ssl_verify_openssl: Avoid conversion warning in x509_verify_cert_ku
authorFrank Lichtenheld <frank@lichtenheld.com>
Mon, 19 Jan 2026 12:20:51 +0000 (13:20 +0100)
committerGert Doering <gert@greenie.muc.de>
Mon, 19 Jan 2026 17:05:08 +0000 (18:05 +0100)
Just use the correct types.

v2:
 - Change type of expected_len argument to size_t

Change-Id: Ia6c3f0395bd6cd67064fe77420d9df2b66763049
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1445
Message-Id: <20260119122058.14865-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35322.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/ssl_verify_backend.h
src/openvpn/ssl_verify_mbedtls.c
src/openvpn/ssl_verify_openssl.c

index 0a2de03d12a38db0d53ef00a2f8461a1205a14b4..9272cae5c2465468aa3cc183c73f634f89fe4907 100644 (file)
@@ -240,7 +240,7 @@ result_t x509_verify_ns_cert_type(openvpn_x509_cert_t *cert, const int usage);
  *                      if key usage is not enabled, or the values do not match.
  */
 result_t x509_verify_cert_ku(openvpn_x509_cert_t *x509, const unsigned *const expected_ku,
-                             int expected_len);
+                             size_t expected_len);
 
 /*
  * Verify X.509 extended key usage extension field.
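Review bot: The prototype still spells the array parameter `const unsigned *const expected_ku`, while both backend definitions in this commit now use `const unsigned int *const expected_ku`. The two spellings name the same type, so this compiles, but the declaration should read the same as the definitions: `const unsigned int *const expected_ku,`. The doc comment above the prototype starts outside the hunk; if it describes `expected_len`, it should say that the value is the number of elements in `expected_ku`, not a byte count, now that the type is `size_t`.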
index 80396f87cf42504917f7fd7ff9c040edf5470143..9d89a1d252c62990c6dd7a2157b3291a02908172 100644 (file)
@@ -486,7 +486,7 @@ x509_verify_ns_cert_type(mbedtls_x509_crt *cert, const int usage)
 }
 
 result_t
-x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned *const expected_ku, int expected_len)
+x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned int *const expected_ku, size_t expected_len)
 {
     msg(D_HANDSHAKE, "Validating certificate key usage");
 
index 4f6573d044915beea43f17c5dd55b243958bca31..60d5756ad10054db2a763aa80308c04d385aa811 100644 (file)
@@ -670,13 +670,8 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
     return FAILURE;
 }
 
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wconversion"
-#endif
-
 result_t
-x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku, int expected_len)
+x509_verify_cert_ku(X509 *x509, const unsigned int *const expected_ku, size_t expected_len)
 {
     ASN1_BIT_STRING *ku = X509_get_ext_d2i(x509, NID_key_usage, NULL, NULL);
 
@@ -693,8 +688,8 @@ x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku, int expected_
         return SUCCESS;
     }
 
-    unsigned nku = 0;
-    for (size_t i = 0; i < 8; i++)
+    unsigned int nku = 0;
+    for (int i = 0; i < 8; i++)
     {
         if (ASN1_BIT_STRING_get_bit(ku, i))
         {
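Review bot: The index in `for (int i = 0; i < 8; i++)` changes from `size_t` to `int` with no comment saying why, which invites a later cleanup back to `size_t` and the return of the conversion warning this commit removes. `ASN1_BIT_STRING_get_bit()` takes the bit number as `int`, so a one-line comment above the loop would record the reason: `/* int index: ASN1_BIT_STRING_get_bit() takes the bit number as int */`. The bound `8` is also a bare literal inside a certificate key-usage check; naming it or noting which key-usage bits it covers would let a reader confirm that the mask built in `nku` is the intended one. The loop body and the rest of the function continue outside the hunk.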
@@ -734,10 +729,6 @@ x509_verify_cert_ku(X509 *x509, const unsigned *const expected_ku, int expected_
     return fFound;
 }
 
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic pop
-#endif
-
 result_t
 x509_verify_cert_eku(X509 *x509, const char *const expected_oid)
 {