search

aws / s2n-tls

An implementation of the TLS/SSL protocols
https://aws.github.io/s2n-tls/usage-guide/
Apache License 2.0
4.51k stars 704 forks source link

-Wcast-qual not enabled in cmake file #4710

Open boquan-fang opened 1 month ago

boquan-fang commented 1 month ago

Problem:

  1. -Wcast-qual is not enabled with awslc.
  2. The S2N_LIBCRYPTO environmental variable needs to be set for that -Wcast-qual to be enabled. https://github.com/aws/s2n-tls/blob/45bf1d4bc314cf8b18b8632e8be25180e45f121f/CMakeLists.txt#L212-L215

Requirements / Acceptance Criteria:

What must a solution address in order to solve the problem? How do we know the solution is complete?

maddeleine commented 1 month ago

We can actually enable this compile flag but we first have to update our version of aws-lc to v1.33.0. That version fixes the one cast-qual issue when built with aws-lc.

boquan-fang commented 2 weeks ago

I have updated the flag in PR #4735. Seems like awslc has enabled S2N_LIBCRYPTO_SUPPORTS_KYBER. That triggers a cast-qual violation. I am not sure if update awslc version solves that problem.


In file included from /codebuild/output/src2687327939/src/github.com/aws/s2n-tls/error/s2n_errno.h:23,
                 from /codebuild/output/src2687327939/src/github.com/aws/s2n-tls/utils/s2n_safety.h:23,
                 from /codebuild/output/src2687327939/src/github.com/aws/s2n-tls/crypto/s2n_pq.h:22,
                 from /codebuild/output/src2687327939/src/github.com/aws/s2n-tls/crypto/s2n_kyber_evp.c:19:
/codebuild/output/src2687327939/src/github.com/aws/s2n-tls/crypto/s2n_kyber_evp.c: In function 's2n_kyber_evp_decapsulate':
/codebuild/output/src2687327939/src/github.com/aws/s2n-tls/crypto/s2n_kyber_evp.c:83:30: error: cast discards 'const' qualifier from pointer target type [-Werror=cast-qual]
   83 |                              (uint8_t *) ciphertext, kem->ciphertext_length),
      |                              ^
/codebuild/output/src2687327939/src/github.com/aws/s2n-tls/utils/s2n_ensure.h:35:15: note: in definition of macro '__S2N_ENSURE'
   35 |         if (!(cond)) {             \
      |               ^~~~
/codebuild/output/src2687327939/src/github.com/aws/s2n-tls/crypto/s2n_kyber_evp.c:82:5: note: in expansion of macro 'POSIX_GUARD_OSSL'
   82 |     POSIX_GUARD_OSSL(EVP_PKEY_decapsulate(kyber_pkey_ctx, shared_secret, &shared_secret_size,
      |     ^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
CMakeFiles/s2n.dir/build.make:518: recipe for target 'CMakeFiles/s2n.dir/crypto/s2n_kyber_evp.c.o' failed
make[2]: *** [CMakeFiles/s2n.dir/crypto/s2n_kyber_evp.c.o] Error 1
make[2]: *** Waiting for unfinished jobs....
CMakeFiles/Makefile2:4153: recipe for target 'CMakeFiles/s2n.dir/all' failed
make[1]: *** [CMakeFiles/s2n.dir/all] Error 2
Makefile:140: recipe for target 'all' failed
make: *** [all] Error 2```
boquan-fang commented 2 weeks ago

aws-lc's FIPS branch is not synced up with the main branch. The FIPS branch needs casting from const pointer to non const pointer which will trigger errors for -Wcast-qual check. Their next sync is schedule on 3 September 2024, and we need to wait until then to fix this issue.

When aws-lc team updates their FIPS 2022 branch, we will sync up with that branch and fix this issue.

Here is the part of code that triggers this problem: https://github.com/aws/aws-lc/blob/fips-2022-11-02/crypto/fipsmodule/evp/evp_ctx.c#L539-L541