From patchwork Tue Jun 9 15:52:06 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 5023
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 9 Jun 2026 17:52:06 +0200
Message-ID: <20260609155211.30747-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v2] AWS-LC: Use openssl_stack_size_t for declaring stack size

From: Arne Schwabe OpenSSL and AWS-LC disagree on the type that they use for stack size. Instead of doing a lot of various casts, use a typedef to avoid these casts and use the right type for each library. Change-Id: Ifd29485524674c64d56fc5f7ef8bdd1e00215fc9 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1627 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1627 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index 3494ce6..ec059ac 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -49,8 +49,12 @@ * intrusive than casts everywhere */ #if defined(OPENSSL_IS_AWSLC) typedef uint32_t openssl_err_t; +typedef size_t openssl_stack_size_t; +#define PRI_OPENSSL_STACK "zu" #else typedef unsigned long openssl_err_t; +typedef int openssl_stack_size_t; +#define PRI_OPENSSL_STACK "d" #endif diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 6130dc3..6ce5f3f 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -981,7 +981,6 @@ X509 *cert; STACK_OF(X509) *ca = NULL; PKCS12 *p12; - int i; char password[256]; ASSERT(NULL != ctx); @@ -1065,7 +1064,7 @@ */ if (ca && sk_X509_num(ca)) { - for (i = 0; i < sk_X509_num(ca); i++) + for (openssl_stack_size_t i = 0; i < sk_X509_num(ca); i++) { X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx); if (!X509_STORE_add_cert(cert_store, sk_X509_value(ca, i))) @@ -1090,7 +1089,7 @@ */ if (ca && sk_X509_num(ca)) { - for (i = 0; i < sk_X509_num(ca); i++) + for (openssl_stack_size_t i = 0; i < sk_X509_num(ca); i++) { if (!SSL_CTX_add_extra_chain_cert(ctx->ctx, sk_X509_value(ca, i))) { 
@@ -1855,7 +1854,7 @@ X509_LOOKUP *lookup = NULL; X509_STORE *store = NULL; BIO *in = NULL; - int i, added = 0, prev = 0; + openssl_stack_size_t added = 0, prev = 0; ASSERT(NULL != ctx); @@ -1884,7 +1883,7 @@ if (info_stack) { - for (i = 0; i < sk_X509_INFO_num(info_stack); i++) + for (openssl_stack_size_t i = 0; i < sk_X509_INFO_num(info_stack); i++) { X509_INFO *info = sk_X509_INFO_value(info_stack, i); if (info->crl) @@ -1942,11 +1941,11 @@ if (tls_server) { - int cnum = sk_X509_NAME_num(cert_names); + openssl_stack_size_t cnum = sk_X509_NAME_num(cert_names); if (cnum != (prev + 1)) { crypto_msg(M_WARN, - "Cannot load CA certificate file %s (entry %d did not validate)", + "Cannot load CA certificate file %s (entry %" PRI_OPENSSL_STACK " did not validate)", print_key_filename(ca_file, ca_file_inline), added); } prev = cnum; @@ -1954,7 +1953,7 @@ } sk_X509_INFO_pop_free(info_stack, X509_INFO_free); } - int cnum; + openssl_stack_size_t cnum; if (tls_server) { cnum = sk_X509_NAME_num(cert_names); @@ -1972,8 +1971,8 @@ if (cnum != added) { crypto_msg(M_FATAL, - "Cannot load CA certificate file %s (only %d " - "of %d entries were valid X509 names)", + "Cannot load CA certificate file %s (only %" PRI_OPENSSL_STACK + "of %" PRI_OPENSSL_STACK "entries were valid X509 names)", print_key_filename(ca_file, ca_file_inline), cnum, added); } } @@ -2622,7 +2621,7 @@ #else STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl); #endif - for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) + for (openssl_stack_size_t i = 0; i < sk_SSL_CIPHER_num(sk); i++) { const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i); diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index a30099d..6bb61b6 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c 
@@ -138,10 +138,10 @@ * one, but we don't depend on it... */ - int numalts = sk_GENERAL_NAME_num(extensions); + openssl_stack_size_t numalts = sk_GENERAL_NAME_num(extensions); /* loop through all alternatives */ - for (int i = 0; i < numalts; i++) + for (openssl_stack_size_t i = 0; i < numalts; i++) { /* get a handle to alternative name number i */ const GENERAL_NAME *name = sk_GENERAL_NAME_value(extensions, i); @@ -763,10 +763,8 @@ } else { - int i; - msg(D_HANDSHAKE, "Validating certificate extended key usage"); - for (i = 0; SUCCESS != fFound && i < sk_ASN1_OBJECT_num(eku); i++) + for (openssl_stack_size_t i = 0; SUCCESS != fFound && i < sk_ASN1_OBJECT_num(eku); i++) { ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(eku, i); char szOid[1024];
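Review bot: in src/openvpn/openssl_compat.h (hunk @@ -49,8 +49,12 @@) the new `openssl_stack_size_t` typedef and the `PRI_OPENSSL_STACK` macro are added without any comment, and the two branches differ in signedness (`size_t` for AWS-LC, `int` otherwise). Suggest a short comment next to the typedefs saying that the type is meant to hold the result of the `sk_*_num()` calls, that such values must be printed with `PRI_OPENSSL_STACK` rather than a hard-coded `%d`, and that code using it must not depend on negative values or on decrementing below zero, because that behaves differently in the two builds.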
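Review bot: the M_FATAL message in hunk @@ -1972,8 +1971,8 @@ of src/openvpn/ssl_openssl.c lost its separating spaces when `%d` was replaced. The literals `"... (only %" PRI_OPENSSL_STACK "of %" PRI_OPENSSL_STACK "entries were valid X509 names)"` concatenate to `only %zuof %zuentries` on AWS-LC and `only %dof %dentries` on OpenSSL, so the two numbers run into the following words in the log output. The string pieces after each macro need a leading space, i.e. `" of %"` and `" entries were valid X509 names)"`, the same way the M_WARN message in hunk @@ -1942,11 +1941,11 @@ keeps its space in `" did not validate)"`.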