Further const-correct config-based extension creation.
Constructing extensions from a config file should not modify the config
file or input certificates, so everything here should be const.
While I'm here, fix various missing sk_FOO_push malloc failure checks.
Change-Id: Ic29b21248a9d9243050c771fd0ce1e1d77f7ce7f
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56027
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/conf/conf.c b/crypto/conf/conf.c
index 620b104..f036498 100644
--- a/crypto/conf/conf.c
+++ b/crypto/conf/conf.c
@@ -385,8 +385,9 @@
return lh_CONF_VALUE_retrieve(conf->data, &template);
}
-STACK_OF(CONF_VALUE) *NCONF_get_section(const CONF *conf, const char *section) {
- CONF_VALUE *section_value = get_section(conf, section);
+const STACK_OF(CONF_VALUE) *NCONF_get_section(const CONF *conf,
+ const char *section) {
+ const CONF_VALUE *section_value = get_section(conf, section);
if (section_value == NULL) {
return NULL;
}
diff --git a/crypto/x509/asn1_gen.c b/crypto/x509/asn1_gen.c
index 7f48435..821d90d 100644
--- a/crypto/x509/asn1_gen.c
+++ b/crypto/x509/asn1_gen.c
@@ -124,7 +124,7 @@
int exp_count;
} tag_exp_arg;
-static ASN1_TYPE *generate_v3(const char *str, X509V3_CTX *cnf, int depth,
+static ASN1_TYPE *generate_v3(const char *str, const X509V3_CTX *cnf, int depth,
int *perr);
static int bitstr_cb(const char *elem, size_t len, void *bitstr);
static int asn1_cb(const char *elem, size_t len, void *bitstr);
@@ -132,12 +132,12 @@
int exp_constructed, int exp_pad, int imp_ok);
static int parse_tagging(const char *vstart, size_t vlen, int *ptag,
int *pclass);
-static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf,
- int depth, int *perr);
+static ASN1_TYPE *asn1_multi(int utype, const char *section,
+ const X509V3_CTX *cnf, int depth, int *perr);
static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype);
static int asn1_str2tag(const char *tagstr, size_t len);
-ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf) {
+ASN1_TYPE *ASN1_generate_v3(const char *str, const X509V3_CTX *cnf) {
int err = 0;
ASN1_TYPE *ret = generate_v3(str, cnf, 0, &err);
if (err) {
@@ -146,7 +146,7 @@
return ret;
}
-static ASN1_TYPE *generate_v3(const char *str, X509V3_CTX *cnf, int depth,
+static ASN1_TYPE *generate_v3(const char *str, const X509V3_CTX *cnf, int depth,
int *perr) {
ASN1_TYPE *ret;
tag_exp_arg asn1_tags;
@@ -444,8 +444,8 @@
// Handle multiple types: SET and SEQUENCE
-static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf,
- int depth, int *perr) {
+static ASN1_TYPE *asn1_multi(int utype, const char *section,
+ const X509V3_CTX *cnf, int depth, int *perr) {
ASN1_TYPE *ret = NULL;
STACK_OF(ASN1_TYPE) *sk = NULL;
const STACK_OF(CONF_VALUE) *sect = NULL;
@@ -460,7 +460,7 @@
if (!cnf) {
goto bad;
}
- sect = X509V3_get_section(cnf, (char *)section);
+ sect = X509V3_get_section(cnf, section);
if (!sect) {
goto bad;
}
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
index 4cfc4ae..e102842 100644
--- a/crypto/x509/internal.h
+++ b/crypto/x509/internal.h
@@ -369,7 +369,7 @@
CRYPTO_EX_DATA ex_data;
} /* X509_STORE_CTX */;
-ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf);
+ASN1_TYPE *ASN1_generate_v3(const char *str, const X509V3_CTX *cnf);
int X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent);
diff --git a/crypto/x509v3/internal.h b/crypto/x509v3/internal.h
index a1f3cee..a7bcb4e 100644
--- a/crypto/x509v3/internal.h
+++ b/crypto/x509v3/internal.h
@@ -136,7 +136,8 @@
int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool);
int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint);
-STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section);
+const STACK_OF(CONF_VALUE) *X509V3_get_section(const X509V3_CTX *ctx,
+ const char *section);
// X509V3_add_value appends a |CONF_VALUE| containing |name| and |value| to
// |*extlist|. It returns one on success and zero on error. If |*extlist| is
diff --git a/crypto/x509v3/v3_akey.c b/crypto/x509v3/v3_akey.c
index 7616f4f..a7e1ee2 100644
--- a/crypto/x509v3/v3_akey.c
+++ b/crypto/x509v3/v3_akey.c
@@ -72,7 +72,8 @@
static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(
const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *extlist);
static void *v2i_AUTHORITY_KEYID(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *values);
const X509V3_EXT_METHOD v3_akey_id = {
NID_authority_key_identifier,
@@ -132,22 +133,20 @@
// is always included.
