lib v* PR curl#13472

vszakats · Apr 29, 2024 · 3bb3c78 · 3bb3c78
1 parent 39939cc
commit 3bb3c78
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 56 deletions.
diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
@@ -482,9 +482,9 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
   CURLcode result = CURLE_OK;
   size_t size;
   unsigned char ntlmbuf[NTLM_BUFSIZE];
-  int lmrespoff;
+  unsigned int lmrespoff;
   unsigned char lmresp[24]; /* fixed-size */
-  int ntrespoff;
+  unsigned int ntrespoff;
   unsigned int ntresplen = 24;
   unsigned char ntresp[24]; /* fixed-size */
   unsigned char *ptr_ntresp = &ntresp[0];
@@ -508,7 +508,7 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
 
   if(user) {
     domain = userp;
-    domlen = (user - domain);
+    domlen = (size_t)(user - domain);
     user++;
   }
   else
@@ -585,7 +585,7 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
       return result;
 
     Curl_ntlm_core_lm_resp(lmbuffer, &ntlm->nonce[0], lmresp);
-    ntlm->flags &= ~NTLMFLAG_NEGOTIATE_NTLM2_KEY;
+    ntlm->flags &= ~(unsigned int)NTLMFLAG_NEGOTIATE_NTLM2_KEY;
 
     /* A safer but less compatible alternative is:
      *   Curl_ntlm_core_lm_resp(ntbuffer, &ntlm->nonce[0], lmresp);
@@ -605,7 +605,7 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
   hostoff = useroff + userlen;
 
   /* Create the big type-3 message binary blob */
-  size = msnprintf((char *)ntlmbuf, NTLM_BUFSIZE,
+  size = (size_t)msnprintf((char *)ntlmbuf, NTLM_BUFSIZE,
                    NTLMSSP_SIGNATURE "%c"
                    "\x03%c%c%c"  /* 32-bit type = 3 */
 
@@ -683,7 +683,7 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
                    LONGQUARTET(ntlm->flags));
 
   DEBUGASSERT(size == 64);
-  DEBUGASSERT(size == (size_t)lmrespoff);
+  DEBUGASSERT(size == lmrespoff);
 
   /* We append the binary hashes */
   if(size < (NTLM_BUFSIZE - 0x18)) {
@@ -701,7 +701,7 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
     failf(data, "incoming NTLM message too big");
     return CURLE_OUT_OF_MEMORY;
   }
-  DEBUGASSERT(size == (size_t)ntrespoff);
+  DEBUGASSERT(size == ntrespoff);
   memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
   size += ntresplen;
 

diff --git a/lib/vtls/hostcheck.c b/lib/vtls/hostcheck.c
@@ -112,8 +112,8 @@ static bool hostmatch(const char *hostname,
   else {
     const char *hostname_label_end = memchr(hostname, '.', hostlen);
     if(hostname_label_end) {
-      size_t skiphost = hostname_label_end - hostname;
-      size_t skiplen = pattern_label_end - pattern;
+      size_t skiphost = (size_t)(hostname_label_end - hostname);
+      size_t skiplen = (size_t)(pattern_label_end - pattern);
       return pmatch(hostname_label_end, hostlen - skiphost,
                     pattern_label_end, patternlen - skiplen);
     }

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
@@ -320,9 +320,9 @@ struct multi_ssl_backend_data {
 #define push_certinfo(_label, _num)             \
 do {                              \
   long info_len = BIO_get_mem_data(mem, &ptr); \
-  Curl_ssl_push_certinfo_len(data, _num, _label, ptr, info_len); \
-  if(1 != BIO_reset(mem))                                        \
-    break;                                                       \
+  Curl_ssl_push_certinfo_len(data, _num, _label, ptr, (size_t)info_len); \
+  if(1 != BIO_reset(mem))                                                \
+    break;                                                               \
 } while(0)
 
 static void pubkey_show(struct Curl_easy *data,
@@ -729,7 +729,10 @@ static int ossl_bio_cf_out_write(BIO *bio, const char *buf, int blen)
   CURLcode result = CURLE_SEND_ERROR;
 
   DEBUGASSERT(data);
-  nwritten = Curl_conn_cf_send(cf->next, data, buf, blen, &result);
+  if(blen < 0)
+    return 0;
+
+  nwritten = Curl_conn_cf_send(cf->next, data, buf, (size_t)blen, &result);
   CURL_TRC_CF(data, cf, "ossl_bio_cf_out_write(len=%d) -> %d, err=%d",
               blen, (int)nwritten, result);
   BIO_clear_retry_flags(bio);
@@ -754,8 +757,10 @@ static int ossl_bio_cf_in_read(BIO *bio, char *buf, int blen)
   /* OpenSSL catches this case, so should we. */
   if(!buf)
     return 0;
+  if(blen < 0)
+    return 0;
 
