From patchwork Wed Sep 24 15:02:55 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4449
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 24 Sep 2025 17:02:55 +0200
Message-ID: <20250924150300.29318-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v2] ssl_openssl: Use uint16_t internally for TLS versions

From: Frank Lichtenheld libressl changed the API for the involved functions. Since uint16_t is a true subset of int it should be safe to switch to that for all OpenSSL variants. One trivial drive-by fix in unrelated code to be able to enable -Wconversion fully for the file. This just adds a cast where the comment says we intend a cast. Change-Id: I9ea87531afb553f789289787403900a4758b8e1c Signed-off-by: Frank Lichtenheld Acked-by: MaxF Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1212 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1212 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): MaxF diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 89deeaa..434df7d 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -235,8 +235,8 @@ } /** Convert internal version number to openssl version number */ -static int -openssl_tls_version(int ver) +static uint16_t +openssl_tls_version(unsigned int ver) { if (ver == TLS_VER_1_0) { @@ -272,23 +272,18 @@ return 0; } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wconversion" -#endif - static bool tls_ctx_set_tls_versions(struct tls_root_ctx *ctx, unsigned int ssl_flags) { - int tls_ver_min = + uint16_t tls_ver_min = openssl_tls_version((ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK); - int tls_ver_max = + uint16_t tls_ver_max = openssl_tls_version((ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK); if (!tls_ver_min) { /* Enforce at least TLS 1.0 */ - int cur_min = SSL_CTX_get_min_proto_version(ctx->ctx); + uint16_t cur_min = (uint16_t)SSL_CTX_get_min_proto_version(ctx->ctx); tls_ver_min = cur_min < TLS1_VERSION ? TLS1_VERSION : cur_min; } 
@@ -387,7 +382,7 @@ /* %.*s format specifier expects length of type int, so guarantee */ /* that length is small enough and cast to int. */ msg(D_LOW, "No valid translation found for TLS cipher '%.*s'", - constrain_int(current_cipher_len, 0, 256), current_cipher); + constrain_int((int)current_cipher_len, 0, 256), current_cipher); } else { @@ -429,10 +424,6 @@ } } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic pop -#endif - void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) { @@ -2522,11 +2513,6 @@ msg(D_HANDSHAKE, "%s%s%s%s%s", s1, s2, s3, s4, s5); } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wconversion" -#endif - void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13) { @@ -2541,7 +2527,7 @@ #if defined(TLS1_3_VERSION) if (tls13) { - SSL_CTX_set_min_proto_version(tls_ctx.ctx, openssl_tls_version(TLS_VER_1_3)); + SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION); tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list); } else @@ -2594,10 +2580,6 @@ SSL_CTX_free(tls_ctx.ctx); } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic pop -#endif - /* * Show the Elliptic curves that are available for us to use * in the OpenSSL library.
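
Review bot: In the @@ -235,8 +235,8 @@ hunk, the doc comment above openssl_tls_version() still says only "Convert internal version number to openssl version number" and does not state what the function returns for a value it does not recognise. The return 0; context line at the top of the next hunk appears to be that fallback, and the caller relies on it through if (!tls_ver_min). With the return type now uint16_t, it would help to document 0 as the "no version selected" result in that comment so the contract the caller depends on is written down.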
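
Review bot: In the @@ -272,23 +272,18 @@ hunk, the new line uint16_t cur_min = (uint16_t)SSL_CTX_get_min_proto_version(ctx->ctx); narrows the library's return value with an unchecked cast. The commit message argues that uint16_t is a subset of int, which covers passing our values to the library, but this line goes the other way, and the cast silences -Wconversion without showing that the value fits. Suggest keeping the library result in its native type, doing the comparison against TLS1_VERSION there, and casting only the value that is finally assigned to tls_ver_min, or adding a short comment stating why the returned value is known to fit in 16 bits.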
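
Review bot: In the @@ -387,7 +382,7 @@ hunk, constrain_int((int)current_cipher_len, 0, 256) casts before it clamps, while the comment directly above says to guarantee the length is small enough and then cast to int. The declaration of current_cipher_len is not visible here, but if it is an unsigned type wider than int, a very large value is converted first and the clamp then operates on whatever that conversion produced. The 0..256 bounds still hold for the %.*s argument, so this is not a memory-safety problem, but the code no longer matches its comment. Suggest clamping in the variable's own type and casting the clamped result, or rewording the comment to describe the order actually used.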
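
Review bot: In the @@ -2541,7 +2527,7 @@ hunk, the changed call SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION); still discards its result. The function returns 1 on success and 0 on failure, and if it fails the context keeps its previous minimum version while the code continues into tls_ctx_restrict_ciphers_tls13(). Since this line is being touched anyway, consider checking the result and reporting the failure through msg() rather than continuing silently. Using the TLS1_3_VERSION constant directly inside the #if defined(TLS1_3_VERSION) guard is fine.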