From 495f4beb8622f5fbcb2dd6c852c02d05ffbc03ee Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb" <dev@ddvo.net>
Date: Fri, 7 Feb 2025 12:34:25 +0100
Subject: [PATCH] constify X509_*print*(), X509_get0_*_objects(),
 X509_*_get0(), ..., effectively in OpenSSL 4.0

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28033)
---
 crypto/asn1/t_spki.c                 |  2 +-
 crypto/x509/t_crl.c                  |  4 ++--
 crypto/x509/t_req.c                  |  6 +++---
 crypto/x509/t_x509.c                 |  8 ++++----
 crypto/x509/x509cset.c               |  2 +-
 crypto/x509/x_x509a.c                |  8 ++++----
 doc/man3/X509_CRL_get0_by_serial.pod |  6 +++++-
 include/openssl/x509.h.in            | 26 +++++++++++++-------------
 include/openssl/x509_vfy.h.in        |  4 ++--
 9 files changed, 35 insertions(+), 31 deletions(-)

diff --git a/crypto/asn1/t_spki.c b/crypto/asn1/t_spki.c
index 0397f1f9ee5..759a83099f2 100644
--- a/crypto/asn1/t_spki.c
+++ b/crypto/asn1/t_spki.c
@@ -17,7 +17,7 @@
 
 /* Print out an SPKI */
 
-int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
+int NETSCAPE_SPKI_print(BIO *out, OSSL_FUTURE_CONST NETSCAPE_SPKI *spki)
 {
     EVP_PKEY *pkey;
     ASN1_IA5STRING *chal;
diff --git a/crypto/x509/t_crl.c b/crypto/x509/t_crl.c
index a92d0cb3b06..306b07ea888 100644
--- a/crypto/x509/t_crl.c
+++ b/crypto/x509/t_crl.c
@@ -32,12 +32,12 @@ int X509_CRL_print_fp(FILE *fp, X509_CRL *x)
 }
 #endif
 
-int X509_CRL_print(BIO *out, X509_CRL *x)
+int X509_CRL_print(BIO *out, OSSL_FUTURE_CONST X509_CRL *x)
 {
   return X509_CRL_print_ex(out, x, XN_FLAG_COMPAT);
 }
 
-int X509_CRL_print_ex(BIO *out, X509_CRL *x, unsigned long nmflag)
+int X509_CRL_print_ex(BIO *out, OSSL_FUTURE_CONST X509_CRL *x, unsigned long nmflag)
 {
     STACK_OF(X509_REVOKED) *rev;
     X509_REVOKED *r;
diff --git a/crypto/x509/t_req.c b/crypto/x509/t_req.c
index 1c5f41d6765..0ac0f250f95 100644
--- a/crypto/x509/t_req.c
+++ b/crypto/x509/t_req.c
@@ -18,7 +18,7 @@
 #include <openssl/dsa.h>
 
 #ifndef OPENSSL_NO_STDIO
-int X509_REQ_print_fp(FILE *fp, X509_REQ *x)
+int X509_REQ_print_fp(FILE *fp, OSSL_FUTURE_CONST X509_REQ *x)
 {
     BIO *b;
     int ret;
@@ -34,7 +34,7 @@ int X509_REQ_print_fp(FILE *fp, X509_REQ *x)
 }
 #endif
 
-int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
+int X509_REQ_print_ex(BIO *bp, OSSL_FUTURE_CONST X509_REQ *x, unsigned long nmflags,
                       unsigned long cflag)
 {
     long l;
@@ -210,7 +210,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
     return 0;
 }
 
-int X509_REQ_print(BIO *bp, X509_REQ *x)
+int X509_REQ_print(BIO *bp, OSSL_FUTURE_CONST X509_REQ *x)
 {
     return X509_REQ_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
 }
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index fadf8cbbec1..089902e8a47 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -50,12 +50,12 @@ int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag,
 }
 #endif
 
-int X509_print(BIO *bp, X509 *x)
+int X509_print(BIO *bp, OSSL_FUTURE_CONST X509 *x)
 {
     return X509_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
 }
 
-int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
+int X509_print_ex(BIO *bp, OSSL_FUTURE_CONST X509 *x, unsigned long nmflags,
                   unsigned long cflag)
 {
     long l;
@@ -200,7 +200,7 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
     return ret;
 }
 
