-Wcast-qual not enabled in cmake file #4710

Open
boquan-fang opened this issue Aug 15, 2024 · 3 comments

@boquan-fang
Contributor

Problem:

  1. -Wcast-qual is not enabled with awslc.
  2. The S2N_LIBCRYPTO environmental variable needs to be set for -Wcast-qual to be enabled.

s2n-tls/CMakeLists.txt, lines 212 to 215 in 45bf1d4:

```cmake
if (NOT $ENV{S2N_LIBCRYPTO} MATCHES "awslc")
    # add cast-qual back in for non AWS-LC
    target_compile_options(${PROJECT_NAME} PRIVATE -Wcast-qual)
endif()
```

Requirements / Acceptance Criteria:

What must a solution address in order to solve the problem? How do we know the solution is complete?

  • -Wcast-qual should be enabled even if no environmental variables are set.
  • -Wcast-qual should be enabled for awslc.
@maddeleine
Contributor

We can actually enable this compile flag but we first have to update our version of aws-lc to v1.33.0. That version fixes the one cast-qual issue when built with aws-lc.

@boquan-fang
Contributor Author

I have updated the flag in PR #4735. It seems like awslc has enabled S2N_LIBCRYPTO_SUPPORTS_KYBER. That triggers a cast-qual violation. I am not sure if updating the awslc version solves that problem.

```
In file included from /codebuild/output/src2687327939/src/github.com/aws/s2n-tls/error/s2n_errno.h:23,
                 from /codebuild/output/src2687327939/src/github.com/aws/s2n-tls/utils/s2n_safety.h:23,
                 from /codebuild/output/src2687327939/src/github.com/aws/s2n-tls/crypto/s2n_pq.h:22,
                 from /codebuild/output/src2687327939/src/github.com/aws/s2n-tls/crypto/s2n_kyber_evp.c:19:
/codebuild/output/src2687327939/src/github.com/aws/s2n-tls/crypto/s2n_kyber_evp.c: In function 's2n_kyber_evp_decapsulate':
/codebuild/output/src2687327939/src/github.com/aws/s2n-tls/crypto/s2n_kyber_evp.c:83:30: error: cast discards 'const' qualifier from pointer target type [-Werror=cast-qual]
   83 |                              (uint8_t *) ciphertext, kem->ciphertext_length),
      |                              ^
/codebuild/output/src2687327939/src/github.com/aws/s2n-tls/utils/s2n_ensure.h:35:15: note: in definition of macro '__S2N_ENSURE'
   35 |         if (!(cond)) {             \
      |               ^~~~
/codebuild/output/src2687327939/src/github.com/aws/s2n-tls/crypto/s2n_kyber_evp.c:82:5: note: in expansion of macro 'POSIX_GUARD_OSSL'
   82 |     POSIX_GUARD_OSSL(EVP_PKEY_decapsulate(kyber_pkey_ctx, shared_secret, &shared_secret_size,
      |     ^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
CMakeFiles/s2n.dir/build.make:518: recipe for target 'CMakeFiles/s2n.dir/crypto/s2n_kyber_evp.c.o' failed
make[2]: *** [CMakeFiles/s2n.dir/crypto/s2n_kyber_evp.c.o] Error 1
make[2]: *** Waiting for unfinished jobs....
CMakeFiles/Makefile2:4153: recipe for target 'CMakeFiles/s2n.dir/all' failed
make[1]: *** [CMakeFiles/s2n.dir/all] Error 2
Makefile:140: recipe for target 'all' failed
make: *** [all] Error 2
```

@boquan-fang
Contributor Author

aws-lc's FIPS branch is not synced up with the main branch. The FIPS branch needs casting from a const pointer to a non-const pointer, which will trigger errors for the -Wcast-qual check. Their next sync is scheduled for 3 September 2024, and we need to wait until then to fix this issue.

When the aws-lc team updates their FIPS 2022 branch, we will sync up with that branch and fix this issue.

Here is the part of code that triggers this problem:
https://github.com/aws/aws-lc/blob/fips-2022-11-02/crypto/fipsmodule/evp/evp_ctx.c#L539-L541
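
What the diagnostic in the build log flags, as an added example that is not part of this thread and is not s2n-tls or aws-lc code: a caller holding a `const` buffer must cast the qualifier away to call an API whose parameter lacks `const`. `legacy_decapsulate`, `decapsulate_with_cast`, `decapsulate_with_copy` and `MAX_CT_LEN` are hypothetical, and the copy-based wrapper is one general way to satisfy -Wcast-qual, not the fix chosen in this issue.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_CT_LEN 1568 /* assumed upper bound for this sketch */

/* Hypothetical stand-in for a library call whose input parameter lacks
 * const, even though it only reads the buffer. */
static int legacy_decapsulate(uint8_t *ct, size_t ct_len, uint8_t *out, size_t *out_len)
{
    if (ct == NULL || out == NULL || out_len == NULL || *out_len < 1) {
        return 0;
    }
    uint8_t acc = 0;
    for (size_t i = 0; i < ct_len; i++) {
        acc ^= ct[i]; /* toy "secret": XOR of all ciphertext bytes */
    }
    out[0] = acc;
    *out_len = 1;
    return 1;
}

/* Pattern from the build log: compiles by default, but with
 * -Wcast-qual -Werror the cast below is a hard error. */
int decapsulate_with_cast(const uint8_t *ct, size_t ct_len, uint8_t *out, size_t *out_len)
{
    return legacy_decapsulate((uint8_t *) ct, ct_len, out, out_len);
}

/* Cast-free alternative: hand the callee a mutable copy, so the const
 * contract on the caller's buffer holds even if the callee wrote to it. */
int decapsulate_with_copy(const uint8_t *ct, size_t ct_len, uint8_t *out, size_t *out_len)
{
    uint8_t scratch[MAX_CT_LEN];
    if (ct == NULL || ct_len > sizeof(scratch)) {
        return 0; /* reject oversized input instead of truncating */
    }
    memcpy(scratch, ct, ct_len);
    return legacy_decapsulate(scratch, ct_len, out, out_len);
}
```

Compiling this file with `-Wcast-qual -Werror` fails only at the cast in `decapsulate_with_cast`; the copy variant builds cleanly with the flag on.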
