Propagate const-correctness to PKCS7, CMS, and X509 attribute functions

author John Smith <xaum.io@gmail.com>

Thu, 29 Jan 2026 05:07:16 +0000 (06:07 +0100)

committer Tomas Mraz <tomas@openssl.org>

Fri, 13 Feb 2026 14:45:37 +0000 (15:45 +0100)
author John Smith <xaum.io@gmail.com>
Thu, 29 Jan 2026 05:07:16 +0000 (06:07 +0100)
committer Tomas Mraz <tomas@openssl.org>
Fri, 13 Feb 2026 14:45:37 +0000 (15:45 +0100)
diff --git a/crypto/cms/cms_att.c b/crypto/cms/cms_att.c

index 86852afda43e0fd91e66844022eb0404cd5121e6..72f93cd8d7088576817f1f9dab776b50a097442b 100644 (file)
--- a/crypto/cms/cms_att.c
+++ b/crypto/cms/cms_att.c
@@ -113,7 +113,7 @@ int CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si,
      return 0;
  }
  
-void *CMS_signed_get0_data_by_OBJ(const CMS_SignerInfo *si,
+const void *CMS_signed_get0_data_by_OBJ(const CMS_SignerInfo *si,
      const ASN1_OBJECT *oid,
      int lastpos, int type)
  {
@@ -182,7 +182,7 @@ int CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si,
      return 0;
  }
  
-void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid,
+const void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid,
      int lastpos, int type)
  {
      return X509at_get0_data_by_OBJ(si->unsignedAttrs, oid, lastpos, type);
diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c

index 480e1c8b1ddcaf19f93bdc645d350b478097f4a7..23b58dedbd33a9ef2062933641eca637e9e4b08a 100644 (file)
--- a/crypto/cms/cms_ess.c
+++ b/crypto/cms/cms_ess.c
@@ -25,7 +25,7 @@ IMPLEMENT_ASN1_FUNCTIONS(CMS_ReceiptRequest)
  
  int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr)
  {
-    ASN1_STRING *str;
+    const ASN1_STRING *str;
      CMS_ReceiptRequest *rr;
      ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_receiptRequest);
  
@@ -52,7 +52,7 @@ int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr)
  static int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
      ESS_SIGNING_CERT **psc)
  {
-    ASN1_STRING *str;
+    const ASN1_STRING *str;
      ESS_SIGNING_CERT *sc;
      ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificate);
  
@@ -79,7 +79,7 @@ static int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
  static int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
      ESS_SIGNING_CERT_V2 **psc)
  {
-    ASN1_STRING *str;
+    const ASN1_STRING *str;
      ESS_SIGNING_CERT_V2 *sc;
      ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificateV2);
  
@@ -257,8 +257,9 @@ int ossl_cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms)
      CMS_Receipt *rct = NULL;
      STACK_OF(CMS_SignerInfo) *sis, *osis;
      CMS_SignerInfo *si, *osi = NULL;
-    ASN1_OCTET_STRING *msig, **pcont;
-    ASN1_OBJECT *octype;
+    const ASN1_OCTET_STRING *msig;
+    ASN1_OCTET_STRING **pcont;
+    const ASN1_OBJECT *octype;
      unsigned char dig[EVP_MAX_MD_SIZE];
      unsigned int diglen;
  
@@ -381,7 +382,7 @@ ASN1_OCTET_STRING *ossl_cms_encode_Receipt(CMS_SignerInfo *si)
  {
      CMS_Receipt rct;
      CMS_ReceiptRequest *rr = NULL;
-    ASN1_OBJECT *ctype;
+    const ASN1_OBJECT *ctype;
      ASN1_OCTET_STRING *os = NULL;
  
      /* Get original receipt request */
diff --git a/crypto/cms/cms_local.h b/crypto/cms/cms_local.h

index 65d3661f8a98140cd78435fc84e7a080cabd2e51..1fe90834f7d58713fd1872a1d239bf47b967c592 100644 (file)
--- a/crypto/cms/cms_local.h
+++ b/crypto/cms/cms_local.h
@@ -389,7 +389,7 @@ struct CMS_ReceiptsFrom_st {
  
  struct CMS_Receipt_st {
      int32_t version;
-    ASN1_OBJECT *contentType;
+    const ASN1_OBJECT *contentType;
      ASN1_OCTET_STRING *signedContentIdentifier;
      ASN1_OCTET_STRING *originatorSignatureValue;
  };
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c

index 040c8ea22e3b6c2ee18e204f62f1fbbe803b3de1..e6f9f6bf90d2927b837c3d641dd24e51513a8415 100644 (file)
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -141,7 +141,7 @@ static int cms_copy_messageDigest(CMS_ContentInfo *cms, CMS_SignerInfo *si)
  
