From: Helen Zhang <helzhang@cisco.com>
Date: Fri, 24 Apr 2026 14:53:18 +0000 (+0000)
Subject: change EVP_MD_size() return value from size_t to int.
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=dfcbc4a2d777917178f3799a067d05910bb829f4;p=thirdparty%2Fopenssl.git

change EVP_MD_size() return value from size_t to int.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Apr 29 15:14:20 2026
(Merged from https://github.com/openssl/openssl/pull/30803)
---

diff --git a/providers/implementations/kdfs/ikev2kdf.c b/providers/implementations/kdfs/ikev2kdf.c
index 538704f2041..cd960a84194 100644
--- a/providers/implementations/kdfs/ikev2kdf.c
+++ b/providers/implementations/kdfs/ikev2kdf.c
@@ -239,28 +239,28 @@ static int ikev2_check_secret_and_pad(KDF_IKEV2KDF *ctx)
 
     if (ctx->secret_len < IKEV2KDF_MAX_GROUP19_MODLEN)
         pad_len = IKEV2KDF_MAX_GROUP19_MODLEN - ctx->secret_len;
-    if ((ctx->secret_len > IKEV2KDF_MAX_GROUP19_MODLEN)
+    else if ((ctx->secret_len > IKEV2KDF_MAX_GROUP19_MODLEN)
         && (ctx->secret_len < IKEV2KDF_MAX_GROUP20_MODLEN))
         pad_len = IKEV2KDF_MAX_GROUP20_MODLEN - ctx->secret_len;
-    if ((ctx->secret_len > IKEV2KDF_MAX_GROUP20_MODLEN)
+    else if ((ctx->secret_len > IKEV2KDF_MAX_GROUP20_MODLEN)
         && (ctx->secret_len < IKEV2KDF_MAX_GROUP21_MODLEN))
         pad_len = IKEV2KDF_MAX_GROUP21_MODLEN - ctx->secret_len;
-    if ((ctx->secret_len > IKEV2KDF_MAX_GROUP21_MODLEN)
+    else if ((ctx->secret_len > IKEV2KDF_MAX_GROUP21_MODLEN)
         && (ctx->secret_len < IKEV2KDF_MAX_GROUP2_MODLEN))
         pad_len = IKEV2KDF_MAX_GROUP2_MODLEN - ctx->secret_len;
-    if ((ctx->secret_len > IKEV2KDF_MAX_GROUP2_MODLEN)
+    else if ((ctx->secret_len > IKEV2KDF_MAX_GROUP2_MODLEN)
         && (ctx->secret_len < IKEV2KDF_MAX_GROUP14_MODLEN))
         pad_len = IKEV2KDF_MAX_GROUP14_MODLEN - ctx->secret_len;
-    if ((ctx->secret_len > IKEV2KDF_MAX_GROUP14_MODLEN)
+    else if ((ctx->secret_len > IKEV2KDF_MAX_GROUP14_MODLEN)
         && (ctx->secret_len < IKEV2KDF_MAX_GROUP15_MODLEN))
         pad_len = IKEV2KDF_MAX_GROUP15_MODLEN - ctx->secret_len;
-    if ((ctx->secret_len > IKEV2KDF_MAX_GROUP15_MODLEN)
+    else if ((ctx->secret_len > IKEV2KDF_MAX_GROUP15_MODLEN)
         && (ctx->secret_len < IKEV2KDF_MAX_GROUP16_MODLEN))
         pad_len = IKEV2KDF_MAX_GROUP16_MODLEN - ctx->secret_len;
-    if ((ctx->secret_len >= IKEV2KDF_MAX_GROUP16_MODLEN)
+    else if ((ctx->secret_len > IKEV2KDF_MAX_GROUP16_MODLEN)
         && (ctx->secret_len < IKEV2KDF_MAX_GROUP17_MODLEN))
         pad_len = IKEV2KDF_MAX_GROUP17_MODLEN - ctx->secret_len;
-    if (ctx->secret_len > IKEV2KDF_MAX_GROUP17_MODLEN)
+    else if (ctx->secret_len > IKEV2KDF_MAX_GROUP17_MODLEN)
         pad_len = IKEV2KDF_MAX_GROUP18_MODLEN - ctx->secret_len;
 
     new_secret = OPENSSL_zalloc(ctx->secret_len + pad_len);
@@ -281,6 +281,7 @@ static int kdf_ikev2kdf_derive(void *vctx, unsigned char *key, size_t keylen,
     KDF_IKEV2KDF *ctx = (KDF_IKEV2KDF *)vctx;
     const EVP_MD *md;
     size_t md_size;
+    int value = 0;
 
     if (!ossl_prov_is_running() || !kdf_ikev2kdf_set_ctx_params(ctx, params))
         return 0;
@@ -290,9 +291,10 @@ static int kdf_ikev2kdf_derive(void *vctx, unsigned char *key, size_t keylen,
         ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_MESSAGE_DIGEST);
         return 0;
     }
-    md_size = EVP_MD_size(md);
-    if (md_size <= 0)
+    value = EVP_MD_size(md);
+    if (value <= 0)
         return 0;
+    md_size = (size_t)value;
 
