fix remaining shorten-64-to-32 warnings

Add checks before casting.
cisco · Jan 21, 2025 · 6e6c1dc · 6e6c1dc
1 parent ebfb916
commit 6e6c1dc
Show file tree

Hide file tree

Showing 13 changed files with 117 additions and 30 deletions.
diff --git a/crypto/cipher/aes_gcm_mbedtls.c b/crypto/cipher/aes_gcm_mbedtls.c
@@ -281,7 +281,7 @@ static srtp_err_status_t srtp_aes_gcm_mbedtls_context_init(void *cv,
 
     debug_print(srtp_mod_aes_gcm, "key:  %s",
                 srtp_octet_string_hex_string(key, c->key_size));
-    key_len_in_bits = (c->key_size << 3);
+    key_len_in_bits = (uint32_t)(c->key_size << 3);
     switch (c->key_size) {
     case SRTP_AES_256_KEY_LEN:
     case SRTP_AES_128_KEY_LEN:

diff --git a/crypto/cipher/aes_gcm_nss.c b/crypto/cipher/aes_gcm_nss.c
@@ -56,6 +56,7 @@
 #include "cipher_test_cases.h"
 #include <secerr.h>
 #include <nspr.h>
+#include <limits.h>
 
 srtp_debug_module_t srtp_mod_aes_gcm = {
     false,        /* debugging is off by default */
@@ -215,7 +216,7 @@ static srtp_err_status_t srtp_aes_gcm_nss_context_init(void *cv,
 
     /* explicitly cast away const of key */
     SECItem key_item = { siBuffer, (unsigned char *)(uintptr_t)key,
-                         c->key_size };
+                         (unsigned)c->key_size };
     c->key = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap,
                                CKA_ENCRYPT, &key_item, NULL);
     PK11_FreeSlot(slot);
@@ -296,6 +297,10 @@ static srtp_err_status_t srtp_aes_gcm_nss_do_crypto(void *cv,
     // Reset AAD
     c->aad_size = 0;
 
+    if (src_len > UINT_MAX || *dst_len > UINT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
     unsigned int out_len = 0;
     int rv;
     SECItem param = { siBuffer, (unsigned char *)&c->params,
@@ -309,8 +314,8 @@ static srtp_err_status_t srtp_aes_gcm_nss_do_crypto(void *cv,
             return srtp_err_status_buffer_small;
         }
 
-        rv = PK11_Encrypt(c->key, CKM_AES_GCM, &param, dst, &out_len, *dst_len,
-                          src, src_len);
+        rv = PK11_Encrypt(c->key, CKM_AES_GCM, &param, dst, &out_len,
+                          (unsigned int)*dst_len, src, (unsigned int)src_len);
     } else {
         if (c->dir != srtp_direction_decrypt) {
             return srtp_err_status_bad_param;
@@ -324,8 +329,8 @@ static srtp_err_status_t srtp_aes_gcm_nss_do_crypto(void *cv,
             return srtp_err_status_buffer_small;
         }
 
-        rv = PK11_Decrypt(c->key, CKM_AES_GCM, &param, dst, &out_len, *dst_len,
-                          src, src_len);
+        rv = PK11_Decrypt(c->key, CKM_AES_GCM, &param, dst, &out_len,
+                          (unsigned int)*dst_len, src, (unsigned int)src_len);
     }
     *dst_len = out_len;
     srtp_err_status_t status = srtp_err_status_ok;

diff --git a/crypto/cipher/aes_gcm_ossl.c b/crypto/cipher/aes_gcm_ossl.c
@@ -258,6 +258,10 @@ static srtp_err_status_t srtp_aes_gcm_openssl_set_aad(void *cv,
     debug_print(srtp_mod_aes_gcm, "setting AAD: %s",
                 srtp_octet_string_hex_string(aad, aad_len));
 
+    if (aad_len > INT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
     if (c->dir == srtp_direction_encrypt) {
         if (EVP_EncryptUpdate(c->ctx, NULL, &len, aad, (int)aad_len) != 1) {
             return srtp_err_status_algo_fail;
@@ -300,6 +304,10 @@ static srtp_err_status_t srtp_aes_gcm_openssl_encrypt(void *cv,
         return srtp_err_status_buffer_small;
     }
 
+    if (src_len > INT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
     /*
      * Encrypt the data
      */
@@ -357,6 +365,10 @@ static srtp_err_status_t srtp_aes_gcm_openssl_decrypt(void *cv,
         return srtp_err_status_buffer_small;
     }
 
