From: John Smith Date: Thu, 29 Jan 2026 05:07:16 +0000 (+0100) Subject: Propagate const-correctness to PKCS7, CMS, and X509 attribute functions X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d24535c973bfb89c5bdc23452bbf7d49ae2361a1;p=thirdparty%2Fopenssl.git Propagate const-correctness to PKCS7, CMS, and X509 attribute functions Following the const-correctness changes to X509_ATTRIBUTE accessor functions, update all dependent functions to also return const pointers: PKCS7 functions: - PKCS7_get_attribute: returns const ASN1_TYPE * - PKCS7_get_signed_attribute: returns const ASN1_TYPE * - PKCS7_digest_from_attributes: returns const ASN1_OCTET_STRING * X509 functions: - X509at_get0_data_by_OBJ: returns const void * CMS functions: - CMS_signed_get0_data_by_OBJ: returns const void * - CMS_unsigned_get0_data_by_OBJ: returns const void * Update all callers to use const-qualified pointers for return values. Co-Authored-By: Claude Opus 4.5 Reviewed-by: Frederik Wedel-Heinen Reviewed-by: Dmitry Belyavskiy Reviewed-by: David von Oheimb Reviewed-by: Tim Hudson MergeDate: Fri Feb 13 14:46:28 2026 (Merged from https://github.com/openssl/openssl/pull/29813) --- diff --git a/crypto/cms/cms_att.c b/crypto/cms/cms_att.c index 86852afda43..72f93cd8d70 100644 --- a/crypto/cms/cms_att.c +++ b/crypto/cms/cms_att.c @@ -113,7 +113,7 @@ int CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si, return 0; } -void *CMS_signed_get0_data_by_OBJ(const CMS_SignerInfo *si, +const void *CMS_signed_get0_data_by_OBJ(const CMS_SignerInfo *si, const ASN1_OBJECT *oid, int lastpos, int type) { @@ -182,7 +182,7 @@ int CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si, return 0; } -void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid, +const void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid, int lastpos, int type) { return X509at_get0_data_by_OBJ(si->unsignedAttrs, oid, lastpos, type); diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c index 480e1c8b1dd..23b58dedbd3 100644 --- a/crypto/cms/cms_ess.c +++ b/crypto/cms/cms_ess.c @@ -25,7 +25,7 @@ IMPLEMENT_ASN1_FUNCTIONS(CMS_ReceiptRequest) int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr) { - ASN1_STRING *str; + const ASN1_STRING *str; CMS_ReceiptRequest *rr; ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_receiptRequest); @@ -52,7 +52,7 @@ int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr) static int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si, ESS_SIGNING_CERT **psc) { - ASN1_STRING *str; + const ASN1_STRING *str; ESS_SIGNING_CERT *sc; ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificate); @@ -79,7 +79,7 @@ static int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si, static int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 **psc) { - ASN1_STRING *str; + const ASN1_STRING *str; ESS_SIGNING_CERT_V2 *sc; ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificateV2); @@ -257,8 +257,9 @@ int ossl_cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms) CMS_Receipt *rct = NULL; STACK_OF(CMS_SignerInfo) *sis, *osis; CMS_SignerInfo *si, *osi = NULL; - ASN1_OCTET_STRING *msig, **pcont; - ASN1_OBJECT *octype; + const ASN1_OCTET_STRING *msig; + ASN1_OCTET_STRING **pcont; + const ASN1_OBJECT *octype; unsigned char dig[EVP_MAX_MD_SIZE]; unsigned int diglen; @@ -381,7 +382,7 @@ ASN1_OCTET_STRING *ossl_cms_encode_Receipt(CMS_SignerInfo *si) { CMS_Receipt rct; CMS_ReceiptRequest *rr = NULL; - ASN1_OBJECT *ctype; + const ASN1_OBJECT *ctype; ASN1_OCTET_STRING *os = NULL; /* Get original receipt request */ diff --git a/crypto/cms/cms_local.h b/crypto/cms/cms_local.h index 65d3661f8a9..1fe90834f7d 100644 --- a/crypto/cms/cms_local.h +++ b/crypto/cms/cms_local.h @@ -389,7 +389,7 @@ struct CMS_ReceiptsFrom_st { struct CMS_Receipt_st { int32_t version; - ASN1_OBJECT *contentType; + const ASN1_OBJECT *contentType; ASN1_OCTET_STRING *signedContentIdentifier; ASN1_OCTET_STRING *originatorSignatureValue; }; diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 040c8ea22e3..e6f9f6bf90d 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -141,7 +141,7 @@ static int cms_copy_messageDigest(CMS_ContentInfo *cms, CMS_SignerInfo *si) sinfos = CMS_get0_SignerInfos(cms); for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { - ASN1_OCTET_STRING *messageDigest; + const ASN1_OCTET_STRING *messageDigest; sitmp = sk_CMS_SignerInfo_value(sinfos, i); if (sitmp == si) @@ -1387,7 +1387,7 @@ int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain) int CMS_SignerInfo_verify_ex(CMS_SignerInfo *si, BIO *chain, BIO *data) { - ASN1_OCTET_STRING *os = NULL; + const ASN1_OCTET_STRING *os = NULL; EVP_MD_CTX *mctx = EVP_MD_CTX_new(); EVP_PKEY_CTX *pkctx = NULL; int r = -1; diff --git a/crypto/pkcs7/pk7_attr.c b/crypto/pkcs7/pk7_attr.c index a1c09840e82..e57551f2737 100644 --- a/crypto/pkcs7/pk7_attr.c +++ b/crypto/pkcs7/pk7_attr.c @@ -42,7 +42,7 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si) { - ASN1_TYPE *cap; + const ASN1_TYPE *cap; const unsigned char *p; cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities); diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 20928cbad0a..1cf2b1ed511 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -20,7 +20,7 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value); -static ASN1_TYPE *get_attribute(const STACK_OF(X509_ATTRIBUTE) *sk, int nid); +static const ASN1_TYPE *get_attribute(const STACK_OF(X509_ATTRIBUTE) *sk, int nid); int PKCS7_type_is_other(PKCS7 *p7) { @@ -1092,7 +1092,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, unsigned