Commit e5321113a0 for openssl.org

commit e5321113a005dc99b3f6c70bcaa3cd8a832949bd
Author: Bob Beck <beck@openssl.org>
Date:   Mon Feb 16 16:13:39 2026 -0700

    Constify X509_verify

    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
    MergeDate: Wed Feb 18 14:56:08 2026
    (Merged from https://github.com/openssl/openssl/pull/30035)

diff --git a/CHANGES.md b/CHANGES.md
index 2837e1b9f3..a2621cb75c 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -130,6 +130,10 @@ OpenSSL 4.0

    *Alexandr Nedvedicky*

+ * The X509_verify function now takes a const X509 * argument
+
+   * Bob Beck *
+
  * The crypto-mdebug-backtrace configuration option has been entirely removed.
    The option has been a no-op since 1.0.2.

diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index cf6e303f30..96a20d2631 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -30,7 +30,7 @@
 #include "crypto/x509_acert.h"
 #include "crypto/rsa.h"

-int X509_verify(X509 *a, EVP_PKEY *r)
+int X509_verify(const X509 *a, EVP_PKEY *r)
 {
     if (X509_ALGOR_cmp(&a->sig_alg, &a->cert_info.signature) != 0)
         return 0;
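Review bot: The early `return 0` after `X509_ALGOR_cmp(&a->sig_alg, &a->cert_info.signature)` has no comment explaining that it rejects a certificate whose outer signature algorithm differs from the one inside the signed data. I would add `/* Outer sig_alg must equal the signed cert_info.signature; reject a mismatch before verifying. */` above it. With `a` now const, both arguments become pointers to const, which presumably matches X509_ALGOR_cmp's prototype since this compiled and was merged. The rest of X509_verify's body is outside the hunk, so it is not visible whether the call that performs the signature check accepts const members of `a` or needs a cast that discards the qualifier. Any such cast is worth removing, because it would let a later change write through `a` without a compiler diagnostic.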
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 00328dc974..83dff4bc0f 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -327,7 +327,7 @@ void *X509_CRL_get_meth_data(X509_CRL *crl);

 const char *X509_verify_cert_error_string(long n);

-int X509_verify(X509 *a, EVP_PKEY *r);
+int X509_verify(const X509 *a, EVP_PKEY *r);
 int X509_self_signed(X509 *cert, int verify_signature);

 int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OSSL_LIB_CTX *libctx,
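Review bot: The changed prototype `int X509_verify(const X509 *a, EVP_PKEY *r);` still has no comment stating its return contract, and this change is a natural point to add one. The definition in x_all.c returns 0 on an algorithm mismatch; if the part of the body not shown in this diff can also return a negative value on internal error, a caller written as `if (X509_verify(a, r))` would treat that error as a valid signature. I would add `/* Returns 1 only if the signature on a verifies under r; treat any other value as failure. Checks the signature only, not the chain. */`. Separately, code that stores X509_verify in a pointer of type `int (*)(X509 *, EVP_PKEY *)` will now get an incompatible-pointer-type diagnostic, which the CHANGES.md entry could mention.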