     if (!ikev2_common_check_ctx_params(ctx))
         return 0;
@@ -333,7 +335,7 @@ static int kdf_ikev2kdf_derive(void *vctx, unsigned char *key, size_t keylen,
                 ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_KEY);
                 return 0;
             }
-            if (ctx->seedkey_len != (size_t)md_size) {
+            if (ctx->seedkey_len != md_size) {
                 ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
                 return 0;
             }
@@ -382,7 +384,7 @@ static int kdf_ikev2kdf_derive(void *vctx, unsigned char *key, size_t keylen,
             ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_DKM);
             return 0;
         }
-        if (ctx->sk_d_len != (size_t)md_size) {
+        if (ctx->sk_d_len != md_size) {
             ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
             return 0;
         }
@@ -491,7 +493,7 @@ static int kdf_ikev2kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
         return 0;
 
     if (p.size != NULL) {
-        size_t sz = 0;
+        int sz = 0;
         const EVP_MD *md = NULL;
 
         md = ossl_prov_digest_md(&ctx->digest);
@@ -502,7 +504,7 @@ static int kdf_ikev2kdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
         sz = EVP_MD_size(md);
         if (sz <= 0)
             return 0;
-        if (!OSSL_PARAM_set_size_t(p.size, sz))
+        if (!OSSL_PARAM_set_size_t(p.size, (size_t)sz))
             return 0;
     }
     return 1;
@@ -592,7 +594,7 @@ err:
  * IKEV2_REKEY - KDF in compliance with SP800-135 for IKEv2,
  *               re-generate the seedkey.
  *
- * algorithm:  HMAC(sk_d, Ni || Nr || seedkey || (if dh==1 then shared_secret))
+ * algorithm:  HMAC(sk_d, new secret || Ni || Nr )
  *
  * Inputs:
  *   libctx - provider LIB context
@@ -693,16 +695,18 @@ static int IKEV2_DKM(OSSL_LIB_CTX *libctx, unsigned char *dkm, const size_t len_
     size_t outl = 0, hmac_len = 0, ii;
     unsigned char *hmac = NULL;
     int ret = 0;
-    int md_size = 0;
+    size_t md_size = 0;
+    int value = 0;
     unsigned char counter = 1;
     OSSL_PARAM params[] = {
         OSSL_PARAM_construct_utf8_string("digest", (char *)EVP_MD_name(evp_md), 0),
         OSSL_PARAM_construct_end()
     };
 
-    md_size = EVP_MD_size(evp_md);
-    if (md_size <= 0)
+    value = EVP_MD_size(evp_md);
+    if (value <= 0)
         return 0;
+    md_size = (size_t)value;
     /* len_out may not fit the last hmac, round up */
     hmac_len = ((len_out + md_size - 1) / md_size) * md_size;
     hmac = OPENSSL_malloc(hmac_len);
@@ -736,7 +740,7 @@ static int IKEV2_DKM(OSSL_LIB_CTX *libctx, unsigned char *dkm, const size_t len_
                 goto err;
         if (!EVP_MAC_update(ctx, &counter, 1))
             goto err;
-        if (!EVP_MAC_final(ctx, &hmac[ii], &outl, len_out))
+        if (!EVP_MAC_final(ctx, &hmac[ii], &outl, md_size))
             goto err;
         counter++;
     }
diff --git a/providers/implementations/kdfs/snmpkdf.c b/providers/implementations/kdfs/snmpkdf.c
index 6b5837e4205..e857abc1e8e 100644
--- a/providers/implementations/kdfs/snmpkdf.c
+++ b/providers/implementations/kdfs/snmpkdf.c
@@ -292,6 +292,7 @@ static int SNMPKDF(const EVP_MD *evp_md,
     size_t mdsize = 0, len = 0;
     unsigned int md_len = 0;
     int ret = 0;
+    int value = 0;
 
     /* Limited to SHA-1 and SHA-2 hashes presently */
     if (okey == NULL || keylen == 0)
@@ -303,9 +304,10 @@ static int SNMPKDF(const EVP_MD *evp_md,
         goto err;
     }
 
-    mdsize = EVP_MD_get_size(evp_md);
-    if (mdsize <= 0 || mdsize > keylen)
+    value = EVP_MD_get_size(evp_md);
+    if (value <= 0 || (size_t)value > keylen)
         goto err;
+    mdsize = (size_t)value;
 
     if (!EVP_DigestInit_ex(md, evp_md, NULL))
         goto err;
@@ -324,7 +326,7 @@ static int SNMPKDF(const EVP_MD *evp_md,
         || !EVP_DigestFinal_ex(md, digest, &md_len))
         goto err;
 
-    memcpy(okey, digest, md_len);
+    memcpy(okey, digest, (keylen < md_len) ? keylen : md_len);
 
     ret = 1;