From e5b563366b001be60c64410d063c24c0536373bd Mon Sep 17 00:00:00 2001 From: Bob Beck Date: Wed, 18 Feb 2026 17:34:12 -0700 Subject: [PATCH] Constify X509_STORE_CTX functions invoving X509 * X509_STORE_CTX *ctx, const X509 *x); X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, const X509 *x); int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store, const X509 *target, STACK_OF(X509) *untrusted); const X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx); const X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx); const X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx); void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, const X509 *target); For #30052 Reviewed-by: Neil Horman Reviewed-by: Paul Dale MergeDate: Wed Feb 25 10:24:15 2026 (Merged from https://github.com/openssl/openssl/pull/30076) --- apps/lib/apps.c | 2 +- apps/lib/s_cb.c | 2 +- apps/verify.c | 2 +- apps/x509.c | 2 +- crypto/x509/t_x509.c | 5 +++-- crypto/x509/x509_local.h | 5 +++-- crypto/x509/x509_vfy.c | 24 ++++++++++++---------- doc/man3/X509_STORE_CTX_get_error.pod | 4 ++-- doc/man3/X509_STORE_CTX_new.pod | 4 ++-- doc/man3/X509_STORE_set_verify_cb_func.pod | 2 +- include/crypto/x509.h | 7 ++++--- include/openssl/x509_vfy.h.in | 14 ++++++------- test/ssl_old_test.c | 2 +- 13 files changed, 40 insertions(+), 35 deletions(-) diff --git a/apps/lib/apps.c b/apps/lib/apps.c index add16726b63..1e815617618 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -2583,7 +2583,7 @@ static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp) static STACK_OF(X509_CRL) *crls_http_cb(const X509_STORE_CTX *ctx, const X509_NAME *nm) { - X509 *x; + const X509 *x; STACK_OF(X509_CRL) *crls = NULL; X509_CRL *crl; STACK_OF(DIST_POINT) *crldp; diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index 2f1f652b053..77a3762be80 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c @@ -47,7 +47,7 @@ static const char *lookup(int val, const STRINT_PAIR *list, const char *def) int verify_callback(int ok, X509_STORE_CTX *ctx) { - X509 *err_cert; + const X509 *err_cert; int err, depth; err_cert = X509_STORE_CTX_get_current_cert(ctx); diff --git a/apps/verify.c b/apps/verify.c index 1de7c830caf..b8e5da65e9b 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -330,7 +330,7 @@ end: static int cb(int ok, X509_STORE_CTX *ctx) { int cert_error = X509_STORE_CTX_get_error(ctx); - X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); + const X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); if (!ok) { if (current_cert != NULL) { diff --git a/apps/x509.c b/apps/x509.c index 003dd7b984e..836d0a4011d 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -1271,7 +1271,7 @@ end: static int callb(int ok, X509_STORE_CTX *ctx) { int err; - X509 *err_cert; + const X509 *err_cert; /* * It is ok to use a self-signed certificate. This case will catch both diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c index 74e1bc2b86e..99d68b32b47 100644 --- a/crypto/x509/t_x509.c +++ b/crypto/x509/t_x509.c @@ -374,7 +374,7 @@ int X509_aux_print(BIO *out, const X509 *x, int indent) * Helper functions for improving certificate verification error diagnostics */ -int ossl_x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags) +int ossl_x509_print_ex_brief(BIO *bio, const X509 *cert, unsigned long neg_cflags) { unsigned long flags = ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN; X509_VERIFY_PARAM *vpm = X509_VERIFY_PARAM_new(); @@ -391,7 +391,8 @@ int ossl_x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags) if (BIO_printf(bio, " certificate\n") <= 0 || !X509_print_ex(bio, cert, flags, ~X509_FLAG_NO_SUBJECT)) goto err; - if (X509_check_issued((X509 *)cert, cert) == X509_V_OK) { + /* XXX casts away const - remove cast once #30067 lands */ + if (X509_check_issued((X509 *)cert, (X509 *)cert) == X509_V_OK) { if (BIO_printf(bio, " self-issued\n") <= 0) goto err; } else { diff --git a/crypto/x509/x509_local.h b/crypto/x509/x509_local.h index ec6264e788a..1966ace95a1 100644 --- a/crypto/x509/x509_local.h +++ b/crypto/x509/x509_local.h @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ #include +#include #include "internal/refcount.h" #include "internal/hashtable.h" @@ -152,9 +153,9 @@ struct x509_store_st { /* error callback */ int (*verify_cb)(int ok, X509_STORE_CTX *ctx); /* get issuers cert from ctx */ - int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); + X509_STORE_CTX_get_issuer_fn get_issuer; /* check issued */ - int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); + X509_STORE_CTX_check_issued_fn check_issued; /* Check revocation status of chain */ int (*check_revocation)(X509_STORE_CTX *ctx); /* retrieve CRL */ diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index a94276651dc..ed9f78c47ec 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -52,7 +52,7 @@ static int verify_rpk(X509_STORE_CTX *ctx); static int dane_verify(X509_STORE_CTX *ctx); static int dane_verify_rpk(X509_STORE_CTX *ctx); static int null_callback(int ok, X509_STORE_CTX *e); -static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); +static