From 9e7b5b253c795104655e97ff0804bbf1488a9e6d Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Tue, 29 Apr 2025 11:20:46 +0200
Subject: [PATCH] libssl: Properly handle the different return types of
 `sk_GENERAL_NAME_num`

---
 pdns/libssl.cc | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/pdns/libssl.cc b/pdns/libssl.cc
index d123823b20..9bc00818fb 100644
--- a/pdns/libssl.cc
+++ b/pdns/libssl.cc
@@ -545,12 +545,19 @@ struct StackOfNamesDeleter
   }
 };
 
+#if defined(OPENSSL_IS_BORINGSSL)
+/* return type of OpenSSL's sk_XXX_num() */
+using SSLStackIndex size_t;
+#else
+using SSLStackIndex = int;
+#endif
+
 static std::unordered_set<std::string> get_names_from_certificate(const X509* certificate)
 {
   std::unordered_set<std::string> result;
   auto names = std::unique_ptr<STACK_OF(GENERAL_NAME), StackOfNamesDeleter>(static_cast<STACK_OF(GENERAL_NAME)*>(X509_get_ext_d2i(certificate, NID_subject_alt_name, nullptr, nullptr)));
   if (names) {
-    for (int idx = 0; idx < sk_GENERAL_NAME_num(names.get()); idx++) {
+    for (SSLStackIndex idx = 0; idx < sk_GENERAL_NAME_num(names.get()); idx++) {
       const auto* name = sk_GENERAL_NAME_value(names.get(), idx);
       if (name->type != GEN_DNS) {
         /* ignore GEN_IPADD / name->d.iPAddress (raw IP address bytes), it cannot be used in SNI anyway */
-- 
2.47.2