-int X509_ocspid_print(BIO *bp, X509 *x)
+int X509_ocspid_print(BIO *bp, OSSL_FUTURE_CONST X509 *x)
 {
     unsigned char *der = NULL;
     unsigned char *dertmp;
@@ -322,7 +322,7 @@ int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg,
     return 1;
 }
 
-int X509_aux_print(BIO *out, X509 *x, int indent)
+int X509_aux_print(BIO *out, OSSL_FUTURE_CONST X509 *x, int indent)
 {
     char oidstr[80], first;
     STACK_OF(ASN1_OBJECT) *trust, *reject;
diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c
index eeaac3b25b0..8d4aff6d8ae 100644
--- a/crypto/x509/x509cset.c
+++ b/crypto/x509/x509cset.c
@@ -120,7 +120,7 @@ const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl)
     return crl->crl.extensions;
 }
 
-STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl)
+STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(OSSL_FUTURE_CONST X509_CRL *crl)
 {
     return crl->crl.revoked;
 }
diff --git a/crypto/x509/x_x509a.c b/crypto/x509/x_x509a.c
index f7953c269e7..22680a27233 100644
--- a/crypto/x509/x_x509a.c
+++ b/crypto/x509/x_x509a.c
@@ -82,7 +82,7 @@ int X509_keyid_set1(X509 *x, const unsigned char *id, int len)
     return ASN1_STRING_set(aux->keyid, id, len);
 }
 
-unsigned char *X509_alias_get0(X509 *x, int *len)
+unsigned char *X509_alias_get0(OSSL_FUTURE_CONST X509 *x, int *len)
 {
     if (!x->aux || !x->aux->alias)
         return NULL;
@@ -91,7 +91,7 @@ unsigned char *X509_alias_get0(X509 *x, int *len)
     return x->aux->alias->data;
 }
 
-unsigned char *X509_keyid_get0(X509 *x, int *len)
+unsigned char *X509_keyid_get0(OSSL_FUTURE_CONST X509 *x, int *len)
 {
     if (!x->aux || !x->aux->keyid)
         return NULL;
@@ -159,14 +159,14 @@ void X509_reject_clear(X509 *x)
     }
 }
 
-STACK_OF(ASN1_OBJECT) *X509_get0_trust_objects(X509 *x)
+STACK_OF(ASN1_OBJECT) *X509_get0_trust_objects(OSSL_FUTURE_CONST X509 *x)
 {
     if (x->aux != NULL)
         return x->aux->trust;
     return NULL;
 }
 
-STACK_OF(ASN1_OBJECT) *X509_get0_reject_objects(X509 *x)
+STACK_OF(ASN1_OBJECT) *X509_get0_reject_objects(OSSL_FUTURE_CONST X509 *x)
 {
     if (x->aux != NULL)
         return x->aux->reject;
diff --git a/doc/man3/X509_CRL_get0_by_serial.pod b/doc/man3/X509_CRL_get0_by_serial.pod
index e0061563bc7..8ec5bfc0da1 100644
--- a/doc/man3/X509_CRL_get0_by_serial.pod
+++ b/doc/man3/X509_CRL_get0_by_serial.pod
@@ -16,7 +16,7 @@ functions
                              X509_REVOKED **ret, const ASN1_INTEGER *serial);
  int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
 
- STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
+ STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(const X509_CRL *crl);
 
  const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *r);
  const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *r);
@@ -103,6 +103,10 @@ L<X509_sign(3)>,
 L<X509V3_get_d2i(3)>,
 L<X509_verify_cert(3)>
 
+=head1 HISTORY
+
+X509_CRL_get_REVOKED() was constified in OpenSSL 4.0.
+
 =head1 COPYRIGHT
 
 Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 5428334f44f..d1d5ca2bb4d 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -344,7 +344,7 @@ char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *x);
 EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x);
 int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
 
