aboutsummaryrefslogtreecommitdiffhomepage
path: root/src/core/tsi
diff options
context:
space:
mode:
Diffstat (limited to 'src/core/tsi')
-rw-r--r--src/core/tsi/fake_transport_security.c18
-rw-r--r--src/core/tsi/ssl_transport_security.c115
2 files changed, 85 insertions, 48 deletions
diff --git a/src/core/tsi/fake_transport_security.c b/src/core/tsi/fake_transport_security.c
index 29127c4269..b1a975155a 100644
--- a/src/core/tsi/fake_transport_security.c
+++ b/src/core/tsi/fake_transport_security.c
@@ -100,7 +100,7 @@ static const char* tsi_fake_handshake_message_to_string(int msg) {
static tsi_result tsi_fake_handshake_message_from_string(
const char* msg_string, tsi_fake_handshake_message* msg) {
- int i;
+ tsi_fake_handshake_message i;
for (i = 0; i < TSI_FAKE_HANDSHAKE_MESSAGE_MAX; i++) {
if (strncmp(msg_string, tsi_fake_handshake_message_strings[i],
strlen(tsi_fake_handshake_message_strings[i])) == 0) {
@@ -171,7 +171,7 @@ static tsi_result fill_frame_from_bytes(const unsigned char* incoming_bytes,
memcpy(frame->data + frame->offset, bytes_cursor, available_size);
bytes_cursor += available_size;
frame->offset += available_size;
- *incoming_bytes_size = bytes_cursor - incoming_bytes;
+ *incoming_bytes_size = (size_t)(bytes_cursor - incoming_bytes);
return TSI_INCOMPLETE_DATA;
}
memcpy(frame->data + frame->offset, bytes_cursor, to_read_size);
@@ -187,12 +187,12 @@ static tsi_result fill_frame_from_bytes(const unsigned char* incoming_bytes,
memcpy(frame->data + frame->offset, bytes_cursor, available_size);
frame->offset += available_size;
bytes_cursor += available_size;
- *incoming_bytes_size = bytes_cursor - incoming_bytes;
+ *incoming_bytes_size = (size_t)(bytes_cursor - incoming_bytes);
return TSI_INCOMPLETE_DATA;
}
memcpy(frame->data + frame->offset, bytes_cursor, to_read_size);
bytes_cursor += to_read_size;
- *incoming_bytes_size = bytes_cursor - incoming_bytes;
+ *incoming_bytes_size = (size_t)(bytes_cursor - incoming_bytes);
tsi_fake_frame_reset(frame, 1 /* needs_draining */);
return TSI_OK;
}
@@ -219,7 +219,7 @@ static tsi_result bytes_to_frame(unsigned char* bytes, size_t bytes_size,
frame->offset = 0;
frame->size = bytes_size + TSI_FAKE_FRAME_HEADER_SIZE;
if (!tsi_fake_frame_ensure_size(frame)) return TSI_OUT_OF_RESOURCES;
- store32_little_endian(frame->size, frame->data);
+ store32_little_endian((gpr_uint32)frame->size, frame->data);
memcpy(frame->data + TSI_FAKE_FRAME_HEADER_SIZE, bytes, bytes_size);
tsi_fake_frame_reset(frame, 1 /* needs draining */);
return TSI_OK;
@@ -266,7 +266,7 @@ static tsi_result fake_protector_protect(tsi_frame_protector* self,
if (frame->size == 0) {
/* New frame, create a header. */
size_t written_in_frame_size = 0;
- store32_little_endian(impl->max_frame_size, frame_header);
+ store32_little_endian((gpr_uint32)impl->max_frame_size, frame_header);
written_in_frame_size = TSI_FAKE_FRAME_HEADER_SIZE;
result = fill_frame_from_bytes(frame_header, &written_in_frame_size, frame);
if (result != TSI_INCOMPLETE_DATA) {
@@ -303,7 +303,8 @@ static tsi_result fake_protector_protect_flush(
frame->size = frame->offset;
frame->offset = 0;
frame->needs_draining = 1;
- store32_little_endian(frame->size, frame->data); /* Overwrite header. */
+ store32_little_endian((gpr_uint32)frame->size,
+ frame->data); /* Overwrite header. */
}
result = drain_frame_to_bytes(protected_output_frames,