static void *v2i_AUTHORITY_KEYID(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *values) {
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *values) {
char keyid = 0, issuer = 0;
- size_t i;
int j;
- CONF_VALUE *cnf;
ASN1_OCTET_STRING *ikeyid = NULL;
X509_NAME *isname = NULL;
GENERAL_NAMES *gens = NULL;
GENERAL_NAME *gen = NULL;
ASN1_INTEGER *serial = NULL;
- X509 *cert;
+ const X509 *cert;
AUTHORITY_KEYID *akeyid;
- for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
- cnf = sk_CONF_VALUE_value(values, i);
+ for (size_t i = 0; i < sk_CONF_VALUE_num(values); i++) {
+ const CONF_VALUE *cnf = sk_CONF_VALUE_value(values, i);
if (!strcmp(cnf->name, "keyid")) {
keyid = 1;
if (cnf->value && !strcmp(cnf->value, "always")) {
@@ -189,7 +188,7 @@
if ((issuer && !ikeyid) || (issuer == 2)) {
isname = X509_NAME_dup(X509_get_issuer_name(cert));
- serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
+ serial = ASN1_INTEGER_dup(X509_get0_serialNumber(cert));
if (!isname || !serial) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
goto err;
diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c
index 31b87f1..3a7df6b 100644
--- a/crypto/x509v3/v3_alt.c
+++ b/crypto/x509v3/v3_alt.c
@@ -68,14 +68,18 @@
#include "internal.h"
-static void *v2i_subject_alt(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval);
-static void *v2i_issuer_alt(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval);
-static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
-static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
-static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
-static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
+static void *v2i_subject_alt(const X509V3_EXT_METHOD *method,
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval);
+static void *v2i_issuer_alt(const X509V3_EXT_METHOD *method,
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval);
+static int copy_email(const X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
+static int copy_issuer(const X509V3_CTX *ctx, GENERAL_NAMES *gens);
+static int do_othername(GENERAL_NAME *gen, const char *value,
+ const X509V3_CTX *ctx);
+static int do_dirname(GENERAL_NAME *gen, const char *value,
+ const X509V3_CTX *ctx);
static STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES_cb(
const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *ret) {
@@ -267,28 +271,27 @@
return 1;
}
-static void *v2i_issuer_alt(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval) {
- GENERAL_NAMES *gens = NULL;
- CONF_VALUE *cnf;
- size_t i;
- if (!(gens = sk_GENERAL_NAME_new_null())) {
+static void *v2i_issuer_alt(const X509V3_EXT_METHOD *method,
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval) {
+ GENERAL_NAMES *gens = sk_GENERAL_NAME_new_null();
+ if (gens == NULL) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
return NULL;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- cnf = sk_CONF_VALUE_value(nval, i);
+ for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
if (x509v3_conf_name_matches(cnf->name, "issuer") && cnf->value &&
!strcmp(cnf->value, "copy")) {
if (!copy_issuer(ctx, gens)) {
goto err;
}
} else {
- GENERAL_NAME *gen;
- if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) {
+ GENERAL_NAME *gen = v2i_GENERAL_NAME(method, ctx, cnf);
+ if (gen == NULL || !sk_GENERAL_NAME_push(gens, gen)) {
+ GENERAL_NAME_free(gen);
goto err;
}
- sk_GENERAL_NAME_push(gens, gen);
}
}
return gens;
@@ -299,7 +302,7 @@
// Append subject altname of issuer to issuer alt name of subject
-static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens) {
+static int copy_issuer(const X509V3_CTX *ctx, GENERAL_NAMES *gens) {
if (ctx && (ctx->flags == CTX_TEST)) {
return 1;
}
@@ -338,17 +341,16 @@
return ret;
}
-static void *v2i_subject_alt(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval) {
- GENERAL_NAMES *gens = NULL;
- CONF_VALUE *cnf;
- size_t i;
- if (!(gens = sk_GENERAL_NAME_new_null())) {
+static void *v2i_subject_alt(const X509V3_EXT_METHOD *method,
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval) {
+ GENERAL_NAMES *gens = sk_GENERAL_NAME_new_null();
+ if (gens == NULL) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
return NULL;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- cnf = sk_CONF_VALUE_value(nval, i);
+ for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
if (x509v3_conf_name_matches(cnf->name, "email") && cnf->value &&
!strcmp(cnf->value, "copy")) {
if (!copy_email(ctx, gens, 0)) {
@@ -360,11 +362,11 @@
goto err;
}
} else {
- GENERAL_NAME *gen;
- if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) {
+ GENERAL_NAME *gen = v2i_GENERAL_NAME(method, ctx, cnf);
+ if (gen == NULL || !sk_GENERAL_NAME_push(gens, gen)) {
+ GENERAL_NAME_free(gen);
goto err;
}
- sk_GENERAL_NAME_push(gens, gen);
}
}
return gens;
@@ -375,7 +377,7 @@
// Copy any email addresses in a certificate or request to GENERAL_NAMES
-static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p) {
+static int copy_email(const X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p) {
X509_NAME *nm;
ASN1_IA5STRING *email = NULL;
X509_NAME_ENTRY *ne;
@@ -428,21 +430,20 @@
}
GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) {
- GENERAL_NAME *gen;
- GENERAL_NAMES *gens = NULL;
- CONF_VALUE *cnf;
- size_t i;
- if (!(gens = sk_GENERAL_NAME_new_null())) {
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval) {
+ GENERAL_NAMES *gens = sk_GENERAL_NAME_new_null();
+ if (gens == NULL) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
return NULL;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- cnf = sk_CONF_VALUE_value(nval, i);
- if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) {
+ for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
+ GENERAL_NAME *gen = v2i_GENERAL_NAME(method, ctx, cnf);
+ if (gen == NULL || !sk_GENERAL_NAME_push(gens, gen)) {
+ GENERAL_NAME_free(gen);
goto err;
}
- sk_GENERAL_NAME_push(gens, gen);
}
return gens;
err:
@@ -450,14 +451,15 @@
return NULL;
}
-GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- CONF_VALUE *cnf) {
+GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
+ const X509V3_CTX *ctx, const CONF_VALUE *cnf) {
return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
}
GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
- const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- int gen_type, const char *value, int is_nc) {
+ const X509V3_EXT_METHOD *method,
+ const X509V3_CTX *ctx, int gen_type,
+ const char *value, int is_nc) {
char is_string = 0;
GENERAL_NAME *gen = NULL;
@@ -545,19 +547,16 @@
GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc) {
- int type;
-
- char *name, *value;
-
- name = cnf->name;
- value = cnf->value;
-
+ const X509V3_CTX *ctx, const CONF_VALUE *cnf,
+ int is_nc) {
+ const char *name = cnf->name;
+ const char *value = cnf->value;
if (!value) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE);
return NULL;
}
+ int type;
if (x509v3_conf_name_matches(name, "email")) {
type = GEN_EMAIL;
} else if (x509v3_conf_name_matches(name, "URI")) {
@@ -581,7 +580,8 @@
return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
}
-static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx) {
+static int do_othername(GENERAL_NAME *gen, const char *value,
+ const X509V3_CTX *ctx) {
char *objtmp = NULL;
const char *p;
int objlen;
@@ -611,7 +611,8 @@
return 1;
}
-static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx) {
+static int do_dirname(GENERAL_NAME *gen, const char *value,
+ const X509V3_CTX *ctx) {
int ret = 0;
X509_NAME *nm = X509_NAME_new();
