Commit 5d066a2473 for openssl.org

commit 5d066a2473e4ee241792f0074ea4e51527fe46e1
Author: Eugene Syromiatnikov <esyr@openssl.org>
Date:   Thu Mar 5 15:37:07 2026 +0100

    Partially revert "Constify X509_STORE_CTX functions invoving X509 *"

    This reverts constification of the return value types
    of X509_STORE_CTX_get_current_cert(), X509_STORE_CTX_get0_current_issuer(),
    X509_STORE_CTX_get0_cert() functions, and arguments
    of X509_STORE_CTX_set_cert() and X509_STORE_CTX_init() functions.
    Constification of users of these functions, as well as
    X509_STORE_CTX_get_issuer_fn and X509_STORE_CTX_check_issued_fn types,
    remained in place.

    Complements: e5b563366b00 "Constify X509_STORE_CTX functions invoving X509 *"
    Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
    Reviewed-by: Neil Horman <nhorman@openssl.org>
    MergeDate: Fri Mar  6 18:33:12 2026
    (Merged from https://github.com/openssl/openssl/pull/30272)

diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 99d68b32b4..9b92f2ac2b 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -391,8 +391,7 @@ int ossl_x509_print_ex_brief(BIO *bio, const X509 *cert, unsigned long neg_cflag
     if (BIO_printf(bio, "    certificate\n") <= 0
         || !X509_print_ex(bio, cert, flags, ~X509_FLAG_NO_SUBJECT))
         goto err;
-    /* XXX casts away const - remove cast once #30067 lands */
-    if (X509_check_issued((X509 *)cert, (X509 *)cert) == X509_V_OK) {
+    if (X509_check_issued(cert, cert) == X509_V_OK) {
         if (BIO_printf(bio, "        self-issued\n") <= 0)
             goto err;
     } else {
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index c5428dc15d..8d93eca935 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -493,8 +493,7 @@ end:
 /* Check that the given certificate |x| is issued by the certificate |issuer| */
 static int check_issued(ossl_unused X509_STORE_CTX *ctx, const X509 *x, const X509 *issuer)
 {
-    /* XXX casts away const, remove cast when #30067 lands */
-    int err = ossl_x509_likely_issued((X509 *)issuer, (X509 *)x);
+    int err = ossl_x509_likely_issued(issuer, x);

     if (err == X509_V_OK)
         return 1;
@@ -2693,7 +2692,7 @@ void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth)
     ctx->error_depth = depth;
 }

-const X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx)
+X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx)
 {
     return ctx->current_cert;
 }
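Review bot: With the return type back to plain `X509 *`, X509_STORE_CTX_get_current_cert() gives a caller that holds only a `const X509_STORE_CTX *` a writable pointer to `ctx->current_cert`, and nothing in the hunk says the pointer is borrowed. A short comment above the function would make the contract explicit, e.g. `/* Returns an internal pointer; no reference is taken, so do not free it or modify it while verification is in progress */`. The same applies to X509_STORE_CTX_get0_current_issuer() and X509_STORE_CTX_get0_cert() in the later hunks of this file. This matters most in verify callbacks, where the certificate is presumably also reachable from the chain or the store, so a write through the pointer could affect later checks.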
@@ -2715,7 +2714,7 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx)
     return X509_chain_up_ref(ctx->chain);
 }

-const X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx)
+X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx)
 {
     return ctx->current_issuer;
 }
@@ -2730,10 +2729,9 @@ X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx)
     return ctx->parent;
 }

-void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, const X509 *x)
+void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
 {
-    /* XXX casts away const - fix by making ctx->cert const */
-    ctx->cert = (X509 *)x;
+    ctx->cert = x;
 }

 void X509_STORE_CTX_set0_rpk(X509_STORE_CTX *ctx, EVP_PKEY *rpk)
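Review bot: X509_STORE_CTX_set_cert() stores `x` in `ctx->cert` without taking a reference, and with the XXX comment removed the function carries no comment at all. Suggest adding `/* Does not take a reference: |x| must remain valid for as long as |ctx| uses it */` above it, assuming no up-ref happens elsewhere (none is visible in this hunk). If the caller frees the certificate before the context is cleaned up, `ctx->cert` dangles and X509_STORE_CTX_get0_cert() would return the stale pointer.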
@@ -3075,7 +3073,7 @@ void X509_STORE_CTX_set_current_reasons(X509_STORE_CTX *ctx,
     ctx->current_reasons = current_reasons;
 }

-const X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx)
+X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx)
 {
     return ctx->cert;
 }
diff --git a/doc/man3/X509_STORE_CTX_get_error.pod b/doc/man3/X509_STORE_CTX_get_error.pod
index dae6fa7d03..e1c7ae734c 100644
--- a/doc/man3/X509_STORE_CTX_get_error.pod
+++ b/doc/man3/X509_STORE_CTX_get_error.pod
@@ -18,9 +18,9 @@ information
  void  X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
  int   X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx);
  void  X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
- const X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx);
+ X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx);
  void  X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
- const X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);
+ X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);
  STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx);
  X509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx);

diff --git a/doc/man3/X509_STORE_CTX_new.pod b/doc/man3/X509_STORE_CTX_new.pod
index fb34afdb1e..143438655e 100644
--- a/doc/man3/X509_STORE_CTX_new.pod
+++ b/doc/man3/X509_STORE_CTX_new.pod
@@ -32,13 +32,13 @@ X509_STORE_CTX_purpose_inherit
  void X509_STORE_CTX_free(X509_STORE_CTX *ctx);

  int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store,
-                         const X509 *target, STACK_OF(X509) *untrusted);
+                         X509 *target, STACK_OF(X509) *untrusted);
  int X509_STORE_CTX_init_rpk(X509_STORE_CTX *ctx, X509_STORE *trust_store,
                              EVP_PKEY *rpk);

  void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);

- void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, const X509 *target);
+ void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *target);
  void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);
  void X509_STORE_CTX_set0_rpk(X509_STORE_CTX *ctx, EVP_PKEY *target);

diff --git a/include/openssl/x509_vfy.h.in b/include/openssl/x509_vfy.h.in
index 575299c91d..3d1fe26e0f 100644
--- a/include/openssl/x509_vfy.h.in
+++ b/include/openssl/x509_vfy.h.in
@@ -505,7 +505,7 @@ void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);

 X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx);
-const X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);
+X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);
 EVP_PKEY *X509_STORE_CTX_get0_rpk(const X509_STORE_CTX *ctx);
 STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
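Review bot: The commit message and the X509_STORE_CTX_new.pod hunk both switch X509_STORE_CTX_init() back to `X509 *target`, but no visible hunk in x509_vfy.h.in or x509_vfy.c touches its declaration or definition. It is worth confirming that the prototype in this header and the definition agree with the documented `X509 *target` signature. The change may simply lie outside the part of the diff shown here. A mismatch between the header and the man page would leave callers unsure whether they may pass a `const X509 *` without a cast.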
@@ -688,14 +688,14 @@ int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
 int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
-const X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx);
+X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
-const X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx);
+X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx);
 X509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx);
 X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx);
 STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx);
 STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx);
-void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, const X509 *target);
+void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *target);
 void X509_STORE_CTX_set0_rpk(X509_STORE_CTX *ctx, EVP_PKEY *target);
 void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *c, STACK_OF(X509) *sk);
 void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);