Blob Blame History Raw
From e0fe31f1fc2ba13ada1d6bc35231847b75be4ee9 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Thu, 8 Aug 2019 18:02:08 +0200
Subject: [PATCH 1/2] gnutls_int.h: make DECR_LEN neutral to signedness

DECR_LEN was previously implemented in a way that it first decrements
the given length and then checks whether the result is negative.  This
requires the caller to properly coerce the length argument to a signed
integer, before invoking the macro.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 lib/gnutls_int.h | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 179d71b4a..7f7b6a7c9 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -256,14 +256,15 @@ typedef enum record_send_state_t {
 
 #define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y))
 
-#define DECR_LEN(len, x) do { len-=x; if (len<0) {gnutls_assert(); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;} } while (0)
+#define DECR_LEN(len, x) DECR_LENGTH_RET(len, x, GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
 #define DECR_LEN_FINAL(len, x) do { \
-	len-=x; \
-	if (len != 0) \
+	if (len != x) \
 		return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); \
+	else \
+		len = 0; \
 	} while (0)
-#define DECR_LENGTH_RET(len, x, RET) do { len-=x; if (len<0) {gnutls_assert(); return RET;} } while (0)
-#define DECR_LENGTH_COM(len, x, COM) do { len-=x; if (len<0) {gnutls_assert(); COM;} } while (0)
+#define DECR_LENGTH_RET(len, x, RET) DECR_LENGTH_COM(len, x, return RET)
+#define DECR_LENGTH_COM(len, x, COM) do { if (len<x) {gnutls_assert(); COM;} else len-=x; } while (0)
 
 #define GNUTLS_POINTER_TO_INT(_) ((int) GNUTLS_POINTER_TO_INT_CAST (_))
 #define GNUTLS_INT_TO_POINTER(_) ((void*) GNUTLS_POINTER_TO_INT_CAST (_))
-- 
2.21.0


From 5e9b2ec29449c76b1b938a0ebf0dc9b92cae7057 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Thu, 8 Aug 2019 18:04:18 +0200
Subject: [PATCH 2/2] lib/*: remove unnecessary cast to ssize_t

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 lib/crypto-api.c             | 10 +++++-----
 lib/ext/alpn.c               |  3 +--
 lib/ext/client_cert_type.c   |  9 ++++-----
 lib/ext/cookie.c             |  5 ++---
 lib/ext/ec_point_formats.c   |  7 +++----
 lib/ext/key_share.c          |  5 ++---
 lib/ext/max_record.c         |  3 +--
 lib/ext/psk_ke_modes.c       |  3 +--
 lib/ext/record_size_limit.c  |  3 +--
 lib/ext/safe_renegotiation.c |  3 +--
 lib/ext/server_cert_type.c   |  9 ++++-----
 lib/ext/server_name.c        |  3 +--
 lib/ext/session_ticket.c     |  5 ++---
 lib/ext/signature.c          |  3 +--
 lib/ext/srp.c                |  3 +--
 lib/ext/srtp.c               |  5 ++---
 lib/ext/status_request.c     |  3 +--
 lib/ext/supported_groups.c   |  3 +--
 lib/ext/supported_versions.c |  5 ++---
 lib/extv.c                   |  8 ++++----
 lib/sslv2_compat.c           |  3 +--
 lib/supplemental.c           |  4 ++--
 lib/tls13/certificate.c      | 21 +++++++++++----------
 lib/tls13/psk_ext_parser.c   |  4 +---
 lib/tls13/psk_ext_parser.h   |  4 ++--
 lib/tls13/session_ticket.c   |  2 +-
 26 files changed, 58 insertions(+), 78 deletions(-)

diff --git a/lib/crypto-api.c b/lib/crypto-api.c
index 2834c0199..09b3d7bfc 100644
--- a/lib/crypto-api.c
+++ b/lib/crypto-api.c
@@ -990,9 +990,9 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
 	api_aead_cipher_hd_st *h = handle;
 	ssize_t ret;
 	uint8_t *dst;
-	ssize_t dst_size, total = 0;
+	size_t dst_size, total = 0;
 	uint8_t *p;
-	ssize_t blocksize = handle->ctx_enc.e->blocksize;
+	size_t blocksize = handle->ctx_enc.e->blocksize;
 	struct iov_iter_st iter;
 	size_t blocks;
 