protected_output_frames_size, frame);
@@ -384,7 +385,8 @@ static tsi_result fake_handshaker_get_bytes_to_send_to_peer(
return TSI_OK;
}
if (!impl->outgoing.needs_draining) {
- int next_message_to_send = impl->next_message_to_send + 2;
+ tsi_fake_handshake_message next_message_to_send =
+ impl->next_message_to_send + 2;
const char* msg_string =
tsi_fake_handshake_message_to_string(impl->next_message_to_send);
result = bytes_to_frame((unsigned char*)msg_string, strlen(msg_string),
diff --git a/src/core/tsi/ssl_transport_security.c b/src/core/tsi/ssl_transport_security.c
index 0b416f6c9d..99ce7ecadf 100644
--- a/src/core/tsi/ssl_transport_security.c
+++ b/src/core/tsi/ssl_transport_security.c
@@ -131,10 +131,13 @@ static unsigned long openssl_thread_id_cb(void) {
static void init_openssl(void) {
int i;
+ int num_locks;
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
- openssl_mutexes = malloc(CRYPTO_num_locks() * sizeof(gpr_mu));
+ num_locks = CRYPTO_num_locks();
+ GPR_ASSERT(num_locks > 0);
+ openssl_mutexes = malloc((size_t)num_locks * sizeof(gpr_mu));
GPR_ASSERT(openssl_mutexes != NULL);
for (i = 0; i < CRYPTO_num_locks(); i++) {
gpr_mu_init(&openssl_mutexes[i]);
@@ -249,7 +252,7 @@ static tsi_result ssl_get_x509_common_name(X509* cert, unsigned char** utf8,
gpr_log(GPR_ERROR, "Could not extract utf8 from asn1 string.");
return TSI_OUT_OF_RESOURCES;
}
- *utf8_size = utf8_returned_size;
+ *utf8_size = (size_t)utf8_returned_size;
return TSI_OK;
}
@@ -279,8 +282,8 @@ static tsi_result peer_property_from_x509_common_name(
/* Gets the subject SANs from an X509 cert as a tsi_peer_property. */
static tsi_result add_subject_alt_names_properties_to_peer(
tsi_peer* peer, GENERAL_NAMES* subject_alt_names,
- int subject_alt_name_count) {
- int i;
+ size_t subject_alt_name_count) {
+ size_t i;
tsi_result result = TSI_OK;
/* Reset for DNS entries filtering. */
@@ -288,7 +291,7 @@ static tsi_result add_subject_alt_names_properties_to_peer(
for (i = 0; i < subject_alt_name_count; i++) {
GENERAL_NAME* subject_alt_name =
- sk_GENERAL_NAME_value(subject_alt_names, i);
+ sk_GENERAL_NAME_value(subject_alt_names, (int)i);
/* Filter out the non-dns entries names. */
if (subject_alt_name->type == GEN_DNS) {
unsigned char* dns_name = NULL;
@@ -301,7 +304,7 @@ static tsi_result add_subject_alt_names_properties_to_peer(
}
result = tsi_construct_string_peer_property(
TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY,
- (const char*)dns_name, dns_name_size,
+ (const char*)dns_name, (size_t)dns_name_size,
&peer->properties[peer->property_count++]);
OPENSSL_free(dns_name);
if (result != TSI_OK) break;
@@ -318,9 +321,12 @@ static tsi_result peer_from_x509(X509* cert, int include_certificate_type,
X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
int subject_alt_name_count =
(subject_alt_names != NULL) ? sk_GENERAL_NAME_num(subject_alt_names) : 0;
- size_t property_count = (include_certificate_type ? 1 : 0) +
- 1 /* common name */ + subject_alt_name_count;
- tsi_result result = tsi_construct_peer(property_count, peer);
+ size_t property_count;
+ tsi_result result;
+ GPR_ASSERT(subject_alt_name_count >= 0);
+ property_count = (include_certificate_type ? (size_t)1 : 0) +
+ 1 /* common name */ + (size_t)subject_alt_name_count;
+ result = tsi_construct_peer(property_count, peer);
if (result != TSI_OK) return result;
do {
if (include_certificate_type) {