if (nm == NULL) {
diff --git a/crypto/x509v3/v3_bcons.c b/crypto/x509v3/v3_bcons.c
index 936a44d..11a6519 100644
--- a/crypto/x509v3/v3_bcons.c
+++ b/crypto/x509v3/v3_bcons.c
@@ -71,8 +71,8 @@
static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(
const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *extlist);
static void *v2i_BASIC_CONSTRAINTS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *values);
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *values);
const X509V3_EXT_METHOD v3_bcons = {
NID_basic_constraints,
@@ -107,17 +107,15 @@
}
static void *v2i_BASIC_CONSTRAINTS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *values) {
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *values) {
BASIC_CONSTRAINTS *bcons = NULL;
- CONF_VALUE *val;
- size_t i;
if (!(bcons = BASIC_CONSTRAINTS_new())) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
return NULL;
}
- for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
- val = sk_CONF_VALUE_value(values, i);
+ for (size_t i = 0; i < sk_CONF_VALUE_num(values); i++) {
+ const CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
if (!strcmp(val->name, "CA")) {
if (!X509V3_get_value_bool(val, &bcons->ca)) {
goto err;
diff --git a/crypto/x509v3/v3_bitst.c b/crypto/x509v3/v3_bitst.c
index 9562826..c1d1734 100644
--- a/crypto/x509v3/v3_bitst.c
+++ b/crypto/x509v3/v3_bitst.c
@@ -102,17 +102,16 @@
}
static void *v2i_ASN1_BIT_STRING(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) {
- CONF_VALUE *val;
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval) {
ASN1_BIT_STRING *bs;
- size_t i;
- const BIT_STRING_BITNAME *bnam;
if (!(bs = ASN1_BIT_STRING_new())) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
return NULL;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- val = sk_CONF_VALUE_value(nval, i);
+ for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ const CONF_VALUE *val = sk_CONF_VALUE_value(nval, i);
+ const BIT_STRING_BITNAME *bnam;
for (bnam = method->usr_data; bnam->lname; bnam++) {
if (!strcmp(bnam->sname, val->name) || !strcmp(bnam->lname, val->name)) {
if (!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) {
diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c
index b5a760d..ef55363 100644
--- a/crypto/x509v3/v3_conf.c
+++ b/crypto/x509v3/v3_conf.c
@@ -74,20 +74,20 @@
static int v3_check_critical(const char **value);
static int v3_check_generic(const char **value);
-static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
- int crit, const char *value);
+static X509_EXTENSION *do_ext_nconf(const CONF *conf, const X509V3_CTX *ctx,
+ int ext_nid, int crit, const char *value);
static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
int crit, int type,
- X509V3_CTX *ctx);
+ const X509V3_CTX *ctx);
static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
int crit, void *ext_struc);
-static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
+static unsigned char *generic_asn1(const char *value, const X509V3_CTX *ctx,
long *ext_len);
// CONF *conf: Config file
// char *name: Name
// char *value: Value
-X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
- const char *value) {
+X509_EXTENSION *X509V3_EXT_nconf(const CONF *conf, const X509V3_CTX *ctx,
+ const char *name, const char *value) {
int crit;
int ext_type;
X509_EXTENSION *ret;
@@ -105,8 +105,8 @@
// CONF *conf: Config file
// char *value: Value
-X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
- const char *value) {
+X509_EXTENSION *X509V3_EXT_nconf_nid(const CONF *conf, const X509V3_CTX *ctx,
+ int ext_nid, const char *value) {
int crit;
int ext_type;
crit = v3_check_critical(&value);
@@ -119,11 +119,12 @@
// CONF *conf: Config file
// char *value: Value
-static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
- int crit, const char *value) {
+static X509_EXTENSION *do_ext_nconf(const CONF *conf, const X509V3_CTX *ctx,
+ int ext_nid, int crit, const char *value) {
const X509V3_EXT_METHOD *method;
X509_EXTENSION *ext;
- STACK_OF(CONF_VALUE) *nval;
+ const STACK_OF(CONF_VALUE) *nval;
+ STACK_OF(CONF_VALUE) *nval_owned = NULL;
void *ext_struc;
if (ext_nid == NID_undef) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNKNOWN_EXTENSION_NAME);
@@ -138,20 +139,17 @@
if (*value == '@') {
nval = NCONF_get_section(conf, value + 1);
} else {
- nval = X509V3_parse_list(value);
+ nval_owned = X509V3_parse_list(value);
+ nval = nval_owned;
}
if (nval == NULL || sk_CONF_VALUE_num(nval) <= 0) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_EXTENSION_STRING);
ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
- if (*value != '@') {
- sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
- }
+ sk_CONF_VALUE_pop_free(nval_owned, X509V3_conf_free);
return NULL;
}
ext_struc = method->v2i(method, ctx, nval);
- if (*value != '@') {
- sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
- }
+ sk_CONF_VALUE_pop_free(nval_owned, X509V3_conf_free);
if (!ext_struc) {
return NULL;
}
@@ -272,7 +270,7 @@
// Create a generic extension: for now just handle DER type
static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
int crit, int gen_type,
- X509V3_CTX *ctx) {
+ const X509V3_CTX *ctx) {
unsigned char *ext_der = NULL;
long ext_len = 0;
ASN1_OBJECT *obj = NULL;
@@ -314,7 +312,7 @@
return extension;
}
-static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
+static unsigned char *generic_asn1(const char *value, const X509V3_CTX *ctx,
long *ext_len) {
ASN1_TYPE *typ;
unsigned char *ext_der = NULL;
@@ -330,18 +328,17 @@
// This is the main function: add a bunch of extensions based on a config
// file section to an extension STACK.
-int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
+int X509V3_EXT_add_nconf_sk(const CONF *conf, const X509V3_CTX *ctx,
+ const char *section,
STACK_OF(X509_EXTENSION) **sk) {
- X509_EXTENSION *ext;
- STACK_OF(CONF_VALUE) *nval;
- CONF_VALUE *val;
- size_t i;
- if (!(nval = NCONF_get_section(conf, section))) {
+ const STACK_OF(CONF_VALUE) *nval = NCONF_get_section(conf, section);
+ if (nval == NULL) {
return 0;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- val = sk_CONF_VALUE_value(nval, i);
- if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value))) {
+ for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ const CONF_VALUE *val = sk_CONF_VALUE_value(nval, i);
+ X509_EXTENSION *ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value);
+ if (ext == NULL) {
return 0;
}
if (sk) {
@@ -354,8 +351,8 @@
// Convenience functions to add extensions to a certificate, CRL and request
-int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
- X509 *cert) {
+int X509V3_EXT_add_nconf(const CONF *conf, const X509V3_CTX *ctx,
+ const char *section, X509 *cert) {
STACK_OF(X509_EXTENSION) **sk = NULL;
if (cert) {
sk = &cert->cert_info->extensions;
@@ -365,8 +362,8 @@
// Same as above but for a CRL
-int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
- X509_CRL *crl) {
+int X509V3_EXT_CRL_add_nconf(const CONF *conf, const X509V3_CTX *ctx,
+ const char *section, X509_CRL *crl) {
STACK_OF(X509_EXTENSION) **sk = NULL;
if (crl) {
sk = &crl->crl->extensions;
@@ -376,8 +373,8 @@
// Add extensions to certificate request
-int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
- X509_REQ *req) {
+int X509V3_EXT_REQ_add_nconf(const CONF *conf, const X509V3_CTX *ctx,
+ const char *section, X509_REQ *req) {
STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
int i;
if (req) {
@@ -394,9 +391,8 @@
// Config database functions
-// TODO(davidben): This function and |NCONF_get_section| should return const
-// pointers.
-STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section) {
+const STACK_OF(CONF_VALUE) *X509V3_get_section(const X509V3_CTX *ctx,
+ const char *section) {
if (ctx->db == NULL) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_OPERATION_NOT_DEFINED);
return NULL;
@@ -408,8 +404,8 @@
ctx->db = conf;
}
-void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
- X509_CRL *crl, int flags) {
+void X509V3_set_ctx(X509V3_CTX *ctx, const X509 *issuer, const X509 *subj,
+ const X509_REQ *req, const X509_CRL *crl, int flags) {
ctx->issuer_cert = issuer;
ctx->subject_cert = subj;
ctx->crl = crl;
diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c
index c2bc885..6fa011d 100644
--- a/crypto/x509v3/v3_cpols.c
+++ b/crypto/x509v3/v3_cpols.c
@@ -75,16 +75,19 @@
static int i2r_certpol(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
int indent);
-static void *r2i_certpol(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+static void *r2i_certpol(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
const char *value);
static void print_qualifiers(BIO *out, const STACK_OF(POLICYQUALINFO) *quals,
int indent);
static void print_notice(BIO *out, const USERNOTICE *notice, int indent);
-static POLICYINFO *policy_section(X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *polstrs, int ia5org);
-static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *unot, int ia5org);
-static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
+static POLICYINFO *policy_section(const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *polstrs,
+ int ia5org);
+static POLICYQUALINFO *notice_section(const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *unot,
+ int ia5org);
+static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums,
+ const STACK_OF(CONF_VALUE) *nos);
const X509V3_EXT_METHOD v3_cpols = {
NID_certificate_policies,
@@ -147,40 +150,33 @@
IMPLEMENT_ASN1_FUNCTIONS_const(NOTICEREF)
-static void *r2i_certpol(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+static void *r2i_certpol(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
const char *value) {
- STACK_OF(POLICYINFO) *pols = NULL;
- char *pstr;
- POLICYINFO *pol;
- ASN1_OBJECT *pobj;
- STACK_OF(CONF_VALUE) *vals;
- CONF_VALUE *cnf;
- size_t i;
- int ia5org;
- pols = sk_POLICYINFO_new_null();
+ STACK_OF(POLICYINFO) *pols = sk_POLICYINFO_new_null();
if (pols == NULL) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
return NULL;
}
- vals = X509V3_parse_list(value);
+ STACK_OF(CONF_VALUE) *vals = X509V3_parse_list(value);
if (vals == NULL) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_X509V3_LIB);
goto err;
}
- ia5org = 0;
- for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
- cnf = sk_CONF_VALUE_value(vals, i);
+ int ia5org = 0;
+ for (size_t i = 0; i < sk_CONF_VALUE_num(vals); i++) {
+ const CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
if (cnf->value || !cnf->name) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_POLICY_IDENTIFIER);
X509V3_conf_err(cnf);
goto err;
}
- pstr = cnf->name;
+ POLICYINFO *pol;
+ const char *pstr = cnf->name;
if (!strcmp(pstr, "ia5org")) {
ia5org = 1;
continue;
} else if (*pstr == '@') {
- STACK_OF(CONF_VALUE) *polsect = X509V3_get_section(ctx, pstr + 1);
+ const STACK_OF(CONF_VALUE) *polsect = X509V3_get_section(ctx, pstr + 1);
if (!polsect) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SECTION);
@@ -192,7 +188,8 @@
goto err;
}
} else {
- if (!(pobj = OBJ_txt2obj(cnf->name, 0))) {
+ ASN1_OBJECT *pobj = OBJ_txt2obj(cnf->name, 0);
+ if (pobj == NULL) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER);
X509V3_conf_err(cnf);
goto err;
@@ -219,17 +216,16 @@
return NULL;
}
-static POLICYINFO *policy_section(X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *polstrs, int ia5org) {
- size_t i;
- CONF_VALUE *cnf;
+static POLICYINFO *policy_section(const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *polstrs,
+ int ia5org) {
POLICYINFO *pol;
POLICYQUALINFO *qual;
if (!(pol = POLICYINFO_new())) {
goto merr;
}
- for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
- cnf = sk_CONF_VALUE_value(polstrs, i);
+ for (size_t i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
+ const CONF_VALUE *cnf = sk_CONF_VALUE_value(polstrs, i);
if (!strcmp(cnf->name, "policyIdentifier")) {
ASN1_OBJECT *pobj;
if (!(pobj = OBJ_txt2obj(cnf->value, 0))) {
@@ -267,10 +263,10 @@
X509V3_conf_err(cnf);
goto err;
}
- STACK_OF(CONF_VALUE) *unot = X509V3_get_section(ctx, cnf->value + 1);
+ const STACK_OF(CONF_VALUE) *unot =
+ X509V3_get_section(ctx, cnf->value + 1);
if (!unot) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SECTION);
-
X509V3_conf_err(cnf);
goto err;
}
@@ -306,12 +302,10 @@
return NULL;
}
-static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *unot, int ia5org) {
- size_t i;
- int ret;
- CONF_VALUE *cnf;
- USERNOTICE * not ;
+static POLICYQUALINFO *notice_section(const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *unot,
+ int ia5org) {
+ USERNOTICE *notice;
POLICYQUALINFO *qual;
if (!(qual = POLICYQUALINFO_new())) {
goto merr;
@@ -321,29 +315,29 @@
OPENSSL_PUT_ERROR(X509V3, ERR_R_INTERNAL_ERROR);
goto err;
}
- if (!(not = USERNOTICE_new())) {
+ if (!(notice = USERNOTICE_new())) {
goto merr;
}
- qual->d.usernotice = not ;
- for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
- cnf = sk_CONF_VALUE_value(unot, i);
+ qual->d.usernotice = notice;
+ for (size_t i = 0; i < sk_CONF_VALUE_num(unot); i++) {
+ const CONF_VALUE *cnf = sk_CONF_VALUE_value(unot, i);
if (!strcmp(cnf->name, "explicitText")) {
- not ->exptext = ASN1_VISIBLESTRING_new();
- if (not ->exptext == NULL) {
+ notice->exptext = ASN1_VISIBLESTRING_new();
+ if (notice->exptext == NULL) {
goto merr;
}
- if (!ASN1_STRING_set(not ->exptext, cnf->value, strlen(cnf->value))) {
+ if (!ASN1_STRING_set(notice->exptext, cnf->value, strlen(cnf->value))) {
goto merr;
}
} else if (!strcmp(cnf->name, "organization")) {
NOTICEREF *nref;
- if (!not ->noticeref) {
+ if (!notice->noticeref) {
if (!(nref = NOTICEREF_new())) {
goto merr;
}
- not ->noticeref = nref;
+ notice->noticeref = nref;
} else {
- nref = not ->noticeref;
