plaisthos has uploaded this change for review. (
http://gerrit.openvpn.net/c/openvpn/+/1569?usp=email )
Change subject: Make aws-lc -Werrror clean
......................................................................
Make aws-lc -Werrror clean
Change-Id: I8ff30785f78fdcda136ef3fe982f8cda2edec059
---
M .github/workflows/build.yaml
M src/openvpn/crypto_openssl.c
M src/openvpn/openssl_compat.h
M src/openvpn/ssl_openssl.c
M src/openvpn/ssl_verify_openssl.c
5 files changed, 42 insertions(+), 33 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/69/1569/1
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4207606..48373f9 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -498,7 +498,7 @@
OPENSSL_CFLAGS="-I${{ env.AWS_LC_INSTALL }}/include" \
OPENSSL_LIBS="-L${{ env.AWS_LC_INSTALL }}/lib -lssl -lcrypto" \
LDFLAGS="-Wl,-rpath=${{ env.AWS_LC_INSTALL }}/lib" \
- ./configure --with-crypto-library=openssl
+ ./configure --with-crypto-library=openssl --enable-werror
- name: make all
run: make -j3
- name: Ensure the build uses AWS-LC
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index b6e2106..9beaf95 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -229,7 +229,7 @@
void
crypto_print_openssl_errors(const unsigned int flags)
{
- unsigned long err = 0;
+ openssl_err_t err = 0;
int line, errflags;
const char *file, *data, *func;
@@ -425,7 +425,7 @@
print_digest(EVP_MD *digest, void *unused)
{
printf("%s %d bit digest size\n", md_kt_name(EVP_MD_get0_name(digest)),
- EVP_MD_size(digest) * 8);
+ (int)EVP_MD_size(digest) * 8);
}
void
@@ -1022,7 +1022,7 @@
"Message hash algorithm '%s' uses a default hash "
"size (%d bytes) which is larger than " PACKAGE_NAME "'s
current "
"maximum hash size (%d bytes)",
- digest, EVP_MD_size(md), MAX_HMAC_KEY_LENGTH);
+ digest, (int)EVP_MD_size(md), MAX_HMAC_KEY_LENGTH);
}
return md;
}
@@ -1152,7 +1152,7 @@
int
md_ctx_size(const EVP_MD_CTX *ctx)
{
- return EVP_MD_CTX_size(ctx);
+ return (int)EVP_MD_CTX_size(ctx);
}
void
@@ -1201,7 +1201,7 @@
evp_md_type *kt = md_get(mdname);
ASSERT(NULL != kt && NULL != ctx);
- int key_len = EVP_MD_size(kt);
+ size_t key_len = EVP_MD_size(kt);
HMAC_CTX_reset(ctx);
if (!HMAC_Init_ex(ctx, key, key_len, kt, NULL))
{
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index ab011d3..8fdb39a 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -45,6 +45,15 @@
#include <openssl/x509.h>
#include <openssl/err.h>
+/* Define the type of error. This is something that is less
+ * intrusive than casts everywhere */
+#if defined(OPENSSL_IS_AWSLC)
+typedef uint32_t openssl_err_t;
+#else
+typedef unsigned long openssl_err_t;
+#endif
+
+
/* Functionality missing in 1.1.0 */
#if OPENSSL_VERSION_NUMBER < 0x10101000L && !defined(ENABLE_CRYPTO_WOLFSSL)
#define SSL_CTX_set1_groups SSL_CTX_set1_curves
@@ -157,12 +166,12 @@
/* OpenSSL 1.1.1 and lower use only const EVP_MD, nothing to free */
}
-static inline unsigned long
+static inline openssl_err_t
ERR_get_error_all(const char **file, int *line, const char **func, const char
**data, int *flags)
{
static const char *empty = "";
*func = empty;
- unsigned long err = ERR_get_error_line_data(file, line, data, flags);
+ openssl_err_t err = ERR_get_error_line_data(file, line, data, flags);
return err;
}
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 48cbaa8..066ebab 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -518,8 +518,9 @@
void
tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
{
-#if OPENSSL_VERSION_NUMBER > 0x10100000L \
- && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >
0x3060000fL)
+#if OPENSSL_VERSION_NUMBER > 0x10100000L
\
+ && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >
0x3060000fL) \
+ && !defined(OPENSSL_IS_AWSLC)
/* OpenSSL does not have certificate profiles, but a complex set of
* callbacks that we could try to implement to achieve something similar.
* For now, use OpenSSL's security levels to achieve similar (but not
equal)
@@ -549,7 +550,7 @@
if (profile)
{
msg(M_WARN,
- "WARNING: OpenSSL 1.1.0 and LibreSSL do not support "
+ "WARNING: OpenSSL 1.1.0, aws-lc and LibreSSL do not support "
"--tls-cert-profile, ignoring user-set profile: '%s'",
profile);
}
@@ -906,7 +907,6 @@
X509 *cert;
STACK_OF(X509) *ca = NULL;
PKCS12 *p12;
- int i;
char password[256];
ASSERT(NULL != ctx);
@@ -990,7 +990,7 @@
*/
if (ca && sk_X509_num(ca))
{
- for (i = 0; i < sk_X509_num(ca); i++)
+ for (size_t i = 0; i < (size_t)sk_X509_num(ca); i++)
{
X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx);
if (!X509_STORE_add_cert(cert_store, sk_X509_value(ca, i)))
@@ -1015,7 +1015,7 @@
*/
if (ca && sk_X509_num(ca))
{
- for (i = 0; i < sk_X509_num(ca); i++)
+ for (size_t i = 0; i < (size_t)sk_X509_num(ca); i++)
{
if (!SSL_CTX_add_extra_chain_cert(ctx->ctx, sk_X509_value(ca,
i)))
{
@@ -1331,7 +1331,7 @@
* we need to manually find the CRL object from the stack
* and remove it */
STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
- for (int i = 0; i < sk_X509_OBJECT_num(objs); i++)
+ for (size_t i = 0; i < (size_t)sk_X509_OBJECT_num(objs); i++)
{
X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
ASSERT(obj);
@@ -1591,7 +1591,7 @@
ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char
*sig,
unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY
*ec)
{
- int capacity = ECDSA_size(ec);
+ int capacity = (int)ECDSA_size(ec);
/*
* ECDSA does not seem to have proper constants for paddings since
* there are only signatures without padding at the moment, use
@@ -1607,12 +1607,14 @@
return 0;
}
+#ifndef OPENSSL_IS_AWSLC
/* EC_KEY_METHOD callback: sign_setup(). We do no precomputations */
static int
ecdsa_sign_setup(EC_KEY *ec, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
{
return 1;
}
+#endif
/* EC_KEY_METHOD callback: sign_sig().
