diff --git a/include/openssl/type_check.h b/include/openssl/type_check.h index 674913a3..7e70918b 100644 --- a/include/openssl/type_check.h +++ b/include/openssl/type_check.h @@ -78,6 +78,10 @@ extern "C" { #if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L #define OPENSSL_COMPILE_ASSERT(cond, msg) _Static_assert(cond, #msg) +#elif defined(__GNUC__) +#define OPENSSL_COMPILE_ASSERT(cond, msg) \ + typedef char OPENSSL_COMPILE_ASSERT_##msg[((cond) ? 1 : -1)] \ + __attribute__((unused)) #else #define OPENSSL_COMPILE_ASSERT(cond, msg) \ typedef char OPENSSL_COMPILE_ASSERT_##msg[((cond) ? 1 : -1)] diff --git a/ssl/ssl_aead_ctx.c b/ssl/ssl_aead_ctx.c index 1b951505..bba55ef3 100644 --- a/ssl/ssl_aead_ctx.c +++ b/ssl/ssl_aead_ctx.c @@ -26,9 +26,6 @@ #include "internal.h" -OPENSSL_COMPILE_ASSERT(EVP_AEAD_MAX_NONCE_LENGTH < 256, - variable_nonce_len_doesnt_fit_in_uint8_t); - SSL_AEAD_CTX *SSL_AEAD_CTX_new(enum evp_aead_direction_t direction, uint16_t version, const SSL_CIPHER *cipher, const uint8_t *enc_key, size_t enc_key_len, @@ -78,6 +75,8 @@ SSL_AEAD_CTX *SSL_AEAD_CTX_new(enum evp_aead_direction_t direction, } assert(EVP_AEAD_nonce_length(aead) <= EVP_AEAD_MAX_NONCE_LENGTH); + OPENSSL_COMPILE_ASSERT(EVP_AEAD_MAX_NONCE_LENGTH < 256, + variable_nonce_len_doesnt_fit_in_uint8_t); aead_ctx->variable_nonce_len = (uint8_t)EVP_AEAD_nonce_length(aead); if (mac_key_len == 0) { assert(fixed_iv_len <= sizeof(aead_ctx->fixed_nonce)); diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 2a4dcbf3..34d1f860 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -365,13 +365,13 @@ int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs, return set_signing_algorithm_prefs(ssl->cert, prefs, num_prefs); } -OPENSSL_COMPILE_ASSERT(sizeof(int) >= 2 * sizeof(uint16_t), - digest_list_conversion_cannot_overflow); - int SSL_set_private_key_digest_prefs(SSL *ssl, const int *digest_nids, size_t num_digests) { OPENSSL_free(ssl->cert->sigalgs); + OPENSSL_COMPILE_ASSERT(sizeof(int) >= 2 * sizeof(uint16_t), + digest_list_conversion_cannot_overflow); + ssl->cert->num_sigalgs = 0; ssl->cert->sigalgs = OPENSSL_malloc(sizeof(uint16_t) * 2 * num_digests); if (ssl->cert->sigalgs == NULL) { diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index b069e709..ec5dce0e 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -3025,8 +3025,6 @@ int ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs, return 1; } -OPENSSL_COMPILE_ASSERT(kNumExtensions <= sizeof(uint32_t) * 8, too_many_bits); - static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs, int *out_alert) { SSL *const ssl = hs->ssl; @@ -3066,6 +3064,9 @@ static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs, continue; } + OPENSSL_COMPILE_ASSERT(kNumExtensions <= sizeof(hs->extensions.sent) * 8, + too_many_bits); + if (!(hs->extensions.sent & (1u << ext_index)) && type != TLSEXT_TYPE_renegotiate) { /* If the extension was never sent then it is illegal, except for the