ssl_openssl: Use uint16_t internally for TLS versions

flichtenheld · cron2 · commit 04d24fbeb529 · 2025-09-26T22:49:10.000+02:00
libressl changed the API for the involved functions. Since uint16_t is a true subset of int it should be safe to switch to that for all OpenSSL variants. One trivial drive-by fix in unrelated code to be able to enable -Wconversion fully for the file. This just adds a cast where the comment says we intend a cast. Change-Id: I9ea87531afb553f789289787403900a4758b8e1c Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: MaxF <max@max-fillinger.net> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1212 Message-Id: <20250924150300.29318-1-gert@greenie.muc.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59238230/ Signed-off-by: Gert Doering <gert@greenie.muc.de>
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
@@ -235,8 +235,8 @@ tls_version_max(void)
 }
 
 /** Convert internal version number to openssl version number */
-static int
-openssl_tls_version(int ver)
+static uint16_t
+openssl_tls_version(unsigned int ver)
 {
     if (ver == TLS_VER_1_0)
     {
@@ -272,23 +272,18 @@ openssl_tls_version(int ver)
     return 0;
 }
 
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wconversion"
-#endif
-
 static bool
 tls_ctx_set_tls_versions(struct tls_root_ctx *ctx, unsigned int ssl_flags)
 {
-    int tls_ver_min =
+    uint16_t tls_ver_min =
         openssl_tls_version((ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK);
-    int tls_ver_max =
+    uint16_t tls_ver_max =
         openssl_tls_version((ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK);
 
     if (!tls_ver_min)
     {
         /* Enforce at least TLS 1.0 */
-        int cur_min = SSL_CTX_get_min_proto_version(ctx->ctx);
+        uint16_t cur_min = (uint16_t)SSL_CTX_get_min_proto_version(ctx->ctx);
         tls_ver_min = cur_min < TLS1_VERSION ? TLS1_VERSION : cur_min;
     }
 
@@ -387,7 +382,7 @@ convert_tls_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphe
             /* %.*s format specifier expects length of type int, so guarantee */
             /* that length is small enough and cast to int. */
             msg(D_LOW, "No valid translation found for TLS cipher '%.*s'",
-                constrain_int(current_cipher_len, 0, 256), current_cipher);
+                constrain_int((int)current_cipher_len, 0, 256), current_cipher);
         }
         else
         {
@@ -429,10 +424,6 @@ convert_tls_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphe
     }
 }
 
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic pop
-#endif
-
 void
 tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 {
@@ -2522,11 +2513,6 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)
     msg(D_HANDSHAKE, "%s%s%s%s%s", s1, s2, s3, s4, s5);
 }
 
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wconversion"
-#endif
-
 void
 show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
 {
@@ -2541,7 +2527,7 @@ show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_pr
 #if defined(TLS1_3_VERSION)
     if (tls13)
     {
-        SSL_CTX_set_min_proto_version(tls_ctx.ctx, openssl_tls_version(TLS_VER_1_3));
+        SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION);
         tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list);
     }
     else
@@ -2594,10 +2580,6 @@ show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_pr
     SSL_CTX_free(tls_ctx.ctx);
 }
 
-#if defined(__GNUC__) || defined(__clang__)
-#pragma GCC diagnostic pop
-#endif
-
 /*
  * Show the Elliptic curves that are available for us to use
  * in the OpenSSL library.

