[Openvpn-devel,v2] AWS-LC: Use openssl_stack_size_t for declaring stack size

Message ID 20260609155211.30747-1-gert@greenie.muc.de

Commit Message

Gert Doering June 9, 2026, 3:52 p.m. UTC
  From: Arne Schwabe <arne@rfc2549.org>

OpenSSL and AWS-LC disagree on the type that they use for
stack size. Instead of doing a lot of various casts, use
a typedef to avoid these casts and use the right type for
each library.

Change-Id: Ifd29485524674c64d56fc5f7ef8bdd1e00215fc9
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1627
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1627
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld <frank@lichtenheld.com>
  

Patch

diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 3494ce6..ec059ac 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -49,8 +49,12 @@ 
  * intrusive than casts everywhere */
 #if defined(OPENSSL_IS_AWSLC)
 typedef uint32_t openssl_err_t;
+typedef size_t openssl_stack_size_t;
+#define PRI_OPENSSL_STACK "zu"
 #else
 typedef unsigned long openssl_err_t;
+typedef int openssl_stack_size_t;
+#define PRI_OPENSSL_STACK "d"
 #endif
 
 
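Review bot: The new typedef and format macro in both branches carry no comment saying which API they model, while the neighbouring openssl_err_t is covered by the comment cut off at the top of the hunk. A one-line comment above them would help a reader who meets openssl_stack_size_t in a loop header: `/* Type returned by sk_*_num() and taken by sk_*_value(): size_t in AWS-LC, int in OpenSSL. */`. It is also worth recording there that the OpenSSL side must stay signed: OpenSSL's sk_*_num() returns -1 for a NULL stack, and the `i < sk_*_num(...)` loops in the other hunks rely on that comparison being false rather than on an unsigned wrap.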
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 6130dc3..6ce5f3f 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -981,7 +981,6 @@ 
     X509 *cert;
     STACK_OF(X509) *ca = NULL;
     PKCS12 *p12;
-    int i;
     char password[256];
 
     ASSERT(NULL != ctx);
@@ -1065,7 +1064,7 @@ 
          */
         if (ca && sk_X509_num(ca))
         {
-            for (i = 0; i < sk_X509_num(ca); i++)
+            for (openssl_stack_size_t i = 0; i < sk_X509_num(ca); i++)
             {
                 X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx);
                 if (!X509_STORE_add_cert(cert_store, sk_X509_value(ca, i)))
@@ -1090,7 +1089,7 @@ 
          */
         if (ca && sk_X509_num(ca))
         {
-            for (i = 0; i < sk_X509_num(ca); i++)
+            for (openssl_stack_size_t i = 0; i < sk_X509_num(ca); i++)
             {
                 if (!SSL_CTX_add_extra_chain_cert(ctx->ctx, sk_X509_value(ca, i)))
                 {
@@ -1855,7 +1854,7 @@ 
     X509_LOOKUP *lookup = NULL;
     X509_STORE *store = NULL;
     BIO *in = NULL;
-    int i, added = 0, prev = 0;
+    openssl_stack_size_t added = 0, prev = 0;
 
     ASSERT(NULL != ctx);
 
@@ -1884,7 +1883,7 @@ 
 
         if (info_stack)
         {
-            for (i = 0; i < sk_X509_INFO_num(info_stack); i++)
+            for (openssl_stack_size_t i = 0; i < sk_X509_INFO_num(info_stack); i++)
             {
                 X509_INFO *info = sk_X509_INFO_value(info_stack, i);
                 if (info->crl)
@@ -1942,11 +1941,11 @@ 
 
                 if (tls_server)
                 {
-                    int cnum = sk_X509_NAME_num(cert_names);
+                    openssl_stack_size_t cnum = sk_X509_NAME_num(cert_names);
                     if (cnum != (prev + 1))
                     {
                         crypto_msg(M_WARN,
-                                   "Cannot load CA certificate file %s (entry %d did not validate)",
+                                   "Cannot load CA certificate file %s (entry %" PRI_OPENSSL_STACK " did not validate)",
                                    print_key_filename(ca_file, ca_file_inline), added);
                     }
                     prev = cnum;
@@ -1954,7 +1953,7 @@ 
             }
             sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
         }
-        int cnum;
+        openssl_stack_size_t cnum;
         if (tls_server)
         {
             cnum = sk_X509_NAME_num(cert_names);
@@ -1972,8 +1971,8 @@ 
             if (cnum != added)
             {
                 crypto_msg(M_FATAL,
-                           "Cannot load CA certificate file %s (only %d "
-                           "of %d entries were valid X509 names)",
+                           "Cannot load CA certificate file %s (only %" PRI_OPENSSL_STACK
+                           "of %" PRI_OPENSSL_STACK "entries were valid X509 names)",
                            print_key_filename(ca_file, ca_file_inline), cnum, added);
             }
         }
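Review bot: The two rewritten format-string lines drop the spaces the old text had around the numbers: once PRI_OPENSSL_STACK expands, the literals concatenate to `(only %dof %dentries were valid X509 names)`, so the message prints as `only 3of 5entries`. The first fragment needs a trailing space after the macro and the second needs a space before `entries`, as the `(entry %" PRI_OPENSSL_STACK " did not validate)` line in the hunk at @@ -1942 already does: `"Cannot load CA certificate file %s (only %" PRI_OPENSSL_STACK " "` and `"of %" PRI_OPENSSL_STACK " entries were valid X509 names)",`. The enclosing function starts and ends outside the hunk.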
@@ -2622,7 +2621,7 @@ 
 #else
     STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
 #endif
-    for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++)
+    for (openssl_stack_size_t i = 0; i < sk_SSL_CIPHER_num(sk); i++)
     {
         const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
 
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index a30099d..6bb61b6 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -138,10 +138,10 @@ 
          * one, but we don't depend on it...
          */
 
-        int numalts = sk_GENERAL_NAME_num(extensions);
+        openssl_stack_size_t numalts = sk_GENERAL_NAME_num(extensions);
 
         /* loop through all alternatives */
-        for (int i = 0; i < numalts; i++)
+        for (openssl_stack_size_t i = 0; i < numalts; i++)
         {
             /* get a handle to alternative name number i */
             const GENERAL_NAME *name = sk_GENERAL_NAME_value(extensions, i);
@@ -763,10 +763,8 @@ 
     }
     else
     {
-        int i;
-
         msg(D_HANDSHAKE, "Validating certificate extended key usage");
-        for (i = 0; SUCCESS != fFound && i < sk_ASN1_OBJECT_num(eku); i++)
+        for (openssl_stack_size_t i = 0; SUCCESS != fFound && i < sk_ASN1_OBJECT_num(eku); i++)
         {
             ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(eku, i);
             char szOid[1024];