Make aws-lc -Werrror clean

Change-Id: I8ff30785f78fdcda136ef3fe982f8cda2edec059

Author: schwabe

.github/workflows/build.yaml

@@ -498,7 +498,7 @@ jobs:
           OPENSSL_CFLAGS="-I${{ env.AWS_LC_INSTALL }}/include" \
           OPENSSL_LIBS="-L${{ env.AWS_LC_INSTALL }}/lib -lssl -lcrypto" \
           LDFLAGS="-Wl,-rpath=${{ env.AWS_LC_INSTALL }}/lib" \
-          ./configure --with-crypto-library=openssl
+          ./configure --with-crypto-library=openssl --enable-werror
       - name: make all
         run: make -j3
       - name: Ensure the build uses AWS-LC

src/openvpn/crypto_openssl.c

@@ -229,7 +229,7 @@ crypto_clear_error(void)
 void
 crypto_print_openssl_errors(const unsigned int flags)
 {
-    unsigned long err = 0;
+    openssl_err_t err = 0;
     int line, errflags;
     const char *file, *data, *func;
 
@@ -425,7 +425,7 @@ void
 print_digest(EVP_MD *digest, void *unused)
 {
     printf("%s %d bit digest size\n", md_kt_name(EVP_MD_get0_name(digest)),
-           EVP_MD_size(digest) * 8);
+           (int)EVP_MD_size(digest) * 8);
 }
 
 void
@@ -1022,7 +1022,7 @@ md_get(const char *digest)
                    "Message hash algorithm '%s' uses a default hash "
                    "size (%d bytes) which is larger than " PACKAGE_NAME "'s current "
                    "maximum hash size (%d bytes)",
-                   digest, EVP_MD_size(md), MAX_HMAC_KEY_LENGTH);
+                   digest, (int)EVP_MD_size(md), MAX_HMAC_KEY_LENGTH);
     }
     return md;
 }
@@ -1152,7 +1152,7 @@ md_ctx_cleanup(EVP_MD_CTX *ctx)
 int
 md_ctx_size(const EVP_MD_CTX *ctx)
 {
-    return EVP_MD_CTX_size(ctx);
+    return (int)EVP_MD_CTX_size(ctx);
 }
 
 void
@@ -1201,7 +1201,7 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, const char *mdname)
     evp_md_type *kt = md_get(mdname);
     ASSERT(NULL != kt && NULL != ctx);
 
-    int key_len = EVP_MD_size(kt);
+    size_t key_len = EVP_MD_size(kt);
     HMAC_CTX_reset(ctx);
     if (!HMAC_Init_ex(ctx, key, key_len, kt, NULL))
     {

src/openvpn/openssl_compat.h

@@ -45,6 +45,15 @@
 #include <openssl/x509.h>
 #include <openssl/err.h>
 
+/* Define the type of error. This is something that is less
+ * intrusive than casts everywhere */
+#if defined(OPENSSL_IS_AWSLC)
+typedef uint32_t openssl_err_t;
+#else
+typedef unsigned long openssl_err_t;
+#endif
+
+
 /* Functionality missing in 1.1.0 */
 #if OPENSSL_VERSION_NUMBER < 0x10101000L && !defined(ENABLE_CRYPTO_WOLFSSL)
 #define SSL_CTX_set1_groups SSL_CTX_set1_curves
@@ -157,12 +166,12 @@ EVP_MD_free(const EVP_MD *md)
     /* OpenSSL 1.1.1 and lower use only const EVP_MD, nothing to free */
 }
 