@@ -1071,7 +1071,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
 		if (ret == 0)
 			break;
 		blocks = ret;
-		if (unlikely((size_t) dst_size < blocksize * blocks))
+		if (unlikely(dst_size < blocksize * blocks))
 			return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 		ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p,
 					      blocksize * blocks,
@@ -1083,7 +1083,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
 		total += blocksize * blocks;
 	}
 	if (iter.block_offset > 0) {
-		if (unlikely((size_t) dst_size < iter.block_offset))
+		if (unlikely(dst_size < iter.block_offset))
 			return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 		ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
 					      iter.block, iter.block_offset,
@@ -1095,7 +1095,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
 		total += iter.block_offset;
 	}
 
-	if ((size_t)dst_size < tag_size)
+	if (dst_size < tag_size)
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
 	_gnutls_cipher_tag(&handle->ctx_enc, dst, tag_size);
diff --git a/lib/ext/alpn.c b/lib/ext/alpn.c
index 34f6ce09d..b9991f0a1 100644
--- a/lib/ext/alpn.c
+++ b/lib/ext/alpn.c
@@ -51,13 +51,12 @@ const hello_ext_entry_st ext_mod_alpn = {
 
 static int
 _gnutls_alpn_recv_params(gnutls_session_t session,
-			 const uint8_t * data, size_t _data_size)
+			 const uint8_t * data, size_t data_size)
 {
 	unsigned int i;
 	int ret;
 	const uint8_t *p = data;
 	unsigned len1, len;
-	ssize_t data_size = _data_size;
 	alpn_ext_st *priv;
 	gnutls_ext_priv_data_t epriv;
 	int selected_protocol_index;
diff --git a/lib/ext/client_cert_type.c b/lib/ext/client_cert_type.c
index 471d42c5f..b627b71f9 100644
--- a/lib/ext/client_cert_type.c
+++ b/lib/ext/client_cert_type.c
@@ -73,7 +73,6 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session,
 	gnutls_certificate_type_t cert_type;
 
 	uint8_t i, found = 0;
-	ssize_t len = data_size;
 	const uint8_t* pdata = data;
 
 	/* Only activate this extension if we have cert credentials set
@@ -86,7 +85,7 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session,
 
 		/* Compare packet length with expected packet length. For the
 		 * client this is a single byte. */
-		if (len != 1) {
+		if (data_size != 1) {
 			return
 					gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
 		}
@@ -136,8 +135,8 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session,
 
 	} else {	// server mode
 		// Compare packet length with expected packet length.
-		DECR_LEN(len, 1);
-		if (data[0] != len) {
+		DECR_LEN(data_size, 1);
+		if (data[0] != data_size) {
 			return
 					gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
 		}
@@ -145,7 +144,7 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session,
 
 		// Assign the contents of our data buffer to a gnutls_datum_t
 		cert_types.data = (uint8_t*)pdata; // Need casting to get rid of 'discards const qualifier' warning
-		cert_types.size = len;
+		cert_types.size = data_size;
 
 		// Store the client certificate types in our session
 		_gnutls_hello_ext_set_datum(session,
diff --git a/lib/ext/cookie.c b/lib/ext/cookie.c
index 1e66c3d49..0feb2f0e5 100644
--- a/lib/ext/cookie.c
+++ b/lib/ext/cookie.c
@@ -53,10 +53,9 @@ const hello_ext_entry_st ext_mod_cookie = {
 /* Only client sends this extension. */
 static int
 cookie_recv_params(gnutls_session_t session,
-		   const uint8_t * data, size_t _data_size)
+		   const uint8_t * data, size_t data_size)
 {
-	ssize_t data_size = _data_size;
-	ssize_t csize;
+	size_t csize;
 	int ret;
 	gnutls_datum_t tmp;
 
diff --git a/lib/ext/ec_point_formats.c b/lib/ext/ec_point_formats.c
index eb59ec139..c702d434c 100644
--- a/lib/ext/ec_point_formats.c
+++ b/lib/ext/ec_point_formats.c
@@ -57,11 +57,10 @@ const hello_ext_entry_st ext_mod_supported_ec_point_formats = {
 static int
 _gnutls_supported_ec_point_formats_recv_params(gnutls_session_t session,
 				     const uint8_t * data,
-				     size_t _data_size)
+				     size_t data_size)
 {
-	int len, i;
+	size_t len, i;
 	int uncompressed = 0;
-	int data_size = _data_size;
 