+    if (src_len > INT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
     /*
      * Decrypt the data
      */

diff --git a/crypto/cipher/aes_gcm_wssl.c b/crypto/cipher/aes_gcm_wssl.c
@@ -57,6 +57,7 @@
 #include "crypto_types.h"
 #include "cipher_types.h"
 #include "cipher_test_cases.h"
+#include <limits.h>
 
 srtp_debug_module_t srtp_mod_aes_gcm = {
     0,             /* debugging is off by default */
@@ -225,7 +226,8 @@ static srtp_err_status_t srtp_aes_gcm_wolfssl_context_init(void *cv,
         }
     }
 
-    err = wc_AesGcmSetKey(c->ctx, (const unsigned char *)key, c->key_size);
+    err = wc_AesGcmSetKey(c->ctx, (const unsigned char *)key,
+                          (word32)c->key_size);
     if (err < 0) {
         debug_print(srtp_mod_aes_gcm, "wolfSSL error code:  %d", err);
         return srtp_err_status_init_fail;
@@ -298,10 +300,16 @@ static srtp_err_status_t srtp_aes_gcm_wolfssl_set_aad(void *cv,
     memcpy(c->aad + c->aad_size, aad, aad_len);
     c->aad_size += aad_len;
 #else
+    if (aad_len > INT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
     if (c->dir == srtp_direction_encrypt) {
-        err = wc_AesGcmEncryptUpdate(c->ctx, NULL, NULL, 0, aad, aad_len);
+        err =
+            wc_AesGcmEncryptUpdate(c->ctx, NULL, NULL, 0, aad, (word32)aad_len);
     } else {
-        err = wc_AesGcmDecryptUpdate(c->ctx, NULL, NULL, 0, aad, aad_len);
+        err =
+            wc_AesGcmDecryptUpdate(c->ctx, NULL, NULL, 0, aad, (word32)aad_len);
     }
     if (err < 0) {
         debug_print(srtp_mod_aes_gcm, "wolfSSL error code:  %d", err);
@@ -338,6 +346,10 @@ static srtp_err_status_t srtp_aes_gcm_wolfssl_encrypt(void *cv,
         return srtp_err_status_buffer_small;
     }
 
+    if (src_len > INT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
 #ifndef WOLFSSL_AESGCM_STREAM
     // tag must always be 16 bytes when passed to wc_AesGcmEncrypt, can truncate
     // to c->tag_len after
@@ -349,12 +361,12 @@ static srtp_err_status_t srtp_aes_gcm_wolfssl_encrypt(void *cv,
         memcpy(dst + src_len, tag, c->tag_len);
     }
 #else
-    err = wc_AesGcmEncryptUpdate(c->ctx, dst, src, src_len, NULL, 0);
+    err = wc_AesGcmEncryptUpdate(c->ctx, dst, src, (word32)src_len, NULL, 0);
     if (err < 0) {
         debug_print(srtp_mod_aes_gcm, "wolfSSL error code:  %d", err);
         return srtp_err_status_algo_fail;
     }
-    err = wc_AesGcmEncryptFinal(c->ctx, dst + src_len, c->tag_len);
+    err = wc_AesGcmEncryptFinal(c->ctx, dst + src_len, (word32)c->tag_len);
 #endif
     if (err < 0) {
         debug_print(srtp_mod_aes_gcm, "wolfSSL error code:  %d", err);
@@ -397,6 +409,10 @@ static srtp_err_status_t srtp_aes_gcm_wolfssl_decrypt(void *cv,
         return srtp_err_status_buffer_small;
     }
 
+    if (src_len > INT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
 #ifndef WOLFSSL_AESGCM_STREAM
     debug_print(srtp_mod_aes_gcm, "AAD: %s",
                 srtp_octet_string_hex_string(c->aad, c->aad_size));
@@ -406,14 +422,14 @@ static srtp_err_status_t srtp_aes_gcm_wolfssl_decrypt(void *cv,
                            c->aad, c->aad_size);
     c->aad_size = 0;
 #else
-    err = wc_AesGcmDecryptUpdate(c->ctx, dst, src, (src_len - c->tag_len), NULL,
-                                 0);
+    err = wc_AesGcmDecryptUpdate(c->ctx, dst, src,
+                                 (word32)(src_len - c->tag_len), NULL, 0);
     if (err < 0) {
         debug_print(srtp_mod_aes_gcm, "wolfSSL error code:  %d", err);
         return srtp_err_status_algo_fail;
     }
-    err =
-        wc_AesGcmDecryptFinal(c->ctx, src + (src_len - c->tag_len), c->tag_len);
+    err = wc_AesGcmDecryptFinal(c->ctx, src + (src_len - c->tag_len),
+                                (word32)c->tag_len);
 #endif
     if (err < 0) {
         debug_print(srtp_mod_aes_gcm, "wolfSSL error code:  %d", err);

diff --git a/crypto/cipher/aes_icm_mbedtls.c b/crypto/cipher/aes_icm_mbedtls.c
@@ -301,7 +301,7 @@ static srtp_err_status_t srtp_aes_icm_mbedtls_context_init(void *cv,
                                                            const uint8_t *key)
 {
     srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv;
-    uint32_t key_size_in_bits = (c->key_size << 3);
+    uint32_t key_size_in_bits = (uint32_t)(c->key_size << 3);
     int errcode = 0;
 
