From: Frederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>
Date: Sun, 15 Feb 2026 14:34:59 +0000 (+0100)
Subject: Const correct time parameter for X509_cmp_time(), X509_time_adj() and X509_time_adj_ex().
X-Git-Tag: openssl-4.0.0-alpha1~261
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d2ed55548df51b827e0f84df4ef0029fd767f282;p=thirdparty%2Fopenssl.git

Const correct time parameter for X509_cmp_time(), X509_time_adj() and X509_time_adj_ex().

Fixes #21371

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Feb 20 16:36:52 2026
(Merged from https://github.com/openssl/openssl/pull/30020)
---

diff --git a/CHANGES.md b/CHANGES.md
index e550d22f6fa..249242276c9 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -58,6 +58,11 @@ OpenSSL 4.0
 
    *Neil Horman*
 
+ * Const correct time parameter for X509_cmp_time(), X509_time_adj() and
+   X509_time_adj_ex().
+
+   *Frederik Wedel-Heinen*
+
  * OPENSSL_cleanup() now runs in a global destructor, or not at all by default.
 
    OpenSSL_cleanup() will no longer by default free global objects when run from
diff --git a/apps/ca.c b/apps/ca.c
index bb83fe8161f..5f5029f7ad5 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -2271,7 +2271,7 @@ end:
     return ok;
 }
 
-int do_updatedb(CA_DB *db, time_t *now)
+int do_updatedb(CA_DB *db, const time_t *now)
 {
     ASN1_TIME *a_tm = NULL;
     int i, cnt = 0;
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 8f9181db86a..feeb9d7f414 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -219,7 +219,7 @@ typedef struct ca_db_st {
 #endif
 } CA_DB;
 
-extern int do_updatedb(CA_DB *db, time_t *now);
+extern int do_updatedb(CA_DB *db, const time_t *now);
 
 void app_bail_out(char *fmt, ...);
 /**
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index d36ff92150e..1fbc766891b 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2376,7 +2376,7 @@ int X509_cmp_current_time(const ASN1_TIME *ctm)
 }
 
 /* returns 0 on error, otherwise 1 if ctm > cmp_time, else -1 */
-int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
+int X509_cmp_time(const ASN1_TIME *ctm, const time_t *cmp_time)
 {
     int64_t cert_time, posix_time = cmp_time == NULL ? (int64_t)time(NULL) : (int64_t)*cmp_time;
 
@@ -2446,13 +2446,13 @@ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
     return X509_time_adj(s, adj, NULL);
 }
 
-ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
+ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, const time_t *in_tm)
 {
     return X509_time_adj_ex(s, 0, offset_sec, in_tm);
 }
 
 ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
-    int offset_day, long offset_sec, time_t *in_tm)
+    int offset_day, long offset_sec, const time_t *in_tm)
 {
     time_t t;
 
diff --git a/doc/man3/X509_check_certificate_times.pod b/doc/man3/X509_check_certificate_times.pod
index fa991784f6a..53f8c9fe80c 100644
--- a/doc/man3/X509_check_certificate_times.pod
+++ b/doc/man3/X509_check_certificate_times.pod
@@ -9,16 +9,17 @@ X509_cmp_time, X509_cmp_current_time, X509_cmp_timeframe - X509 time functions
 
  int X509_check_certificate_times(const X509_VERIFY_PARAM *vpm, const X509 *x,
                                   int *error);
- ASN1_TIME *X509_time_adj(ASN1_TIME *asn1_time, long offset_sec, time_t *in_tm);
+ ASN1_TIME *X509_time_adj(ASN1_TIME *asn1_time, long offset_sec,
+                          const time_t *in_tm);
  ASN1_TIME *X509_time_adj_ex(ASN1_TIME *asn1_time, int offset_day, long
-                             offset_sec, time_t *in_tm);
+                             offset_sec, const time_t *in_tm);
  ASN1_TIME *X509_gmtime_adj(ASN1_TIME *asn1_time, long offset_sec);
 
 The following functions have been deprecated since OpenSSL 4.0, and can be
 hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
 see L<openssl_user_macros(7)>:
 
- int X509_cmp_time(const ASN1_TIME *asn1_time, time_t *in_tm);
+ int X509_cmp_time(const ASN1_TIME *asn1_time, const time_t *in_tm);
  int X509_cmp_current_time(const ASN1_TIME *asn1_time);
  int X509_cmp_timeframe(const X509_VERIFY_PARAM *vpm,
                         const ASN1_TIME *start, const ASN1_TIME *end);
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 1ff92fcad16..010141a060c 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -496,7 +496,7 @@ DECLARE_ASN1_DUP_FUNCTION(X509_NAME)
 DECLARE_ASN1_DUP_FUNCTION(X509_NAME_ENTRY)
 
 #ifndef OPENSSL_NO_DEPRECATED_4_0
-OSSL_DEPRECATEDIN_4_0 int X509_cmp_time(const ASN1_TIME *s, time_t *t);
+OSSL_DEPRECATEDIN_4_0 int X509_cmp_time(const ASN1_TIME *s, const time_t *t);
 OSSL_DEPRECATEDIN_4_0 int X509_cmp_current_time(const ASN1_TIME *s);
 OSSL_DEPRECATEDIN_4_0 int X509_cmp_timeframe(const X509_VERIFY_PARAM *vpm,
     const ASN1_TIME *start,
@@ -504,9 +504,9 @@ OSSL_DEPRECATEDIN_4_0 int X509_cmp_timeframe(const X509_VERIFY_PARAM *vpm,
 #endif
 int X509_check_certificate_times(const X509_VERIFY_PARAM *vpm, const X509 *x,
     int *error);
-ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *t);
+ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, const time_t *t);
 ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
-    int offset_day, long offset_sec, time_t *t);
+    int offset_day, long offset_sec, const time_t *t);
 ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
 
 const char *X509_get_default_cert_area(void);