Commit 9d856e4d7f for openssl.org
commit 9d856e4d7f9adc7ed822d3297fce004544b6c79e
Author: Eugene Syromiatnikov <esyr@openssl.org>
Date: Fri May 1 02:07:38 2026 +0200
Avoid needless casting away of const in X509_VERIFY_PARAM_get1_ip_asc
Instead of needlessly casting const away, simply update the prototype
of ossl_ipaddr_to_asc(), which does not modify the passed data in any
way.
Fixes: f584ae959cbc "Let's support multiple names for certificate verification"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sat May 2 18:07:19 2026
(Merged from https://github.com/openssl/openssl/pull/31051)
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index d41684afd5..774d3790e2 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -1081,7 +1081,7 @@ int X509_check_ip_asc(const X509 *x, const char *ipasc, unsigned int flags)
return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, 0, NULL);
}
-char *ossl_ipaddr_to_asc(unsigned char *p, int len)
+char *ossl_ipaddr_to_asc(const unsigned char *p, int len)
{
/*
* 40 is enough space for the longest IPv6 address + nul terminator byte
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index bc2eb2cce1..c115bb3c9b 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -866,8 +866,7 @@ static const unsigned char *int_X509_VERIFY_PARAM_get0_ip(X509_VERIFY_PARAM *par
char *X509_VERIFY_PARAM_get1_ip_asc(X509_VERIFY_PARAM *param)
{
size_t iplen;
- /* XXX casts away const */
- unsigned char *ip = (unsigned char *)int_X509_VERIFY_PARAM_get0_ip(param, &iplen, 0);
+ const unsigned char *ip = int_X509_VERIFY_PARAM_get0_ip(param, &iplen, 0);
return ip == NULL ? NULL : ossl_ipaddr_to_asc(ip, (int)iplen);
}
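Review bot: The narrowing conversion `(int)iplen` in the return statement of X509_VERIFY_PARAM_get1_ip_asc stays in place while the const cast is removed, and nothing visible in this hunk bounds `iplen` before it goes from size_t to int. The stored address length is presumably 4 or 16 bytes, so truncation should not occur in practice, but that invariant is set by int_X509_VERIFY_PARAM_get0_ip, which lies outside the hunk. A one-line comment would record it for the next reader, e.g. `/* iplen is an IPv4/IPv6 address length here, so the conversion to int is lossless */`. If that cannot be guaranteed, a guard such as `if (ip == NULL || iplen > INT_MAX) return NULL;` before the call would make the conversion safe.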
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
index cb807abdef..0dcc6b6acd 100644
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -156,7 +156,7 @@ const void *ossl_bsearch(const void *key, const void *base, int num,
char *ossl_sk_ASN1_UTF8STRING2text(STACK_OF(ASN1_UTF8STRING) *text,
const char *sep, size_t max_len);
-char *ossl_ipaddr_to_asc(unsigned char *p, int len);
+char *ossl_ipaddr_to_asc(const unsigned char *p, int len);
char *ossl_buf2hexstr_sep(const unsigned char *buf, long buflen, char sep);
unsigned char *ossl_hexstr2buf_sep(const char *str, long *buflen,