[PATCH] lib/rsa: avoid -Wdiscarded-qualifiers

Mon Jan 10 17:22:15 CET 2022

On 1/10/22 17:12, Tom Rini wrote:
> On Mon, Jan 10, 2022 at 05:11:29PM +0100, Heinrich Schuchardt wrote:
>> On 1/10/22 16:06, Tom Rini wrote:
>>> On Mon, Jan 10, 2022 at 09:00:29AM -0600, Alex G. wrote:
>>>>
>>>>
>>>> On 1/9/22 8:39 AM, Heinrich Schuchardt wrote:
>>>>> The return type of EVP_PKEY_get0_RSA() is const struct rsa_st *.
>>>>> Our code drops the const qualifier leading to
>>>>>
>>>>> In file included from tools/lib/rsa/rsa-sign.c:1:
>>>>> ./tools/../lib/rsa/rsa-sign.c: In function ‘rsa_add_verify_data’:
>>>>> ./tools/../lib/rsa/rsa-sign.c:631:13: warning:
>>>>> assignment discards ‘const’ qualifier from pointer target type
>>>>> [-Wdiscarded-qualifiers]
>>>>>      631 |         rsa = EVP_PKEY_get0_RSA(pkey);
>>>>>          |             ^
>>>>>
>>>>> Add a type conversion.
>>>>>
>>>>> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
>>>>> ---
>>>>>     lib/rsa/rsa-sign.c | 2 +-
>>>>>     1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
>>>>> index 44f21416ce..3b6e5f0f86 100644
>>>>> --- a/lib/rsa/rsa-sign.c
>>>>> +++ b/lib/rsa/rsa-sign.c
>>>>> @@ -628,7 +628,7 @@ int rsa_add_verify_data(struct image_sign_info *info, void *keydest)
>>>>>     	if (ret)
>>>>>     		goto err_get_pub_key;
>>>>> -	rsa = EVP_PKEY_get0_RSA(pkey);
>>>>> +	rsa = (RSA *)EVP_PKEY_get0_RSA(pkey);
>>>>
>>>> I think it's the wrong path to discard const qualifiers, whether unwillingly
>>>> or by type punning. I suggest making 'rsa' a "const RSA *" and fixing the
>>>> downstream users to do the same.
>>>
>>> So, how do we trigger this warning, exactly?  The line here has been in
>>> place for several releases, but only with fe68a67a5f11 and removing
>>> legacy paths did this become the only option.  Of course, CI isn't
>>> kicking this problem right now.  But CI is Ubuntu 18.04, and while post
>>> v2022.01 we should at least move up to 20.04, I'm guessing this gets hit
>>> with something recent like 20.04, or Debian 11 or what will be Ubuntu
>>> 22.04.
>>>
>>> Should we take the cast now, and fix this up properly post release?
>>
>> I am using OpenSSLv3 as delivered by Ubuntu Jammy. Building
>> sandbox_defconfig shows the warning.
> 
> Right, so what will be 22.04.  I'm OK I think taking the cast for today
> if you'll clean up the code as suggested for post release.
> 

In 3a8b919932fdf07b6f I added #define OPENSSL_API_COMPAT 0x10101000L.
Would we also have to move to the current API? But that might create 
problems in old releases.

Best regards

Heinrich