-  nread = Curl_conn_cf_recv(cf->next, data, buf, blen, &result);
+  nread = Curl_conn_cf_recv(cf->next, data, buf, (size_t)blen, &result);
   CURL_TRC_CF(data, cf, "ossl_bio_cf_in_read(len=%d) -> %d, err=%d",
               blen, (int)nread, result);
   BIO_clear_retry_flags(bio);
@@ -965,10 +970,10 @@ static int passwd_callback(char *buf, int num, int encrypting,
 {
   DEBUGASSERT(0 == encrypting);
 
-  if(!encrypting) {
+  if(!encrypting && num >= 0) {
     int klen = curlx_uztosi(strlen((char *)global_passwd));
     if(num > klen) {
-      memcpy(buf, global_passwd, klen + 1);
+      memcpy(buf, global_passwd, (size_t)(klen + 1));
       return klen;
     }
   }
@@ -1889,7 +1894,7 @@ static void ossl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
     if(cf->next && cf->next->connected && !connssl->peer_closed) {
       char buf[1024];
       int nread, err;
-      long sslerr;
+      unsigned long sslerr;
 
       /* Maybe the server has already sent a close notify alert.
          Read it to avoid an RST on the TCP connection. */
@@ -2312,9 +2317,9 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
         if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
           peerlen = ASN1_STRING_length(tmp);
           if(peerlen >= 0) {
-            peer_CN = OPENSSL_malloc(peerlen + 1);
+            peer_CN = OPENSSL_malloc((size_t)(peerlen + 1));
             if(peer_CN) {
-              memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen);
+              memcpy(peer_CN, ASN1_STRING_get0_data(tmp), (size_t)peerlen);
               peer_CN[peerlen] = '\0';
             }
             else
@@ -2342,7 +2347,7 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
       result = CURLE_PEER_FAILED_VERIFICATION;
     }
     else if(!Curl_cert_hostcheck((const char *)peer_CN,
-                                 peerlen, peer->hostname, hostlen)) {
+                                 (size_t)peerlen, peer->hostname, hostlen)) {
       failf(data, "SSL: certificate subject name '%s' does not match "
             "target host name '%s'", peer_CN, peer->dispname);
       result = CURLE_PEER_FAILED_VERIFICATION;
@@ -3642,14 +3647,14 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
 
 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
   /* mitigate CVE-2010-4180 */
-  ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
+  ctx_options &= ~(ctx_option_t)SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
 #endif
 
 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
   /* unless the user explicitly asks to allow the protocol vulnerability we
      use the work-around */
   if(!ssl_config->enable_beast)
-    ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+    ctx_options &= ~(ctx_option_t)SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
 #endif
 
   switch(ssl_version) {
@@ -3687,7 +3692,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
 
 #ifdef HAS_ALPN
   if(alpn && alpn_len) {
-    if(SSL_CTX_set_alpn_protos(octx->ssl_ctx, alpn, (int)alpn_len)) {
+    if(SSL_CTX_set_alpn_protos(octx->ssl_ctx, alpn, (unsigned int)alpn_len)) {
       failf(data, "Error setting ALPN");
       return CURLE_SSL_CONNECT_ERROR;
     }
@@ -4026,7 +4031,7 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
 #endif
 
   result = Curl_ossl_ctx_init(octx, cf, data, &connssl->peer, TRNSPRT_TCP,
-                              proto.data, proto.len, NULL, NULL,
+                              proto.data, (size_t)proto.len, NULL, NULL,
                               ossl_new_session_cb, cf);
   if(result)
     return result;
@@ -4417,7 +4422,7 @@ static CURLcode ossl_pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert,
     if(len1 < 1)
       break; /* failed */
 
-    buff1 = temp = malloc(len1);
+    buff1 = temp = malloc((size_t)len1);
     if(!buff1)
       break; /* failed */
 
@@ -4435,7 +4440,7 @@ static CURLcode ossl_pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert,
     /* End Gyrations */
 
     /* The one good exit point */
-    result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, len1);
+    result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, (size_t)len1);
   } while(0);
 
