From cc88cbeddb7d5a75202cbffeb7b3d5e6cd8cbbc0 Mon Sep 17 00:00:00 2001
From: tb
Date: Sat, 28 Mar 2026 11:49:31 +0000
Subject: [PATCH] libtls: const workarounds for X509_NAME in OCSP for OpenSSL 4

The API to look up a cert by subject or issuer name clearly only needs to do name comparisons in a collection of certs so should by all means take a const X509_NAME * as an argument. However, this isn't all that easy to do and hence it's only in OpenSSL 4 that this obvious step was reached. This means that there is no way around casting for older code. One could cast the return value of X509_get_issuer_name() or the argument passed to the two lookups by subject. jsing slightly prefers the second approach, so this is what we do here.

ok djm jsing kenjiro
---
 lib/libtls/tls_ocsp.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/libtls/tls_ocsp.c b/lib/libtls/tls_ocsp.c
index bfd06e3c6aa..c65911920ab 100644
--- a/lib/libtls/tls_ocsp.c
+++ b/lib/libtls/tls_ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_ocsp.c,v 1.26 2024/03/26 06:24:52 joshua Exp $ */
+/* $OpenBSD: tls_ocsp.c,v 1.27 2026/03/28 11:49:31 tb Exp $ */
 /*
  * Copyright (c) 2015 Marko Kreen
  * Copyright (c) 2016 Bob Beck
@@ -130,7 +130,7 @@ static OCSP_CERTID *
 tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs,
     SSL_CTX *ssl_ctx)
 {
-	X509_NAME *issuer_name;
+	const X509_NAME *issuer_name;
 	X509 *issuer;
 	X509_STORE_CTX *storectx = NULL;
 	X509_OBJECT *obj = NULL;
@@ -141,7 +141,8 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs,
 		goto out;
 
 	if (extra_certs != NULL) {
-		issuer = X509_find_by_subject(extra_certs, issuer_name);
+		issuer = X509_find_by_subject(extra_certs,
+		    (X509_NAME *)issuer_name);
 		if (issuer != NULL) {
 			cid = OCSP_cert_to_id(NULL, main_cert, issuer);
 			goto out;
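Review bot: The `(X509_NAME *)issuer_name` cast added here, and the matching one in the hunk at -155, strips the const that the hunk at -130 just put on the declaration, and nothing in the code says why, so the next reader is likely to either re-add const to the declaration or "fix" the casts away. A one-line comment above the first cast, `/* X509_find_by_subject() and X509_STORE_CTX_get_obj_by_subject() take a non-const X509_NAME before OpenSSL 4; drop the casts once that is the floor. */`, would carry the commit message's reasoning into the file. As far as the visible lines show, neither lookup is handed a pointer that is written through, so this is a qualifier drop rather than undefined behaviour, but `-Wcast-qual` builds will flag both sites; if that matters, a single static inline wrapper would keep the cast in one place. tls_ocsp_get_certid() begins in the hunk at -130 and continues past the hunk at -155.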
@@ -155,7 +156,7 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs,
 	if (X509_STORE_CTX_init(storectx, store, main_cert, extra_certs) != 1)
 		goto out;
 	if ((obj = X509_STORE_CTX_get_obj_by_subject(storectx, X509_LU_X509,
-	    issuer_name)) == NULL)
+	    (X509_NAME *)issuer_name)) == NULL)
 		goto out;
 
 	cid = OCSP_cert_to_id(NULL, main_cert, X509_OBJECT_get0_X509(obj));