     /*

diff --git a/crypto/cipher/aes_icm_nss.c b/crypto/cipher/aes_icm_nss.c
@@ -54,6 +54,8 @@
 #include "cipher_types.h"
 #include "cipher_test_cases.h"
 
+#include <limits.h>
+
 srtp_debug_module_t srtp_mod_aes_icm = {
     false,        /* debugging is off by default */
     "aes icm nss" /* printable module name       */
@@ -256,7 +258,7 @@ static srtp_err_status_t srtp_aes_icm_nss_context_init(void *cv,
 
     /* explicitly cast away const of key */
     SECItem keyItem = { siBuffer, (unsigned char *)(uintptr_t)key,
-                        c->key_size };
+                        (unsigned int)c->key_size };
     c->key = PK11_ImportSymKey(slot, CKM_AES_CTR, PK11_OriginUnwrap,
                                CKA_ENCRYPT, &keyItem, NULL);
     PK11_FreeSlot(slot);
@@ -342,8 +344,13 @@ static srtp_err_status_t srtp_aes_icm_nss_encrypt(void *cv,
         return srtp_err_status_buffer_small;
     }
 
+    if (src_len > UINT_MAX || *dst_len > UINT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
     int out_len = 0;
-    int rv = PK11_CipherOp(c->ctx, dst, &out_len, *dst_len, src, src_len);
+    int rv = PK11_CipherOp(c->ctx, dst, &out_len, (unsigned int)*dst_len, src,
+                           (unsigned int)src_len);
     *dst_len = out_len;
     srtp_err_status_t status = srtp_err_status_ok;
     if (rv != SECSuccess) {

diff --git a/crypto/cipher/aes_icm_ossl.c b/crypto/cipher/aes_icm_ossl.c
@@ -316,6 +316,10 @@ static srtp_err_status_t srtp_aes_icm_openssl_encrypt(void *cv,
         return srtp_err_status_buffer_small;
     }
 
+    if (src_len > INT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
     if (!EVP_EncryptUpdate(c->ctx, dst, &len, src, (int)src_len)) {
         return srtp_err_status_cipher_fail;
     }

diff --git a/crypto/cipher/aes_icm_wssl.c b/crypto/cipher/aes_icm_wssl.c
@@ -56,6 +56,7 @@
 #include "alloc.h"
 #include "cipher_types.h"
 #include "cipher_test_cases.h"
+#include <limits.h>
 
 srtp_debug_module_t srtp_mod_aes_icm = {
     0,             /* debugging is off by default */
@@ -326,7 +327,11 @@ static srtp_err_status_t srtp_aes_icm_wolfssl_encrypt(void *cv,
         return srtp_err_status_buffer_small;
     }
 
-    err = wc_AesCtrEncrypt(c->ctx, dst, src, src_len);
+    if (src_len > INT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
+    err = wc_AesCtrEncrypt(c->ctx, dst, src, (word32)src_len);
     if (err < 0) {
         debug_print(srtp_mod_aes_icm, "wolfSSL encrypt error: %d", err);
         return srtp_err_status_cipher_fail;

diff --git a/crypto/hash/hmac_nss.c b/crypto/hash/hmac_nss.c
@@ -48,6 +48,8 @@
 #include <nss.h>
 #include <pk11pub.h>
 
+#include <limits.h>
+
 #define SHA1_DIGEST_SIZE 20
 
 /* the debug module for authentiation */
@@ -187,8 +189,13 @@ static srtp_err_status_t srtp_hmac_init(void *statev,
         return srtp_err_status_bad_param;
     }
 
+    if (key_len > UINT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
     /* explicitly cast away const of key */
-    SECItem key_item = { siBuffer, (unsigned char *)(uintptr_t)key, key_len };
+    SECItem key_item = { siBuffer, (unsigned char *)(uintptr_t)key,
+                         (unsigned int)key_len };
     sym_key = PK11_ImportSymKey(slot, CKM_SHA_1_HMAC, PK11_OriginUnwrap,
                                 CKA_SIGN, &key_item, NULL);
     PK11_FreeSlot(slot);
@@ -221,7 +228,12 @@ static srtp_err_status_t srtp_hmac_update(void *statev,
     debug_print(srtp_mod_hmac, "input: %s",
                 srtp_octet_string_hex_string(message, msg_octets));
 
