lsh123 · lsh123 · Feb 8, 2025 · Feb 7, 2025 · Feb 8, 2025 · Feb 8, 2025
diff --git a/src/openssl/app.c b/src/openssl/app.c
@@ -760,7 +760,7 @@ xmlSecOpenSSLAppCheckCertMatchesKey(EVP_PKEY * pKey,  X509 * cert) {
 static X509 *
 xmlSecOpenSSLAppFindKeyCert(EVP_PKEY * pKey, STACK_OF(X509) * certs) {
     X509 * cert;
-    int ii, size;
+    xmlSecOpenSSLSizeT ii, size;
     int ret;
 
     xmlSecAssert2(pKey != NULL, NULL);

diff --git a/src/openssl/ciphers.c b/src/openssl/ciphers.c
@@ -127,7 +127,6 @@ xmlSecOpenSSLEvpBlockCipherCtxInit(xmlSecOpenSSLEvpBlockCipherCtxPtr ctx,
             xmlSecInternalError2("xmlSecBufferAppend", cipherName, "size=%d", ivLen);
             return(-1);
         }
-
     } else {
         /* if we don't have enough data, exit and hope that
          * we'll have iv next time */

diff --git a/src/openssl/globals.h b/src/openssl/globals.h
@@ -18,6 +18,8 @@
 #include "config.h"
 #endif /* HAVE_CONFIG_H */
 
+#include <openssl/crypto.h>
+
 #define IN_XMLSEC_CRYPTO
 #define XMLSEC_PRIVATE
 
@@ -31,17 +33,24 @@
  */
 #define XMLSEC_OPENSSL_ERROR_BUFFER_SIZE                1024
 
+/** AWS LC and OpenSSL have different types for error code type */
+#ifdef OPENSSL_IS_AWSLC
+typedef uint32_t xmlSecOpenSSLErrorType;
+#else /* OPENSSL_IS_AWSLC */
+typedef unsigned long xmlSecOpenSSLErrorType;
+#endif /* ! OPENSSL_IS_AWSLC */
+
 /**
  * xmlSecOpenSSLError:
  * @errorFunction:      the failed function name.
  * @errorObject:        the error specific error object (e.g. transform, key data, etc).
  *
  * Macro. The XMLSec library macro for reporting OpenSSL crypro errors.
  */
-#define __xmlSecOpenSSLError(errorType, errorFunction, errorObject)      \
+#define xmlSecOpenSSLError(errorFunction, errorObject)      \
     {                                                       \
         char _openssl_error_buf[XMLSEC_OPENSSL_ERROR_BUFFER_SIZE]; \
-        errorType _openssl_error_code = ERR_peek_last_error(); \
+        xmlSecOpenSSLErrorType _openssl_error_code = ERR_peek_last_error(); \
         ERR_error_string_n(_openssl_error_code, _openssl_error_buf, sizeof(_openssl_error_buf)); \
         xmlSecError(XMLSEC_ERRORS_HERE,                     \
                     (const char*)(errorObject),             \
@@ -62,9 +71,9 @@
  *
  * Macro. The XMLSec library macro for reporting OpenSSL crypro errors.
  */
-#define __xmlSecOpenSSLError2(errorType, errorFunction, errorObject, msg, param) \
+#define xmlSecOpenSSLError2(errorFunction, errorObject, msg, param) \
         char _openssl_error_buf[XMLSEC_OPENSSL_ERROR_BUFFER_SIZE];  \
-        errorType _openssl_error_code = ERR_peek_last_error();  \
+        xmlSecOpenSSLErrorType _openssl_error_code = ERR_peek_last_error();  \
         ERR_error_string_n(_openssl_error_code, _openssl_error_buf, sizeof(_openssl_error_buf)); \
         xmlSecError(XMLSEC_ERRORS_HERE,                     \
                     (const char*)(errorObject),             \
@@ -85,9 +94,9 @@
   *
   * Macro. The XMLSec library macro for reporting OpenSSL crypro errors.
   */
-#define __xmlSecOpenSSLError3(errorType, errorFunction, errorObject, msg, param1, param2) \
+#define xmlSecOpenSSLError3(errorFunction, errorObject, msg, param1, param2) \
         char _openssl_error_buf[XMLSEC_OPENSSL_ERROR_BUFFER_SIZE];  \
-        errorType _openssl_error_code = ERR_peek_last_error();  \
+        xmlSecOpenSSLErrorType _openssl_error_code = ERR_peek_last_error();  \
         ERR_error_string_n(_openssl_error_code, _openssl_error_buf, sizeof(_openssl_error_buf)); \
         xmlSecError(XMLSEC_ERRORS_HERE,                     \
                     (const char*)(errorObject),             \
@@ -99,26 +108,4 @@
                     xmlSecErrorsSafeString(_openssl_error_buf) \
         );                                                  \
 
