From: Bob Beck <beck@openssl.org>
Date: Mon, 16 Feb 2026 23:13:39 +0000 (-0700)
Subject: Constify X509_verify
X-Git-Tag: openssl-4.0.0-alpha1~294
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e5321113a005dc99b3f6c70bcaa3cd8a832949bd;p=thirdparty%2Fopenssl.git

Constify X509_verify

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Feb 18 14:56:08 2026
(Merged from https://github.com/openssl/openssl/pull/30035)
---

diff --git a/CHANGES.md b/CHANGES.md
index 2837e1b9f36..a2621cb75ca 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -130,6 +130,10 @@ OpenSSL 4.0
 
    *Alexandr Nedvedicky*
 
+ * The X509_verify function now takes a const X509 * argument
+
+   * Bob Beck *
+
  * The crypto-mdebug-backtrace configuration option has been entirely removed.
    The option has been a no-op since 1.0.2.
 
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index cf6e303f305..96a20d26319 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -30,7 +30,7 @@
 #include "crypto/x509_acert.h"
 #include "crypto/rsa.h"
 
-int X509_verify(X509 *a, EVP_PKEY *r)
+int X509_verify(const X509 *a, EVP_PKEY *r)
 {
     if (X509_ALGOR_cmp(&a->sig_alg, &a->cert_info.signature) != 0)
         return 0;
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 00328dc9741..83dff4bc0f2 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -327,7 +327,7 @@ void *X509_CRL_get_meth_data(X509_CRL *crl);
 
 const char *X509_verify_cert_error_string(long n);
 
-int X509_verify(X509 *a, EVP_PKEY *r);
+int X509_verify(const X509 *a, EVP_PKEY *r);
 int X509_self_signed(X509 *cert, int verify_signature);
 
 int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OSSL_LIB_CTX *libctx,