From: Arne Schwabe <[email protected]> OpenSSL and AWS-LC disagree on the type that they use for stack size. Instead of doing a lot of various casts, use a typedef to avoid these casts and use the right type for each library.
Change-Id: Ifd29485524674c64d56fc5f7ef8bdd1e00215fc9
Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1627
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1627
This mail reflects revision 2 of this Change.
Acked-by according to Gerrit (reflected above): Frank Lichtenheld <[email protected]>
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 3494ce6..ec059ac 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -49,8 +49,12 @@
 * intrusive than casts everywhere */
 #if defined(OPENSSL_IS_AWSLC)
 typedef uint32_t openssl_err_t;
+typedef size_t openssl_stack_size_t;
+#define PRI_OPENSSL_STACK "zu"
 #else
 typedef unsigned long openssl_err_t;
+typedef int openssl_stack_size_t;
+#define PRI_OPENSSL_STACK "d"
 #endif
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 6130dc3..6ce5f3f 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -981,7 +981,6 @@
 X509 *cert;
 STACK_OF(X509) *ca = NULL;
 PKCS12 *p12;
- int i;
 char password[256];
 ASSERT(NULL != ctx);
@@ -1065,7 +1064,7 @@
 */
 if (ca && sk_X509_num(ca))
 {
- for (i = 0; i < sk_X509_num(ca); i++)
+ for (openssl_stack_size_t i = 0; i < sk_X509_num(ca); i++)
 {
 X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx);
 if (!X509_STORE_add_cert(cert_store, sk_X509_value(ca, i)))
@@ -1090,7 +1089,7 @@
 */
 if (ca && sk_X509_num(ca))
 {
- for (i = 0; i < sk_X509_num(ca); i++)
+ for (openssl_stack_size_t i = 0; i < sk_X509_num(ca); i++)
 {
 if (!SSL_CTX_add_extra_chain_cert(ctx->ctx, sk_X509_value(ca, i)))
 {
@@ -1855,7 +1854,7 @@
 X509_LOOKUP *lookup = NULL;
 X509_STORE *store = NULL;
 BIO *in = NULL;
- int i, added = 0, prev = 0;
+ openssl_stack_size_t added = 0, prev = 0;
 ASSERT(NULL != ctx);
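Review bot: The new `openssl_stack_size_t` and `PRI_OPENSSL_STACK` in the openssl_compat.h hunk have no comment of their own; the comment above the `#if` starts outside the hunk and, from its visible last line, appears to describe only the error type. The type is unsigned `size_t` under AWS-LC and signed `int` under OpenSSL, so any code that subtracts counts or tests a count for a negative value will behave differently between the two builds, and readers should be told that before they reuse the type. I would add before the typedefs: `/* Type returned by the sk_*_num() stack accessors: size_t in AWS-LC, int in OpenSSL. PRI_OPENSSL_STACK is the matching printf conversion without the '%', used like PRIu64. */`.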
@@ -1884,7 +1883,7 @@
 if (info_stack)
 {
- for (i = 0; i < sk_X509_INFO_num(info_stack); i++)
+ for (openssl_stack_size_t i = 0; i < sk_X509_INFO_num(info_stack); i++)
 {
 X509_INFO *info = sk_X509_INFO_value(info_stack, i);
 if (info->crl)
@@ -1942,11 +1941,11 @@
 if (tls_server)
 {
- int cnum = sk_X509_NAME_num(cert_names);
+ openssl_stack_size_t cnum = sk_X509_NAME_num(cert_names);
 if (cnum != (prev + 1))
 {
 crypto_msg(M_WARN,
- "Cannot load CA certificate file %s (entry %d did not validate)",
+ "Cannot load CA certificate file %s (entry %" PRI_OPENSSL_STACK " did not validate)",
 print_key_filename(ca_file, ca_file_inline), added);
 }
 prev = cnum;
@@ -1954,7 +1953,7 @@
 }
 sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
 }
- int cnum;
+ openssl_stack_size_t cnum;
 if (tls_server)
 {
 cnum = sk_X509_NAME_num(cert_names);
@@ -1972,8 +1971,8 @@
 if (cnum != added)
 {
 crypto_msg(M_FATAL,
- "Cannot load CA certificate file %s (only %d "
- "of %d entries were valid X509 names)",
+ "Cannot load CA certificate file %s (only %" PRI_OPENSSL_STACK
+ "of %" PRI_OPENSSL_STACK "entries were valid X509 names)",
 print_key_filename(ca_file, ca_file_inline), cnum, added);
 }
 }
@@ -2622,7 +2621,7 @@
 #else
 STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
 #endif
- for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++)
+ for (openssl_stack_size_t i = 0; i < sk_SSL_CIPHER_num(sk); i++)
 {
 const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index a30099d..6bb61b6 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
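Review bot: The rewritten M_FATAL format string in the `@@ -1972,8 +1971,8 @@` hunk loses the spaces around the two counts. The removed literals were `"... (only %d "` and `"of %d entries ..."`, but the added ones concatenate to `(only %zuof %zuentries were valid X509 names)` under AWS-LC, or `%dof %dentries` under OpenSSL. This is the message an operator sees when a CA file fails to load, so it should stay readable. The second added line should be `" of %" PRI_OPENSSL_STACK " entries were valid X509 names)",`. The M_WARN string in the `@@ -1942,11 +1941,11 @@` hunk keeps its space after the macro and needs no change.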
@@ -138,10 +138,10 @@
 * one, but we don't depend on it... */
- int numalts = sk_GENERAL_NAME_num(extensions);
+ openssl_stack_size_t numalts = sk_GENERAL_NAME_num(extensions);
 /* loop through all alternatives */
- for (int i = 0; i < numalts; i++)
+ for (openssl_stack_size_t i = 0; i < numalts; i++)
 {
 /* get a handle to alternative name number i */
 const GENERAL_NAME *name = sk_GENERAL_NAME_value(extensions, i);
@@ -763,10 +763,8 @@
 }
 else
 {
- int i;
-
 msg(D_HANDSHAKE, "Validating certificate extended key usage");
- for (i = 0; SUCCESS != fFound && i < sk_ASN1_OBJECT_num(eku); i++)
+ for (openssl_stack_size_t i = 0; SUCCESS != fFound && i < sk_ASN1_OBJECT_num(eku); i++)
 {
 ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(eku, i);
 char szOid[1024];
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