      sinfos = CMS_get0_SignerInfos(cms);
      for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
-        ASN1_OCTET_STRING *messageDigest;
+        const ASN1_OCTET_STRING *messageDigest;
  
          sitmp = sk_CMS_SignerInfo_value(sinfos, i);
          if (sitmp == si)
@@ -1387,7 +1387,7 @@ int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain)
  
  int CMS_SignerInfo_verify_ex(CMS_SignerInfo *si, BIO *chain, BIO *data)
  {
-    ASN1_OCTET_STRING *os = NULL;
+    const ASN1_OCTET_STRING *os = NULL;
      EVP_MD_CTX *mctx = EVP_MD_CTX_new();
      EVP_PKEY_CTX *pkctx = NULL;
      int r = -1;
diff --git a/crypto/pkcs7/pk7_attr.c b/crypto/pkcs7/pk7_attr.c

index a1c09840e826ba73672d2fff3d0a401932e2d705..e57551f2737f154b8deda2f5ee6244a80294a3c9 100644 (file)
--- a/crypto/pkcs7/pk7_attr.c
+++ b/crypto/pkcs7/pk7_attr.c
@@ -42,7 +42,7 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si,
  
  STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
  {
-    ASN1_TYPE *cap;
+    const ASN1_TYPE *cap;
      const unsigned char *p;
  
      cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c

index 20928cbad0aeb2d1628e3f7eaf84f5b1c8c16b91..1cf2b1ed511cb2f7f1f51dc9522946a525ed641e 100644 (file)
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -20,7 +20,7 @@
  
  static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
      void *value);
-static ASN1_TYPE *get_attribute(const STACK_OF(X509_ATTRIBUTE) *sk, int nid);
+static const ASN1_TYPE *get_attribute(const STACK_OF(X509_ATTRIBUTE) *sk, int nid);
  
  int PKCS7_type_is_other(PKCS7 *p7)
  {
@@ -1092,7 +1092,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
          unsigned char md_dat[EVP_MAX_MD_SIZE];
          unsigned int md_len;
          int alen;
-        ASN1_OCTET_STRING *message_digest;
+        const ASN1_OCTET_STRING *message_digest;
  
          if (!EVP_DigestFinal_ex(mdc_tmp, md_dat, &md_len))
              goto err;
@@ -1165,17 +1165,17 @@ PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx)
      return ri->issuer_and_serial;
  }
  
-ASN1_TYPE *PKCS7_get_signed_attribute(const PKCS7_SIGNER_INFO *si, int nid)
+const ASN1_TYPE *PKCS7_get_signed_attribute(const PKCS7_SIGNER_INFO *si, int nid)
  {
      return get_attribute(si->auth_attr, nid);
  }
  
-ASN1_TYPE *PKCS7_get_attribute(const PKCS7_SIGNER_INFO *si, int nid)
+const ASN1_TYPE *PKCS7_get_attribute(const PKCS7_SIGNER_INFO *si, int nid)
  {
      return get_attribute(si->unauth_attr, nid);
  }
  
-static ASN1_TYPE *get_attribute(const STACK_OF(X509_ATTRIBUTE) *sk, int nid)
+static const ASN1_TYPE *get_attribute(const STACK_OF(X509_ATTRIBUTE) *sk, int nid)
  {
      int idx = X509at_get_attr_by_NID(sk, nid, -1);
  
@@ -1184,9 +1184,9 @@ static ASN1_TYPE *get_attribute(const STACK_OF(X509_ATTRIBUTE) *sk, int nid)
      return X509_ATTRIBUTE_get0_type(X509at_get_attr(sk, idx), 0);
  }
  
-ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
+const ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
  {
-    ASN1_TYPE *astype;
+    const ASN1_TYPE *astype;
      if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
          return NULL;
      if (astype->type != V_ASN1_OCTET_STRING)
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c

index c5604864cea76295e9d5938b4f123254a820f47c..060def46db76ec9a6b75973e53f4b49d6699477a 100644 (file)
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -185,7 +185,7 @@ static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
      int i;
      STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
      PKCS7_SIGNER_INFO *sitmp;
-    ASN1_OCTET_STRING *osdig = NULL;
+    const ASN1_OCTET_STRING *osdig = NULL;
      sinfos = PKCS7_get_signer_info(p7);
      for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) {
          sitmp = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c

index 6ad8786e6215314bf41ac09cc23d46e11c53a858..1b12cc715c91b53b93d7885943af57d31271daee 100644 (file)
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -205,7 +205,7 @@ end:
  
  static ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
  {
-    ASN1_TYPE *attr;
+    const ASN1_TYPE *attr;
      const unsigned char *p;
  
      attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
@@ -217,7 +217,7 @@ static ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
  
  static ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si)
  {
-    ASN1_TYPE *attr;
+    const ASN1_TYPE *attr;
      const unsigned char *p;
  
      attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
diff --git a/crypto/x509/x509_att.c b/crypto/x509/x509_att.c

index ec84c0ba11b0dcade264d87bdf77455abb129f42..3735980b37f6a098b10841277680f11834fc7276 100644 (file)
--- a/crypto/x509/x509_att.c
+++ b/crypto/x509/x509_att.c
@@ -238,11 +238,11 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE)
      return ret;
  }
  