 	if (session->security_parameters.entity == GNUTLS_CLIENT) {
 		if (data_size < 1)
@@ -91,7 +90,7 @@ _gnutls_supported_ec_point_formats_recv_params(gnutls_session_t session,
 		/* only sanity check here. We only support uncompressed points
 		 * and a client must support it thus nothing to check.
 		 */
-		if (_data_size < 1)
+		if (data_size < 1)
 			return
 			    gnutls_assert_val
 			    (GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION);
diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
index 599eff8fb..8f0912e69 100644
--- a/lib/ext/key_share.c
+++ b/lib/ext/key_share.c
@@ -504,11 +504,10 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou
 
 static int
 key_share_recv_params(gnutls_session_t session,
-		      const uint8_t * data, size_t _data_size)
+		      const uint8_t * data, size_t data_size)
 {
 	int ret;
-	ssize_t data_size = _data_size;
-	ssize_t size;
+	size_t size;
 	unsigned gid;
 	const version_entry_st *ver;
 	const gnutls_group_entry_st *group;
diff --git a/lib/ext/max_record.c b/lib/ext/max_record.c
index dbb98cf62..3cada69be 100644
--- a/lib/ext/max_record.c
+++ b/lib/ext/max_record.c
@@ -65,10 +65,9 @@ const hello_ext_entry_st ext_mod_max_record_size = {
 
 static int
 _gnutls_max_record_recv_params(gnutls_session_t session,
-			       const uint8_t * data, size_t _data_size)
+			       const uint8_t * data, size_t data_size)
 {
 	ssize_t new_size;
-	ssize_t data_size = _data_size;
 
 	if (session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_NEGOTIATED)
 		return 0;
diff --git a/lib/ext/psk_ke_modes.c b/lib/ext/psk_ke_modes.c
index da7a55098..8d8effb43 100644
--- a/lib/ext/psk_ke_modes.c
+++ b/lib/ext/psk_ke_modes.c
@@ -106,10 +106,9 @@ psk_ke_modes_send_params(gnutls_session_t session,
  */
 static int
 psk_ke_modes_recv_params(gnutls_session_t session,
-			 const unsigned char *data, size_t _len)
+			 const unsigned char *data, size_t len)
 {
 	uint8_t ke_modes_len;
-	ssize_t len = _len;
 	const version_entry_st *vers = get_version(session);
 	gnutls_psk_server_credentials_t cred;
 	int dhpsk_pos = MAX_POS;
diff --git a/lib/ext/record_size_limit.c b/lib/ext/record_size_limit.c
index e9fe6a1d8..0e94fece3 100644
--- a/lib/ext/record_size_limit.c
+++ b/lib/ext/record_size_limit.c
@@ -48,10 +48,9 @@ const hello_ext_entry_st ext_mod_record_size_limit = {
 
 static int
 _gnutls_record_size_limit_recv_params(gnutls_session_t session,
-				      const uint8_t * data, size_t _data_size)
+				      const uint8_t * data, size_t data_size)
 {
 	ssize_t new_size;
-	ssize_t data_size = _data_size;
 	const version_entry_st *vers;
 
 	DECR_LEN(data_size, 2);
diff --git a/lib/ext/safe_renegotiation.c b/lib/ext/safe_renegotiation.c
index 6424f45b5..bb4a57e45 100644
--- a/lib/ext/safe_renegotiation.c
+++ b/lib/ext/safe_renegotiation.c
@@ -265,10 +265,9 @@ int _gnutls_ext_sr_send_cs(gnutls_session_t session)
 
 static int
 _gnutls_sr_recv_params(gnutls_session_t session,
-		       const uint8_t * data, size_t _data_size)
+		       const uint8_t * data, size_t data_size)
 {
 	unsigned int len;
-	ssize_t data_size = _data_size;
 	sr_ext_st *priv;
 	gnutls_ext_priv_data_t epriv;
 	int set = 0, ret;
diff --git a/lib/ext/server_cert_type.c b/lib/ext/server_cert_type.c
index dbcb3971b..864a44bbc 100644
--- a/lib/ext/server_cert_type.c
+++ b/lib/ext/server_cert_type.c
@@ -73,7 +73,6 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session,
 	gnutls_certificate_type_t cert_type;
 
 	uint8_t i, found = 0;
-	ssize_t len = data_size;
 	const uint8_t* pdata = data;
 
 	/* Only activate this extension if we have cert credentials set
@@ -86,7 +85,7 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session,
 
