From patchwork Sat Mar 14 17:09:43 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4830
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 14 Mar 2026 18:09:43 +0100
Message-ID: <20260314170948.2898-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.52.0
Subject: [Openvpn-devel] [PATCH v4] ssl_mbedtls: Avoid conversion and sign-compare warnings

From: Frank Lichtenheld
Change-Id: I777a3a5f4f137432a19746972e2aad1732184feb
Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1559 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1559 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index a9506ef..d0c481e 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -624,12 +624,6 @@ return 0; } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wconversion" -#pragma GCC diagnostic ignored "-Wsign-compare" -#endif - #if MBEDTLS_VERSION_NUMBER < 0x04000000 /** * external_pkcs1_sign implements a mbed TLS rsa_sign_func callback, that uses @@ -656,7 +650,6 @@ { struct external_context *const ctx = ctx_voidptr; int rv; - uint8_t *to_sign = NULL; size_t asn_len = 0, oid_size = 0; const char *oid = NULL; @@ -688,11 +681,13 @@ asn_len = 10 + oid_size; } - if ((SIZE_MAX - hashlen) < asn_len || ctx->signature_length < (asn_len + hashlen)) + if (ctx->signature_length < (asn_len + hashlen) + || (asn_len + hashlen) > UINT8_MAX) { return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } + uint8_t *to_sign = NULL; ALLOC_ARRAY_CLEAR(to_sign, uint8_t, asn_len + hashlen); uint8_t *p = to_sign; if (md_alg != MBEDTLS_MD_NONE) 
@@ -707,20 +702,20 @@ * Digest ::= OCTET STRING */ *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; - *p++ = (unsigned char)(0x08 + oid_size + hashlen); + *p++ = (uint8_t)(0x08 + oid_size + hashlen); *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; - *p++ = (unsigned char)(0x04 + oid_size); + *p++ = (uint8_t)(0x04 + oid_size); *p++ = MBEDTLS_ASN1_OID; - *p++ = oid_size & 0xFF; + *p++ = (uint8_t)oid_size; memcpy(p, oid, oid_size); p += oid_size; *p++ = MBEDTLS_ASN1_NULL; *p++ = 0x00; *p++ = MBEDTLS_ASN1_OCTET_STRING; - *p++ = hashlen; + *p++ = (uint8_t)hashlen; /* Double-check ASN length */ - ASSERT(asn_len == p - to_sign); + ASSERT(asn_len == (uintptr_t)(p - to_sign)); } /* Copy the hash to be signed */ @@ -810,7 +805,7 @@ goto cleanup; } - if (openvpn_base64_decode(dst_b64, dst, (int)dst_len) != dst_len) + if (openvpn_base64_decode(dst_b64, dst, (int)dst_len) != (int)dst_len) { goto cleanup; } @@ -923,6 +918,8 @@ { size_t read_len = 0; + ASSERT(out_len <= INT_MAX); + if (in->first_block == NULL) { return MBEDTLS_ERR_SSL_WANT_READ; @@ -930,7 +927,7 @@ while (in->first_block != NULL && read_len < out_len) { - int block_len = in->first_block->length - in->data_start; + size_t block_len = in->first_block->length - in->data_start; if (block_len <= out_len - read_len) { buffer_entry *cur_entry = in->first_block; @@ -956,7 +953,7 @@ } } - return read_len; + return (int)read_len; } static int @@ -975,6 +972,8 @@ return MBEDTLS_ERR_NET_SEND_FAILED; } + ASSERT(len <= INT_MAX); + new_block->length = len; new_block->next_block = NULL; @@ -992,7 +991,7 @@ out->last_block = new_block; - return len; + return (int)len; } static int @@ -1012,7 +1011,7 @@ static void my_debug(void *ctx, int level, const char *file, int line, const char *str) { - int my_loglevel = (level < 3) ? D_TLS_DEBUG_MED : D_TLS_DEBUG; + msglvl_t my_loglevel = (level < 3) ? D_TLS_DEBUG_MED : D_TLS_DEBUG; msg(my_loglevel, "mbed TLS msg (%s:%d): %s", file, line, str); } 
@@ -1048,10 +1047,6 @@ #endif /* MBEDTLS_VERSION_NUMBER < 0x040000 */ } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic pop -#endif - int tls_version_max(void) { diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 7495085..ad5479c 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -565,11 +565,6 @@ gc_free(&gc); } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wsign-compare" -#endif - /* * Save X509 fields to environment, using the naming convention: * @@ -678,10 +673,6 @@ return fFound; } -#if defined(__GNUC__) || defined(__clang__) -#pragma GCC diagnostic pop -#endif - result_t x509_verify_cert_eku(mbedtls_x509_crt *cert, const char *const expected_oid) {
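Review bot: in the hunk at @@ -656,7 +650,6 @@, moving `uint8_t *to_sign = NULL;` down past the length check is only safe if no error path above the new declaration jumps to a cleanup label that frees `to_sign`; the visible context shows plain `return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;` exits only, so this looks fine, but the rest of the function should be checked for a `goto` before the `ALLOC_ARRAY_CLEAR`.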
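Review bot: the rewritten check in the hunk at @@ -688,11 +681,13 @@ drops the `(SIZE_MAX - hashlen) < asn_len` overflow guard without saying why, and neither the hunk nor the commit message explains the new `(asn_len + hashlen) > UINT8_MAX` bound. That bound is what makes the `(uint8_t)` casts in the following ASN.1 hunk sound: `asn_len` is `10 + oid_size` per the context line above the check, so `0x08 + oid_size + hashlen`, `0x04 + oid_size`, `oid_size` and `hashlen` all stay below 256 whenever the sum is at most UINT8_MAX. With `asn_len` capped that way and `hashlen` a digest length, the old SIZE_MAX guard was unreachable in practice, which is the justification for removing it. Please put both points in the commit message or in a comment next to the `if`, e.g. `/* bound keeps the single-byte ASN.1 length fields below 256 */`, so the next reader does not have to rederive them.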
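Review bot: in the hunk at @@ -707,20 +702,20 @@, `ASSERT(asn_len == (uintptr_t)(p - to_sign));` casts a `ptrdiff_t` to `uintptr_t`, which is the type for holding pointer values rather than pointer differences; the natural type to compare against a `size_t` is `size_t`, so `ASSERT(asn_len == (size_t)(p - to_sign));` reads better and sidesteps the question of whether `uintptr_t` and `size_t` have the same width on every target. The `(uint8_t)` casts on the length bytes are correct only because the preceding hunk rejects `asn_len + hashlen > UINT8_MAX`; a one-line comment at the first cast pointing at that check keeps the two from drifting apart in future edits.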
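Review bot: casting both sides to `int` in the hunk at @@ -810,7 +805,7 @@ (`openvpn_base64_decode(dst_b64, dst, (int)dst_len) != (int)dst_len`) silences the sign-compare warning but still assumes `dst_len <= INT_MAX`; if `dst_len` could exceed that, the argument cast is already wrong and the comparison would match two truncated values. The later hunks in this file add `ASSERT(out_len <= INT_MAX)` and `ASSERT(len <= INT_MAX)` for the same pattern, so either add `ASSERT(dst_len <= INT_MAX);` before the call or note where `dst_len` is bounded.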
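Review bot: across the read-path hunks at @@ -923,6 +918,8 @@, @@ -930,7 +927,7 @@ and @@ -956,7 +953,7 @@, the new `ASSERT(out_len <= INT_MAX)` together with the loop condition `read_len < out_len` is what makes `return (int)read_len;` well defined, since `read_len` never exceeds `out_len`; a short comment at the return saying the cast is covered by the assertion would help. With `block_len` now `size_t`, a `data_start > length` inconsistency wraps to a huge value instead of going negative, but the old `int` version was converted to `size_t` in the `block_len <= out_len - read_len` comparison anyway, so behaviour is unchanged; an `ASSERT(in->data_start <= in->first_block->length)` would make that invariant explicit.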
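Review bot: in the hunk at @@ -975,6 +972,8 @@, `ASSERT(len <= INT_MAX);` is placed after `new_block` has already been allocated; moving it to the top of the function, before the allocation, keeps the precondition next to the parameter it validates and is the usual place for such a check. The same assertion is also what makes `return (int)len;` in the hunk at @@ -992,7 +991,7 @@ valid, so the two should be read together.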
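Review bot: with the push/pop pair removed in the hunks at @@ -624,12 +624,6 @@ and @@ -1048,10 +1047,6 @@, the code between them for the `MBEDTLS_VERSION_NUMBER >= 0x04000000` path is now also compiled with -Wconversion and -Wsign-compare active, yet none of the hunks touch that path; the commit message should state that the build was checked against both mbed TLS 3.x and 4.x with those warnings enabled. Drive-by on an unchanged context line: the `#endif /* MBEDTLS_VERSION_NUMBER < 0x040000 */` comment is missing two digits relative to the `#if MBEDTLS_VERSION_NUMBER < 0x04000000` it closes.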
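Review bot: both hunks in ssl_verify_mbedtls.c (@@ -565,11 +565,6 @@ and @@ -678,10 +673,6 @@) only delete the -Wsign-compare push/pop and change no code in the region they enclosed (the X509-to-environment save through the function returning `fFound`), so either that region never produced a warning or it was fixed in an earlier change; the commit message should say which, so a reviewer can tell the suppression was redundant rather than merely removed.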