-    if (PK11_DigestOp(hmac->ctx, message, msg_octets) != SECSuccess) {
+    if (msg_octets > UINT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
+    if (PK11_DigestOp(hmac->ctx, message, (unsigned int)msg_octets) !=
+        SECSuccess) {
         return srtp_err_status_auth_fail;
     }
 
@@ -247,7 +259,12 @@ static srtp_err_status_t srtp_hmac_compute(void *statev,
         return srtp_err_status_bad_param;
     }
 
-    if (PK11_DigestOp(hmac->ctx, message, msg_octets) != SECSuccess) {
+    if (msg_octets > UINT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
+    if (PK11_DigestOp(hmac->ctx, message, (unsigned int)msg_octets) !=
+        SECSuccess) {
         return srtp_err_status_auth_fail;
     }
 

diff --git a/crypto/hash/hmac_ossl.c b/crypto/hash/hmac_ossl.c
@@ -240,7 +240,11 @@ static srtp_err_status_t srtp_hmac_init(void *statev,
         return srtp_err_status_auth_fail;
     }
 #else
-    if (HMAC_Init_ex(hmac->ctx, key, key_len, EVP_sha1(), NULL) == 0) {
+    if (key_len > INT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
+    if (HMAC_Init_ex(hmac->ctx, key, (int)key_len, EVP_sha1(), NULL) == 0) {
         return srtp_err_status_auth_fail;
     }
 #endif

diff --git a/crypto/hash/hmac_wssl.c b/crypto/hash/hmac_wssl.c
@@ -53,6 +53,7 @@
 #include "alloc.h"
 #include "err.h" /* for srtp_debug */
 #include "auth_test_cases.h"
+#include <limits.h>
 
 #define SHA1_DIGEST_SIZE 20
 
@@ -135,7 +136,11 @@ static srtp_err_status_t srtp_hmac_wolfssl_init(void *statev,
     Hmac *state = (Hmac *)statev;
     int err;
 
-    err = wc_HmacSetKey(state, WC_SHA, key, key_len);
+    if (key_len > INT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
+    err = wc_HmacSetKey(state, WC_SHA, key, (word32)key_len);
     if (err < 0) {
         debug_print(srtp_mod_hmac, "wolfSSL error code: %d", err);
         return srtp_err_status_auth_fail;
@@ -154,7 +159,11 @@ static srtp_err_status_t srtp_hmac_wolfssl_update(void *statev,
     debug_print(srtp_mod_hmac, "input: %s",
                 srtp_octet_string_hex_string(message, msg_octets));
 
-    err = wc_HmacUpdate(state, message, msg_octets);
+    if (msg_octets > INT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
+    err = wc_HmacUpdate(state, message, (word32)msg_octets);
     if (err < 0) {
         debug_print(srtp_mod_hmac, "wolfSSL error code: %d", err);
         return srtp_err_status_auth_fail;
@@ -182,8 +191,12 @@ static srtp_err_status_t srtp_hmac_wolfssl_compute(void *statev,
         return srtp_err_status_bad_param;
     }
 
+    if (msg_octets > INT_MAX) {
+        return srtp_err_status_bad_param;
+    }
+
     /* hash message, copy output into H */
-    err = wc_HmacUpdate(state, message, msg_octets);
+    err = wc_HmacUpdate(state, message, (word32)msg_octets);
     if (err < 0) {
         debug_print(srtp_mod_hmac, "wolfSSL error code: %d", err);
         return srtp_err_status_auth_fail;

diff --git a/crypto/math/datatypes.c b/crypto/math/datatypes.c
@@ -210,7 +210,7 @@ void v128_left_shift(v128_t *x, size_t shift)
         return;
     }
 
-    const int base_index = shift >> 5;
+    const int base_index = (int)(shift >> 5);
     const int bit_index = shift & 31;
 
     __m128i mm = _mm_loadu_si128((const __m128i *)x);
@@ -325,8 +325,8 @@ void bitvector_left_shift(bitvector_t *x, size_t shift)
         ((const __m128i *)right_shift_masks)[4u - (base_index & 3u)];
     __m128i mm_left_shift_mask =
         ((const __m128i *)left_shift_masks)[base_index & 3u];
-    __m128i mm_shift_right = _mm_cvtsi32_si128(bit_index);
-    __m128i mm_shift_left = _mm_cvtsi32_si128(32 - bit_index);
+    __m128i mm_shift_right = _mm_cvtsi32_si128((int)bit_index);
+    __m128i mm_shift_left = _mm_cvtsi32_si128((int)(32 - bit_index));
 
     __m128i mm_current = _mm_loadu_si128(from);
     __m128i mm_current_r = _mm_srl_epi32(mm_current, mm_shift_right);