From: Bob Beck <beck@openssl.org>
Date: Mon, 22 Dec 2025 18:32:08 +0000 (-0700)
Subject: Constify the X509_STORE_CTX argument to the lookup_certs functions.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51ba3bb8c3d2063ce96dc6d107d8664a578518dc;p=thirdparty%2Fopenssl.git

Constify the X509_STORE_CTX argument to the lookup_certs functions.

The justification for this not being const was because of
lookup_certs_sk(). The reasons this function could not have a
const store, is that it set the ctx's error code
when we could not allocate memory and returned NULL.

However, the other lookup_certs function, X509_STORE_CTX_get1_certs,
already does not set this error code when failing to allocate
memory on a return.

Given that you can't depend on the out of memory error code being
set in the general case, and the Beyonce rule appears to indicate
that nobody likes this behaviour (as nobody put a test on it) I
think it's safe to say we should just not modify the ctx, and
constify it.

For #28654

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Mon Jan 19 12:03:05 2026
(Merged from https://github.com/openssl/openssl/pull/29488)
---

diff --git a/crypto/x509/x509_local.h b/crypto/x509/x509_local.h
index 9eef700436c..58f2d9f79b7 100644
--- a/crypto/x509/x509_local.h
+++ b/crypto/x509/x509_local.h
@@ -149,9 +149,8 @@ struct x509_store_st {
     int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
     /* Check policy status of the chain */
     int (*check_policy)(X509_STORE_CTX *ctx);
-    STACK_OF(X509) *(*lookup_certs)(X509_STORE_CTX *ctx,
+    STACK_OF(X509) *(*lookup_certs)(const X509_STORE_CTX *ctx,
         const X509_NAME *nm);
-    /* cannot constify 'ctx' param due to lookup_certs_sk() in x509_vfy.c */
     STACK_OF(X509_CRL) *(*lookup_crls)(const X509_STORE_CTX *ctx,
         const X509_NAME *nm);
     int (*cleanup)(X509_STORE_CTX *ctx);
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 1167fcf1fc1..bd32bc9b34c 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -829,7 +829,7 @@ out_free:
  * Collect from |ctx->store| all certs with subject matching |nm|.
  * Returns NULL on internal/fatal error, empty stack if not found.
  */
-STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx,
+STACK_OF(X509) *X509_STORE_CTX_get1_certs(const X509_STORE_CTX *ctx,
     const X509_NAME *nm)
 {
     int i, idx = -1, cnt = 0;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index ef15131e821..a789ec6f914 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -520,7 +520,7 @@ static int get1_best_issuer_other_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x
  * Alternative lookup method: look from a STACK stored in other_ctx.
  * Returns NULL on internal/fatal error, empty stack if not found.
  */
-static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, const X509_NAME *nm)
+static STACK_OF(X509) *lookup_certs_sk(const X509_STORE_CTX *ctx, const X509_NAME *nm)
 {
     STACK_OF(X509) *sk = sk_X509_new_null();
     X509 *x;
@@ -533,7 +533,6 @@ static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, const X509_NAME *nm)
         if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) {
             if (!X509_add_cert(sk, x, X509_ADD_FLAG_UP_REF)) {
                 OSSL_STACK_OF_X509_free(sk);
-                ctx->error = X509_V_ERR_OUT_OF_MEM;
                 return NULL;
             }
         }
diff --git a/include/crypto/x509.h b/include/crypto/x509.h
index 95367b8ff25..fd749f1bf38 100644
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@@ -244,7 +244,7 @@ struct x509_store_ctx_st { /* X509_STORE_CTX */
     int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
     /* Check policy status of the chain */
     int (*check_policy)(X509_STORE_CTX *ctx);
-    STACK_OF(X509) *(*lookup_certs)(X509_STORE_CTX *ctx,
+    STACK_OF(X509) *(*lookup_certs)(const X509_STORE_CTX *ctx,
         const X509_NAME *nm);
     /* cannot constify 'ctx' param due to lookup_certs_sk() in x509_vfy.c */
     STACK_OF(X509_CRL) *(*lookup_crls)(const X509_STORE_CTX *ctx,
diff --git a/include/openssl/x509_vfy.h.in b/include/openssl/x509_vfy.h.in
index 17faf310b17..d7c1a6a4716 100644
--- a/include/openssl/x509_vfy.h.in
+++ b/include/openssl/x509_vfy.h.in
@@ -169,7 +169,7 @@ typedef int (*X509_STORE_CTX_cert_crl_fn)(X509_STORE_CTX *ctx,
     X509_CRL *crl, X509 *x);
 typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx);
 typedef STACK_OF(X509)
-    *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx,
+    *(*X509_STORE_CTX_lookup_certs_fn)(const X509_STORE_CTX *ctx,
         const X509_NAME *nm);
 typedef STACK_OF(X509_CRL)
     *(*X509_STORE_CTX_lookup_crls_fn)(const X509_STORE_CTX *ctx,
@@ -427,7 +427,7 @@ STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *xs);
 #endif
 STACK_OF(X509_OBJECT) *X509_STORE_get1_objects(X509_STORE *xs);
 STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *xs);
-STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *xs,
+STACK_OF(X509) *X509_STORE_CTX_get1_certs(const X509_STORE_CTX *xs,
     const X509_NAME *nm);
 STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(const X509_STORE_CTX *st,
     const X509_NAME *nm);