GET_USER_SSL(s), - PACKET_data(pkt), PACKET_remaining(pkt), + PACKET_data(pkt), (int)PACKET_remaining(pkt), s->ext.session_ticket_cb_arg)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; @@ -816,7 +816,7 @@ static void check_overlap(SSL_CONNECTION *s, if (new_group_idx < group_idx) { group_idx = new_group_idx; *candidate_group_idx = current_group; - *prio_group_idx = group_idx; + *prio_group_idx = (int)group_idx; *selected_group = prio_groups[group_idx]; } } diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index ba4500dd659..50d1541773e 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -3909,8 +3909,8 @@ CON_FUNC_RETURN tls_construct_client_compressed_certificate(SSL_CONNECTION *sc, || !WPACKET_reserve_bytes(pkt, max_length, NULL)) goto err; - comp_len = COMP_compress_block(comp, WPACKET_get_curr(pkt), max_length, - (unsigned char *)buf->data, length); + comp_len = COMP_compress_block(comp, WPACKET_get_curr(pkt), (int)max_length, + (unsigned char *)buf->data, (int)length); if (comp_len <= 0) goto err; diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 1e11d077f9e..65530df7a43 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -506,7 +506,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt) || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256)) || (PACKET_remaining(pkt) == 128 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) { - len = PACKET_remaining(pkt); + len = (unsigned int)PACKET_remaining(pkt); } else #endif if (!PACKET_get_net_2(pkt, &len)) { @@ -1953,7 +1953,7 @@ static int is_tls13_capable(const SSL_CONNECTION *s) default: break; } - if (!ssl_has_cert(s, i)) + if (!ssl_has_cert(s, (int)i)) continue; if (i != SSL_PKEY_ECC) return 1; @@ -2919,8 +2919,9 @@ MSG_PROCESS_RETURN tls13_process_compressed_certificate(SSL_CONNECTION *sc, if (!BUF_MEM_grow(buf, expected_length) || !PACKET_buf_init(tmppkt, (unsigned char *)buf->data, expected_length) - || COMP_expand_block(comp, (unsigned char *)buf->data, expected_length, - (unsigned char*)PACKET_data(pkt), comp_length) != (int)expected_length) { + || COMP_expand_block(comp, (unsigned char *)buf->data, (int)expected_length, + (unsigned char*)PACKET_data(pkt), + (int)comp_length) != (int)expected_length) { SSLfatal(sc, SSL_AD_BAD_CERTIFICATE, SSL_R_BAD_DECOMPRESSION); goto err; } diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 4ce45647f44..d38143caa08 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1778,7 +1778,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) if (SSL_get_options(ssl) & SSL_OP_COOKIE_EXCHANGE) { if (sctx->app_verify_cookie_cb != NULL) { if (sctx->app_verify_cookie_cb(ussl, clienthello->dtls_cookie, - clienthello->dtls_cookie_len) == 0) { + (unsigned int)clienthello->dtls_cookie_len) == 0) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_COOKIE_MISMATCH); goto err; @@ -3276,7 +3276,7 @@ static int tls_process_cke_gost(SSL_CONNECTION *s, PACKET *pkt) ptr = PACKET_data(pkt); /* Some implementations provide extra data in the opaqueBlob * We have nothing to do with this blob so we just skip it */ - pKX = d2i_GOST_KX_MESSAGE(NULL, &ptr, PACKET_remaining(pkt)); + pKX = d2i_GOST_KX_MESSAGE(NULL, &ptr, (long)PACKET_remaining(pkt)); if (pKX == NULL || pKX->kxBlob == NULL || ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE) { diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 474ea7bf5b6..a28a1532f10 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -245,7 +245,7 @@ int tls1_change_cipher_state(SSL_CONNECTION *s, int which) BIO_printf(trc_out, "which = %04X, key:\n", which); BIO_dump_indent(trc_out, key, EVP_CIPHER_get_key_length(c), 4); BIO_printf(trc_out, "iv:\n"); - BIO_dump_indent(trc_out, iv, k, 4); + BIO_dump_indent(trc_out, iv, (int)k, 4); } OSSL_TRACE_END(TLS); return 1; @@ -308,7 +308,7 @@ int tls1_setup_key_block(SSL_CONNECTION *s) BIO_printf(trc_out, "master key\n"); BIO_dump_indent(trc_out, s->session->master_key, - s->session->master_key_length, 4); + (int)s->session->master_key_length, 4); } OSSL_TRACE_END(TLS); if (!tls1_generate_key_block(s, p, num)) { @@ -318,7 +318,7 @@ int tls1_setup_key_block(SSL_CONNECTION *s) OSSL_TRACE_BEGIN(TLS) { BIO_printf(trc_out, "key block\n"); - BIO_dump_indent(trc_out, p, num, 4); + BIO_dump_indent(trc_out, p, (int)num, 4); } OSSL_TRACE_END(TLS); ret = 1; @@ -375,7 +375,7 @@ int tls1_generate_master_secret(SSL_CONNECTION *s, unsigned char *out, } OSSL_TRACE_BEGIN(TLS) { BIO_printf(trc_out, "Handshake hashes:\n"); - BIO_dump(trc_out, (char *)hash, hashlen); + BIO_dump(trc_out, (char *)hash, (int)hashlen); } OSSL_TRACE_END(TLS); if (!tls1_PRF(s, TLS_MD_EXTENDED_MASTER_SECRET_CONST, @@ -405,7 +405,7 @@ int tls1_generate_master_secret(SSL_CONNECTION *s, unsigned char *out, OSSL_TRACE_BEGIN(TLS) { BIO_printf(trc_out, "Premaster Secret:\n"); - BIO_dump_indent(trc_out, p, len, 4); + BIO_dump_indent(trc_out, p, (int)len, 4); BIO_printf(trc_out, "Client Random:\n"); BIO_dump_indent(trc_out, s->s3.client_random, SSL3_RANDOM_SIZE, 4); BIO_printf(trc_out, "Server Random:\n"); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 1d18ad96350..1f873ed8ca1 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -958,13 +958,13 @@ int tls1_get0_implemented_groups(int min_proto_version, int max_proto_version, TLS_GROUP_IX *gix; uint16_t id = 0; int ret = 0; - size_t ix; + int ix; - if (grps == NULL || out == NULL) + if (grps == NULL || out == NULL || num > INT_MAX) return 0; if ((collect = sk_TLS_GROUP_IX_new(tls_group_ix_cmp)) == NULL) return 0; - for (ix = 0; ix < num; ++ix, ++grps) { + for (ix = 0; ix < (int)num; ++ix, ++grps) { if (grps->mintls > 0 && max_proto_version > 0 && grps->mintls > max_proto_version) continue; @@ -984,7 +984,7 @@ int tls1_get0_implemented_groups(int min_proto_version, int max_proto_version, sk_TLS_GROUP_IX_sort(collect); num = sk_TLS_GROUP_IX_num(collect); - for (ix = 0; ix < num; ++ix) { + for (ix = 0; ix < (int)num; ++ix) { gix = sk_TLS_GROUP_IX_value(collect, ix); if (!all && gix->grp->group_id == id) continue; @@ -2245,7 +2245,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) cache[cache_idx].hash = si.hash_name?OBJ_txt2nid(si.hash_name):NID_undef; cache[cache_idx].hash_idx = ssl_get_md_idx(cache[cache_idx].hash); cache[cache_idx].sig = OBJ_txt2nid(si.sigalg_name); - cache[cache_idx].sig_idx = i + SSL_PKEY_NUM; + cache[cache_idx].sig_idx = (int)(i + SSL_PKEY_NUM); cache[cache_idx].sigandhash = OBJ_txt2nid(si.sigalg_name); cache[cache_idx].curve = NID_undef; cache[cache_idx].mintls = TLS1_3_VERSION; @@ -2457,7 +2457,7 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL_CONNECTION *s, if (clu == NULL) continue; if (clu->amask & s->s3.tmp.new_cipher->algorithm_auth) { - idx = i; + idx = (int)i; break; } } @@ -2492,7 +2492,7 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL_CONNECTION *s, } } } else { - idx = s->cert->key - s->cert->pkeys; + idx = (int)(s->cert->key - s->cert->pkeys); } } if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg)) @@ -2523,7 +2523,7 @@ int tls1_set_peer_legacy_sigalg(SSL_CONNECTION *s, const EVP_PKEY *pkey) if (ssl_cert_lookup_by_pkey(pkey, &idx, SSL_CONNECTION_GET_CTX(s)) == NULL) return 0; - lu = tls1_get_legacy_sigalg(s, idx); + lu = tls1_get_legacy_sigalg(s, (int)idx); if (lu == NULL) return 0; s->s3.tmp.peer_sigalg = lu; @@ -2968,7 +2968,7 @@ int tls1_set_server_sigalgs(SSL_CONNECTION *s) size_t sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs); for (i = 0; i < s->ssl_pkey_num; i++) { - const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, i); + const SIGALG_LOOKUP *lu = tls1_get_legacy_sigalg(s, (int)i); size_t j; if (lu == NULL) @@ -3222,7 +3222,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, p = sdec; sess = d2i_SSL_SESSION_ex(NULL, &p, slen, sctx->libctx, sctx->propq); - slen -= p - sdec; + slen -= (int)(p - sdec); OPENSSL_free(sdec); if (sess) { /* Some additional consistency checks */ @@ -4050,7 +4050,7 @@ int tls1_check_chain(SSL_CONNECTION *s, X509 *x, EVP_PKEY *pk, if (ssl_cert_lookup_by_pkey(pk, &certidx, SSL_CONNECTION_GET_CTX(s)) == NULL) return 0; - idx = certidx; + idx = (int)certidx; pvalid = s->s3.tmp.valid_flags + idx; if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) @@ -4655,7 +4655,7 @@ int tls_choose_sigalg(SSL_CONNECTION *s, int fatalerrs) /* If ciphersuite doesn't require a cert nothing to do */ if (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aCERT)) return 1; - if (!s->server && !ssl_has_cert(s, s->cert->key - s->cert->pkeys)) + if (!s->server && !ssl_has_cert(s, (int)(s->cert->key - s->cert->pkeys))) return 1; if (SSL_USE_SIGALGS(s)) { @@ -4682,7 +4682,7 @@ int tls_choose_sigalg(SSL_CONNECTION *s, int fatalerrs) if ((sig_idx = tls12_get_cert_sigalg_idx(s, lu)) == -1) continue; } else { - int cc_idx = s->cert->key - s->cert->pkeys; + int cc_idx = (int)(s->cert->key - s->cert->pkeys); sig_idx = lu->sig_idx; if (cc_idx != sig_idx) diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index f24669c4f55..ed8112a94b9 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -802,7 +802,7 @@ static int ssl_print_extension(BIO *bio, int indent, int server, if (plen + 1 > xlen) return 0; BIO_indent(bio, indent + 2, 80); - BIO_write(bio, ext, plen); + BIO_write(bio, ext, (int)plen); BIO_puts(bio, "\n"); ext += plen; xlen -= plen + 1; @@ -954,7 +954,7 @@ static int ssl_print_extension(BIO *bio, int indent, int server, return ssl_trace_list(bio, indent + 2, ext + 1, xlen, 1, ssl_cert_type_tbl); default: - BIO_dump_indent(bio, (const char *)ext, extlen, indent + 2); + BIO_dump_indent(bio, (const char *)ext, (int)extlen, indent + 2); } return 1; } @@ -996,7 +996,7 @@ static int ssl_print_extensions(BIO *bio, int indent, int server, if (extslen < extlen + 4) { BIO_printf(bio, "extensions, extype = %d, extlen = %d\n", extype, (int)extlen); - BIO_dump_indent(bio, (const char *)msg, extslen, indent + 2); + BIO_dump_indent(bio, (const char *)msg, (int)extslen, indent + 2); return 0; } msg += 4; @@ -1301,7 +1301,7 @@ static int ssl_print_certificate(BIO *bio, const SSL_CONNECTION *sc, int indent, BIO_indent(bio, indent, 80); BIO_printf(bio, "ASN.1Cert, length=%d", (int)clen); x = X509_new_ex(ctx->libctx, ctx->propq); - if (x != NULL && d2i_X509(&x, &q, clen) == NULL) { + if (x != NULL && d2i_X509(&x, &q, (long)clen) == NULL) { X509_free(x); x = NULL; } @@ -1343,7 +1343,7 @@ static int ssl_print_raw_public_key(BIO *bio, const SSL *ssl, int server, BIO_indent(bio, indent, 80); BIO_printf(bio, "raw_public_key, length=%d\n", (int)clen); - pkey = d2i_PUBKEY_ex(NULL, &msg, clen, ssl->ctx->libctx, ssl->ctx->propq); + pkey = d2i_PUBKEY_ex(NULL, &msg, (long)clen, ssl->ctx->libctx, ssl->ctx->propq); if (pkey == NULL) return 0; EVP_PKEY_print_public(bio, pkey, indent + 2, NULL); @@ -1428,7 +1428,7 @@ static int ssl_print_compressed_certificates(BIO *bio, const SSL_CONNECTION *sc, else BIO_printf(bio, "Compressed length=%d, Ratio=unknown\n", (int)clen); - BIO_dump_indent(bio, (const char *)msg, clen, indent); + BIO_dump_indent(bio, (const char *)msg, (int)clen, indent); #ifndef OPENSSL_NO_COMP_ALG if (!ossl_comp_has_alg(alg)) @@ -1453,7 +1453,8 @@ static int ssl_print_compressed_certificates(BIO *bio, const SSL_CONNECTION *sc, } if ((comp = COMP_CTX_new(method)) == NULL - || COMP_expand_block(comp, ucdata, uclen, (unsigned char*)msg, clen) != (int)uclen) + || COMP_expand_block(comp, ucdata, (int)uclen, + (unsigned char*)msg, (int)clen) != (int)uclen) goto err; ret = ssl_print_certificates(bio, sc, server, indent, ucdata, uclen); @@ -1534,7 +1535,7 @@ static int ssl_print_cert_request(BIO *bio, int indent, const SSL_CONNECTION *sc BIO_indent(bio, indent + 2, 80); BIO_printf(bio, "DistinguishedName (len=%d): ", (int)dlen); p = msg; - nm = d2i_X509_NAME(NULL, &p, dlen); + nm = d2i_X509_NAME(NULL, &p, (long)dlen); if (!nm) { BIO_puts(bio, "\n"); } else { @@ -1712,7 +1713,7 @@ static int ssl_print_handshake(BIO *bio, const SSL_CONNECTION *sc, int server, default: BIO_indent(bio, indent + 2, 80); BIO_puts(bio, "Unsupported, hex dump follows:\n"); - BIO_dump_indent(bio, (const char *)msg, msglen, indent + 4); + BIO_dump_indent(bio, (const char *)msg, (int)msglen, indent + 4); } return 1; } diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c index 64a9a7942b3..b489ab11fa5 100644 --- a/ssl/tls_depr.c +++ b/ssl/tls_depr.c @@ -119,7 +119,7 @@ void ssl_hmac_old_free(SSL_HMAC *ctx) int ssl_hmac_old_init(SSL_HMAC *ctx, void *key, size_t len, char *md) { - return HMAC_Init_ex(ctx->old_ctx, key, len, EVP_get_digestbyname(md), NULL); + return HMAC_Init_ex(ctx->old_ctx, key, (int)len, EVP_get_digestbyname(md), NULL); } int ssl_hmac_old_update(SSL_HMAC *ctx, const unsigned char *data, size_t len)