+ nref = notice->noticeref;
}
if (ia5org) {
nref->organization->type = V_ASN1_IA5STRING;
@@ -357,13 +351,13 @@
} else if (!strcmp(cnf->name, "noticeNumbers")) {
NOTICEREF *nref;
STACK_OF(CONF_VALUE) *nos;
- if (!not ->noticeref) {
+ if (!notice->noticeref) {
if (!(nref = NOTICEREF_new())) {
goto merr;
}
- not ->noticeref = nref;
+ notice->noticeref = nref;
} else {
- nref = not ->noticeref;
+ nref = notice->noticeref;
}
nos = X509V3_parse_list(cnf->value);
if (!nos || !sk_CONF_VALUE_num(nos)) {
@@ -371,7 +365,7 @@
X509V3_conf_err(cnf);
goto err;
}
- ret = nref_nos(nref->noticenos, nos);
+ int ret = nref_nos(nref->noticenos, nos);
sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
if (!ret) {
goto err;
@@ -383,8 +377,8 @@
}
}
- if (not ->noticeref &&
- (!not ->noticeref->noticenos || !not ->noticeref->organization)) {
+ if (notice->noticeref &&
+ (!notice->noticeref->noticenos || !notice->noticeref->organization)) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
goto err;
}
@@ -399,30 +393,22 @@
return NULL;
}
-static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos) {
- CONF_VALUE *cnf;
- ASN1_INTEGER *aint;
-
- size_t i;
-
- for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
- cnf = sk_CONF_VALUE_value(nos, i);
- if (!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
+static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums,
+ const STACK_OF(CONF_VALUE) *nos) {
+ for (size_t i = 0; i < sk_CONF_VALUE_num(nos); i++) {
+ const CONF_VALUE *cnf = sk_CONF_VALUE_value(nos, i);
+ ASN1_INTEGER *aint = s2i_ASN1_INTEGER(NULL, cnf->name);
+ if (aint == NULL) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NUMBER);
- goto err;
+ return 0;
}
if (!sk_ASN1_INTEGER_push(nnums, aint)) {
- goto merr;
+ ASN1_INTEGER_free(aint);
+ OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
+ return 0;
}
}
return 1;
-
-merr:
- ASN1_INTEGER_free(aint);
- OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
-
-err:
- return 0;
}
static int i2r_certpol(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509v3/v3_crld.c
index 4093d7b..0291630 100644
--- a/crypto/x509v3/v3_crld.c
+++ b/crypto/x509v3/v3_crld.c
@@ -70,8 +70,8 @@
#include "internal.h"
-static void *v2i_crld(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval);
+static void *v2i_crld(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval);
static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
int indent);
@@ -109,28 +109,27 @@
NULL,
};
-static STACK_OF(GENERAL_NAME) *gnames_from_sectname(X509V3_CTX *ctx,
+static STACK_OF(GENERAL_NAME) *gnames_from_sectname(const X509V3_CTX *ctx,
char *sect) {
- STACK_OF(CONF_VALUE) *gnsect;
- STACK_OF(GENERAL_NAME) *gens;
+ const STACK_OF(CONF_VALUE) *gnsect;
+ STACK_OF(CONF_VALUE) *gnsect_owned = NULL;
if (*sect == '@') {
gnsect = X509V3_get_section(ctx, sect + 1);
} else {
- gnsect = X509V3_parse_list(sect);
+ gnsect_owned = X509V3_parse_list(sect);
+ gnsect = gnsect_owned;
}
if (!gnsect) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_SECTION_NOT_FOUND);
return NULL;
}
- gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
- if (*sect != '@') {
- sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
- }
+ STACK_OF(GENERAL_NAME) *gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
+ sk_CONF_VALUE_pop_free(gnsect_owned, X509V3_conf_free);
return gens;
}
-static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
- CONF_VALUE *cnf) {
+static int set_dist_point_name(DIST_POINT_NAME **pdp, const X509V3_CTX *ctx,
+ const CONF_VALUE *cnf) {
STACK_OF(GENERAL_NAME) *fnm = NULL;
STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
if (!strncmp(cnf->name, "fullname", 9)) {
@@ -203,7 +202,7 @@
{8, "AA Compromise", "AACompromise"},
{-1, NULL, NULL}};
-static int set_reasons(ASN1_BIT_STRING **preas, char *value) {
+static int set_reasons(ASN1_BIT_STRING **preas, const char *value) {
STACK_OF(CONF_VALUE) *rsk = NULL;
const BIT_STRING_BITNAME *pbn;
const char *bnam;
@@ -266,19 +265,16 @@
return 1;
}
-static DIST_POINT *crldp_from_section(X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval) {
- size_t i;
- CONF_VALUE *cnf;
+static DIST_POINT *crldp_from_section(const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval) {
DIST_POINT *point = NULL;
point = DIST_POINT_new();
if (!point) {
goto err;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- int ret;
- cnf = sk_CONF_VALUE_value(nval, i);
- ret = set_dist_point_name(&point->distpoint, ctx, cnf);
+ for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
+ int ret = set_dist_point_name(&point->distpoint, ctx, cnf);
if (ret > 0) {
continue;
}
@@ -304,21 +300,19 @@
return NULL;
}
-static void *v2i_crld(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval) {
+static void *v2i_crld(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval) {
STACK_OF(DIST_POINT) *crld = NULL;
GENERAL_NAMES *gens = NULL;
GENERAL_NAME *gen = NULL;
- CONF_VALUE *cnf;
- size_t i;
if (!(crld = sk_DIST_POINT_new_null())) {
goto merr;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
DIST_POINT *point;
- cnf = sk_CONF_VALUE_value(nval, i);
+ const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
if (!cnf->value) {
- STACK_OF(CONF_VALUE) *dpsect = X509V3_get_section(ctx, cnf->name);
+ const STACK_OF(CONF_VALUE) *dpsect = X509V3_get_section(ctx, cnf->name);
if (!dpsect) {
goto err;
}
@@ -420,8 +414,8 @@
static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
int indent);
-static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval);
+static void *v2i_idp(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval);
const X509V3_EXT_METHOD v3_idp = {
NID_issuing_distribution_point,
@@ -440,22 +434,17 @@
NULL,
};
-static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval) {
- ISSUING_DIST_POINT *idp = NULL;
- CONF_VALUE *cnf;
- char *name, *val;
- size_t i;
- int ret;
- idp = ISSUING_DIST_POINT_new();
+static void *v2i_idp(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval) {
+ ISSUING_DIST_POINT *idp = ISSUING_DIST_POINT_new();
if (!idp) {
goto merr;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- cnf = sk_CONF_VALUE_value(nval, i);