-static inline unsigned long
+static inline openssl_err_t
 ERR_get_error_all(const char **file, int *line, const char **func, const char **data, int *flags)
 {
     static const char *empty = "";
     *func = empty;
-    unsigned long err = ERR_get_error_line_data(file, line, data, flags);
+    openssl_err_t err = ERR_get_error_line_data(file, line, data, flags);
     return err;
 }
 

src/openvpn/ssl_openssl.c

@@ -518,8 +518,9 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
 void
 tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
 {
-#if OPENSSL_VERSION_NUMBER > 0x10100000L \
-    && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3060000fL)
+#if OPENSSL_VERSION_NUMBER > 0x10100000L                                            \
+    && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3060000fL) \
+    && !defined(OPENSSL_IS_AWSLC)
     /* OpenSSL does not have certificate profiles, but a complex set of
      * callbacks that we could try to implement to achieve something similar.
      * For now, use OpenSSL's security levels to achieve similar (but not equal)
@@ -549,7 +550,7 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
     if (profile)
     {
         msg(M_WARN,
-            "WARNING: OpenSSL 1.1.0 and LibreSSL do not support "
+            "WARNING: OpenSSL 1.1.0, aws-lc and LibreSSL do not support "
             "--tls-cert-profile, ignoring user-set profile: '%s'",
             profile);
     }
@@ -906,7 +907,6 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs
     X509 *cert;
     STACK_OF(X509) *ca = NULL;
     PKCS12 *p12;
-    int i;
     char password[256];
 
     ASSERT(NULL != ctx);
@@ -990,7 +990,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs
          */
         if (ca && sk_X509_num(ca))
         {
-            for (i = 0; i < sk_X509_num(ca); i++)
+            for (size_t i = 0; i < (size_t)sk_X509_num(ca); i++)
             {
                 X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx);
                 if (!X509_STORE_add_cert(cert_store, sk_X509_value(ca, i)))
@@ -1015,7 +1015,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs
          */
         if (ca && sk_X509_num(ca))
         {
-            for (i = 0; i < sk_X509_num(ca); i++)
+            for (size_t i = 0; i < (size_t)sk_X509_num(ca); i++)
             {
                 if (!SSL_CTX_add_extra_chain_cert(ctx->ctx, sk_X509_value(ca, i)))
                 {
@@ -1331,7 +1331,7 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, b
      * we need to manually find the CRL object from the stack
      * and remove it */
     STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
-    for (int i = 0; i < sk_X509_OBJECT_num(objs); i++)
+    for (size_t i = 0; i < (size_t)sk_X509_OBJECT_num(objs); i++)
     {
         X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
         ASSERT(obj);
@@ -1591,7 +1591,7 @@ static int
 ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig,
            unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *ec)
 {
-    int capacity = ECDSA_size(ec);
+    int capacity = (int)ECDSA_size(ec);
     /*
      * ECDSA does not seem to have proper constants for paddings since
      * there are only signatures without padding at the moment, use
@@ -1607,12 +1607,14 @@ ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig,
     return 0;
 }
 
+#ifndef OPENSSL_IS_AWSLC
 /* EC_KEY_METHOD callback: sign_setup(). We do no precomputations */
 static int
 ecdsa_sign_setup(EC_KEY *ec, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 {
     return 1;
 }
+#endif
 
 /* EC_KEY_METHOD callback: sign_sig().
  * Sign the hash and return the result as a newly allocated ECDS_SIG
@@ -1623,7 +1625,7 @@ ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, const BIGNUM *in_kinv, co
                EC_KEY *ec)
 {
     ECDSA_SIG *ecsig = NULL;
-    unsigned int len = ECDSA_size(ec);
+    unsigned int len = (unsigned int)ECDSA_size(ec);
     struct gc_arena gc = gc_new();
 
     unsigned char *buf = gc_malloc(len, false, &gc);
@@ -1790,7 +1792,7 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inli
     X509_STORE *store = NULL;
     X509_NAME *xn = NULL;
     BIO *in = NULL;
-    int i, added = 0, prev = 0;
+    size_t added = 0, prev = 0;
 
     ASSERT(NULL != ctx);
 
