From patchwork Mon Jan 19 12:20:51 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 4716 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:9186:b0:80a:3855:ce6a with SMTP id j6csp3152513maf; Mon, 19 Jan 2026 04:21:11 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCXvOwx5FNxKLKtlhAZCA5mNsdHNBpVfcqNGGg3Kyw/gJs8Lr2YPZm2BWtTCd+wBLHhq6BVmXQziUOo=@openvpn.net X-Received: by 2002:a05:6830:2e07:b0:7cf:da7d:539f with SMTP id 46e09a7af769-7cfdeebeb0emr6016848a34.37.1768825271419; Mon, 19 Jan 2026 04:21:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1768825271; cv=none; d=google.com; s=arc-20240605; b=hPGUFMm13zs5xw3Q4bprS9K/4mWKTQnCv+Ed5DfCvmpLmYjah4QjC6Zo9CCPRCJYXk /DUcVwGkEsVlz6mim0/Ah9dWhQDrCdTfCetkWpptz55FEMWDh+c66buhduiWqXEvTawC zAev0j9/Awk/NKgp2SmJ2dE59MrH2+a0ClJGzkXfNI12LTPlOrSu5OLfKt4os/xyU4j+ K7SFs8Twb42PxFczz0fcp2CiuKmJe2bI7KIUQHoSyUgEzZVT1zGHuo3VnDVaya2MNM+B 7I4DXRickWEkFXDdfbWWKXEVPPy++mabLV8SwAZGQSlrk6umT8s/zczjYQ0PJoUV6lN5 b9+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=kF+oqGmgQAIUvd6rQ9JPd9w0HFE0bLOdYh7q4rP5VqI=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=j9NPzm6vxBWtmrKSpnnrYbvfGjrxZOLWqvUJvViKIp7ZoHkWYDVnnaEoRP46t40XRh ivTFPt1RpCC9mLne/+Wb8WMu5+M+ZkHTR0HxqQOj4fUDfyd+nYkUvr5YsWhxFpgtwOFg +YskMJQcga0gYDwx2/UX5shU9/nYFTvI/C3j0UD0QASc/oNy2ev26Q+Zy8pfyjTDvcC5 FNbwGRfSBeHd6Lcyi7hQGG8giVgqztaW03gMF6PEKP3mcv6YMfJKAqcVEbaj6FSZ0qNx snQUsbXoYqpXDb0rJjJAsMATwBXkbzWyKWoGgxXRuVB9FP0QLP3O8RMvOGSI7jumYsyD PZ3g==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=EDULLaAw; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=eltw76L+; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=N2BgzX13; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 46e09a7af769-7cfdf4269e6si5328298a34.81.2026.01.19.04.21.11 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Jan 2026 04:21:11 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=EDULLaAw; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=eltw76L+; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=N2BgzX13; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=kF+oqGmgQAIUvd6rQ9JPd9w0HFE0bLOdYh7q4rP5VqI=; b=EDULLaAwRQ4B+PJpAiRQa8qOdS XTHtfv35afR6h02Um7T2HSCzFWR3vU4RKaIk6gGh9Hf7Vri6kQdoZbuUKn2uvHlF4UAP/f2mtjms3 lUDjH42xIejzDhQjXrGAIcLPSZzSvHVSCppO+2Pg8wd5KSW/QZFv41c5Mr2zivAMGxYo=; Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1vhoFo-0007eL-86; Mon, 19 Jan 2026 12:21:08 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1vhoFn-0007eE-1v for openvpn-devel@lists.sourceforge.net; Mon, 19 Jan 2026 12:21:07 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=F+J/GZfe3tYiLp4/22dzUGTN8WIbpd1vixKF7lRMIEE=; b=eltw76L+OkYJiIXlOWBcZ0l9mD SOZmkaiTED8Sjpld6Qa4vdQrUHfvf0kAGgSX9bX/rXqaGmnib9cFPCGuyWweg/mdkaK9TcZuUXEtU aOoY4yPMzdQ5LHacd+c2onxzc3hOG9x4/lShMoKAYqtdFyvEuSobUQ1Z5XX7T6NfyQ34=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=F+J/GZfe3tYiLp4/22dzUGTN8WIbpd1vixKF7lRMIEE=; b=N2BgzX13HEhHFfcMcxVvYT1NPm MVnQer7jo1VTaljxaxIoLhK/zLgHi1IovB1lb6N2QwN61UoWfVYmKXMgM5vf3GzS51AgbliqeZL5c //IIQGowIXs8HWmG9fOGOdXCrJzCSP44idsdxFY30DLvOsLZCYcXRN01eSJ1mAtc18sI=; Received: from [193.149.48.134] (helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1vhoFl-0001ob-QS for openvpn-devel@lists.sourceforge.net; Mon, 19 Jan 2026 12:21:06 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.18.1/8.18.1) with ESMTP id 60JCKwJL014880 for ; Mon, 19 Jan 2026 13:20:58 +0100 Received: (from gert@localhost) by blue.greenie.muc.de (8.18.1/8.18.1/Submit) id 60JCKw9B014879 for openvpn-devel@lists.sourceforge.net; Mon, 19 Jan 2026 13:20:58 +0100 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Mon, 19 Jan 2026 13:20:51 +0100 Message-ID: <20260119122058.14865-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.51.2 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-2.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Frank Lichtenheld Just use the correct types. v2: - Change type of expected_len argument to size_t Content analysis details: (1.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#DnsBlocklists-dnsbl-block for more information. [193.149.48.134 listed in list.dnswl.org] 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS X-Headers-End: 1vhoFl-0001ob-QS Subject: [Openvpn-devel] [PATCH v4] ssl_verify_openssl: Avoid conversion warning in x509_verify_cert_ku X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1854747727889960882?= X-GMAIL-MSGID: =?utf-8?q?1854747727889960882?= From: Frank Lichtenheld Just use the correct types. v2: - Change type of expected_len argument to size_t Change-Id: Ia6c3f0395bd6cd67064fe77420d9df2b66763049 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1445 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1445 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h index 1d56533..d70f2df 100644 --- a/src/openvpn/ssl_verify_backend.h +++ b/src/openvpn/ssl_verify_backend.h @@ -243,7 +243,7 @@ * if key usage is not enabled, or the values do not match. */ result_t x509_verify_cert_ku(openvpn_x509_cert_t *x509, const unsigned *const expected_ku, - int expected_len); + size_t expected_len); /* * Verify X.509 extended key usage extension field. diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index b7de550..a38f5e9 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -483,7 +483,7 @@ } result_t -x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned *const expected_ku, int expected_len) +x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned int *const expected_ku, size_t expected_len) { msg(D_HANDSHAKE, "Validating certificate key usage"); diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 633f78d..ec7acf8 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -674,13 +674,8 @@ return FAILURE; } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wconversion" -#endif - result_t -x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku, int expected_len) +x509_verify_cert_ku(X509 *x509, const unsigned int *const expected_ku, size_t expected_len) { ASN1_BIT_STRING *ku = X509_get_ext_d2i(x509, NID_key_usage, NULL, NULL); @@ -697,8 +692,8 @@ return SUCCESS; } - unsigned nku = 0; - for (size_t i = 0; i < 8; i++) + unsigned int nku = 0; + for (int i = 0; i < 8; i++) { if (ASN1_BIT_STRING_get_bit(ku, i)) { @@ -738,10 +733,6 @@ return fFound; } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic pop -#endif - result_t x509_verify_cert_eku(X509 *x509, const char *const expected_oid) {