@@ -334,8 +340,8 @@ static tsi_result peer_from_x509(X509* cert, int include_certificate_type,
if (result != TSI_OK) break;
if (subject_alt_name_count != 0) {
- result = add_subject_alt_names_properties_to_peer(peer, subject_alt_names,
- subject_alt_name_count);
+ result = add_subject_alt_names_properties_to_peer(
+ peer, subject_alt_names, (size_t)subject_alt_name_count);
if (result != TSI_OK) break;
}
} while (0);
@@ -360,7 +366,10 @@ static void log_ssl_error_stack(void) {
/* Performs an SSL_read and handle errors. */
static tsi_result do_ssl_read(SSL* ssl, unsigned char* unprotected_bytes,
size_t* unprotected_bytes_size) {
- int read_from_ssl = SSL_read(ssl, unprotected_bytes, *unprotected_bytes_size);
+ int read_from_ssl;
+ GPR_ASSERT(*unprotected_bytes_size <= INT_MAX);
+ read_from_ssl =
+ SSL_read(ssl, unprotected_bytes, (int)*unprotected_bytes_size);
if (read_from_ssl == 0) {
gpr_log(GPR_ERROR, "SSL_read returned 0 unexpectedly.");
return TSI_INTERNAL_ERROR;
@@ -387,15 +396,17 @@ static tsi_result do_ssl_read(SSL* ssl, unsigned char* unprotected_bytes,
return TSI_PROTOCOL_FAILURE;
}
}
- *unprotected_bytes_size = read_from_ssl;
+ *unprotected_bytes_size = (size_t)read_from_ssl;
return TSI_OK;
}
/* Performs an SSL_write and handle errors. */
static tsi_result do_ssl_write(SSL* ssl, unsigned char* unprotected_bytes,
size_t unprotected_bytes_size) {
- int ssl_write_result =
- SSL_write(ssl, unprotected_bytes, unprotected_bytes_size);
+ int ssl_write_result;
+ GPR_ASSERT(unprotected_bytes_size <= INT_MAX);
+ ssl_write_result =
+ SSL_write(ssl, unprotected_bytes, (int)unprotected_bytes_size);
if (ssl_write_result < 0) {
ssl_write_result = SSL_get_error(ssl, ssl_write_result);
if (ssl_write_result == SSL_ERROR_WANT_READ) {
@@ -417,7 +428,9 @@ static tsi_result ssl_ctx_use_certificate_chain(
size_t pem_cert_chain_size) {
tsi_result result = TSI_OK;
X509* certificate = NULL;
- BIO* pem = BIO_new_mem_buf((void*)pem_cert_chain, pem_cert_chain_size);
+ BIO* pem;
+ GPR_ASSERT(pem_cert_chain_size <= INT_MAX);
+ pem = BIO_new_mem_buf((void*)pem_cert_chain, (int)pem_cert_chain_size);
if (pem == NULL) return TSI_OUT_OF_RESOURCES;
do {
@@ -458,7 +471,9 @@ static tsi_result ssl_ctx_use_private_key(SSL_CTX* context,
size_t pem_key_size) {
tsi_result result = TSI_OK;
EVP_PKEY* private_key = NULL;
- BIO* pem = BIO_new_mem_buf((void*)pem_key, pem_key_size);
+ BIO* pem;
+ GPR_ASSERT(pem_key_size <= INT_MAX);
+ pem = BIO_new_mem_buf((void*)pem_key, (int)pem_key_size);
if (pem == NULL) return TSI_OUT_OF_RESOURCES;
do {
private_key = PEM_read_bio_PrivateKey(pem, NULL, NULL, "");
@@ -485,8 +500,11 @@ static tsi_result ssl_ctx_load_verification_certs(
size_t num_roots = 0;
X509* root = NULL;
X509_NAME* root_name = NULL;
- BIO* pem = BIO_new_mem_buf((void*)pem_roots, pem_roots_size);
- X509_STORE* root_store = SSL_CTX_get_cert_store(context);
+ BIO* pem;
+ X509_STORE* root_store;
+ GPR_ASSERT(pem_roots_size <= INT_MAX);
+ pem = BIO_new_mem_buf((void*)pem_roots, (int)pem_roots_size);
+ root_store = SSL_CTX_get_cert_store(context);
if (root_store == NULL) return TSI_INVALID_ARGUMENT;
if (pem == NULL) return TSI_OUT_OF_RESOURCES;
if (root_names != NULL) {
@@ -586,7 +604,9 @@ static tsi_result extract_x509_subject_names_from_pem_cert(
const unsigned char* pem_cert, size_t pem_cert_size, tsi_peer* peer) {
tsi_result result = TSI_OK;
X509* cert = NULL;