 		/* Compare packet length with expected packet length. For the
 		 * client this is a single byte. */
-		if (len != 1) {
+		if (data_size != 1) {
 			return
 					gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
 		}
@@ -135,8 +134,8 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session,
 
 	} else {		// server mode
 		// Compare packet length with expected packet length.
-		DECR_LEN(len, 1);
-		if (data[0] != len) {
+		DECR_LEN(data_size, 1);
+		if (data[0] != data_size) {
 			return
 					gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
 		}
@@ -144,7 +143,7 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session,
 
 		// Assign the contents of our data buffer to a gnutls_datum_t
 		cert_types.data = (uint8_t*)pdata; // Need casting to get rid of 'discards const qualifier' warning
-		cert_types.size = len;
+		cert_types.size = data_size;
 
 		// Store the server certificate types in our session
 		_gnutls_hello_ext_set_datum(session,
diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c
index 259dc998e..0c6331569 100644
--- a/lib/ext/server_name.c
+++ b/lib/ext/server_name.c
@@ -66,11 +66,10 @@ const hello_ext_entry_st ext_mod_server_name = {
  */
 static int
 _gnutls_server_name_recv_params(gnutls_session_t session,
-				const uint8_t * data, size_t _data_size)
+				const uint8_t * data, size_t data_size)
 {
 	const unsigned char *p;
 	uint16_t len, type;
-	ssize_t data_size = _data_size;
 	gnutls_datum_t name;
 
 	if (session->security_parameters.entity == GNUTLS_SERVER) {
diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
index 98db39ff8..263273fa2 100644
--- a/lib/ext/session_ticket.c
+++ b/lib/ext/session_ticket.c
@@ -78,7 +78,7 @@ static int
 unpack_ticket(const gnutls_datum_t *ticket_data, struct ticket_st *ticket)
 {
 	const uint8_t * data = ticket_data->data;
-	ssize_t data_size = ticket_data->size;
+	size_t data_size = ticket_data->size;
 	const uint8_t *encrypted_state;
 
 	/* Format:
@@ -371,11 +371,10 @@ unpack_session(gnutls_session_t session, const gnutls_datum_t *state)
 
 static int
 session_ticket_recv_params(gnutls_session_t session,
-			   const uint8_t * data, size_t _data_size)
+			   const uint8_t * data, size_t data_size)
 {
 	gnutls_datum_t ticket_data;
 	gnutls_datum_t state;
-	ssize_t data_size = _data_size;
 	int ret;
 
 	if (session->internals.flags & GNUTLS_NO_TICKETS)
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index e734d2c7d..a90f58d53 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -187,9 +187,8 @@ _gnutls_sign_algorithm_parse_data(gnutls_session_t session,
 static int
 _gnutls_signature_algorithm_recv_params(gnutls_session_t session,
 					const uint8_t * data,
-					size_t _data_size)
+					size_t data_size)
 {
-	ssize_t data_size = _data_size;
 	int ret;
 
 	if (session->security_parameters.entity == GNUTLS_CLIENT) {
diff --git a/lib/ext/srp.c b/lib/ext/srp.c
index 8b58222e0..07f6e6883 100644
--- a/lib/ext/srp.c
+++ b/lib/ext/srp.c
@@ -59,10 +59,9 @@ const hello_ext_entry_st ext_mod_srp = {
 
 static int
 _gnutls_srp_recv_params(gnutls_session_t session, const uint8_t * data,
-			size_t _data_size)
+			size_t data_size)
 {
 	uint8_t len;
-	ssize_t data_size = _data_size;
 	gnutls_ext_priv_data_t epriv;
 	srp_ext_st *priv;
 
diff --git a/lib/ext/srtp.c b/lib/ext/srtp.c
index 3fc7ed35a..412e26d45 100644
--- a/lib/ext/srtp.c
+++ b/lib/ext/srtp.c
@@ -162,13 +162,12 @@ const char *gnutls_srtp_get_profile_name(gnutls_srtp_profile_t profile)
 
 static int
 _gnutls_srtp_recv_params(gnutls_session_t session,
-			 const uint8_t * data, size_t _data_size)
+			 const uint8_t * data, size_t data_size)
 {
 	unsigned int i;
 	int ret;
 	const uint8_t *p = data;
-	int len;
-	ssize_t data_size = _data_size;
+	size_t len;
 	srtp_ext_st *priv;
 	gnutls_ext_priv_data_t epriv;
 	uint16_t profile;
diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c
index d8779e8cf..cf9d5bd03 100644
--- a/lib/ext/status_request.c
+++ b/lib/ext/status_request.c
@@ -86,9 +86,8 @@ client_send(gnutls_session_t session,
 static int
 server_recv(gnutls_session_t session,
 	    status_request_ext_st * priv,
-	    const uint8_t * data, size_t size)
+	    const uint8_t * data, size_t data_size)
 {
-	ssize_t data_size = size;
 	unsigned rid_bytes = 0;
 