-void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x,
+const void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x,
      const ASN1_OBJECT *obj, int lastpos, int type)
  {
      int i = X509at_get_attr_by_OBJ(x, obj, lastpos);
-    X509_ATTRIBUTE *at;
+    const X509_ATTRIBUTE *at;
  
      if (i == -1)
          return NULL;
diff --git a/include/openssl/cms.h.in b/include/openssl/cms.h.in

index 60633354ed476294cd951498ea04ab308fda9e17..142095108c4e44e167ef5f46d5c0885d4348d053 100644 (file)
--- a/include/openssl/cms.h.in
+++ b/include/openssl/cms.h.in
@@ -331,7 +331,7 @@ int CMS_signed_add1_attr_by_NID(CMS_SignerInfo *si,
  int CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si,
      const char *attrname, int type,
      const void *bytes, int len);
-void *CMS_signed_get0_data_by_OBJ(const CMS_SignerInfo *si,
+const void *CMS_signed_get0_data_by_OBJ(const CMS_SignerInfo *si,
      const ASN1_OBJECT *oid,
      int lastpos, int type);
  
@@ -352,7 +352,7 @@ int CMS_unsigned_add1_attr_by_NID(CMS_SignerInfo *si,
  int CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si,
      const char *attrname, int type,
      const void *bytes, int len);
-void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid,
+const void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid,
      int lastpos, int type);
  
  int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr);
diff --git a/include/openssl/pkcs7.h.in b/include/openssl/pkcs7.h.in

index 02a79c292c754df66a351d792f6e7e6135dcf818..5065591e52be4a276fd34f41ec6d8d96854bd8c1 100644 (file)
--- a/include/openssl/pkcs7.h.in
+++ b/include/openssl/pkcs7.h.in
@@ -307,13 +307,13 @@ int PKCS7_stream(unsigned char ***boundary, PKCS7 *p7);
  
  PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx);
  ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7);
-ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk);
+const ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk);
  int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int type,
      void *data);
  int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
      void *value);
-ASN1_TYPE *PKCS7_get_attribute(const PKCS7_SIGNER_INFO *si, int nid);
-ASN1_TYPE *PKCS7_get_signed_attribute(const PKCS7_SIGNER_INFO *si, int nid);
+const ASN1_TYPE *PKCS7_get_attribute(const PKCS7_SIGNER_INFO *si, int nid);
+const ASN1_TYPE *PKCS7_get_signed_attribute(const PKCS7_SIGNER_INFO *si, int nid);
  int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si,
      STACK_OF(X509_ATTRIBUTE) *sk);
  int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si,
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in

index f77d0025d30120719343ba232b34a74c82047db6..f34e5dceb735fed5a43203dbbda30468a8ce3d4b 100644 (file)
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -980,7 +980,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE)
      int type,
      const unsigned char *bytes,
      int len);
-void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x,
+const void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x,
      const ASN1_OBJECT *obj, int lastpos, int type);
  X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
      int atrtype, const void *data,
author	John Smith <xaum.io@gmail.com>
	Thu, 29 Jan 2026 05:07:16 +0000 (06:07 +0100)
committer	Tomas Mraz <tomas@openssl.org>
	Fri, 13 Feb 2026 14:45:37 +0000 (15:45 +0100)
crypto/cms/cms_att.c		patch \| blob \| blame \| history
crypto/cms/cms_ess.c		patch \| blob \| blame \| history
crypto/cms/cms_local.h		patch \| blob \| blame \| history
crypto/cms/cms_sd.c		patch \| blob \| blame \| history
crypto/pkcs7/pk7_attr.c		patch \| blob \| blame \| history
crypto/pkcs7/pk7_doit.c		patch \| blob \| blame \| history
crypto/pkcs7/pk7_smime.c		patch \| blob \| blame \| history
crypto/ts/ts_rsp_verify.c		patch \| blob \| blame \| history
crypto/x509/x509_att.c		patch \| blob \| blame \| history
include/openssl/cms.h.in		patch \| blob \| blame \| history
include/openssl/pkcs7.h.in		patch \| blob \| blame \| history
include/openssl/x509.h.in		patch \| blob \| blame \| history