From: Bob Beck <beck@openssl.org>
Date: Mon, 29 Sep 2025 21:16:33 +0000 (-0600)
Subject: Constify return value of X509_get_X509_PUBKEY()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc756e594ed5a27af378d3bfcfbe8c7142ce0dc1;p=thirdparty%2Fopenssl.git

Constify return value of X509_get_X509_PUBKEY()

You really should not be mutating this.

Part of #28654
Fixes: https://github.com/openssl/project/issues/1771

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/29428)
---

diff --git a/crypto/cms/cms_kemri.c b/crypto/cms/cms_kemri.c
index d5900ecfc47..0e21d35c569 100644
--- a/crypto/cms/cms_kemri.c
+++ b/crypto/cms/cms_kemri.c
@@ -83,7 +83,7 @@ int ossl_cms_RecipientInfo_kemri_init(CMS_RecipientInfo *ri, X509 *recip,
     CMS_OtherRecipientInfo *ori;
     CMS_KEMRecipientInfo *kemri;
     int idtype;
-    X509_PUBKEY *x_pubkey;
+    const X509_PUBKEY *x_pubkey;
     X509_ALGOR *x_alg;
 
     ri->d.ori = M_ASN1_new_of(CMS_OtherRecipientInfo);
diff --git a/crypto/ct/ct_local.h b/crypto/ct/ct_local.h
index d2f6c48cbde..a06e42bb5be 100644
--- a/crypto/ct/ct_local.h
+++ b/crypto/ct/ct_local.h
@@ -145,7 +145,7 @@ __owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner);
  * Issuer must not be NULL.
  * Returns 1 on success, 0 on failure.
  */
-__owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
+__owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, X509 *issuer);
 
 /*
  * Sets the public key of the issuer of the certificate that the SCT was created
@@ -153,14 +153,13 @@ __owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
  * The public key must not be NULL.
  * Returns 1 on success, 0 on failure.
  */
-__owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
+__owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, const X509_PUBKEY *pubkey);
 
 /*
  * Sets the public key of the CT log that the SCT is from.
  * Returns 1 on success, 0 on failure.
  */
 __owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
-
 /*
  * Sets the time to evaluate the SCT against, in milliseconds since the Unix
  * epoch. If the SCT's timestamp is after this time, it will be interpreted as
diff --git a/crypto/ct/ct_sct_ctx.c b/crypto/ct/ct_sct_ctx.c
index af5be04eff4..aa1ebbfea79 100644
--- a/crypto/ct/ct_sct_ctx.c
+++ b/crypto/ct/ct_sct_ctx.c
@@ -197,7 +197,7 @@ err:
     return 0;
 }
 
-__owur static int ct_public_key_hash(SCT_CTX *sctx, X509_PUBKEY *pkey,
+__owur static int ct_public_key_hash(SCT_CTX *sctx, const X509_PUBKEY *pkey,
     unsigned char **hash, size_t *hash_len)
 {
     int ret = 0;
@@ -241,12 +241,12 @@ err:
     return ret;
 }
 
-int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer)
+int SCT_CTX_set1_issuer(SCT_CTX *sctx, X509 *issuer)
 {
     return SCT_CTX_set1_issuer_pubkey(sctx, X509_get_X509_PUBKEY(issuer));
 }
 
-int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey)
+int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, const X509_PUBKEY *pubkey)
 {
     return ct_public_key_hash(sctx, pubkey, &sctx->ihash, &sctx->ihashlen);
 }
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 7c866eec765..91351d5d780 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -138,7 +138,7 @@ int X509_print_ex(BIO *bp, const X509 *x, unsigned long nmflags, unsigned long c
             goto err;
     }
     if (!(cflag & X509_FLAG_NO_PUBKEY)) {
-        X509_PUBKEY *xpkey = X509_get_X509_PUBKEY(x);
+        const X509_PUBKEY *xpkey = X509_get_X509_PUBKEY(x);
         ASN1_OBJECT *xpoid;
         X509_PUBKEY_get0_param(&xpoid, NULL, NULL, NULL, xpkey);
         if (BIO_write(bp, "        Subject Public Key Info:\n", 33) <= 0)
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index af5af610582..10178522a0b 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -159,7 +159,7 @@ int X509_get_signature_type(const X509 *x)
     return EVP_PKEY_type(OBJ_obj2nid(x->sig_alg.algorithm));
 }
 
-X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x)
+const X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x)
 {
     return x->cert_info.key;
 }
diff --git a/doc/man3/X509_get_pubkey.pod b/doc/man3/X509_get_pubkey.pod
index 86c1edac639..4bf79586bc9 100644
--- a/doc/man3/X509_get_pubkey.pod
+++ b/doc/man3/X509_get_pubkey.pod
@@ -14,7 +14,7 @@ X509_REQ_get_X509_PUBKEY
  EVP_PKEY *X509_get_pubkey(X509 *x);
  EVP_PKEY *X509_get0_pubkey(const X509 *x);
  int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
- X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
+ const X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
 
  EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
  EVP_PKEY *X509_REQ_get0_pubkey(const X509_REQ *req);
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 0366320992d..1a62dfad8a2 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -689,7 +689,7 @@ EVP_PKEY *X509_get0_pubkey(const X509 *x);
  * This one is only used so that a binary form can output, as in
  * i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &buf)
  */
-X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
+const X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
 const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
 void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
     const ASN1_BIT_STRING **psuid);
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 0a3ddebf363..28dc586d340 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1328,7 +1328,7 @@ unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk)
 {
     int pdata_len = 0;
     unsigned char *pdata = NULL;
-    X509_PUBKEY *xpk = NULL;
+    const X509_PUBKEY *xpk = NULL;
     unsigned long ret = 0;
     X509 *x509 = NULL;
 
diff --git a/test/algorithmid_test.c b/test/algorithmid_test.c
index 09ab73e839c..f4732bc30c3 100644
--- a/test/algorithmid_test.c
+++ b/test/algorithmid_test.c
@@ -20,7 +20,7 @@ static const char *pubkey_filename = NULL; /* For test_spki_file() */
 
 #define ALGORITHMID_NAME "algorithm-id"
 
-static int test_spki_aid(X509_PUBKEY *pubkey, const char *filename)
+static int test_spki_aid(const X509_PUBKEY *pubkey, const char *filename)
 {
     const ASN1_OBJECT *oid;
     X509_ALGOR *alg = NULL;
@@ -103,7 +103,7 @@ end:
 
 static int test_x509_spki_aid(X509 *cert, const char *filename)
 {
-    X509_PUBKEY *pubkey = X509_get_X509_PUBKEY(cert);
+    const X509_PUBKEY *pubkey = X509_get_X509_PUBKEY(cert);
 
     return test_spki_aid(pubkey, filename);
 }
diff --git a/test/keymgmt_internal_test.c b/test/keymgmt_internal_test.c
index c44c44ed730..17cea21ed27 100644
--- a/test/keymgmt_internal_test.c
+++ b/test/keymgmt_internal_test.c
@@ -301,7 +301,7 @@ static int test_evp_pkey_export_to_provider(int n)
     OSSL_PROVIDER *prov = NULL;
     X509 *cert = NULL;
     BIO *bio = NULL;
-    X509_PUBKEY *pubkey = NULL;
+    const X509_PUBKEY *pubkey = NULL;
     EVP_KEYMGMT *keymgmt = NULL;
     EVP_PKEY *pkey = NULL;
     void *keydata = NULL;