- name = cnf->name;
- val = cnf->value;
- ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
+ for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
+ const char *name = cnf->name;
+ const char *val = cnf->value;
+ int ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
if (ret > 0) {
continue;
}
diff --git a/crypto/x509v3/v3_extku.c b/crypto/x509v3/v3_extku.c
index 568e289..d493bf2 100644
--- a/crypto/x509v3/v3_extku.c
+++ b/crypto/x509v3/v3_extku.c
@@ -67,8 +67,8 @@
static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval);
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval);
static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(
const X509V3_EXT_METHOD *method, void *eku, STACK_OF(CONF_VALUE) *extlist);
@@ -115,12 +115,10 @@
static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(
const X509V3_EXT_METHOD *method, void *a, STACK_OF(CONF_VALUE) *ext_list) {
- EXTENDED_KEY_USAGE *eku = a;
- size_t i;
- ASN1_OBJECT *obj;
- char obj_tmp[80];
- for (i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
- obj = sk_ASN1_OBJECT_value(eku, i);
+ const EXTENDED_KEY_USAGE *eku = a;
+ for (size_t i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
+ const ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(eku, i);
+ char obj_tmp[80];
i2t_ASN1_OBJECT(obj_tmp, 80, obj);
X509V3_add_value(NULL, obj_tmp, &ext_list);
}
@@ -128,33 +126,31 @@
}
static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval) {
- EXTENDED_KEY_USAGE *extku;
- char *extval;
- ASN1_OBJECT *objtmp;
- CONF_VALUE *val;
- size_t i;
-
- if (!(extku = sk_ASN1_OBJECT_new_null())) {
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval) {
+ EXTENDED_KEY_USAGE *extku = sk_ASN1_OBJECT_new_null();
+ if (extku == NULL) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
return NULL;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- val = sk_CONF_VALUE_value(nval, i);
+ for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ const CONF_VALUE *val = sk_CONF_VALUE_value(nval, i);
+ const char *extval;
if (val->value) {
extval = val->value;
} else {
extval = val->name;
}
- if (!(objtmp = OBJ_txt2obj(extval, 0))) {
+ ASN1_OBJECT *obj = OBJ_txt2obj(extval, 0);
+ if (obj == NULL || !sk_ASN1_OBJECT_push(extku, obj)) {
+ ASN1_OBJECT_free(obj);
sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER);
X509V3_conf_err(val);
return NULL;
}
- sk_ASN1_OBJECT_push(extku, objtmp);
}
+
return extku;
}
diff --git a/crypto/x509v3/v3_ia5.c b/crypto/x509v3/v3_ia5.c
index 8abf40c..80ba5f9 100644
--- a/crypto/x509v3/v3_ia5.c
+++ b/crypto/x509v3/v3_ia5.c
@@ -86,7 +86,7 @@
}
static void *s2i_ASN1_IA5STRING(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, const char *str) {
+ const X509V3_CTX *ctx, const char *str) {
ASN1_IA5STRING *ia5;
if (!str) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_ARGUMENT);
diff --git a/crypto/x509v3/v3_info.c b/crypto/x509v3/v3_info.c
index 872346a..386b519 100644
--- a/crypto/x509v3/v3_info.c
+++ b/crypto/x509v3/v3_info.c
@@ -71,8 +71,8 @@
static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *ret);
static void *v2i_AUTHORITY_INFO_ACCESS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval);
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval);
const X509V3_EXT_METHOD v3_info = {
NID_info_access,
@@ -166,8 +166,8 @@
}
static void *v2i_AUTHORITY_INFO_ACCESS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval) {
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval) {
AUTHORITY_INFO_ACCESS *ainfo = NULL;
ACCESS_DESCRIPTION *acc;
char *objtmp, *ptmp;
@@ -176,7 +176,7 @@
return NULL;
}
for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
+ const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
if (!(acc = ACCESS_DESCRIPTION_new()) ||
!sk_ACCESS_DESCRIPTION_push(ainfo, acc)) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
diff --git a/crypto/x509v3/v3_int.c b/crypto/x509v3/v3_int.c
index 50cef84..843c758 100644
--- a/crypto/x509v3/v3_int.c
+++ b/crypto/x509v3/v3_int.c
@@ -65,7 +65,7 @@
return i2s_ASN1_INTEGER(method, ext);
}
-static void *s2i_asn1_int(const X509V3_EXT_METHOD *meth, X509V3_CTX *ctx,
+static void *s2i_asn1_int(const X509V3_EXT_METHOD *meth, const X509V3_CTX *ctx,
const char *value) {
return s2i_ASN1_INTEGER(meth, value);
}
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index f923e29..97a79c8 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -70,7 +70,8 @@
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval);
static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
BIO *bp, int ind);
static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
@@ -120,9 +121,8 @@
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) {
- size_t i;
- CONF_VALUE tval, *val;
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval) {
STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
NAME_CONSTRAINTS *ncons = NULL;
GENERAL_SUBTREE *sub = NULL;
@@ -130,8 +130,9 @@
if (!ncons) {
goto memerr;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- val = sk_CONF_VALUE_value(nval, i);
+ for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ const CONF_VALUE *val = sk_CONF_VALUE_value(nval, i);
+ CONF_VALUE tval;
if (!strncmp(val->name, "permitted", 9) && val->name[9]) {
ptree = &ncons->permittedSubtrees;
tval.name = val->name + 10;
diff --git a/crypto/x509v3/v3_ocsp.c b/crypto/x509v3/v3_ocsp.c
index b490a11..f0ed0b8 100644
--- a/crypto/x509v3/v3_ocsp.c
+++ b/crypto/x509v3/v3_ocsp.c
@@ -20,8 +20,8 @@
static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,
BIO *out, int indent);
-static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- const char *str);
+static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method,
+ const X509V3_CTX *ctx, const char *str);
const X509V3_EXT_METHOD v3_crl_invdate = {
NID_invalidity_date,
@@ -75,7 +75,7 @@
return 1;
}
-static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- const char *str) {
+static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method,
+ const X509V3_CTX *ctx, const char *str) {
return ASN1_NULL_new();
}
diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c