-
-
-#ifdef OPENSSL_IS_BORINGSSL
-
-#define xmlSecOpenSSLError(errorFunction, errorObject) \
-	__xmlSecOpenSSLError(uint32_t, errorFunction, errorObject)
-#define xmlSecOpenSSLError2(errorFunction, errorObject, msg, param) \
-	__xmlSecOpenSSLError2(uint32_t, errorFunction, errorObject, msg, param)
-#define xmlSecOpenSSLError3(errorFunction, errorObject, msg, param1, param2) \
-	__xmlSecOpenSSLError3(uint32_t, errorFunction, errorObject, msg, param1, param2)
-
-#else /* OPENSSL_IS_BORINGSSL */
-
-#define xmlSecOpenSSLError(errorFunction, errorObject) \
-	__xmlSecOpenSSLError(unsigned long, errorFunction, errorObject)
-#define xmlSecOpenSSLError2(errorFunction, errorObject, msg, param) \
-	__xmlSecOpenSSLError2(unsigned long, errorFunction, errorObject, msg, param)
-#define xmlSecOpenSSLError3(errorFunction, errorObject, msg, param1, param2) \
-	__xmlSecOpenSSLError3(unsigned long, errorFunction, errorObject, msg, param1, param2)
-
-#endif /* ! OPENSSL_IS_BORINGSSL */
-
 #endif /* ! __XMLSEC_GLOBALS_H__ */
diff --git a/src/openssl/openssl_compat.h b/src/openssl/openssl_compat.h
@@ -7,40 +7,35 @@
 #ifndef __XMLSEC_OPENSSL_OPENSSL_COMPAT_H__
 #define __XMLSEC_OPENSSL_OPENSSL_COMPAT_H__
 
+#include <openssl/crypto.h>
 #include <openssl/rand.h>
 
 #include "../cast_helpers.h"
 
 
 /******************************************************************************
  *
- * boringssl compatibility
+ * AWS LC compatibility (based on BoringSSL)
  *
  *****************************************************************************/
-#ifdef OPENSSL_IS_BORINGSSL
-
-/* Not implemented by LibreSSL (yet?) */
-#define XMLSEC_OPENSSL_NO_ASN1_TIME_TO_TM   1
-#define XMLSEC_OPENSSL_NO_STORE             1
-#define XMLSEC_OPENSSL_NO_DEEP_COPY         1
-#define XMLSEC_OPENSSL_NO_CRL_VERIFICATION  1
-#define XMLSEC_NO_RSA_OAEP                  1
-#define XMLSEC_NO_DH                        1
-#define XMLSEC_NO_DSA                       1
-#define XMLSEC_NO_SHA3                      1
+#ifdef OPENSSL_IS_AWSLC
 
+#ifndef OPENSSL_IS_BORINGSSL
+#define OPENSSL_IS_BORINGSSL
+#endif /* OPENSSL_IS_BORINGSSL */
 
 #define EVP_CIPHER_key_length   (int)EVP_CIPHER_key_length
 #define EVP_CIPHER_iv_length    (int)EVP_CIPHER_iv_length
 #define EVP_CIPHER_block_size   (int)EVP_CIPHER_block_size
 
 #define ECDSA_do_verify(digest, digest_len, sig, key) \
-    ECDSA_do_verify(digest, (size_t)(digest_len), sig, key)
+       ECDSA_do_verify(digest, (size_t)(digest_len), sig, key)
 #define ECDSA_do_sign(digest, digest_len, key) \
-    ECDSA_do_sign(digest, (size_t)(digest_len), key)
+       ECDSA_do_sign(digest, (size_t)(digest_len), key)
 
 #define HMAC_Init_ex(ctx, key, key_len, md, impl) \
        HMAC_Init_ex(ctx, key, (size_t)(key_len), md, impl)
+
 #define AES_set_encrypt_key(user_key, bits, aes_key) \
        AES_set_encrypt_key(user_key, (unsigned)(bits), aes_key)
 #define AES_set_decrypt_key(user_key, bits, aes_key) \
@@ -51,7 +46,6 @@
 #define RSA_private_decrypt(flen, from, to, rsa, padding) \
        RSA_private_decrypt((size_t)(flen), from, to, rsa, padding)
 
-
 #define EVP_MD_size (int)EVP_MD_size
 #define RSA_size    (int)RSA_size
 
@@ -60,29 +54,37 @@
 #define BN_bn2bin    (int)BN_bn2bin
 #define BN_bin2bn(in, len, ret) BN_bin2bn(in, (size_t)(len), ret)
 
