[openssl-commits] [openssl] master update

Dr. Stephen Henson steve at openssl.org
Wed Aug 17 15:35:57 UTC 2016


The branch master has been updated
       via  2e5ead831b1a92d78113b00978f8b3323268469f (commit)
       via  5ebd2fcbc76c8b777d044f25dd50d73d75625352 (commit)
       via  8adc1cb8510a9f4beab9e53f53c9690d2ced12fd (commit)
       via  8900f3e3982a016a25ad87a2270446e780038ec9 (commit)
       via  5e6089f0eba7b12f21b3237c57f2bd56049eb1ae (commit)
       via  6eabcc839f381bf07d004869ca8fe855edbb4846 (commit)
       via  a0754084f82cf1cd0c8629d61f779bb6a6c6b1a6 (commit)
       via  79613ea8442a309b76a737eacb2a69f612cc5f06 (commit)
      from  245c6bc33b1481052f347f316cec16888aa1be85 (commit)


- Log -----------------------------------------------------------------
commit 2e5ead831b1a92d78113b00978f8b3323268469f
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Aug 17 15:49:36 2016 +0100

    Constify ssl_cert_type()
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 5ebd2fcbc76c8b777d044f25dd50d73d75625352
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Aug 17 14:58:56 2016 +0100

    Constify X509_certificate_type()
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 8adc1cb8510a9f4beab9e53f53c9690d2ced12fd
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Aug 17 14:10:52 2016 +0100

    Constify X509_get0_signature()
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 8900f3e3982a016a25ad87a2270446e780038ec9
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Aug 17 13:50:48 2016 +0100

    Convert X509* functions to use const getters
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 5e6089f0eba7b12f21b3237c57f2bd56049eb1ae
Author: Matt Caswell <matt at openssl.org>
Date:   Sat Aug 13 14:44:07 2016 +0100

    Convert X509_CRL* functions to use const getters
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Stephen Henson <steve at openssl.org>

commit 6eabcc839f381bf07d004869ca8fe855edbb4846
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Aug 15 10:07:30 2016 +0100

    Make X509_NAME_get0_der() conform to OpenSSL style
    
    Put the main object first in the params list.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Stephen Henson <steve at openssl.org>

commit a0754084f82cf1cd0c8629d61f779bb6a6c6b1a6
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Aug 17 12:34:22 2016 +0100

    Corrupt signature in place.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 79613ea8442a309b76a737eacb2a69f612cc5f06
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Aug 12 21:37:55 2016 +0100

    Convert OCSP* functions to use const getters
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Stephen Henson <steve at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/apps.c                          | 13 +++----------
 apps/apps.h                          |  2 +-
 apps/crl.c                           |  7 +++----
 apps/ocsp.c                          |  5 ++---
 apps/x509.c                          |  6 +++---
 crypto/asn1/ameth_lib.c              |  2 +-
 crypto/evp/p_lib.c                   |  2 +-
 crypto/ocsp/ocsp_cl.c                |  8 +++-----
 crypto/x509/t_crl.c                  |  6 +++---
 crypto/x509/t_x509.c                 | 13 +++++++------
 crypto/x509/x509_set.c               |  7 ++++---
 crypto/x509/x509cset.c               |  6 +++---
 crypto/x509/x509type.c               |  4 ++--
 crypto/x509/x_name.c                 |  4 ++--
 crypto/x509/x_x509.c                 |  3 ++-
 crypto/x509v3/v3_prn.c               |  4 ++--
 doc/crypto/OCSP_resp_find_status.pod |  3 ++-
 doc/crypto/X509V3_get_d2i.pod        |  4 ++--
 doc/crypto/X509_NAME_get0_der.pod    |  4 ++--
 doc/crypto/X509_get0_signature.pod   | 10 ++++++----
 doc/crypto/X509_get0_uids.pod        |  3 ++-
 include/openssl/evp.h                |  4 ++--
 include/openssl/ocsp.h               |  6 +++---
 include/openssl/x509.h               | 25 ++++++++++++++-----------
 include/openssl/x509v3.h             |  4 ++--
 ssl/ssl_locl.h                       |  2 +-
 ssl/statem/statem_lib.c              |  2 +-
 27 files changed, 79 insertions(+), 80 deletions(-)

diff --git a/apps/apps.c b/apps/apps.c
index 17a9fdc..10ab626 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2583,15 +2583,8 @@ int has_stdin_waiting(void)
 #endif
 
 /* Corrupt a signature by modifying final byte */
-int corrupt_signature(ASN1_STRING *signature)
+void corrupt_signature(const ASN1_STRING *signature)
 {
-        unsigned char *s;
-        size_t slen = ASN1_STRING_length(signature);
-
-        s = OPENSSL_memdup(ASN1_STRING_get0_data(signature), slen);
-        if (s == NULL)
-            return 0;
-        s[slen - 1] ^= 0x1;
-        ASN1_STRING_set0(signature, s, slen);
-        return 1;
+        unsigned char *s = signature->data;
+        s[signature->length - 1] ^= 0x1;
 }
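Review bot: `corrupt_signature()` writes through `signature->data` with no guard, so an empty or unset string makes `s[signature->length - 1]` an out-of-bounds write, and now that the function returns void the callers cannot detect that. A guard such as `if (signature->data == NULL || signature->length <= 0) return;` before the XOR would keep it safe. The apps/ocsp.c caller looks the most exposed, since the return of `OCSP_basic_sign()` on the line just above it is not checked. The `const` on the parameter is also misleading because the pointed-to bytes are modified; a comment like `/* Deliberately modifies the data of a const string: test-only helper */` would record that this is intentional.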
diff --git a/apps/apps.h b/apps/apps.h
index 8fb6f44..9658d5c 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -71,7 +71,7 @@ void wait_for_async(SSL *s);
 int has_stdin_waiting(void);
 # endif
 
-int corrupt_signature(ASN1_STRING *signature);
+void corrupt_signature(const ASN1_STRING *signature);
 
 /*
  * Common verification options.
diff --git a/apps/crl.c b/apps/crl.c
index 0140ff7..0e8093c 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -250,11 +250,10 @@ int crl_main(int argc, char **argv)
     }
 
     if (badsig) {
-        ASN1_BIT_STRING *sig;
+        const ASN1_BIT_STRING *sig;
 
-        X509_CRL_get0_signature(&sig, NULL, x);
-        if (!corrupt_signature(sig))
-            goto end;
+        X509_CRL_get0_signature(x, &sig, NULL);
+        corrupt_signature(sig);
     }
 
     if (num) {
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 1766878..5bd1aca 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -950,9 +950,8 @@ static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
     OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags);
 
     if (badsig) {
-        ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs);
-        if (!corrupt_signature(sig))
-            goto end;
+        const ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs);
+        corrupt_signature(sig);
     }
 
     *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
diff --git a/apps/x509.c b/apps/x509.c
index 23265b2..6f72f82 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -604,10 +604,10 @@ int x509_main(int argc, char **argv)
     }
 
     if (badsig) {
-        ASN1_BIT_STRING *signature;
+        const ASN1_BIT_STRING *signature;
+
         X509_get0_signature(&signature, NULL, x);
-        if (!corrupt_signature(signature))
-            goto end;
+        corrupt_signature(signature);
     }
 
     if (num) {
diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c
index 1d32f5d..cfde49a 100644
--- a/crypto/asn1/ameth_lib.c
+++ b/crypto/asn1/ameth_lib.c
@@ -221,7 +221,7 @@ int EVP_PKEY_asn1_get0_info(int *ppkey_id, int *ppkey_base_id,
     return 1;
 }
 
-const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(EVP_PKEY *pkey)
+const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(const EVP_PKEY *pkey)
 {
     return pkey->ameth;
 }
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index 5b776ff..a4dcf58 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -24,7 +24,7 @@
 
 static void EVP_PKEY_free_it(EVP_PKEY *x);
 
-int EVP_PKEY_bits(EVP_PKEY *pkey)
+int EVP_PKEY_bits(const EVP_PKEY *pkey)
 {
     if (pkey && pkey->ameth && pkey->ameth->pkey_bits)
         return pkey->ameth->pkey_bits(pkey);
diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
index 0ae474b..a42b80f 100644
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@@ -161,7 +161,7 @@ OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
     return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
 }
 
-ASN1_OCTET_STRING *OCSP_resp_get0_signature(OCSP_BASICRESP *bs)
+const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
 {
     return bs->signature;
 }
@@ -186,10 +186,8 @@ OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
     return sk_OCSP_SINGLERESP_value(bs->tbsResponseData.responses, idx);
 }
 
-ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(OCSP_BASICRESP* bs)
+const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP* bs)
 {
-    if (!bs)
-        return NULL;
     return bs->tbsResponseData.producedAt;
 }
 
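Review bot: Dropping the `if (!bs) return NULL;` guard from `OCSP_resp_get0_produced_at()` is a behaviour change hidden in a constification commit: a NULL `bs` used to return NULL and now dereferences a null pointer. Callers outside this diff are not visible, so either keep the guard as `if (bs == NULL) return NULL;` or state in the function's documentation that `bs` must be non-NULL.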
@@ -361,7 +359,7 @@ int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
     return ret;
 }
 
-OCSP_CERTID *OCSP_SINGLERESP_get0_id(OCSP_SINGLERESP *single)
+const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
 {
     return single->certId;
 }
diff --git a/crypto/x509/t_crl.c b/crypto/x509/t_crl.c
index 9b6b5a5..2451ee7 100644
--- a/crypto/x509/t_crl.c
+++ b/crypto/x509/t_crl.c
@@ -36,8 +36,8 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
 {
     STACK_OF(X509_REVOKED) *rev;
     X509_REVOKED *r;
-    X509_ALGOR *sig_alg;
-    ASN1_BIT_STRING *sig;
+    const X509_ALGOR *sig_alg;
+    const ASN1_BIT_STRING *sig;
     long l;
     int i;
     char *p;
@@ -45,7 +45,7 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
     BIO_printf(out, "Certificate Revocation List (CRL):\n");
     l = X509_CRL_get_version(x);
     BIO_printf(out, "%8sVersion %lu (0x%lx)\n", "", l + 1, l);
-    X509_CRL_get0_signature(&sig, &sig_alg, x);
+    X509_CRL_get0_signature(x, &sig, &sig_alg);
     X509_signature_print(out, sig_alg, NULL);
     p = X509_NAME_oneline(X509_CRL_get_issuer(x), NULL, 0);
     BIO_printf(out, "%8sIssuer: %s\n", "", p);
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index c96ada8..5d7c130 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -110,7 +110,7 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
     }
 
     if (!(cflag & X509_FLAG_NO_SIGNAME)) {
-        X509_ALGOR *tsig_alg = X509_get0_tbs_sigalg(x);
+        const X509_ALGOR *tsig_alg = X509_get0_tbs_sigalg(x);
         if (X509_signature_print(bp, tsig_alg, NULL) <= 0)
             goto err;
     }
@@ -170,8 +170,8 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
     }
 
     if (!(cflag & X509_FLAG_NO_IDS)) {
-        ASN1_BIT_STRING *iuid, *suid;
-        X509_get0_uids(&iuid, &suid, x);
+        const ASN1_BIT_STRING *iuid, *suid;
+        X509_get0_uids(x, &iuid, &suid);
         if (iuid != NULL) {
             if (BIO_printf(bp, "%8sIssuer Unique ID: ", "") <= 0)
                 goto err;
@@ -191,8 +191,8 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
                                 X509_get0_extensions(x), cflag, 8);
 
     if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
-        X509_ALGOR *sig_alg;
-        ASN1_BIT_STRING *sig;
+        const X509_ALGOR *sig_alg;
+        const ASN1_BIT_STRING *sig;
         X509_get0_signature(&sig, &sig_alg, x);
         if (X509_signature_print(bp, sig_alg, sig) <= 0)
             goto err;
@@ -287,7 +287,8 @@ int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
     return 1;
 }
 
-int X509_signature_print(BIO *bp, X509_ALGOR *sigalg, ASN1_STRING *sig)
+int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg,
+                         const ASN1_STRING *sig)
 {
     int sig_nid;
     if (BIO_puts(bp, "    Signature Algorithm: ") <= 0)
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index ecf5f04..dfcecb1 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -135,12 +135,13 @@ X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x)
     return x->cert_info.key;
 }
 
-STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x)
+const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x)
 {
     return x->cert_info.extensions;
 }
 
-void X509_get0_uids(ASN1_BIT_STRING **piuid, ASN1_BIT_STRING **psuid, X509 *x)
+void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
+                    const ASN1_BIT_STRING **psuid)
 {
     if (piuid != NULL)
         *piuid = x->cert_info.issuerUID;
@@ -148,7 +149,7 @@ void X509_get0_uids(ASN1_BIT_STRING **piuid, ASN1_BIT_STRING **psuid, X509 *x)
         *psuid = x->cert_info.subjectUID;
 }
 
-X509_ALGOR *X509_get0_tbs_sigalg(X509 *x)
+const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
 {
     return &x->cert_info.signature;
 }
diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c
index 1498054..e33caf7 100644
--- a/crypto/x509/x509cset.c
+++ b/crypto/x509/x509cset.c
@@ -115,7 +115,7 @@ X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl)
     return crl->crl.issuer;
 }
 
-STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(X509_CRL *crl)
+const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl)
 {
     return crl->crl.extensions;
 }
@@ -125,8 +125,8 @@ STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl)
     return crl->crl.revoked;
 }
 
-void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
-                             X509_CRL *crl)
+void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
+                             const X509_ALGOR **palg)
 {
     if (psig != NULL)
         *psig = &crl->signature;
diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c
index 9acab04..aca8355 100644
--- a/crypto/x509/x509type.c
+++ b/crypto/x509/x509type.c
@@ -13,9 +13,9 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
+int X509_certificate_type(const X509 *x, const EVP_PKEY *pkey)
 {
-    EVP_PKEY *pk;
+    const EVP_PKEY *pk;
     int ret = 0, i;
 
     if (x == NULL)
diff --git a/crypto/x509/x_name.c b/crypto/x509/x_name.c
index a2eb709..a7ae31e 100644
--- a/crypto/x509/x_name.c
+++ b/crypto/x509/x_name.c
@@ -550,8 +550,8 @@ int X509_NAME_print(BIO *bp, X509_NAME *name, int obase)
     return 0;
 }
 
-int X509_NAME_get0_der(const unsigned char **pder, size_t *pderlen,
-                       X509_NAME *nm)
+int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
+                       size_t *pderlen)
 {
     /* Make sure encoding is valid */
     if (i2d_X509_NAME(nm, NULL) <= 0)
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index 7d9f981..6783fd8 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -209,7 +209,8 @@ int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
     return i2d_X509_CINF(&x->cert_info, pp);
 }
 
-void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509 *x)
+void X509_get0_signature(const ASN1_BIT_STRING **psig,
+                         const X509_ALGOR **palg, const X509 *x)
 {
     if (psig)
         *psig = &x->signature;
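Review bot: `X509_get0_signature()` keeps the object as its last parameter, while `X509_CRL_get0_signature()` and `X509_get0_uids()` in this same push move it first, so sibling getters now take their arguments in different orders. The pointer types are already changing and callers have to be touched anyway, so this is the cheap moment to use `void X509_get0_signature(const X509 *x, const ASN1_BIT_STRING **psig, const X509_ALGOR **palg)`, or to document why the order differs. The function body continues outside the hunk.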
diff --git a/crypto/x509v3/v3_prn.c b/crypto/x509v3/v3_prn.c
index 4b1d0c3..f384c34 100644
--- a/crypto/x509v3/v3_prn.c
+++ b/crypto/x509v3/v3_prn.c
@@ -135,8 +135,8 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
     return ok;
 }
 
-int X509V3_extensions_print(BIO *bp, char *title,
-                            STACK_OF(X509_EXTENSION) *exts,
+int X509V3_extensions_print(BIO *bp, const char *title,
+                            const STACK_OF(X509_EXTENSION) *exts,
                             unsigned long flag, int indent)
 {
     int i, j;
diff --git a/doc/crypto/OCSP_resp_find_status.pod b/doc/crypto/OCSP_resp_find_status.pod
index 2dcd318..36f66a8 100644
--- a/doc/crypto/OCSP_resp_find_status.pod
+++ b/doc/crypto/OCSP_resp_find_status.pod
@@ -27,7 +27,8 @@ OCSP_single_get0_status, OCSP_check_validity
                              ASN1_GENERALIZEDTIME **thisupd,
                              ASN1_GENERALIZEDTIME **nextupd);
 
- ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(OCSP_BASICRESP* single);
+ const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
+                             const OCSP_BASICRESP* single);
 
  const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
 
diff --git a/doc/crypto/X509V3_get_d2i.pod b/doc/crypto/X509V3_get_d2i.pod
index 126393e..9375a8e 100644
--- a/doc/crypto/X509V3_get_d2i.pod
+++ b/doc/crypto/X509V3_get_d2i.pod
@@ -32,8 +32,8 @@ X509_REVOKED_add1_ext_i2d - X509 extension decode and encode functions
  int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
                                unsigned long flags);
 
- STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
- STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(X509_CRL *crl);
+ const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
+ const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
  STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r);
 
 =head1 DESCRIPTION
diff --git a/doc/crypto/X509_NAME_get0_der.pod b/doc/crypto/X509_NAME_get0_der.pod
index 062bc7e..f91fd4d 100644
--- a/doc/crypto/X509_NAME_get0_der.pod
+++ b/doc/crypto/X509_NAME_get0_der.pod
@@ -8,8 +8,8 @@ X509_NAME_get0_der - get X509_NAME DER encoding
 
  #include <openssl/x509.h>
 
- int X509_NAME_get0_der(const unsigned char **pder, size_t *pderlen,
-                        X509_NAME *nm)
+ int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
+                        size_t *pderlen)
 
 
 =head1 DESCRIPTION
diff --git a/doc/crypto/X509_get0_signature.pod b/doc/crypto/X509_get0_signature.pod
index 7de2236..0741dfb 100644
--- a/doc/crypto/X509_get0_signature.pod
+++ b/doc/crypto/X509_get0_signature.pod
@@ -10,17 +10,19 @@ X509_CRL_get_signature_nid - signature information
 
  #include <openssl/x509.h>
 
- void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+ void X509_get0_signature(const ASN1_BIT_STRING **psig,
+                          const X509_ALGOR **palg,
                           const X509 *x);
  int X509_get_signature_nid(const X509 *x);
- X509_ALGOR *X509_get0_tbs_sigalg(X509 *x);
+ const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x);
 
  void X509_REQ_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
                               const X509_REQ *crl);
  int X509_REQ_get_signature_nid(const X509_REQ *crl);
 
- void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
-                              const X509_CRL *crl);
+ void X509_CRL_get0_signature(const X509_CRL *crl,
+                              const ASN1_BIT_STRING **psig,
+                              const X509_ALGOR **palg);
  int X509_CRL_get_signature_nid(const X509_CRL *crl);
 
 =head1 DESCRIPTION
diff --git a/doc/crypto/X509_get0_uids.pod b/doc/crypto/X509_get0_uids.pod
index ccdded6..4eab26e 100644
--- a/doc/crypto/X509_get0_uids.pod
+++ b/doc/crypto/X509_get0_uids.pod
@@ -8,7 +8,8 @@ X509_get0_uids - get certificate unique identifiers
 
  #include <openssl/x509.h>
 
- void X509_get0_uids(ASN1_BIT_STRING **piuid, ASN1_BIT_STRING **psuid, X509 *x);
+ void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
+                     const ASN1_BIT_STRING **psuid);
 
 =head1 DESCRIPTION
 
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 3727545..b9c83b2 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -895,7 +895,7 @@ int EVP_PKEY_encrypt_old(unsigned char *enc_key,
 int EVP_PKEY_type(int type);
 int EVP_PKEY_id(const EVP_PKEY *pkey);
 int EVP_PKEY_base_id(const EVP_PKEY *pkey);
-int EVP_PKEY_bits(EVP_PKEY *pkey);
+int EVP_PKEY_bits(const EVP_PKEY *pkey);
 int EVP_PKEY_security_bits(const EVP_PKEY *pkey);
 int EVP_PKEY_size(EVP_PKEY *pkey);
 int EVP_PKEY_set_type(EVP_PKEY *pkey, int type);
@@ -1047,7 +1047,7 @@ int EVP_PKEY_asn1_get0_info(int *ppkey_id, int *pkey_base_id,
                             const char **ppem_str,
                             const EVP_PKEY_ASN1_METHOD *ameth);
 
-const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(EVP_PKEY *pkey);
+const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(const EVP_PKEY *pkey);
 EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags,
                                         const char *pem_str,
                                         const char *info);
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index 64e0ee4..a1e4e88 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -208,11 +208,11 @@ int OCSP_request_sign(OCSP_REQUEST *req,
 int OCSP_response_status(OCSP_RESPONSE *resp);
 OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
 
-ASN1_OCTET_STRING *OCSP_resp_get0_signature(OCSP_BASICRESP *bs);
+const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
 
 int OCSP_resp_count(OCSP_BASICRESP *bs);
 OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
-ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(OCSP_BASICRESP* bs);
+const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP* bs);
 const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
 int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
                       const ASN1_OCTET_STRING **pid,
@@ -318,7 +318,7 @@ void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit,
 int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value,
                                  int crit, unsigned long flags);
 int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc);
-OCSP_CERTID *OCSP_SINGLERESP_get0_id(OCSP_SINGLERESP *x);
+const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *x);
 
 DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
 DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index f8d1881..2238529 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -351,7 +351,8 @@ int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
 int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
 
 int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent);
-int X509_signature_print(BIO *bp, X509_ALGOR *alg, ASN1_STRING *sig);
+int X509_signature_print(BIO *bp, const X509_ALGOR *alg,
+                         const ASN1_STRING *sig);
 
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
@@ -547,7 +548,8 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length);
 
 int i2d_re_X509_tbs(X509 *x, unsigned char **pp);
 
-void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, X509 *x);
+void X509_get0_signature(const ASN1_BIT_STRING **psig,
+                         const X509_ALGOR **palg, const X509 *x);
 int X509_get_signature_nid(const X509 *x);
 
 int X509_trusted(const X509 *x);
@@ -629,14 +631,15 @@ int X509_get_signature_type(const X509 *x);
  * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf)
  */
 X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
-STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
-void X509_get0_uids(ASN1_BIT_STRING **piuid, ASN1_BIT_STRING **psuid, X509 *x);
-X509_ALGOR *X509_get0_tbs_sigalg(X509 *x);
+const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
+void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
+                    const ASN1_BIT_STRING **psuid);
+const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x);
 
 EVP_PKEY *X509_get0_pubkey(const X509 *x);
 EVP_PKEY *X509_get_pubkey(X509 *x);
 ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x);
-int X509_certificate_type(X509 *x, EVP_PKEY *pubkey /* optional */ );
+int X509_certificate_type(const X509 *x, const EVP_PKEY *pubkey);
 
 long X509_REQ_get_version(const X509_REQ *req);
 int X509_REQ_set_version(X509_REQ *x, long version);
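Review bot: The new `X509_certificate_type()` prototype loses the `/* optional */` marker on `pubkey`, which was the only hint in this header that the argument may be NULL. If NULL is still accepted (the body in crypto/x509/x509type.c is not fully visible here), keep the hint, e.g. `int X509_certificate_type(const X509 *x, const EVP_PKEY *pubkey /* optional */);`.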
@@ -685,10 +688,10 @@ long X509_CRL_get_version(const X509_CRL *crl);
 ASN1_TIME *X509_CRL_get_lastUpdate(const X509_CRL *crl);
 ASN1_TIME *X509_CRL_get_nextUpdate(const X509_CRL *crl);
 X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
-STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(X509_CRL *crl);
+const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
 STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
-void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
-                             X509_CRL *crl);
+void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
+                             const X509_ALGOR **palg);
 int X509_CRL_get_signature_nid(const X509_CRL *crl);
 int i2d_re_X509_CRL_tbs(X509_CRL *req, unsigned char **pp);
 
@@ -798,8 +801,8 @@ ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
 ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
 int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne);
 
-int X509_NAME_get0_der(const unsigned char **pder, size_t *pderlen,
-                       X509_NAME *nm);
+int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
+                       size_t *pderlen);
 
 int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
 int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index c3f3863..5ca76a0 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -639,8 +639,8 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
 #ifndef OPENSSL_NO_STDIO
 int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
 #endif
-int X509V3_extensions_print(BIO *out, char *title,
-                            STACK_OF(X509_EXTENSION) *exts,
+int X509V3_extensions_print(BIO *out, const char *title,
+                            const STACK_OF(X509_EXTENSION) *exts,
                             unsigned long flag, int indent);
 
 int X509_check_ca(X509 *x);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 46161a8..e7084fc 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1858,7 +1858,7 @@ __owur CERT_PKEY *ssl_get_server_send_pkey(SSL *s);
 __owur int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
                                    size_t *serverinfo_length);
 __owur EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd);
-__owur int ssl_cert_type(X509 *x, EVP_PKEY *pkey);
+__owur int ssl_cert_type(const X509 *x, const EVP_PKEY *pkey);
 void ssl_set_masks(SSL *s);
 __owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
 __owur int ssl_verify_alarm_type(long type);
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index ae986f5..7cf84c7 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -520,7 +520,7 @@ int tls_get_message_body(SSL *s, unsigned long *len)
     return 1;
 }
 
-int ssl_cert_type(X509 *x, EVP_PKEY *pk)
+int ssl_cert_type(const X509 *x, const EVP_PKEY *pk)
 {
     if (pk == NULL &&
         (pk = X509_get0_pubkey(x)) == NULL)