index ccbc885..5616aac 100644
--- a/crypto/x509v3/v3_pci.c
+++ b/crypto/x509v3/v3_pci.c
@@ -49,7 +49,7 @@
static int i2r_pci(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
int indent);
-static void *r2i_pci(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+static void *r2i_pci(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
const char *str);
const X509V3_EXT_METHOD v3_pci = {
@@ -195,7 +195,7 @@
return 0;
}
-static void *r2i_pci(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+static void *r2i_pci(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
const char *value) {
PROXY_CERT_INFO_EXTENSION *pci = NULL;
STACK_OF(CONF_VALUE) *vals;
diff --git a/crypto/x509v3/v3_pcons.c b/crypto/x509v3/v3_pcons.c
index 69c8933..ea1e8ba 100644
--- a/crypto/x509v3/v3_pcons.c
+++ b/crypto/x509v3/v3_pcons.c
@@ -72,8 +72,8 @@
const X509V3_EXT_METHOD *method, void *bcons,
STACK_OF(CONF_VALUE) *extlist);
static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *values);
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *values);
const X509V3_EXT_METHOD v3_policy_constraints = {
NID_policy_constraints,
@@ -100,7 +100,7 @@
static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(
const X509V3_EXT_METHOD *method, void *a, STACK_OF(CONF_VALUE) *extlist) {
- POLICY_CONSTRAINTS *pcons = a;
+ const POLICY_CONSTRAINTS *pcons = a;
X509V3_add_value_int("Require Explicit Policy", pcons->requireExplicitPolicy,
&extlist);
X509V3_add_value_int("Inhibit Policy Mapping", pcons->inhibitPolicyMapping,
@@ -109,17 +109,15 @@
}
static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *values) {
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *values) {
POLICY_CONSTRAINTS *pcons = NULL;
- CONF_VALUE *val;
- size_t i;
if (!(pcons = POLICY_CONSTRAINTS_new())) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
return NULL;
}
- for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
- val = sk_CONF_VALUE_value(values, i);
+ for (size_t i = 0; i < sk_CONF_VALUE_num(values); i++) {
+ const CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
if (!strcmp(val->name, "requireExplicitPolicy")) {
if (!X509V3_get_value_int(val, &pcons->requireExplicitPolicy)) {
goto err;
diff --git a/crypto/x509v3/v3_pmaps.c b/crypto/x509v3/v3_pmaps.c
index 3e9dcb3..3049347 100644
--- a/crypto/x509v3/v3_pmaps.c
+++ b/crypto/x509v3/v3_pmaps.c
@@ -67,7 +67,8 @@
static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval);
static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(
const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist);
@@ -101,13 +102,10 @@
static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(
const X509V3_EXT_METHOD *method, void *a, STACK_OF(CONF_VALUE) *ext_list) {
- POLICY_MAPPINGS *pmaps = a;
- POLICY_MAPPING *pmap;
- size_t i;
- char obj_tmp1[80];
- char obj_tmp2[80];
- for (i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
- pmap = sk_POLICY_MAPPING_value(pmaps, i);
+ const POLICY_MAPPINGS *pmaps = a;
+ for (size_t i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
+ const POLICY_MAPPING *pmap = sk_POLICY_MAPPING_value(pmaps, i);
+ char obj_tmp1[80], obj_tmp2[80];
i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy);
i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy);
X509V3_add_value(obj_tmp1, obj_tmp2, &ext_list);
@@ -116,43 +114,39 @@
}
static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) {
- POLICY_MAPPINGS *pmaps;
- POLICY_MAPPING *pmap;
- ASN1_OBJECT *obj1, *obj2;
- CONF_VALUE *val;
- size_t i;
-
- if (!(pmaps = sk_POLICY_MAPPING_new_null())) {
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval) {
+ POLICY_MAPPINGS *pmaps = sk_POLICY_MAPPING_new_null();
+ if (pmaps == NULL) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
return NULL;
}
- for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
- val = sk_CONF_VALUE_value(nval, i);
+ for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+ const CONF_VALUE *val = sk_CONF_VALUE_value(nval, i);
if (!val->value || !val->name) {
sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER);
X509V3_conf_err(val);
return NULL;
}
- obj1 = OBJ_txt2obj(val->name, 0);
- obj2 = OBJ_txt2obj(val->value, 0);
+ ASN1_OBJECT *obj1 = OBJ_txt2obj(val->name, 0);
+ ASN1_OBJECT *obj2 = OBJ_txt2obj(val->value, 0);
if (!obj1 || !obj2) {
sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER);
X509V3_conf_err(val);
return NULL;
}
- pmap = POLICY_MAPPING_new();
- if (!pmap) {
+ POLICY_MAPPING *pmap = POLICY_MAPPING_new();
+ if (pmap == NULL || !sk_POLICY_MAPPING_push(pmaps, pmap)) {
+ POLICY_MAPPING_free(pmap);
sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
return NULL;
}
pmap->issuerDomainPolicy = obj1;
pmap->subjectDomainPolicy = obj2;
- sk_POLICY_MAPPING_push(pmaps, pmap);
}
return pmaps;
}
diff --git a/crypto/x509v3/v3_skey.c b/crypto/x509v3/v3_skey.c
index 05c5050..9e777ed 100644
--- a/crypto/x509v3/v3_skey.c
+++ b/crypto/x509v3/v3_skey.c
@@ -73,7 +73,8 @@
}
ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, const char *str) {
+ const X509V3_CTX *ctx,
+ const char *str) {
ASN1_OCTET_STRING *oct;
long length;
@@ -97,7 +98,7 @@
return i2s_ASN1_OCTET_STRING(method, ext);
}
-static void *s2i_skey_id(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+static void *s2i_skey_id(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
const char *str) {
ASN1_OCTET_STRING *oct;
ASN1_BIT_STRING *pk;
diff --git a/decrepit/x509/x509_decrepit.c b/decrepit/x509/x509_decrepit.c
index 3abab06..5af499e 100644
--- a/decrepit/x509/x509_decrepit.c
+++ b/decrepit/x509/x509_decrepit.c
@@ -19,8 +19,9 @@
#include <openssl/conf.h>
-X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- int ext_nid, const char *value) {
+X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
+ const X509V3_CTX *ctx, int ext_nid,
+ const char *value) {
assert(conf == NULL);
return X509V3_EXT_nconf_nid(NULL, ctx, ext_nid, value);
}
diff --git a/include/openssl/conf.h b/include/openssl/conf.h
index 0872e13..908c16e 100644
--- a/include/openssl/conf.h
+++ b/include/openssl/conf.h
@@ -110,8 +110,8 @@
// NCONF_get_section returns a stack of values for a given section in |conf|.
