Attention is currently required from: plaisthos. Hello plaisthos,
I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1104?usp=email to look at the new patch set (#2). Change subject: ssl_common: Make sure ssl flags are treated as unsigned ...................................................................... ssl_common: Make sure ssl flags are treated as unsigned tls_options.ssl_flags is already unsigned, make sure the flags are as well to avoid spurious conversion warnings. Also fix various warning regarding the use of the flags for TLS version handling. Change-Id: I03e5ece7580ca4ebd41a7928ead544df46e8bad1 Signed-off-by: Frank Lichtenheld <fr...@lichtenheld.com> --- M src/openvpn/options.c M src/openvpn/ssl_common.h 2 files changed, 20 insertions(+), 22 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/04/1104/2 diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 0662b49..6ad1170 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2722,14 +2722,14 @@ "may accept clients which do not present a certificate"); } - const int tls_version_max = + const unsigned int tls_version_max = (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; - const int tls_version_min = + const unsigned int tls_version_min = (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK; - if (tls_version_max > 0 && tls_version_max < tls_version_min) + if (tls_version_max < tls_version_min) { msg(M_USAGE, "--tls-version-min bigger than --tls-version-max"); } 
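Review bot: Dropping `tls_version_max > 0` from the range check changes behaviour, not only the type. If 0 in the max field means that no --tls-version-max was given (the next hunk reads `tls_ver_min == 0` as "TLS min version is not set", so this looks likely), a config that sets only --tls-version-min now satisfies `tls_version_max < tls_version_min` and is rejected with M_USAGE. The unsigned conversion does not require this, so keep `if (tls_version_max > 0 && tls_version_max < tls_version_min)`, or use `tls_version_max != 0 && ...` if the warning was about the comparison form. The enclosing function starts and ends outside the hunk.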
@@ -3387,12 +3387,12 @@ options_set_backwards_compatible_options(struct options *o) { /* TLS min version is not set */ - int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) - & SSLF_TLS_VERSION_MIN_MASK; + unsigned int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) + & SSLF_TLS_VERSION_MIN_MASK; if (tls_ver_min == 0) { - int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) - & SSLF_TLS_VERSION_MAX_MASK; + unsigned int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) + & SSLF_TLS_VERSION_MAX_MASK; if (need_compatibility_before(o, 20307)) { /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */ @@ -9074,9 +9074,8 @@ } else if (streq(p[0], "tls-version-min") && p[1] && !p[3]) { - int ver; VERIFY_PERMISSION(OPT_P_GENERAL); - ver = tls_version_parse(p[1], p[2]); + int ver = tls_version_parse(p[1], p[2]); if (ver == TLS_VER_BAD) { msg(msglevel, "unknown tls-version-min parameter: %s", p[1]); @@ -9093,13 +9092,12 @@ options->ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT); - options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT); + options->ssl_flags |= ((unsigned int)ver << SSLF_TLS_VERSION_MIN_SHIFT); } else if (streq(p[0], "tls-version-max") && p[1] && !p[2]) { - int ver; VERIFY_PERMISSION(OPT_P_GENERAL); - ver = tls_version_parse(p[1], NULL); + int ver = tls_version_parse(p[1], NULL); if (ver == TLS_VER_BAD) { msg(msglevel, "unknown tls-version-max parameter: %s", p[1]); @@ -9107,7 +9105,7 @@ } options->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT); - options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT); + options->ssl_flags |= ((unsigned int)ver << SSLF_TLS_VERSION_MAX_SHIFT); } #ifndef ENABLE_CRYPTO_MBEDTLS else if (streq(p[0], "pkcs12") && p[1] && !p[2]) diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index e9e50da..750891c 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h 
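Review bot: The `(unsigned int)ver` cast in the tls-version-min assignment is only safe while `ver` is non-negative and fits in four bits. The only guard visible here is `ver == TLS_VER_BAD`, and the range returned by tls_version_parse() is not shown. Masking before the shift would stop a stray value from spilling into the neighbouring MAX field: `options->ssl_flags |= (((unsigned int)ver & SSLF_TLS_VERSION_MIN_MASK) << SSLF_TLS_VERSION_MIN_SHIFT);`. The same applies to the tls-version-max assignment in the following hunk, where an oversized value would reach SSLF_TLS_DEBUG_ENABLED at bit 14. Both option branches begin outside their hunks.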
@@ -415,17 +415,17 @@ #endif /* configuration file SSL-related boolean and low-permutation options */ -#define SSLF_CLIENT_CERT_NOT_REQUIRED (1<<0) -#define SSLF_CLIENT_CERT_OPTIONAL (1<<1) -#define SSLF_USERNAME_AS_COMMON_NAME (1<<2) -#define SSLF_AUTH_USER_PASS_OPTIONAL (1<<3) -#define SSLF_OPT_VERIFY (1<<4) -#define SSLF_CRL_VERIFY_DIR (1<<5) +#define SSLF_CLIENT_CERT_NOT_REQUIRED (1u<<0) +#define SSLF_CLIENT_CERT_OPTIONAL (1u<<1) +#define SSLF_USERNAME_AS_COMMON_NAME (1u<<2) +#define SSLF_AUTH_USER_PASS_OPTIONAL (1u<<3) +#define SSLF_OPT_VERIFY (1u<<4) +#define SSLF_CRL_VERIFY_DIR (1u<<5) #define SSLF_TLS_VERSION_MIN_SHIFT 6 -#define SSLF_TLS_VERSION_MIN_MASK 0xF /* (uses bit positions 6 to 9) */ +#define SSLF_TLS_VERSION_MIN_MASK 0xFu /* (uses bit positions 6 to 9) */ #define SSLF_TLS_VERSION_MAX_SHIFT 10 -#define SSLF_TLS_VERSION_MAX_MASK 0xF /* (uses bit positions 10 to 13) */ -#define SSLF_TLS_DEBUG_ENABLED (1<<14) +#define SSLF_TLS_VERSION_MAX_MASK 0xFu /* (uses bit positions 10 to 13) */ +#define SSLF_TLS_DEBUG_ENABLED (1u<<14) unsigned int ssl_flags; #ifdef ENABLE_MANAGEMENT -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1104?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I03e5ece7580ca4ebd41a7928ead544df46e8bad1 Gerrit-Change-Number: 1104 Gerrit-PatchSet: 2 Gerrit-Owner: flichtenheld <fr...@lichtenheld.com> Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org> Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net> Gerrit-Attention: plaisthos <arne-open...@rfc2549.org> Gerrit-MessageType: newpatchset
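Review bot: The comments on the two version masks give the bit positions but not the encoding, and options.c depends on it: `tls_ver_min == 0` is treated there as "TLS min version is not set". A short comment beside the masks would make that contract explicit, for example `/* value 0 in a version field means the option was not given */`. This assumes the same holds for the MAX field, which should be confirmed. The enclosing struct starts and ends outside the hunk.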