- BIO* pem = BIO_new_mem_buf((void*)pem_cert, pem_cert_size);
+ BIO* pem;
+ GPR_ASSERT(pem_cert_size <= INT_MAX);
+ pem = BIO_new_mem_buf((void*)pem_cert, (int)pem_cert_size);
if (pem == NULL) return TSI_OUT_OF_RESOURCES;
cert = PEM_read_bio_X509(pem, NULL, NULL, "");
@@ -616,7 +636,7 @@ static tsi_result build_alpn_protocol_name_list(
gpr_log(GPR_ERROR, "Invalid 0-length protocol name.");
return TSI_INVALID_ARGUMENT;
}
- *protocol_name_list_length += alpn_protocols_lengths[i] + 1;
+ *protocol_name_list_length += (size_t)alpn_protocols_lengths[i] + 1;
}
*protocol_name_list = malloc(*protocol_name_list_length);
if (*protocol_name_list == NULL) return TSI_OUT_OF_RESOURCES;
@@ -648,17 +668,18 @@ static tsi_result ssl_protector_protect(tsi_frame_protector* self,
tsi_result result = TSI_OK;
/* First see if we have some pending data in the SSL BIO. */
- size_t pending_in_ssl = BIO_pending(impl->from_ssl);
+ int pending_in_ssl = BIO_pending(impl->from_ssl);
if (pending_in_ssl > 0) {
*unprotected_bytes_size = 0;
+ GPR_ASSERT(*protected_output_frames_size <= INT_MAX);
read_from_ssl = BIO_read(impl->from_ssl, protected_output_frames,
- *protected_output_frames_size);
+ (int)*protected_output_frames_size);
if (read_from_ssl < 0) {
gpr_log(GPR_ERROR,
"Could not read from BIO even though some data is pending");
return TSI_INTERNAL_ERROR;
}
- *protected_output_frames_size = read_from_ssl;
+ *protected_output_frames_size = (size_t)read_from_ssl;
return TSI_OK;
}
@@ -678,13 +699,14 @@ static tsi_result ssl_protector_protect(tsi_frame_protector* self,
result = do_ssl_write(impl->ssl, impl->buffer, impl->buffer_size);
if (result != TSI_OK) return result;
+ GPR_ASSERT(*protected_output_frames_size <= INT_MAX);
read_from_ssl = BIO_read(impl->from_ssl, protected_output_frames,
- *protected_output_frames_size);
+ (int)*protected_output_frames_size);
if (read_from_ssl < 0) {
gpr_log(GPR_ERROR, "Could not read from BIO after SSL_write.");
return TSI_INTERNAL_ERROR;
}
- *protected_output_frames_size = read_from_ssl;
+ *protected_output_frames_size = (size_t)read_from_ssl;
*unprotected_bytes_size = available;
impl->buffer_offset = 0;
return TSI_OK;
@@ -696,6 +718,7 @@ static tsi_result ssl_protector_protect_flush(
tsi_result result = TSI_OK;
tsi_ssl_frame_protector* impl = (tsi_ssl_frame_protector*)self;
int read_from_ssl = 0;
+ int pending;
if (impl->buffer_offset != 0) {
result = do_ssl_write(impl->ssl, impl->buffer, impl->buffer_offset);
@@ -703,17 +726,22 @@ static tsi_result ssl_protector_protect_flush(
impl->buffer_offset = 0;
}
- *still_pending_size = BIO_pending(impl->from_ssl);
+ pending = BIO_pending(impl->from_ssl);
+ GPR_ASSERT(pending >= 0);
+ *still_pending_size = (size_t)pending;
if (*still_pending_size == 0) return TSI_OK;
+ GPR_ASSERT(*protected_output_frames_size <= INT_MAX);
read_from_ssl = BIO_read(impl->from_ssl, protected_output_frames,
- *protected_output_frames_size);
+ (int)*protected_output_frames_size);
if (read_from_ssl <= 0) {
gpr_log(GPR_ERROR, "Could not read from BIO after SSL_write.");
return TSI_INTERNAL_ERROR;
}
- *protected_output_frames_size = read_from_ssl;
- *still_pending_size = BIO_pending(impl->from_ssl);
+ *protected_output_frames_size = (size_t)read_from_ssl;
+ pending = BIO_pending(impl->from_ssl);
+ GPR_ASSERT(pending >= 0);
+ *still_pending_size = (size_t)pending;
return TSI_OK;
}
