Constify X509_verify

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Feb 18 14:56:08 2026
(Merged from https://github.com/openssl/openssl/pull/30035)

diff --git a/CHANGES.md b/CHANGES.md
index 2837e1b9f367c8b40da15294a502678d893643c6..a2621cb75cac65a53e790362f6553b0617ac1d88 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -130,6 +130,10 @@ OpenSSL 4.0
 
    *Alexandr Nedvedicky*
 
+ * The X509_verify function now takes a const X509 * argument
+
+   * Bob Beck *
+
  * The crypto-mdebug-backtrace configuration option has been entirely removed.
    The option has been a no-op since 1.0.2.
 

diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index cf6e303f3057d710d4b069261c30ce886953a22d..96a20d26319939745d3f7d19a4dd17e1999065e6 100644 (file)
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -30,7 +30,7 @@
 #include "crypto/x509_acert.h"
 #include "crypto/rsa.h"
 
-int X509_verify(X509 *a, EVP_PKEY *r)
+int X509_verify(const X509 *a, EVP_PKEY *r)
 {
     if (X509_ALGOR_cmp(&a->sig_alg, &a->cert_info.signature) != 0)
         return 0;

diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 00328dc9741a7caac181d9f4fbc3a0fbc2f1124d..83dff4bc0f25c4ac2543aa69112309d0b658a048 100644 (file)
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -327,7 +327,7 @@ void *X509_CRL_get_meth_data(X509_CRL *crl);
 
 const char *X509_verify_cert_error_string(long n);
 
-int X509_verify(X509 *a, EVP_PKEY *r);
+int X509_verify(const X509 *a, EVP_PKEY *r);
 int X509_self_signed(X509 *cert, int verify_signature);
 
 int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OSSL_LIB_CTX *libctx,