@@ -1819,7 +1821,7 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inli
 
         if (info_stack)
         {
-            for (i = 0; i < sk_X509_INFO_num(info_stack); i++)
+            for (size_t i = 0; i < (size_t)sk_X509_INFO_num(info_stack); i++)
             {
                 X509_INFO *info = sk_X509_INFO_value(info_stack, i);
                 if (info->crl)
@@ -1872,19 +1874,19 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inli
 
                 if (tls_server)
                 {
-                    int cnum = sk_X509_NAME_num(cert_names);
+                    size_t cnum = sk_X509_NAME_num(cert_names);
                     if (cnum != (prev + 1))
                     {
                         crypto_msg(M_WARN,
-                                   "Cannot load CA certificate file %s (entry %d did not validate)",
+                                   "Cannot load CA certificate file %s (entry %zu did not validate)",
                                    print_key_filename(ca_file, ca_file_inline), added);
                     }
                     prev = cnum;
                 }
             }
             sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
         }
-        int cnum;
+        size_t cnum;
         if (tls_server)
         {
             cnum = sk_X509_NAME_num(cert_names);
@@ -1902,8 +1904,8 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inli
             if (cnum != added)
             {
                 crypto_msg(M_FATAL,
-                           "Cannot load CA certificate file %s (only %d "
-                           "of %d entries were valid X509 names)",
+                           "Cannot load CA certificate file %s (only %zu "
+                           "of %zu entries were valid X509 names)",
                            print_key_filename(ca_file, ca_file_inline), cnum, added);
             }
         }
@@ -2552,7 +2554,7 @@ show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_pr
 #else
     STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
 #endif
-    for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++)
+    for (size_t i = 0; i < (size_t)sk_SSL_CIPHER_num(sk); i++)
     {
         const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
 

src/openvpn/ssl_verify_openssl.c

@@ -138,10 +138,10 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, size_t size)
          * one, but we don't depend on it...
          */
 
-        int numalts = sk_GENERAL_NAME_num(extensions);
+        size_t numalts = sk_GENERAL_NAME_num(extensions);
 
         /* loop through all alternatives */
-        for (int i = 0; i < numalts; i++)
+        for (size_t i = 0; i < numalts; i++)
         {
             /* get a handle to alternative name number i */
             const GENERAL_NAME *name = sk_GENERAL_NAME_value(extensions, i);
@@ -344,7 +344,7 @@ x509_get_sha1_fingerprint(X509 *cert, struct gc_arena *gc)
     const EVP_MD *sha1 = EVP_sha1();
     struct buffer hash = alloc_buf_gc((size_t)EVP_MD_size(sha1), gc);
     X509_digest(cert, EVP_sha1(), BPTR(&hash), NULL);
-    ASSERT(buf_inc_len(&hash, EVP_MD_size(sha1)));
+    ASSERT(buf_inc_len(&hash, (int)EVP_MD_size(sha1)));
     return hash;
 }
 
@@ -354,7 +354,7 @@ x509_get_sha256_fingerprint(X509 *cert, struct gc_arena *gc)
     const EVP_MD *sha256 = EVP_sha256();
     struct buffer hash = alloc_buf_gc((size_t)EVP_MD_size(sha256), gc);
     X509_digest(cert, EVP_sha256(), BPTR(&hash), NULL);
-    ASSERT(buf_inc_len(&hash, EVP_MD_size(sha256)));
+    ASSERT(buf_inc_len(&hash, (int)EVP_MD_size(sha256)));
     return hash;
 }
 
@@ -739,10 +739,8 @@ x509_verify_cert_eku(X509 *x509, const char *const expected_oid)
     }
     else
     {
-        int i;
-
         msg(D_HANDSHAKE, "Validating certificate extended key usage");
-        for (i = 0; SUCCESS != fFound && i < sk_ASN1_OBJECT_num(eku); i++)
+        for (size_t i = 0; SUCCESS != fFound && i < (size_t)sk_ASN1_OBJECT_num(eku); i++)
         {
             ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(eku, i);
             char szOid[1024];
@@ -791,7 +789,7 @@ tls_verify_crl_missing(const struct tls_options *opt)
     }
 
     STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
-    for (int i = 0; i < sk_X509_OBJECT_num(objs); i++)
+    for (size_t i = 0; i < (size_t)sk_X509_OBJECT_num(objs); i++)
     {
         X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
         ASSERT(obj);