diff mbox series

[Openvpn-devel,v4] ssl_verify_openssl: Avoid conversion warning in x509_verify_cert_ku

Message ID 20260119122058.14865-1-gert@greenie.muc.de
State New
Headers show
Series [Openvpn-devel,v4] ssl_verify_openssl: Avoid conversion warning in x509_verify_cert_ku | expand

Commit Message

Gert Doering Jan. 19, 2026, 12:20 p.m. UTC 
From: Frank Lichtenheld <frank@lichtenheld.com>

Just use the correct types.

v2:
 - Change type of expected_len argument to size_t

Change-Id: Ia6c3f0395bd6cd67064fe77420d9df2b66763049
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1445
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1445
This mail reflects revision 4 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering <gert@greenie.muc.de>

Comments

Gert Doering Jan. 19, 2026, 5:06 p.m. UTC | #1 
+1 on the v4 integer change from Mathias, and BB is happy as well -> +2 from
me, in it goes.  v4 is also quite simple and straightforward :-)

Your patch has been applied to the master branch.

commit de3ef0dc65036b6efc650c768e0296419a801b20
Author: Frank Lichtenheld
Date:   Mon Jan 19 13:20:51 2026 +0100

     ssl_verify_openssl: Avoid conversion warning in x509_verify_cert_ku

     Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1445
     Message-Id: <20260119122058.14865-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35322.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
diff mbox series

Patch

diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index 1d56533..d70f2df 100644
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -243,7 +243,7 @@ 
  *                      if key usage is not enabled, or the values do not match.
  */
 result_t x509_verify_cert_ku(openvpn_x509_cert_t *x509, const unsigned *const expected_ku,
-                             int expected_len);
+                             size_t expected_len);
 
 /*
  * Verify X.509 extended key usage extension field.
diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c
index b7de550..a38f5e9 100644
--- a/src/openvpn/ssl_verify_mbedtls.c
+++ b/src/openvpn/ssl_verify_mbedtls.c
@@ -483,7 +483,7 @@ 
 }
 
 result_t
-x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned *const expected_ku, int expected_len)
+x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned int *const expected_ku, size_t expected_len)
 {
     msg(D_HANDSHAKE, "Validating certificate key usage");
 
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 633f78d..ec7acf8 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -674,13 +674,8 @@ 
     return FAILURE;
 }
 
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wconversion"
-#endif
-
 result_t
-x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku, int expected_len)
+x509_verify_cert_ku(X509 *x509, const unsigned int *const expected_ku, size_t expected_len)
 {
     ASN1_BIT_STRING *ku = X509_get_ext_d2i(x509, NID_key_usage, NULL, NULL);
 
@@ -697,8 +692,8 @@ 
         return SUCCESS;
     }
 
-    unsigned nku = 0;
-    for (size_t i = 0; i < 8; i++)
+    unsigned int nku = 0;
+    for (int i = 0; i < 8; i++)
     {
         if (ASN1_BIT_STRING_get_bit(ku, i))
         {
@@ -738,10 +733,6 @@ 
     return fFound;
 }
 
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic pop
-#endif
-
 result_t
 x509_verify_cert_eku(X509 *x509, const char *const expected_oid)
 {