Constify the X509_STORE_CTX argument to the lookup_certs functions.

The justification for this not being const was because of
lookup_certs_sk(). The reasons this function could not have a
const store, is that it set the ctx's error code
when we could not allocate memory and returned NULL.

However, the other lookup_certs function, X509_STORE_CTX_get1_certs,
already does not set this error code when failing to allocate
memory on a return.

Given that you can't depend on the out of memory error code being
set in the general case, and the Beyonce rule appears to indicate
that nobody likes this behaviour (as nobody put a test on it) I
think it's safe to say we should just not modify the ctx, and
constify it.

For #28654

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Mon Jan 19 12:03:05 2026
(Merged from https://github.com/openssl/openssl/pull/29488)

diff --git a/crypto/x509/x509_local.h b/crypto/x509/x509_local.h
index 9eef700436c77b1b347ab4c45ac3070894caeaf7..58f2d9f79b793573d6dcac7be801fd190f01aae7 100644 (file)
--- a/crypto/x509/x509_local.h
+++ b/crypto/x509/x509_local.h
@@ -149,9 +149,8 @@ struct x509_store_st {
     int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
     /* Check policy status of the chain */
     int (*check_policy)(X509_STORE_CTX *ctx);
-    STACK_OF(X509) *(*lookup_certs)(X509_STORE_CTX *ctx,
+    STACK_OF(X509) *(*lookup_certs)(const X509_STORE_CTX *ctx,
         const X509_NAME *nm);
-    /* cannot constify 'ctx' param due to lookup_certs_sk() in x509_vfy.c */
     STACK_OF(X509_CRL) *(*lookup_crls)(const X509_STORE_CTX *ctx,
         const X509_NAME *nm);
     int (*cleanup)(X509_STORE_CTX *ctx);

diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 1167fcf1fc1146e74d09024607832b5e689a99d9..bd32bc9b34ce69f717cbd8da5389060c4d8ff704 100644 (file)
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -829,7 +829,7 @@ out_free:
  * Collect from |ctx->store| all certs with subject matching |nm|.
  * Returns NULL on internal/fatal error, empty stack if not found.
  */
-STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx,
+STACK_OF(X509) *X509_STORE_CTX_get1_certs(const X509_STORE_CTX *ctx,
     const X509_NAME *nm)
 {
     int i, idx = -1, cnt = 0;

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index ef15131e821fe4172136f700599acb567f3f9bc4..a789ec6f9141e208bc317087076c811a5218eab4 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -520,7 +520,7 @@ static int get1_best_issuer_other_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x
  * Alternative lookup method: look from a STACK stored in other_ctx.
  * Returns NULL on internal/fatal error, empty stack if not found.
  */
-static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, const X509_NAME *nm)
+static STACK_OF(X509) *lookup_certs_sk(const X509_STORE_CTX *ctx, const X509_NAME *nm)
 {
     STACK_OF(X509) *sk = sk_X509_new_null();
     X509 *x;
@@ -533,7 +533,6 @@ static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, const X509_NAME *nm)
         if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) {
             if (!X509_add_cert(sk, x, X509_ADD_FLAG_UP_REF)) {
                 OSSL_STACK_OF_X509_free(sk);
-                ctx->error = X509_V_ERR_OUT_OF_MEM;
                 return NULL;
             }
         }

diff --git a/include/crypto/x509.h b/include/crypto/x509.h
index 95367b8ff25b21fc08c62cb1a5d928a538297019..fd749f1bf38457b16a4ff5b8eb3826b257e03f36 100644 (file)
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@@ -244,7 +244,7 @@ struct x509_store_ctx_st { /* X509_STORE_CTX */
     int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
     /* Check policy status of the chain */
     int (*check_policy)(X509_STORE_CTX *ctx);
-    STACK_OF(X509) *(*lookup_certs)(X509_STORE_CTX *ctx,
+    STACK_OF(X509) *(*lookup_certs)(const X509_STORE_CTX *ctx,
         const X509_NAME *nm);
     /* cannot constify 'ctx' param due to lookup_certs_sk() in x509_vfy.c */
     STACK_OF(X509_CRL) *(*lookup_crls)(const X509_STORE_CTX *ctx,

diff --git a/include/openssl/x509_vfy.h.in b/include/openssl/x509_vfy.h.in
index 17faf310b17d8d5518239b275bcd1d799797ef43..d7c1a6a47167310ba71a6e7852248cb43a5f391f 100644 (file)
--- a/include/openssl/x509_vfy.h.in
+++ b/include/openssl/x509_vfy.h.in
@@ -169,7 +169,7 @@ typedef int (*X509_STORE_CTX_cert_crl_fn)(X509_STORE_CTX *ctx,
     X509_CRL *crl, X509 *x);
 typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx);
 typedef STACK_OF(X509)
-    *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx,
+    *(*X509_STORE_CTX_lookup_certs_fn)(const X509_STORE_CTX *ctx,
         const X509_NAME *nm);
 typedef STACK_OF(X509_CRL)
     *(*X509_STORE_CTX_lookup_crls_fn)(const X509_STORE_CTX *ctx,
@@ -427,7 +427,7 @@ STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *xs);
 #endif
 STACK_OF(X509_OBJECT) *X509_STORE_get1_objects(X509_STORE *xs);
 STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *xs);
-STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *xs,
+STACK_OF(X509) *X509_STORE_CTX_get1_certs(const X509_STORE_CTX *xs,
     const X509_NAME *nm);
 STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(const X509_STORE_CTX *st,
     const X509_NAME *nm);