* Sign the hash and return the result as a newly allocated ECDS_SIG
@@ -1623,7 +1625,7 @@
EC_KEY *ec)
{
ECDSA_SIG *ecsig = NULL;
- unsigned int len = ECDSA_size(ec);
+ unsigned int len = (unsigned int)ECDSA_size(ec);
struct gc_arena gc = gc_new();
unsigned char *buf = gc_malloc(len, false, &gc);
@@ -1790,7 +1792,7 @@
X509_STORE *store = NULL;
X509_NAME *xn = NULL;
BIO *in = NULL;
- int i, added = 0, prev = 0;
+ size_t added = 0, prev = 0;
ASSERT(NULL != ctx);
@@ -1819,7 +1821,7 @@
if (info_stack)
{
- for (i = 0; i < sk_X509_INFO_num(info_stack); i++)
+ for (size_t i = 0; i < (size_t)sk_X509_INFO_num(info_stack); i++)
{
X509_INFO *info = sk_X509_INFO_value(info_stack, i);
if (info->crl)
@@ -1872,11 +1874,11 @@
if (tls_server)
{
- int cnum = sk_X509_NAME_num(cert_names);
+ size_t cnum = sk_X509_NAME_num(cert_names);
if (cnum != (prev + 1))
{
crypto_msg(M_WARN,
- "Cannot load CA certificate file %s (entry
%d did not validate)",
+ "Cannot load CA certificate file %s (entry
%zu did not validate)",
print_key_filename(ca_file,
ca_file_inline), added);
}
prev = cnum;
@@ -1884,7 +1886,7 @@
}
sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
}
- int cnum;
+ size_t cnum;
if (tls_server)
{
cnum = sk_X509_NAME_num(cert_names);
@@ -1902,8 +1904,8 @@
if (cnum != added)
{
crypto_msg(M_FATAL,
- "Cannot load CA certificate file %s (only %d "
- "of %d entries were valid X509 names)",
+ "Cannot load CA certificate file %s (only %zu "
+ "of %zu entries were valid X509 names)",
print_key_filename(ca_file, ca_file_inline), cnum,
added);
}
}
@@ -2552,7 +2554,7 @@
#else
STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
#endif
- for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++)
+ for (size_t i = 0; i < (size_t)sk_SSL_CIPHER_num(sk); i++)
{
const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 46401cd..a8139ea 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -138,10 +138,10 @@
* one, but we don't depend on it...
*/
- int numalts = sk_GENERAL_NAME_num(extensions);
+ size_t numalts = sk_GENERAL_NAME_num(extensions);
/* loop through all alternatives */
- for (int i = 0; i < numalts; i++)
+ for (size_t i = 0; i < numalts; i++)
{
/* get a handle to alternative name number i */
const GENERAL_NAME *name = sk_GENERAL_NAME_value(extensions, i);
@@ -344,7 +344,7 @@
const EVP_MD *sha1 = EVP_sha1();
struct buffer hash = alloc_buf_gc((size_t)EVP_MD_size(sha1), gc);
X509_digest(cert, EVP_sha1(), BPTR(&hash), NULL);
- ASSERT(buf_inc_len(&hash, EVP_MD_size(sha1)));
+ ASSERT(buf_inc_len(&hash, (int)EVP_MD_size(sha1)));
return hash;
}
@@ -354,7 +354,7 @@
const EVP_MD *sha256 = EVP_sha256();
struct buffer hash = alloc_buf_gc((size_t)EVP_MD_size(sha256), gc);
X509_digest(cert, EVP_sha256(), BPTR(&hash), NULL);
- ASSERT(buf_inc_len(&hash, EVP_MD_size(sha256)));
+ ASSERT(buf_inc_len(&hash, (int)EVP_MD_size(sha256)));
return hash;
}
@@ -739,10 +739,8 @@
}
else
{
- int i;
-
msg(D_HANDSHAKE, "Validating certificate extended key usage");
- for (i = 0; SUCCESS != fFound && i < sk_ASN1_OBJECT_num(eku); i++)
+ for (size_t i = 0; SUCCESS != fFound && i <
(size_t)sk_ASN1_OBJECT_num(eku); i++)
{
ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(eku, i);
char szOid[1024];
@@ -791,7 +789,7 @@
}
STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
- for (int i = 0; i < sk_X509_OBJECT_num(objs); i++)
+ for (size_t i = 0; i < (size_t)sk_X509_OBJECT_num(objs); i++)
{
X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
ASSERT(obj);
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1569?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8ff30785f78fdcda136ef3fe982f8cda2edec059
Gerrit-Change-Number: 1569
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