 	/* minimum message is type (1) + responder_id_list (2) +
diff --git a/lib/ext/supported_groups.c b/lib/ext/supported_groups.c
index 952d3bb0c..ef7859f73 100644
--- a/lib/ext/supported_groups.c
+++ b/lib/ext/supported_groups.c
@@ -93,10 +93,9 @@ static unsigned get_min_dh(gnutls_session_t session)
  */
 static int
 _gnutls_supported_groups_recv_params(gnutls_session_t session,
-				  const uint8_t * data, size_t _data_size)
+				  const uint8_t * data, size_t data_size)
 {
 	int i;
-	ssize_t data_size = _data_size;
 	uint16_t len;
 	const uint8_t *p = data;
 	const gnutls_group_entry_st *group = NULL;
diff --git a/lib/ext/supported_versions.c b/lib/ext/supported_versions.c
index 52828ee37..8d52fad5c 100644
--- a/lib/ext/supported_versions.c
+++ b/lib/ext/supported_versions.c
@@ -54,12 +54,11 @@ const hello_ext_entry_st ext_mod_supported_versions = {
 
 static int
 supported_versions_recv_params(gnutls_session_t session,
-			       const uint8_t * data, size_t _data_size)
+			       const uint8_t * data, size_t data_size)
 {
 	const version_entry_st *vers;
-	ssize_t data_size = _data_size;
 	uint8_t major, minor;
-	ssize_t bytes;
+	size_t bytes;
 	int ret;
 
 	if (session->security_parameters.entity == GNUTLS_SERVER) {
diff --git a/lib/extv.c b/lib/extv.c
index bfdfdf974..0c0c46f32 100644
--- a/lib/extv.c
+++ b/lib/extv.c
@@ -105,7 +105,7 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb,
 			 const gnutls_datum_t *data, unsigned int flags)
 {
 	if (flags & GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO) {
-		ssize_t size = data->size;
+		size_t size = data->size;
 		size_t len;
 		uint8_t *p = data->data;
 
@@ -137,12 +137,12 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb,
 		DECR_LEN(size, len);
 		p += len;
 
-		if (size <= 0)
+		if (size == 0)
 			return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
 
 		return _gnutls_extv_parse(ctx, cb, p, size);
 	} else if (flags & GNUTLS_EXT_RAW_FLAG_DTLS_CLIENT_HELLO) {
-		ssize_t size = data->size;
+		size_t size = data->size;
 		size_t len;
 		uint8_t *p = data->data;
 
@@ -181,7 +181,7 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb,
 		DECR_LEN(size, len);
 		p += len;
 
-		if (size <= 0)
+		if (size == 0)
 			return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
 
 		return _gnutls_extv_parse(ctx, cb, p, size);
diff --git a/lib/sslv2_compat.c b/lib/sslv2_compat.c
index 6122d1098..9d247ba4c 100644
--- a/lib/sslv2_compat.c
+++ b/lib/sslv2_compat.c
@@ -87,14 +87,13 @@ _gnutls_handshake_select_v2_suite(gnutls_session_t session,
  */
 int
 _gnutls_read_client_hello_v2(gnutls_session_t session, uint8_t * data,
-			     unsigned int datalen)
+			     unsigned int len)
 {
 	uint16_t session_id_len = 0;
 	int pos = 0;
 	int ret = 0, sret = 0;
 	uint16_t sizeOfSuites;
 	uint8_t rnd[GNUTLS_RANDOM_SIZE], major, minor;
-	int len = datalen;
 	int neg_version;
 	const version_entry_st *vers;
 	uint16_t challenge;
diff --git a/lib/supplemental.c b/lib/supplemental.c
index cd90fa1fb..07b38cc93 100644
--- a/lib/supplemental.c
+++ b/lib/supplemental.c
@@ -192,14 +192,14 @@ _gnutls_parse_supplemental(gnutls_session_t session,
 			   const uint8_t * data, int datalen)
 {
 	const uint8_t *p = data;
-	ssize_t dsize = datalen;
+	size_t dsize = datalen;
 	size_t total_size;
 