// If |section| is NULL, the default section is returned. It returns NULL on
// error.
-OPENSSL_EXPORT STACK_OF(CONF_VALUE) *NCONF_get_section(const CONF *conf,
- const char *section);
+OPENSSL_EXPORT const STACK_OF(CONF_VALUE) *NCONF_get_section(
+ const CONF *conf, const char *section);
// NCONF_get_string returns the value of the key |name|, in section |section|.
// The |section| argument may be NULL to indicate the default section. It
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index ec2427d..c0d1677 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -89,14 +89,15 @@
void *ext,
STACK_OF(CONF_VALUE) *extlist);
typedef void *(*X509V3_EXT_V2I)(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *values);
typedef char *(*X509V3_EXT_I2S)(const X509V3_EXT_METHOD *method, void *ext);
typedef void *(*X509V3_EXT_S2I)(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, const char *str);
+ const X509V3_CTX *ctx, const char *str);
typedef int (*X509V3_EXT_I2R)(const X509V3_EXT_METHOD *method, void *ext,
BIO *out, int indent);
typedef void *(*X509V3_EXT_R2I)(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, const char *str);
+ const X509V3_CTX *ctx, const char *str);
// V3 extension structure
@@ -130,10 +131,10 @@
struct v3_ext_ctx {
#define CTX_TEST 0x1
int flags;
- X509 *issuer_cert;
- X509 *subject_cert;
- X509_REQ *subject_req;
- X509_CRL *crl;
+ const X509 *issuer_cert;
+ const X509 *subject_cert;
+ const X509_REQ *subject_req;
+ const X509_CRL *crl;
const CONF *db;
};
@@ -477,9 +478,9 @@
OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(
const X509V3_EXT_METHOD *method, GENERAL_NAMES *gen,
STACK_OF(CONF_VALUE) *extlist);
-OPENSSL_EXPORT GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx,
- STACK_OF(CONF_VALUE) *nval);
+OPENSSL_EXPORT GENERAL_NAMES *v2i_GENERAL_NAMES(
+ const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *nval);
DECLARE_ASN1_FUNCTIONS_const(OTHERNAME)
DECLARE_ASN1_FUNCTIONS_const(EDIPARTYNAME)
@@ -497,7 +498,7 @@
OPENSSL_EXPORT char *i2s_ASN1_OCTET_STRING(const X509V3_EXT_METHOD *method,
const ASN1_OCTET_STRING *ia5);
OPENSSL_EXPORT ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(
- const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str);
+ const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const char *str);
DECLARE_ASN1_FUNCTIONS_const(EXTENDED_KEY_USAGE)
OPENSSL_EXPORT int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a);
@@ -548,43 +549,51 @@
OPENSSL_EXPORT GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, int gen_type,
+ const X509V3_CTX *ctx, int gen_type,
const char *value, int is_nc);
OPENSSL_EXPORT GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
- X509V3_CTX *ctx, CONF_VALUE *cnf);
+ const X509V3_CTX *ctx,
+ const CONF_VALUE *cnf);
OPENSSL_EXPORT GENERAL_NAME *v2i_GENERAL_NAME_ex(
- GENERAL_NAME *out, const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- CONF_VALUE *cnf, int is_nc);
+ GENERAL_NAME *out, const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,
+ const CONF_VALUE *cnf, int is_nc);
OPENSSL_EXPORT void X509V3_conf_free(CONF_VALUE *val);
// X509V3_EXT_conf_nid contains the only exposed instance of an LHASH in our
// public headers. The |conf| pointer must be NULL but cryptography.io wraps
// this function so we cannot, yet, replace the type with a dummy struct.
OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
- X509V3_CTX *ctx, int ext_nid,
+ const X509V3_CTX *ctx,
+ int ext_nid,
const char *value);
-OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx,
+OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf_nid(const CONF *conf,
+ const X509V3_CTX *ctx,
int ext_nid,
const char *value);
-OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx,
+OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf(const CONF *conf,
+ const X509V3_CTX *ctx,
const char *name,
const char *value);
-OPENSSL_EXPORT int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx,
+OPENSSL_EXPORT int X509V3_EXT_add_nconf_sk(const CONF *conf,
+ const X509V3_CTX *ctx,
const char *section,
STACK_OF(X509_EXTENSION) **sk);
-OPENSSL_EXPORT int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx,
+OPENSSL_EXPORT int X509V3_EXT_add_nconf(const CONF *conf, const X509V3_CTX *ctx,
const char *section, X509 *cert);
-OPENSSL_EXPORT int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx,
+OPENSSL_EXPORT int X509V3_EXT_REQ_add_nconf(const CONF *conf,
+ const X509V3_CTX *ctx,
const char *section, X509_REQ *req);
-OPENSSL_EXPORT int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx,
+OPENSSL_EXPORT int X509V3_EXT_CRL_add_nconf(const CONF *conf,
+ const X509V3_CTX *ctx,
const char *section, X509_CRL *crl);
OPENSSL_EXPORT void X509V3_set_nconf(X509V3_CTX *ctx, const CONF *conf);
-OPENSSL_EXPORT void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
- X509_REQ *req, X509_CRL *crl, int flags);
+OPENSSL_EXPORT void X509V3_set_ctx(X509V3_CTX *ctx, const X509 *issuer,
+ const X509 *subject, const X509_REQ *req,
+ const X509_CRL *crl, int flags);
OPENSSL_EXPORT char *i2s_ASN1_INTEGER(const X509V3_EXT_METHOD *meth,
const ASN1_INTEGER *aint);