Original file line number	Diff line number	Diff line change
`@@ -235,8 +235,8 @@ tls_version_max(void)`
`235`	`235`	`}`
`236`	`236`
`237`	`237`	`/** Convert internal version number to openssl version number */`
`238`		`-static int`
`239`		`-openssl_tls_version(int ver)`
	`238`	`+static uint16_t`
	`239`	`+openssl_tls_version(unsigned int ver)`
`240`	`240`	`{`
`241`	`241`	`if (ver == TLS_VER_1_0)`
`242`	`242`	`{`
`@@ -272,23 +272,18 @@ openssl_tls_version(int ver)`
`272`	`272`	`return 0;`
`273`	`273`	`}`
`274`	`274`
`275`		`-#if defined(__GNUC__) \|\| defined(__clang__)`
`276`		`-#pragma GCC diagnostic push`
`277`		`-#pragma GCC diagnostic ignored "-Wconversion"`
`278`		`-#endif`
`279`		`-`
`280`	`275`	`static bool`
`281`	`276`	`tls_ctx_set_tls_versions(struct tls_root_ctx *ctx, unsigned int ssl_flags)`
`282`	`277`	`{`
`283`		`- int tls_ver_min =`
	`278`	`+ uint16_t tls_ver_min =`
`284`	`279`	`openssl_tls_version((ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK);`
`285`		`- int tls_ver_max =`
	`280`	`+ uint16_t tls_ver_max =`
`286`	`281`	`openssl_tls_version((ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK);`
`287`	`282`
`288`	`283`	`if (!tls_ver_min)`
`289`	`284`	`{`
`290`	`285`	`/* Enforce at least TLS 1.0 */`
`291`		`- int cur_min = SSL_CTX_get_min_proto_version(ctx->ctx);`
	`286`	`+ uint16_t cur_min = (uint16_t)SSL_CTX_get_min_proto_version(ctx->ctx);`
`292`	`287`	`tls_ver_min = cur_min < TLS1_VERSION ? TLS1_VERSION : cur_min;`
`293`	`288`	`}`
`294`	`289`
`@@ -387,7 +382,7 @@ convert_tls_list_to_openssl(char openssl_ciphers, size_t len, const char ciphe`
`387`	`382`	`/* %.s format specifier expects length of type int, so guarantee /`
`388`	`383`	`/* that length is small enough and cast to int. */`
`389`	`384`	`msg(D_LOW, "No valid translation found for TLS cipher '%.*s'",`
`390`		`- constrain_int(current_cipher_len, 0, 256), current_cipher);`
	`385`	`+ constrain_int((int)current_cipher_len, 0, 256), current_cipher);`
`391`	`386`	`}`
`392`	`387`	`else`
`393`	`388`	`{`
`@@ -429,10 +424,6 @@ convert_tls_list_to_openssl(char openssl_ciphers, size_t len, const char ciphe`
`429`	`424`	`}`
`430`	`425`	`}`
`431`	`426`
`432`		`-#if defined(__GNUC__) \|\| defined(__clang__)`
`433`		`-#pragma GCC diagnostic pop`
`434`		`-#endif`
`435`		`-`
`436`	`427`	`void`
`437`	`428`	`tls_ctx_restrict_ciphers(struct tls_root_ctx ctx, const char ciphers)`
`438`	`429`	`{`
`@@ -2522,11 +2513,6 @@ print_details(struct key_state_ssl ks_ssl, const char prefix)`
`2522`	`2513`	`msg(D_HANDSHAKE, "%s%s%s%s%s", s1, s2, s3, s4, s5);`
`2523`	`2514`	`}`
`2524`	`2515`
`2525`		`-#if defined(__GNUC__) \|\| defined(__clang__)`
`2526`		`-#pragma GCC diagnostic push`
`2527`		`-#pragma GCC diagnostic ignored "-Wconversion"`
`2528`		`-#endif`
`2529`		`-`
`2530`	`2516`	`void`
`2531`	`2517`	`show_available_tls_ciphers_list(const char cipher_list, const char tls_cert_profile, bool tls13)`
`2532`	`2518`	`{`
`@@ -2541,7 +2527,7 @@ show_available_tls_ciphers_list(const char cipher_list, const char tls_cert_pr`
`2541`	`2527`	`#if defined(TLS1_3_VERSION)`
`2542`	`2528`	`if (tls13)`
`2543`	`2529`	`{`
`2544`		`- SSL_CTX_set_min_proto_version(tls_ctx.ctx, openssl_tls_version(TLS_VER_1_3));`
	`2530`	`+ SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION);`
`2545`	`2531`	`tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list);`
`2546`	`2532`	`}`
`2547`	`2533`	`else`
`@@ -2594,10 +2580,6 @@ show_available_tls_ciphers_list(const char cipher_list, const char tls_cert_pr`
`2594`	`2580`	`SSL_CTX_free(tls_ctx.ctx);`
`2595`	`2581`	`}`
`2596`	`2582`
`2597`		`-#if defined(__GNUC__) \|\| defined(__clang__)`
`2598`		`-#pragma GCC diagnostic pop`
`2599`		`-#endif`
`2600`		`-`
`2601`	`2583`	`/*`
`2602`	`2584`	`* Show the Elliptic curves that are available for us to use`
`2603`	`2585`	`* in the OpenSSL library.`