From patchwork Mon Mar 9 13:32:36 2026
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 4812
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Cc: Arne Schwabe
Date: Mon, 9 Mar 2026 14:32:36 +0100
Message-ID: <20260309133236.29732-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v7] ssl_verify_openssl: Clean up extract_x509_extension

* Avoid sign-compare warning when comparing string lengths
* Use the nicer alias rfc822Name instead of the general ia5 from the GENERAL_NAME union.
* Use the official ASN1_STRING_length API instead of accessing the struct directly.
* C11 changes

Change-Id: I23cc00aee47aef007ab2e7d50b52c6de299505db
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1507
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1507
This mail reflects revision 7 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 58f665c..46401cd 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -118,16 +118,10 @@ return nid == NID_subject_alt_name || nid == NID_issuer_alt_name; } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wsign-compare" -#endif - static bool extract_x509_extension(X509 *cert, char *fieldname, char *out, size_t size) { bool retval = false; - char *buf = 0; if (!x509_username_field_ext_supported(fieldname)) { 
@@ -139,29 +133,28 @@ GENERAL_NAMES *extensions = X509_get_ext_d2i(cert, nid, NULL, NULL); if (extensions) { - int numalts; - int i; /* get amount of alternatives, * RFC2459 claims there MUST be at least * one, but we don't depend on it... */ - numalts = sk_GENERAL_NAME_num(extensions); + int numalts = sk_GENERAL_NAME_num(extensions); /* loop through all alternatives */ - for (i = 0; i < numalts; i++) + for (int i = 0; i < numalts; i++) { /* get a handle to alternative name number i */ const GENERAL_NAME *name = sk_GENERAL_NAME_value(extensions, i); + char *buf = NULL; switch (name->type) { case GEN_EMAIL: - if (ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5) < 0) + if (ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.rfc822Name) < 0) { continue; } - if (strlen(buf) != name->d.ia5->length) + if ((ssize_t)strlen(buf) != ASN1_STRING_length(name->d.rfc822Name)) { msg(D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero"); OPENSSL_free(buf); @@ -175,7 +168,7 @@ break; default: - msg(D_TLS_DEBUG, "%s: ignoring general name field type %i", __func__, + msg(D_TLS_DEBUG, "%s: ignoring general name field type %d", __func__, name->type); break; } @@ -185,10 +178,6 @@ return retval; } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic pop -#endif - /* * Extract a field from an X509 subject name. *
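
Review bot: In the GEN_EMAIL case of the hunk at -139,29, the embedded-NUL check casts strlen(buf) to ssize_t, a POSIX type rather than ISO C, and compares it with the length of the source ASN1_STRING even though buf holds the UTF-8 conversion of that string. ASN1_STRING_to_UTF8 already returns the length of the converted buffer, and here that return value is only tested with < 0. Keeping it in an int and, once the negative case has been handled, checking strlen(buf) against that value cast to size_t would compare the buffer with its own length and need no ssize_t. The check itself should stay: it is what rejects an rfc822Name with an embedded NUL before the value is used as a username.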
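
Review bot: The hunks at -118,16 and -185,10 drop the -Wsign-compare suppression for the whole of extract_x509_extension, while the only comparison adjusted in the visible lines is the strlen check in the GEN_EMAIL case. The function also takes a size_t size parameter and part of the loop body falls outside the hunk context, so a build with -Wsign-compare enabled is worth confirming before merge. The commit message item "C11 changes" would also be easier to follow in the log if it named the changes it covers (the loop-scoped int i, numalts and buf declared at first use).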