 	DECR_LEN(dsize, 3);
 	total_size = _gnutls_read_uint24(p);
 	p += 3;
 
-	if (dsize != (ssize_t) total_size) {
+	if (dsize != total_size) {
 		gnutls_assert();
 		return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
 	}
diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c
index bd257237f..8a1a11872 100644
--- a/lib/tls13/certificate.c
+++ b/lib/tls13/certificate.c
@@ -360,11 +360,12 @@ static int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t *data
 static int
 parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size)
 {
-	int len, ret;
+	int ret;
+	size_t len;
 	uint8_t *p = data;
 	cert_auth_info_t info;
 	gnutls_certificate_credentials_t cred;
-	ssize_t dsize = data_size, size;
+	size_t size;
 	int i;
 	unsigned npeer_certs, npeer_ocsp, j;
 	crt_cert_ctx_st ctx;
@@ -395,31 +396,31 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size)
 	if (info == NULL)
 		return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
 
-	DECR_LEN(dsize, 3);
+	DECR_LEN(data_size, 3);
 	size = _gnutls_read_uint24(p);
 	p += 3;
 
-	if (size != dsize)
+	if (size != data_size)
 		return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
 
 	if (size == 0)
 		return gnutls_assert_val(GNUTLS_E_NO_CERTIFICATE_FOUND);
 
-	i = dsize;
+	i = data_size;
 
 	while (i > 0) {
-		DECR_LEN(dsize, 3);
+		DECR_LEN(data_size, 3);
 		len = _gnutls_read_uint24(p);
 		if (len == 0)
 			return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
 
-		DECR_LEN(dsize, len);
+		DECR_LEN(data_size, len);
 		p += len + 3;
 		i -= len + 3;
 
-		DECR_LEN(dsize, 2);
+		DECR_LEN(data_size, 2);
 		len = _gnutls_read_uint16(p);
-		DECR_LEN(dsize, len);
+		DECR_LEN(data_size, len);
 
 		i -= len + 2;
 		p += len + 2;
@@ -427,7 +428,7 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size)
 		nentries++;
 	}
 
-	if (dsize != 0)
+	if (data_size != 0)
 		return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
 
 	/* this is unnecessary - keeping to avoid a regression due to a re-org
diff --git a/lib/tls13/psk_ext_parser.c b/lib/tls13/psk_ext_parser.c
index 6e3a12f90..33ebc0461 100644
--- a/lib/tls13/psk_ext_parser.c
+++ b/lib/tls13/psk_ext_parser.c
@@ -28,10 +28,8 @@
  * are present, or 0, on success.
  */
 int _gnutls13_psk_ext_parser_init(psk_ext_parser_st *p,
-				  const unsigned char *data, size_t _len)
+				  const unsigned char *data, size_t len)
 {
-	ssize_t len = _len;
-
 	if (!p || !data || !len)
 		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
 
diff --git a/lib/tls13/psk_ext_parser.h b/lib/tls13/psk_ext_parser.h
index 30b47e904..f46b211e0 100644
--- a/lib/tls13/psk_ext_parser.h
+++ b/lib/tls13/psk_ext_parser.h
@@ -25,10 +25,10 @@
 
 struct psk_ext_parser_st {
 	const unsigned char *identities_data;
-	ssize_t identities_len;
+	size_t identities_len;
 
 	const unsigned char *binders_data;
-	ssize_t binders_len;
+	size_t binders_len;
 };
 
 typedef struct psk_ext_parser_st psk_ext_parser_st;
diff --git a/lib/tls13/session_ticket.c b/lib/tls13/session_ticket.c
index 146aee9b1..072a56d9c 100644
--- a/lib/tls13/session_ticket.c
+++ b/lib/tls13/session_ticket.c
@@ -105,7 +105,7 @@ unpack_ticket(gnutls_session_t session, gnutls_datum_t *packed, tls13_ticket_st
 	gnutls_mac_algorithm_t kdf;
 	const mac_entry_st *prf;
 	uint8_t *p;
-	ssize_t len;
+	size_t len;
 	uint64_t v;
 	int ret;
 
-- 
2.21.0