From patchwork Thu Sep 11 20:16:52 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4402
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 11 Sep 2025 22:16:52 +0200
Message-ID: <20250911201658.25736-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v9] ssl_common: Make sure ssl flags are treated as unsigned

From: Frank Lichtenheld tls_options.ssl_flags is already unsigned, make sure the flags are as well to avoid spurious conversion warnings. Also fix various warning regarding the use of the flags for TLS version handling. Change-Id: I03e5ece7580ca4ebd41a7928ead544df46e8bad1 Signed-off-by: Frank Lichtenheld Acked-by: MaxF --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1104 This mail reflects revision 9 of this Change. Acked-by according to Gerrit (reflected above): MaxF diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 74946a4..7f86611 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2717,9 +2717,9 @@ "may accept clients which do not present a certificate"); } - const int tls_version_max = + const unsigned int tls_version_max = (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; - const int tls_version_min = + const unsigned int tls_version_min = (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK; if (tls_version_max > 0 && tls_version_max < tls_version_min) @@ -3385,10 +3385,10 @@ options_set_backwards_compatible_options(struct options *o) { /* TLS min version is not set */ - int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK; + unsigned int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK; if (tls_ver_min == 0) { - int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; + unsigned int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; if (need_compatibility_before(o, 20307)) { /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */ 
@@ -9367,9 +9367,8 @@ } else if (streq(p[0], "tls-version-min") && p[1] && !p[3]) { - int ver; VERIFY_PERMISSION(OPT_P_GENERAL); - ver = tls_version_parse(p[1], p[2]); + int ver = tls_version_parse(p[1], p[2]); if (ver == TLS_VER_BAD) { msg(msglevel, "unknown tls-version-min parameter: %s", p[1]); @@ -9385,20 +9384,19 @@ #endif options->ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT); - options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT); + options->ssl_flags |= ((unsigned int)ver << SSLF_TLS_VERSION_MIN_SHIFT); } else if (streq(p[0], "tls-version-max") && p[1] && !p[2]) { - int ver; VERIFY_PERMISSION(OPT_P_GENERAL); - ver = tls_version_parse(p[1], NULL); + int ver = tls_version_parse(p[1], NULL); if (ver == TLS_VER_BAD) { msg(msglevel, "unknown tls-version-max parameter: %s", p[1]); goto err; } options->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT); - options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT); + options->ssl_flags |= ((unsigned int)ver << SSLF_TLS_VERSION_MAX_SHIFT); } #ifndef ENABLE_CRYPTO_MBEDTLS else if (streq(p[0], "pkcs12") && p[1] && !p[2]) diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 428bf5a..a40f18d 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h 
@@ -421,17 +421,17 @@ #endif /* configuration file SSL-related boolean and low-permutation options */ -#define SSLF_CLIENT_CERT_NOT_REQUIRED (1 << 0) -#define SSLF_CLIENT_CERT_OPTIONAL (1 << 1) -#define SSLF_USERNAME_AS_COMMON_NAME (1 << 2) -#define SSLF_AUTH_USER_PASS_OPTIONAL (1 << 3) -#define SSLF_OPT_VERIFY (1 << 4) -#define SSLF_CRL_VERIFY_DIR (1 << 5) +#define SSLF_CLIENT_CERT_NOT_REQUIRED (1u << 0) +#define SSLF_CLIENT_CERT_OPTIONAL (1u << 1) +#define SSLF_USERNAME_AS_COMMON_NAME (1u << 2) +#define SSLF_AUTH_USER_PASS_OPTIONAL (1u << 3) +#define SSLF_OPT_VERIFY (1u << 4) +#define SSLF_CRL_VERIFY_DIR (1u << 5) #define SSLF_TLS_VERSION_MIN_SHIFT 6 -#define SSLF_TLS_VERSION_MIN_MASK 0xF /* (uses bit positions 6 to 9) */ +#define SSLF_TLS_VERSION_MIN_MASK 0xFu /* (uses bit positions 6 to 9) */ #define SSLF_TLS_VERSION_MAX_SHIFT 10 -#define SSLF_TLS_VERSION_MAX_MASK 0xF /* (uses bit positions 10 to 13) */ -#define SSLF_TLS_DEBUG_ENABLED (1 << 14) +#define SSLF_TLS_VERSION_MAX_MASK 0xFu /* (uses bit positions 10 to 13) */ +#define SSLF_TLS_DEBUG_ENABLED (1u << 14) unsigned int ssl_flags; #ifdef ENABLE_MANAGEMENT
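Review bot: In src/openvpn/options.c, hunk @@ -9385, the value OR-ed into ssl_flags is cast but not limited to the 4-bit field: `options->ssl_flags |= ((unsigned int)ver << SSLF_TLS_VERSION_MIN_SHIFT);` and the matching tls-version-max line, while the clearing statement just above each one does use the mask. The lines shown only reject TLS_VER_BAD, so any other negative or out-of-range return from tls_version_parse() would, after the cast, set bits in the neighbouring version field or in SSLF_TLS_DEBUG_ENABLED. Suggest masking before the shift, `(((unsigned int)ver & SSLF_TLS_VERSION_MIN_MASK) << SSLF_TLS_VERSION_MIN_SHIFT)`, and the same with the MAX macros.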
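Review bot: The extraction expression `(options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK` and its MAX counterpart are written out four times in src/openvpn/options.c (hunks @@ -2717 and @@ -3385), each with its own declared type on the left-hand side, which is why this patch has to change every site by hand. A pair of small static inline accessors returning unsigned int, placed next to the macros in ssl_common.h, would keep the type and the shift/mask order in one place. Minor, same hunk @@ -2717: with the operands now unsigned, `tls_version_max > 0` would read more clearly as `tls_version_max != 0`.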
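Review bot: In src/openvpn/ssl_common.h, hunk @@ -421, the comments on SSLF_TLS_VERSION_MIN_MASK and SSLF_TLS_VERSION_MAX_MASK give in-place bit positions ("uses bit positions 6 to 9", "10 to 13"), but 0xFu is the mask for the value after it has been shifted right, and every use in options.c has to combine it with the matching SHIFT macro. Since these lines are being touched anyway, suggest rewording the comments to say so, for example "4-bit value, stored at bit positions 6 to 9 of ssl_flags", so that nobody applies the mask to ssl_flags directly and reads the SSLF_CLIENT_CERT_* bits instead.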