int check_issued(X509_STORE_CTX *ctx, const X509 *x, const X509 *issuer); static int check_extensions(X509_STORE_CTX *ctx); static int check_name_constraints(X509_STORE_CTX *ctx); static int check_id(X509_STORE_CTX *ctx); @@ -412,7 +412,7 @@ static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert) * Maybe not touch X509_STORE_CTX_get1_issuer(), for API backward compatibility. */ static X509 *get0_best_issuer_sk(X509_STORE_CTX *ctx, int check_signing_allowed, - int no_dup, STACK_OF(X509) *sk, X509 *x) + int no_dup, STACK_OF(X509) *sk, const X509 *x) { int i; X509 *candidate, *issuer = NULL; @@ -453,7 +453,7 @@ static X509 *get0_best_issuer_sk(X509_STORE_CTX *ctx, int check_signing_allowed, * 0 certificate not found. * -1 some other error. */ -int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) +int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, const X509 *x) { const X509_NAME *xn = X509_get_issuer_name(x); X509_OBJECT *obj = X509_OBJECT_new(); @@ -491,9 +491,10 @@ end: } /* Check that the given certificate |x| is issued by the certificate |issuer| */ -static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer) +static int check_issued(ossl_unused X509_STORE_CTX *ctx, const X509 *x, const X509 *issuer) { - int err = ossl_x509_likely_issued(issuer, x); + /* XXX casts away const, remove cast when #30067 lands */ + int err = ossl_x509_likely_issued((X509 *)issuer, (X509 *)x); if (err == X509_V_OK) return 1; @@ -508,7 +509,7 @@ static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer) * Alternative get_issuer method: look up from a STACK_OF(X509) in other_ctx. * Returns -1 on internal error. */ -static int get1_best_issuer_other_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) +static int get1_best_issuer_other_sk(X509 **issuer, X509_STORE_CTX *ctx, const X509 *x) { *issuer = get0_best_issuer_sk(ctx, 0, 1 /* no_dup */, ctx->other_ctx, x); if (*issuer == NULL) @@ -2706,7 +2707,7 @@ void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth) ctx->error_depth = depth; } -X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx) +const X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx) { return ctx->current_cert; } @@ -2728,7 +2729,7 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx) return X509_chain_up_ref(ctx->chain); } -X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx) +const X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx) { return ctx->current_issuer; } @@ -2743,9 +2744,10 @@ X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx) return ctx->parent; } -void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) +void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, const X509 *x) { - ctx->cert = x; + /* XXX casts away const - fix by making ctx->cert const */ + ctx->cert = (X509 *)x; } void X509_STORE_CTX_set0_rpk(X509_STORE_CTX *ctx, EVP_PKEY *rpk) @@ -3087,7 +3089,7 @@ void X509_STORE_CTX_set_current_reasons(X509_STORE_CTX *ctx, ctx->current_reasons = current_reasons; } -X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx) +const X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx) { return ctx->cert; } diff --git a/doc/man3/X509_STORE_CTX_get_error.pod b/doc/man3/X509_STORE_CTX_get_error.pod index e1c7ae734cb..dae6fa7d032 100644 --- a/doc/man3/X509_STORE_CTX_get_error.pod +++ b/doc/man3/X509_STORE_CTX_get_error.pod @@ -18,9 +18,9 @@ information void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s); int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx); void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth); - X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx); + const X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx); void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x); - X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx); + const X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx); STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx); X509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx); diff --git a/doc/man3/X509_STORE_CTX_new.pod b/doc/man3/X509_STORE_CTX_new.pod index 143438655ef..fb34afdb1eb 100644 --- a/doc/man3/X509_STORE_CTX_new.pod +++ b/doc/man3/X509_STORE_CTX_new.pod @@ -32,13 +32,13 @@ X509_STORE_CTX_purpose_inherit void X509_STORE_CTX_free(X509_STORE_CTX *ctx); int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store, - X509 *target, STACK_OF(X509) *untrusted); + const X509 *target, STACK_OF(X509) *untrusted); int X509_STORE_CTX_init_rpk(X509_STORE_CTX *ctx, X509_STORE *trust_store, EVP_PKEY *rpk); void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); - void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *target); + void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, const X509 *target); void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk); void X509_STORE_CTX_set0_rpk(X509_STORE_CTX *ctx, EVP_PKEY *target); diff --git a/doc/man3/X509_STORE_set_verify_cb_func.pod b/doc/man3/X509_STORE_set_verify_cb_func.pod index 57fc6c9f643..adf783fc081 100644 --- a/doc/man3/X509_STORE_set_verify_cb_func.pod +++ b/doc/man3/X509_STORE_set_verify_cb_func.pod @@ -65,7 +65,7 @@ X509_STORE_CTX_lookup_certs_fn, X509_STORE_CTX_lookup_crls_fn void X509_STORE_set_verify(X509_STORE *xs, X509_STORE_CTX_verify_fn verify); X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(const X509_STORE_CTX *ctx); - int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); + int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, const X509 *x); X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE_CTX *ctx); void X509_STORE_set_get_issuer(X509_STORE *xs, X509_STORE_CTX_get_issuer_fn get_issuer); diff --git a/include/crypto/x509.h b/include/crypto/x509.h index 32c53b521c8..8ddeb1afaca 100644 --- a/include/crypto/x509.h +++ b/include/crypto/x509.h @@ -14,6 +14,7 @@ #include "internal/refcount.h" #include #include +#include #include #include "crypto/types.h" @@ -233,9 +234,9 @@ struct x509_store_ctx_st { /* X509_STORE_CTX */ /* error callback */ int (*verify_cb)(int ok, X509_STORE_CTX *ctx); /* get issuers cert from ctx */ - int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); + X509_STORE_CTX_get_issuer_fn get_issuer; /* check issued */ - int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); + X509_STORE_CTX_check_issued_fn check_issued; /* Check revocation status of chain */ int (*check_revocation)(X509_STORE_CTX *ctx); /* retrieve CRL */ @@ -314,7 +315,7 @@ struct x509_object_st { int ossl_a2i_ipadd(unsigned char *ipout, const char *ipasc); int ossl_x509_set1_time(int *modified, ASN1_TIME **ptm, const ASN1_TIME *tm); -int ossl_x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags); +int ossl_x509_print_ex_brief(BIO *bio, const X509 *cert, unsigned long neg_cflags); int ossl_x509v3_cache_extensions(const X509 *x); int ossl_x509_init_sig_info(X509 *x); diff --git a/include/openssl/x509_vfy.h.in b/include/openssl/x509_vfy.h.in index ea6e450d0e7..575299c91d2 100644 --- a/include/openssl/x509_vfy.h.in +++ b/include/openssl/x509_vfy.h.in @@ -158,9 +158,9 @@ typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); int X509_STORE_CTX_print_verify_cb(int ok, X509_STORE_CTX *ctx); typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *); typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **issuer, - X509_STORE_CTX *ctx, X509 *x); + X509_STORE_CTX *ctx, const X509 *x); typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, - X509 *x, X509 *issuer); + const X509 *x, const X509 *issuer); typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx); typedef int (*X509_STORE_CTX_get_crl_fn)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); @@ -494,7 +494,7 @@ void *X509_STORE_get_ex_data(const X509_STORE *xs, int idx); X509_STORE_CTX *X509_STORE_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq); X509_STORE_CTX *X509_STORE_CTX_new(void); -int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); +int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, const X509 *x); void X509_STORE_CTX_free(X509_STORE_CTX *ctx); int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store, @@ -505,7 +505,7 @@ void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx); -X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx); +const X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx); EVP_PKEY *X509_STORE_CTX_get0_rpk(const X509_STORE_CTX *ctx); STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx); void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); @@ -688,14 +688,14 @@ int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx); void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s); int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx); void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth); -X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx); +const X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx); void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x); -X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx); +const X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx); X509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx); X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx); STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx); STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx); -void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *target); +void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, const X509 *target); void X509_STORE_CTX_set0_rpk(X509_STORE_CTX *ctx, EVP_PKEY *target); void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *c, STACK_OF(X509) *sk); void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk); diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c index 49e5a954d28..ffe53474fff 100644 --- a/test/ssl_old_test.c +++ b/test/ssl_old_test.c @@ -2911,7 +2911,7 @@ static int app_verify_callback(X509_STORE_CTX *ctx, void *arg) if (cb_arg->app_verify) { char *s = NULL, buf[256]; - X509 *c = X509_STORE_CTX_get0_cert(ctx); + const X509 *c = X509_STORE_CTX_get0_cert(ctx); printf("In app_verify_callback, allowing cert. "); printf("Arg is: %s\n", cb_arg->string); -- 2.47.3