-#define sk_X509_insert   (int)sk_X509_insert
-#define sk_X509_push     (int)sk_X509_push
-#define sk_X509_num      (int)sk_X509_num
-#define sk_X509_CRL_num  (int)sk_X509_CRL_num
-#define sk_X509_CRL_push (int)sk_X509_CRL_push
-#define sk_X509_CRL_value(sk, idx)        sk_X509_CRL_value(sk, (size_t)(idx))
-#define sk_X509_value(sk, idx)            sk_X509_value(sk, (size_t)(idx))
-#define sk_X509_NAME_ENTRY_value(sk, idx) sk_X509_NAME_ENTRY_value(sk, (size_t)(idx))
-#define sk_X509_REVOKED_value(sk, idx)    sk_X509_REVOKED_value(sk, (size_t)(idx))
-
 #define BIO_pending      (int)BIO_pending
 
-#define sk_X509_NAME_ENTRY_num (int)sk_X509_NAME_ENTRY_num
-#define sk_X509_NAME_ENTRY_push (int)sk_X509_NAME_ENTRY_push
+#endif /* ! OPENSSL_IS_AWSLC */
+
+
+/******************************************************************************
+ *
+ * boringssl compatibility
+ *
+ *****************************************************************************/
+#ifdef OPENSSL_IS_BORINGSSL
+
+/* Not implemented by LibreSSL (yet?) */
+#define XMLSEC_OPENSSL_NO_ASN1_TIME_TO_TM   1
+#define XMLSEC_OPENSSL_NO_STORE             1
+#define XMLSEC_OPENSSL_NO_DEEP_COPY         1
+#define XMLSEC_OPENSSL_NO_CRL_VERIFICATION  1
+#define XMLSEC_NO_RSA_OAEP                  1
+#define XMLSEC_NO_DH                        1
+#define XMLSEC_NO_DSA                       1
+#define XMLSEC_NO_SHA3                      1
+
 
 #define ENGINE_cleanup(...)                 {}
 #define CONF_modules_unload(...)            {}
 
-#define RAND_priv_bytes(buf,len)            RAND_bytes((buf), (size_t)(len))
+#define RAND_priv_bytes(buf,len)            RAND_bytes((buf), (len))
 #define RAND_write_file(file)               (0)
 
 #define EVP_PKEY_base_id(pkey)              EVP_PKEY_id(pkey)
-#define EVP_CipherFinal(ctx, out, out_len)  EVP_CipherFinal_ex(ctx, out, out_len)
+#define EVP_CipherFinal(ctx, out, out_len)  EVP_CipherFinal_ex((ctx), (out), (out_len))
 #define EVP_read_pw_string(...)             (-1)
 
 #define X509_get0_pubkey(cert)              X509_get_pubkey((cert))
@@ -94,6 +96,30 @@
 
 #endif /* OPENSSL_IS_BORINGSSL */
 
+
+/* BoringSSL redefines int->size_t for bunch of x509 functions */
+#if defined(OPENSSL_IS_BORINGSSL)
+
+typedef size_t xmlSecOpenSSLSizeT;
+
+#define XMLSEC_OPENSSL_SAFE_CAST_SIZE_T_TO_SIZE(srcVal, dstVal, errorAction, errorObject)  \
+       (dstVal) = (srcVal)
+#define XMLSEC_OPENSSL_SAFE_CAST_SIZE_TO_SIZE_T(srcVal, dstVal, errorAction, errorObject) \
+       (dstVal) = (srcVal)
+
+#else /* defined(OPENSSL_IS_BORINGSSL) */
+
+typedef int xmlSecOpenSSLSizeT;
+
+#define XMLSEC_OPENSSL_SAFE_CAST_SIZE_T_TO_SIZE(srcVal, dstVal, errorAction, errorObject) \
+       XMLSEC_SAFE_CAST_INT_TO_SIZE((srcVal), (dstVal), errorAction, (errorObject))
+
+#define XMLSEC_OPENSSL_SAFE_CAST_SIZE_TO_SIZE_T(srcVal, dstVal, errorAction, errorObject) \
+       XMLSEC_SAFE_CAST_SIZE_TO_INT((srcVal), (dstVal), errorAction, (errorObject))
+
+#endif /* defined(OPENSSL_IS_BORINGSSL) */
+
+
 /******************************************************************************
  *
  * LibreSSL compatibility (implements most of OpenSSL 1.1 API)
@@ -124,7 +150,6 @@
 
 #endif /* defined(LIBRESSL_VERSION_NUMBER) */
 
-
 /******************************************************************************
  *
  * OpenSSL 3.0.0 compatibility
@@ -158,8 +183,8 @@
 
 #define RAND_priv_bytes_ex(ctx,buf,num,strength)                    xmlSecOpenSSLCompatRand((buf),(num))
 static inline int xmlSecOpenSSLCompatRand(unsigned char *buf, xmlSecSize size) {
-    int num;
-    XMLSEC_SAFE_CAST_SIZE_TO_INT(size, num, return(0), NULL);
+    xmlSecOpenSSLSizeT num;
+    XMLSEC_OPENSSL_SAFE_CAST_SIZE_TO_SIZE_T(size, num, return(0), NULL);
     return(RAND_priv_bytes(buf, num));
 }