char md_dat[EVP_MAX_MD_SIZE]; unsigned int md_len; int alen; - ASN1_OCTET_STRING *message_digest; + const ASN1_OCTET_STRING *message_digest; if (!EVP_DigestFinal_ex(mdc_tmp, md_dat, &md_len)) goto err; @@ -1165,17 +1165,17 @@ PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) return ri->issuer_and_serial; } -ASN1_TYPE *PKCS7_get_signed_attribute(const PKCS7_SIGNER_INFO *si, int nid) +const ASN1_TYPE *PKCS7_get_signed_attribute(const PKCS7_SIGNER_INFO *si, int nid) { return get_attribute(si->auth_attr, nid); } -ASN1_TYPE *PKCS7_get_attribute(const PKCS7_SIGNER_INFO *si, int nid) +const ASN1_TYPE *PKCS7_get_attribute(const PKCS7_SIGNER_INFO *si, int nid) { return get_attribute(si->unauth_attr, nid); } -static ASN1_TYPE *get_attribute(const STACK_OF(X509_ATTRIBUTE) *sk, int nid) +static const ASN1_TYPE *get_attribute(const STACK_OF(X509_ATTRIBUTE) *sk, int nid) { int idx = X509at_get_attr_by_NID(sk, nid, -1); @@ -1184,9 +1184,9 @@ static ASN1_TYPE *get_attribute(const STACK_OF(X509_ATTRIBUTE) *sk, int nid) return X509_ATTRIBUTE_get0_type(X509at_get_attr(sk, idx), 0); } -ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk) +const ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk) { - ASN1_TYPE *astype; + const ASN1_TYPE *astype; if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL) return NULL; if (astype->type != V_ASN1_OCTET_STRING) diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index c5604864cea..060def46db7 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -185,7 +185,7 @@ static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si) int i; STACK_OF(PKCS7_SIGNER_INFO) *sinfos; PKCS7_SIGNER_INFO *sitmp; - ASN1_OCTET_STRING *osdig = NULL; + const ASN1_OCTET_STRING *osdig = NULL; sinfos = PKCS7_get_signer_info(p7); for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) { sitmp = sk_PKCS7_SIGNER_INFO_value(sinfos, i); diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 6ad8786e621..1b12cc715c9 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -205,7 +205,7 @@ end: static ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si) { - ASN1_TYPE *attr; + const ASN1_TYPE *attr; const unsigned char *p; attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate); @@ -217,7 +217,7 @@ static ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si) static ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si) { - ASN1_TYPE *attr; + const ASN1_TYPE *attr; const unsigned char *p; attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2); diff --git a/crypto/x509/x509_att.c b/crypto/x509/x509_att.c index ec84c0ba11b..3735980b37f 100644 --- a/crypto/x509/x509_att.c +++ b/crypto/x509/x509_att.c @@ -238,11 +238,11 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) return ret; } -void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x, +const void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x, const ASN1_OBJECT *obj, int lastpos, int type) { int i = X509at_get_attr_by_OBJ(x, obj, lastpos); - X509_ATTRIBUTE *at; + const X509_ATTRIBUTE *at; if (i == -1) return NULL; diff --git a/include/openssl/cms.h.in b/include/openssl/cms.h.in index 60633354ed4..142095108c4 100644 --- a/include/openssl/cms.h.in +++ b/include/openssl/cms.h.in @@ -331,7 +331,7 @@ int CMS_signed_add1_attr_by_NID(CMS_SignerInfo *si, int CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si, const char *attrname, int type, const void *bytes, int len); -void *CMS_signed_get0_data_by_OBJ(const CMS_SignerInfo *si, +const void *CMS_signed_get0_data_by_OBJ(const CMS_SignerInfo *si, const ASN1_OBJECT *oid, int lastpos, int type); @@ -352,7 +352,7 @@ int CMS_unsigned_add1_attr_by_NID(CMS_SignerInfo *si, int CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si, const char *attrname, int type, const void *bytes, int len); -void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid, +const void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid, int lastpos, int type); int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr); diff --git a/include/openssl/pkcs7.h.in b/include/openssl/pkcs7.h.in index 02a79c292c7..5065591e52b 100644 --- a/include/openssl/pkcs7.h.in +++ b/include/openssl/pkcs7.h.in @@ -307,13 +307,13 @@ int PKCS7_stream(unsigned char ***boundary, PKCS7 *p7); PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx); ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7); -ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk); +const ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk); int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int type, void *data); int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, void *value); -ASN1_TYPE *PKCS7_get_attribute(const PKCS7_SIGNER_INFO *si, int nid); -ASN1_TYPE *PKCS7_get_signed_attribute(const PKCS7_SIGNER_INFO *si, int nid); +const ASN1_TYPE *PKCS7_get_attribute(const PKCS7_SIGNER_INFO *si, int nid); +const ASN1_TYPE *PKCS7_get_signed_attribute(const PKCS7_SIGNER_INFO *si, int nid); int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk); int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in index f77d0025d30..f34e5dceb73 100644 --- a/include/openssl/x509.h.in +++ b/include/openssl/x509.h.in @@ -980,7 +980,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) int type, const unsigned char *bytes, int len); -void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x, +const void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x, const ASN1_OBJECT *obj, int lastpos, int type); X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid, int atrtype, const void *data,