From patchwork Fri Jan 16 13:57:29 2026
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 4713
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 16 Jan 2026 14:57:29 +0100
Message-ID: <20260116135729.40545-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v1] cryptoapi: Avoid conversion warnings

Due to the differences in the types of APIs between xkey provider and Windows cryptoapi we can't avoid the casts. And they should be safe generally since the involved sizes should be small compared to the maximum values.
So just add asserts and explicit cast to avoid the warnings. Change-Id: I789022af7c4977c4dff4f7671f491fe5836828fa Signed-off-by: Frank Lichtenheld Acked-by: Selva Nair Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1464 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1464 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Selva Nair diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index b18b9d4..49f5bbb 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -61,7 +61,7 @@ return 0; } -#else /* HAVE_XKEY_PROVIDER */ +#else /* HAVE_XKEY_PROVIDER */ static XKEY_EXTERNAL_SIGN_fn xkey_cng_sign; @@ -341,21 +341,18 @@ return rv; } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wconversion" -#endif - /** Sign hash in tbs using EC key in cd and NCryptSignHash */ static int xkey_cng_ec_sign(CAPI_DATA *cd, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen) { - DWORD len = *siglen; + ASSERT(*siglen <= UINT_MAX); + ASSERT(tbslen <= UINT_MAX); + DWORD len = (DWORD)*siglen; msg(D_LOW, "Signing using NCryptSignHash with EC key"); - DWORD status = NCryptSignHash(cd->crypt_prov, NULL, (BYTE *)tbs, tbslen, sig, len, &len, 0); + DWORD status = NCryptSignHash(cd->crypt_prov, NULL, (BYTE *)tbs, (DWORD)tbslen, sig, len, &len, 0); if (status != ERROR_SUCCESS) { @@ -383,7 +380,9 @@ ASSERT(cd); ASSERT(sig); + ASSERT(*siglen <= UINT_MAX); ASSERT(tbs); + ASSERT(tbslen <= INT_MAX); DWORD status = ERROR_SUCCESS; DWORD len = 0; 
@@ -406,10 +405,10 @@ } else if (!strcmp(sigalg.padmode, "pss")) { - int saltlen = tbslen; /* digest size by default */ + int saltlen = (int)tbslen; /* digest size by default */ if (!strcmp(sigalg.saltlen, "max")) { - saltlen = xkey_max_saltlen(EVP_PKEY_bits(cd->pubkey), tbslen); + saltlen = xkey_max_saltlen(EVP_PKEY_bits(cd->pubkey), saltlen); if (saltlen < 0) { msg(M_NONFATAL, "Error in cryptoapicert: invalid salt length (%d)", saltlen); @@ -420,8 +419,8 @@ msg(D_LOW, "Signing using NCryptSignHash with PSS padding: hashalg <%s>, saltlen <%d>", sigalg.mdname, saltlen); - BCRYPT_PSS_PADDING_INFO padinfo = { hashalg, - (DWORD)saltlen }; /* cast is safe as saltlen >= 0 */ + /* cast is safe as saltlen >= 0 */ + BCRYPT_PSS_PADDING_INFO padinfo = { hashalg, (DWORD)saltlen }; status = NCryptSignHash(cd->crypt_prov, &padinfo, (BYTE *)tbs, (DWORD)tbslen, sig, (DWORD)*siglen, &len, BCRYPT_PAD_PSS); } @@ -442,10 +441,6 @@ return (*siglen > 0); } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic pop -#endif - /** Dispatch sign op to xkey_cng__sign */ static int xkey_cng_sign(void *handle, unsigned char *sig, size_t *siglen, const unsigned char *tbs,
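Review bot: In the @@ -341,21 +341,18 @@ hunk, the two new ASSERTs at the top of xkey_cng_ec_sign turn an oversized *siglen or tbslen into an assertion failure, although the function returns int and already has a failure path for status != ERROR_SUCCESS. Consider logging and returning failure for out-of-range sizes instead, or at least add a one-line comment next to the ASSERTs stating why these sizes cannot approach UINT_MAX, since the commit message only says they "should be safe generally". ASSERT(*siglen <= UINT_MAX) also dereferences siglen before any visible NULL check in this function, and the bound is written as UINT_MAX while the destination type is DWORD; a short note that the two have the same range here would make the cast on the next line self-explanatory.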
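Review bot: In the @@ -383,7 +380,9 @@ hunk, tbslen is bounded by INT_MAX while *siglen in the same block, and tbslen in xkey_cng_ec_sign, are bounded by UINT_MAX, and nothing at the ASSERT explains the difference. The reason only shows up further down in the PSS branch, where tbslen is cast to int for saltlen, while the NCryptSignHash call casts the same value to DWORD. A brief comment at ASSERT(tbslen <= INT_MAX), for example that tbslen is reused as an int salt length for PSS, would keep a later reader from "fixing" it to UINT_MAX and silently reintroducing a truncating cast.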
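Review bot: In the @@ -406,10 +405,10 @@ hunk, the "max" branch now reads saltlen = xkey_max_saltlen(EVP_PKEY_bits(cd->pubkey), saltlen), so saltlen is both the input (the digest size) and the result, which hides what the second argument means. A named local such as int hashlen = (int)tbslen, used to initialise saltlen and passed to xkey_max_saltlen, would keep the single cast the patch is after and make the call readable. It would also keep the /* digest size by default */ comment accurate if the default assignment is ever changed.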