[PATCH] lib/rsa: avoid -Wdiscarded-qualifiers

Heinrich Schuchardt heinrich.schuchardt at canonical.com
Mon Jan 10 17:46:58 CET 2022


On 1/10/22 17:29, Tom Rini wrote:
> On Mon, Jan 10, 2022 at 05:22:15PM +0100, Heinrich Schuchardt wrote:
>> On 1/10/22 17:12, Tom Rini wrote:
>>> On Mon, Jan 10, 2022 at 05:11:29PM +0100, Heinrich Schuchardt wrote:
>>>> On 1/10/22 16:06, Tom Rini wrote:
>>>>> On Mon, Jan 10, 2022 at 09:00:29AM -0600, Alex G. wrote:
>>>>>>
>>>>>>
>>>>>> On 1/9/22 8:39 AM, Heinrich Schuchardt wrote:
>>>>>>> The return type of EVP_PKEY_get0_RSA() is const struct rsa_st *.
>>>>>>> Our code drops the const qualifier leading to
>>>>>>>
>>>>>>> In file included from tools/lib/rsa/rsa-sign.c:1:
>>>>>>> ./tools/../lib/rsa/rsa-sign.c: In function ‘rsa_add_verify_data’:
>>>>>>> ./tools/../lib/rsa/rsa-sign.c:631:13: warning:
>>>>>>> assignment discards ‘const’ qualifier from pointer target type
>>>>>>> [-Wdiscarded-qualifiers]
>>>>>>>       631 |         rsa = EVP_PKEY_get0_RSA(pkey);
>>>>>>>           |             ^
>>>>>>>
>>>>>>> Add a type conversion.
>>>>>>>
>>>>>>> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
>>>>>>> ---
>>>>>>>      lib/rsa/rsa-sign.c | 2 +-
>>>>>>>      1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>>>
>>>>>>> diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
>>>>>>> index 44f21416ce..3b6e5f0f86 100644
>>>>>>> --- a/lib/rsa/rsa-sign.c
>>>>>>> +++ b/lib/rsa/rsa-sign.c
>>>>>>> @@ -628,7 +628,7 @@ int rsa_add_verify_data(struct image_sign_info *info, void *keydest)
>>>>>>>      	if (ret)
>>>>>>>      		goto err_get_pub_key;
>>>>>>> -	rsa = EVP_PKEY_get0_RSA(pkey);
>>>>>>> +	rsa = (RSA *)EVP_PKEY_get0_RSA(pkey);
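
Review bot: the `(RSA *)` cast on the `rsa = EVP_PKEY_get0_RSA(pkey);` assignment silences -Wdiscarded-qualifiers by dropping the const that the commit message says the function returns, so the compiler can no longer flag a later write through `rsa` to the key object borrowed from `pkey`. Suggest declaring `rsa` as `const RSA *` in rsa_add_verify_data() and giving the helpers that receive it const parameters instead of casting. The hunk shows only the assignment, so the declaration and each later use of `rsa` need to be checked when making that change.
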
>>>>>>
>>>>>> I think it's the wrong path to discard const qualifiers, whether unwillingly
>>>>>> or by type punning. I suggest making 'rsa' a "const RSA *" and fixing the
>>>>>> downstream users to do the same.
>>>>>
>>>>> So, how do we trigger this warning, exactly?  The line here has been in
>>>>> place for several releases, but only with fe68a67a5f11 and removing
>>>>> legacy paths did this become the only option.  Of course, CI isn't
>>>>> kicking this problem right now.  But CI is Ubuntu 18.04, and while post
>>>>> v2022.01 we should at least move up to 20.04, I'm guessing this gets hit
>>>>> with something recent like 20.04, or Debian 11 or what will be Ubuntu
>>>>> 22.04.
>>>>>
>>>>> Should we take the cast now, and fix this up properly post release?
>>>>
>>>> I am using OpenSSLv3 as delivered by Ubuntu Jammy. Building
>>>> sandbox_defconfig shows the warning.
>>>
>>> Right, so what will be 22.04.  I'm OK I think taking the cast for today
>>> if you'll clean up the code as suggested for post release.
>>>
>>
>> In 3a8b919932fdf07b6f I added #define OPENSSL_API_COMPAT 0x10101000L.
> 
> Which is OpenSSL 1.1.0 API, right?
> 
>> Would we also have to move to the current API? But that might create
>> problems in old releases.
> 
> How old of a release would it be a problem for?  We dropped support for
> older than 1.1.0 with fe68a67a5f11.
> 

According to
https://www.openssl.org/policies/releasestrat.html
OpenSSL version 1.1.1 will be supported until 2023-09-11 (LTS).

We will have to keep OPENSSL_API_COMPAT up to that date.

For building against OpenSSL 3 without warning we need to fix the
problem with const. And yes, propagating const throughout our code will
be a cleaner solution.

Best regards

Heinrich