-int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
+int NETSCAPE_SPKI_print(BIO *out, OSSL_FUTURE_CONST NETSCAPE_SPKI *spki);
 
 int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent);
 int X509_signature_print(BIO *bp, const X509_ALGOR *alg,
@@ -600,8 +600,8 @@ ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x);
 
 int X509_alias_set1(X509 *x, const unsigned char *name, int len);
 int X509_keyid_set1(X509 *x, const unsigned char *id, int len);
-unsigned char *X509_alias_get0(X509 *x, int *len);
-unsigned char *X509_keyid_get0(X509 *x, int *len);
+unsigned char *X509_alias_get0(OSSL_FUTURE_CONST X509 *x, int *len);
+unsigned char *X509_keyid_get0(OSSL_FUTURE_CONST X509 *x, int *len);
 
 DECLARE_ASN1_FUNCTIONS(X509_REVOKED)
 DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
@@ -759,7 +759,7 @@ OSSL_DEPRECATEDIN_1_1_0 ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl);
 #endif
 X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
 const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
-STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
+STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(OSSL_FUTURE_CONST X509_CRL *crl);
 const X509_ALGOR *X509_CRL_get0_tbs_sigalg(const X509_CRL *crl);
 void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
                              const X509_ALGOR **palg);
@@ -821,13 +821,13 @@ unsigned long X509_NAME_hash_old(const X509_NAME *x);
 
 int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
 int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
-int X509_aux_print(BIO *out, X509 *x, int indent);
+int X509_aux_print(BIO *out, OSSL_FUTURE_CONST X509 *x, int indent);
 # ifndef OPENSSL_NO_STDIO
 int X509_print_ex_fp(FILE *bp, X509 *x, unsigned long nmflag,
                      unsigned long cflag);
 int X509_print_fp(FILE *bp, X509 *x);
 int X509_CRL_print_fp(FILE *bp, X509_CRL *x);
-int X509_REQ_print_fp(FILE *bp, X509_REQ *req);
+int X509_REQ_print_fp(FILE *bp, OSSL_FUTURE_CONST X509_REQ *req);
 int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent,
                           unsigned long flags);
 # endif
@@ -835,15 +835,15 @@ int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent,
 int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase);
 int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent,
                        unsigned long flags);
-int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag,
+int X509_print_ex(BIO *bp, OSSL_FUTURE_CONST X509 *x, unsigned long nmflag,
                   unsigned long cflag);
-int X509_print(BIO *bp, X509 *x);
-int X509_ocspid_print(BIO *bp, X509 *x);
-int X509_CRL_print_ex(BIO *out, X509_CRL *x, unsigned long nmflag);
-int X509_CRL_print(BIO *bp, X509_CRL *x);
-int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag,
+int X509_print(BIO *bp, OSSL_FUTURE_CONST X509 *x);
+int X509_ocspid_print(BIO *bp, OSSL_FUTURE_CONST X509 *x);
+int X509_CRL_print_ex(BIO *out, OSSL_FUTURE_CONST X509_CRL *x, unsigned long nmflag);
+int X509_CRL_print(BIO *bp, OSSL_FUTURE_CONST X509_CRL *x);
+int X509_REQ_print_ex(BIO *bp, OSSL_FUTURE_CONST X509_REQ *x, unsigned long nmflag,
                       unsigned long cflag);
-int X509_REQ_print(BIO *bp, X509_REQ *req);
+int X509_REQ_print(BIO *bp, OSSL_FUTURE_CONST X509_REQ *req);
 
 int X509_NAME_entry_count(const X509_NAME *name);
 int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid,
diff --git a/include/openssl/x509_vfy.h.in b/include/openssl/x509_vfy.h.in
index 56f19ec8d61..440bc7168b3 100644
--- a/include/openssl/x509_vfy.h.in
+++ b/include/openssl/x509_vfy.h.in
@@ -132,8 +132,8 @@ int X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj);
 int X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj);
 void X509_trust_clear(X509 *x);
 void X509_reject_clear(X509 *x);
-STACK_OF(ASN1_OBJECT) *X509_get0_trust_objects(X509 *x);
-STACK_OF(ASN1_OBJECT) *X509_get0_reject_objects(X509 *x);
+STACK_OF(ASN1_OBJECT) *X509_get0_trust_objects(OSSL_FUTURE_CONST X509 *x);
+STACK_OF(ASN1_OBJECT) *X509_get0_reject_objects(OSSL_FUTURE_CONST X509 *x);
 
 int (*X509_TRUST_set_default(int (*trust) (int, X509 *, int))) (int, X509 *,
                                                                 int);
-- 
2.47.3