@@ -740,14 +768,15 @@ static tsi_result ssl_protector_unprotect(
*unprotected_bytes_size = output_bytes_size - output_bytes_offset;
/* Then, try to write some data to ssl. */
+ GPR_ASSERT(*protected_frames_bytes_size <= INT_MAX);
written_into_ssl = BIO_write(impl->into_ssl, protected_frames_bytes,
- *protected_frames_bytes_size);
+ (int)*protected_frames_bytes_size);
if (written_into_ssl < 0) {
gpr_log(GPR_ERROR, "Sending protected frame to ssl failed with %d",
written_into_ssl);
return TSI_INTERNAL_ERROR;
}
- *protected_frames_bytes_size = written_into_ssl;
+ *protected_frames_bytes_size = (size_t)written_into_ssl;
/* Now try to read some data again. */
result = do_ssl_read(impl->ssl, unprotected_bytes, unprotected_bytes_size);
@@ -781,7 +810,8 @@ static tsi_result ssl_handshaker_get_bytes_to_send_to_peer(tsi_handshaker* self,
*bytes_size > INT_MAX) {
return TSI_INVALID_ARGUMENT;
}
- bytes_read_from_ssl = BIO_read(impl->from_ssl, bytes, *bytes_size);
+ GPR_ASSERT(*bytes_size <= INT_MAX);
+ bytes_read_from_ssl = BIO_read(impl->from_ssl, bytes, (int)*bytes_size);
if (bytes_read_from_ssl < 0) {
*bytes_size = 0;
if (!BIO_should_retry(impl->from_ssl)) {
@@ -811,13 +841,15 @@ static tsi_result ssl_handshaker_process_bytes_from_peer(
if (bytes == NULL || bytes_size == 0 || *bytes_size > INT_MAX) {
return TSI_INVALID_ARGUMENT;
}
- bytes_written_into_ssl_size = BIO_write(impl->into_ssl, bytes, *bytes_size);
+ GPR_ASSERT(*bytes_size <= INT_MAX);
+ bytes_written_into_ssl_size =
+ BIO_write(impl->into_ssl, bytes, (int)*bytes_size);
if (bytes_written_into_ssl_size < 0) {
gpr_log(GPR_ERROR, "Could not write to memory BIO.");
impl->result = TSI_INTERNAL_ERROR;
return impl->result;
}
- *bytes_size = bytes_written_into_ssl_size;
+ *bytes_size = (size_t)bytes_written_into_ssl_size;
if (!tsi_handshaker_is_in_progress(self)) {
impl->result = TSI_OK;
@@ -1033,9 +1065,9 @@ static tsi_result create_tsi_ssl_handshaker(SSL_CTX* ctx, int is_client,
static int select_protocol_list(const unsigned char** out,
unsigned char* outlen,
const unsigned char* client_list,
- unsigned int client_list_len,
+ size_t client_list_len,
const unsigned char* server_list,
- unsigned int server_list_len) {
+ size_t server_list_len) {
const unsigned char* client_current = client_list;
while ((unsigned int)(client_current - client_list) < client_list_len) {
unsigned char client_current_len = *(client_current++);
@@ -1208,7 +1240,8 @@ static int server_handshaker_factory_npn_advertised_callback(
tsi_ssl_server_handshaker_factory* factory =
(tsi_ssl_server_handshaker_factory*)arg;
*out = factory->alpn_protocol_list;
- *outlen = factory->alpn_protocol_list_length;
+ GPR_ASSERT(factory->alpn_protocol_list_length <= UINT_MAX);
+ *outlen = (unsigned int)factory->alpn_protocol_list_length;
return SSL_TLSEXT_ERR_OK;
}
@@ -1266,8 +1299,10 @@ tsi_result tsi_create_ssl_client_handshaker_factory(
break;
}
#if TSI_OPENSSL_ALPN_SUPPORT
- if (SSL_CTX_set_alpn_protos(ssl_context, impl->alpn_protocol_list,
- impl->alpn_protocol_list_length)) {
+ GPR_ASSERT(impl->alpn_protocol_list_length < UINT_MAX);
+ if (SSL_CTX_set_alpn_protos(
+ ssl_context, impl->alpn_protocol_list,
+ (unsigned int)impl->alpn_protocol_list_length)) {
gpr_log(GPR_ERROR, "Could not set alpn protocol list to context.");
result = TSI_INVALID_ARGUMENT;
break;
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-26 14:49:52 +0000