   if(buff1)
@@ -5114,27 +5119,28 @@ static size_t ossl_version(char *buffer, size_t size)
   }
   return count;
 #else
-  return msnprintf(buffer, size, "%s/%lx.%lx.%lx",
-                   OSSL_PACKAGE,
-                   (LIBRESSL_VERSION_NUMBER>>28)&0xf,
-                   (LIBRESSL_VERSION_NUMBER>>20)&0xff,
-                   (LIBRESSL_VERSION_NUMBER>>12)&0xff);
+  return (size_t)msnprintf(buffer, size, "%s/%lx.%lx.%lx",
+                           OSSL_PACKAGE,
+                           (LIBRESSL_VERSION_NUMBER>>28)&0xf,
+                           (LIBRESSL_VERSION_NUMBER>>20)&0xff,
+                           (LIBRESSL_VERSION_NUMBER>>12)&0xff);
 #endif
 #elif defined(OPENSSL_IS_BORINGSSL)
 #ifdef CURL_BORINGSSL_VERSION
-  return msnprintf(buffer, size, "%s/%s",
-                   OSSL_PACKAGE,
-                   CURL_BORINGSSL_VERSION);
+  return (size_t)msnprintf(buffer, size, "%s/%s",
+                           OSSL_PACKAGE,
+                           CURL_BORINGSSL_VERSION);
 #else
-  return msnprintf(buffer, size, OSSL_PACKAGE);
+  return (size_t)msnprintf(buffer, size, OSSL_PACKAGE);
 #endif
 #elif defined(OPENSSL_IS_AWSLC)
-  return msnprintf(buffer, size, "%s/%s",
-                   OSSL_PACKAGE,
-                   AWSLC_VERSION_NUMBER_STRING);
+  return (size_t)msnprintf(buffer, size, "%s/%s",
+                           OSSL_PACKAGE,
+                           AWSLC_VERSION_NUMBER_STRING);
 #elif defined(HAVE_OPENSSL_VERSION) && defined(OPENSSL_VERSION_STRING)
-  return msnprintf(buffer, size, "%s/%s",
-                   OSSL_PACKAGE, OpenSSL_version(OPENSSL_VERSION_STRING));
+  return (size_t)msnprintf(buffer, size, "%s/%s",
+                           OSSL_PACKAGE,
+                           OpenSSL_version(OPENSSL_VERSION_STRING));
 #else
   /* not LibreSSL, BoringSSL and not using OpenSSL_version */
 
@@ -5163,16 +5169,16 @@ static size_t ossl_version(char *buffer, size_t size)
       sub[0]='\0';
   }
 
-  return msnprintf(buffer, size, "%s/%lx.%lx.%lx%s"
+  return (size_t)msnprintf(buffer, size, "%s/%lx.%lx.%lx%s"
 #ifdef OPENSSL_FIPS
-                   "-fips"
-#endif
-                   ,
-                   OSSL_PACKAGE,
-                   (ssleay_value>>28)&0xf,
-                   (ssleay_value>>20)&0xff,
-                   (ssleay_value>>12)&0xff,
-                   sub);
+                           "-fips"
+#endif
+                           ,
+                           OSSL_PACKAGE,
+                           (ssleay_value>>28)&0xf,
+                           (ssleay_value>>20)&0xff,
+                           (ssleay_value>>12)&0xff,
+                           sub);
 #endif /* OPENSSL_IS_BORINGSSL */
 }
 

diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
@@ -946,7 +946,7 @@ static CURLcode pubkey_pem_to_der(const char *pem,
   if(!begin_pos)
     return CURLE_BAD_CONTENT_ENCODING;
 
-  pem_count = begin_pos - pem;
+  pem_count = (size_t)(begin_pos - pem);
   /* Invalid if not at beginning AND not directly following \n */
   if(0 != pem_count && '\n' != pem[pem_count - 1])
     return CURLE_BAD_CONTENT_ENCODING;
@@ -959,7 +959,7 @@ static CURLcode pubkey_pem_to_der(const char *pem,
   if(!end_pos)
     return CURLE_BAD_CONTENT_ENCODING;
 
-  pem_len = end_pos - pem;
+  pem_len = (size_t)(end_pos - pem);
 
   stripped_pem = malloc(pem_len - pem_count + 1);
   if(!stripped_pem)
@@ -1418,12 +1418,13 @@ static size_t multissl_version(char *buffer, size_t size)
       bool paren = (selected != available_backends[i]);
 
       if(available_backends[i]->version(vb, sizeof(vb))) {
-        p += msnprintf(p, end - p, "%s%s%s%s", (p != backends ? " " : ""),
+        p += msnprintf(p, (size_t)(end - p), "%s%s%s%s",
+                       (p != backends ? " " : ""),
                        (paren ? "(" : ""), vb, (paren ? ")" : ""));
       }
     }
 
-    backends_len = p - backends;
+    backends_len = (size_t)(p - backends);
   }
 
   if(size) {
@@ -1983,10 +1984,10 @@ CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at,
 
 #endif /* !CURL_DISABLE_PROXY */
 
-bool Curl_ssl_supports(struct Curl_easy *data, int option)
+bool Curl_ssl_supports(struct Curl_easy *data, unsigned int ssl_option)
 {
   (void)data;
-  return (Curl_ssl->supports & option)? TRUE : FALSE;
+  return (Curl_ssl->supports & ssl_option)? TRUE : FALSE;
 }
 
 static struct Curl_cfilter *get_ssl_filter(struct Curl_cfilter *cf)

diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
@@ -205,7 +205,7 @@ CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at,
  * Option is one of the defined SSLSUPP_* values.
  * `data` maybe NULL for the features of the default implementation.
  */
-bool Curl_ssl_supports(struct Curl_easy *data, int ssl_option);
+bool Curl_ssl_supports(struct Curl_easy *data, unsigned int ssl_option);
 
 /**
  * Get the internal ssl instance (like OpenSSL's SSL*) from the filter