On 1/10/22 17:29, Tom Rini wrote:
On Mon, Jan 10, 2022 at 05:22:15PM +0100, Heinrich Schuchardt wrote:
On 1/10/22 17:12, Tom Rini wrote:
On Mon, Jan 10, 2022 at 05:11:29PM +0100, Heinrich Schuchardt wrote:
On 1/10/22 16:06, Tom Rini wrote:
On Mon, Jan 10, 2022 at 09:00:29AM -0600, Alex G. wrote:


On 1/9/22 8:39 AM, Heinrich Schuchardt wrote:
The return type of EVP_PKEY_get0_RSA() is const struct rsa_st *.
Our code drops the const qualifier leading to

In file included from tools/lib/rsa/rsa-sign.c:1:
./tools/../lib/rsa/rsa-sign.c: In function ‘rsa_add_verify_data’:
./tools/../lib/rsa/rsa-sign.c:631:13: warning:
assignment discards ‘const’ qualifier from pointer target type
[-Wdiscarded-qualifiers]
      631 |         rsa = EVP_PKEY_get0_RSA(pkey);
          |             ^

Add a type conversion.

Signed-off-by: Heinrich Schuchardt <[email protected]>
---
     lib/rsa/rsa-sign.c | 2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index 44f21416ce..3b6e5f0f86 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -628,7 +628,7 @@ int rsa_add_verify_data(struct image_sign_info *info, void 
*keydest)
        if (ret)
                goto err_get_pub_key;
-       rsa = EVP_PKEY_get0_RSA(pkey);
+       rsa = (RSA *)EVP_PKEY_get0_RSA(pkey);
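
Review bot: the `(RSA *)` cast on the `rsa = EVP_PKEY_get0_RSA(pkey)` assignment silences -Wdiscarded-qualifiers by dropping the const that the commit message says the return type carries, so the compiler can no longer flag a later write through `rsa` into the key still owned by `pkey`. Declare `rsa` as `const RSA *` and have the code that receives it take a const pointer as well. If the cast has to go in as a stopgap, a comment on this line saying so would keep it from becoming permanent.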

I think it's the wrong path to discard const qualifiers, whether unwillingly
or by type punning. I suggest making 'rsa' a "const RSA *" and fixing the
downstream users to do the same.

So, how do we trigger this warning, exactly?  The line here has been in
place for several releases, but only with fe68a67a5f11 and removing
legacy paths did this become the only option.  Of course, CI isn't
kicking this problem right now.  But CI is Ubuntu 18.04, and while post
v2022.01 we should at least move up to 20.04, I'm guessing this gets hit
with something recent like 20.04, or Debian 11 or what will be Ubuntu
22.04.

Should we take the cast now, and fix this up properly post release?

I am using OpenSSLv3 as delivered by Ubuntu Jammy. Building
sandbox_defconfig shows the warning.

Right, so what will be 22.04.  I'm OK I think taking the cast for today
if you'll clean up the code as suggested for post release.


In 3a8b919932fdf07b6f I added #define OPENSSL_API_COMPAT 0x10101000L.

Which is OpenSSL 1.1.0 API, right?

Would we also have to move to the current API? But that might create
problems in old releases.

How old of a release would it be a problem for?  We dropped support for
older than 1.1.0 with fe68a67a5f11.


According to
https://www.openssl.org/policies/releasestrat.html
OpenSSL version 1.1.1 will be supported until 2023-09-11 (LTS).

We will have to keep OPENSSL_API_COMPAT up to that date.

For building against OpenSSL 3 without warning we need to fix the problem with const. And yes, propagating const throughout our code will be a cleaner solution.

Best regards

Heinrich
