more constify X509_NAME, X509 pointers, PoC to fix OpenSSL 4.0 at the cost of breaking < 4.0.

notroj · notroj · commit 655df152c792 · 2026-03-03T16:00:34.000Z
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
@@ -1263,7 +1263,7 @@ int ssl_hook_UserCheck(request_rec *r)
     }
 
     if (!sslconn->client_dn) {
-        X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
+        const X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
         char *cp = X509_NAME_oneline(name, NULL, 0);
         sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
         OPENSSL_free(cp);
@@ -1817,7 +1817,7 @@ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
     server_rec *s = mySrvFromConn(c);
     SSLSrvConfigRec *sc = mySrvConfig(s);
     SSLDirConfigRec *dc = myDirConfigFromConn(c);
-    X509_NAME *ca_name, *issuer, *ca_issuer;
+    const X509_NAME *ca_name, *issuer, *ca_issuer;
     X509_INFO *info;
     X509 *ca_cert;
     STACK_OF(X509_NAME) *ca_list;
diff --git a/modules/ssl/ssl_engine_log.c b/modules/ssl/ssl_engine_log.c
@@ -126,7 +126,7 @@ void ssl_log_ssl_error(const char *file, int line, int level, server_rec *s)
 static void ssl_log_cert_error(const char *file, int line, int level,
                                apr_status_t rv, const server_rec *s,
                                const conn_rec *c, const request_rec *r,
-                               apr_pool_t *p, X509 *cert, const char *format,
+                               apr_pool_t *p, const X509 *cert, const char *format,
                                va_list ap)
 {
     char buf[HUGE_STRING_LEN];
@@ -212,7 +212,7 @@ static void ssl_log_cert_error(const char *file, int line, int level,
  * in the other cases we use the connection and request pool, respectively).
  */
 void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv,
-                    apr_pool_t *ptemp, server_rec *s, X509 *cert,
+                    apr_pool_t *ptemp, server_rec *s, const X509 *cert,
                     const char *fmt, ...)
 {
     if (APLOG_IS_LEVEL(s,level)) {
@@ -225,7 +225,7 @@ void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv,
 }
 
 void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv,
-                     conn_rec *c, X509 *cert, const char *fmt, ...)
+                     conn_rec *c, const X509 *cert, const char *fmt, ...)
 {
     if (APLOG_IS_LEVEL(mySrvFromConn(c),level)) {
        va_list ap;
@@ -237,7 +237,7 @@ void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv,
 }
 
 void ssl_log_rxerror(const char *file, int line, int level, apr_status_t rv,
-                     request_rec *r, X509 *cert, const char *fmt, ...)
+                     request_rec *r, const X509 *cert, const char *fmt, ...)
 {
     if (APLOG_R_IS_LEVEL(r,level)) {
        va_list ap;
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
@@ -929,7 +929,7 @@ static const char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl)
 
     serialNumber = X509_get_serialNumber(xs);
     if (serialNumber) {
-        X509_NAME *issuer = X509_get_issuer_name(xs);
+        const X509_NAME *issuer = X509_get_issuer_name(xs);
         if (issuer) {
             BIGNUM *bn = ASN1_INTEGER_to_BN(serialNumber, NULL);
             if((decimal = BN_bn2dec(bn)) == NULL) {
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
@@ -1212,16 +1212,16 @@ void         ssl_log_ssl_error(const char *, int, int, server_rec *);
  * counterparts. */
 void ssl_log_xerror(const char *file, int line, int level,
                     apr_status_t rv, apr_pool_t *p, server_rec *s,
-                    X509 *cert, const char *format, ...)
+                    const X509 *cert, const char *format, ...)
     __attribute__((format(printf,8,9)));
 
 void ssl_log_cxerror(const char *file, int line, int level,
-                     apr_status_t rv, conn_rec *c, X509 *cert,
+                     apr_status_t rv, conn_rec *c, const X509 *cert,
                      const char *format, ...)
     __attribute__((format(printf,7,8)));
 
 void ssl_log_rxerror(const char *file, int line, int level,
-                     apr_status_t rv, request_rec *r, X509 *cert,
+                     apr_status_t rv, request_rec *r, const X509 *cert,
                      const char *format, ...)
     __attribute__((format(printf,7,8)));
 
diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
@@ -236,7 +236,7 @@ char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne,
  * convert an X509_NAME to an RFC 2253 formatted string, optionally truncated
  * to maxlen characters (specify a maxlen of 0 for no length limit)
  */
-char *modssl_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
+char *modssl_X509_NAME_to_string(apr_pool_t *p, const X509_NAME *dn, int maxlen)
 {
     char *result = NULL;
     BIO *bio;
@@ -373,7 +373,7 @@ BOOL modssl_X509_getSAN(apr_pool_t *p, X509 *x509, int type, const char *onf,
 /* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
 static BOOL getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
 {
-    X509_NAME *subj;
+    const X509_NAME *subj;
     int i = -1;
 
     /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h
@@ -73,7 +73,7 @@ int         modssl_smart_shutdown(SSL *ssl);
 BOOL        modssl_X509_getBC(X509 *, int *, int *);
 char       *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne,
                                              int raw);
-char       *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
+char       *modssl_X509_NAME_to_string(apr_pool_t *, const X509_NAME *, int);
 BOOL        modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);
 BOOL        modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
 char       *modssl_SSL_SESSION_id2sz(IDCONST unsigned char *, int, char *, int);

Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@ void ssl_log_ssl_error(const char file, int line, int level, server_rec s)`
`126`	`126`	`static void ssl_log_cert_error(const char *file, int line, int level,`
`127`	`127`	`apr_status_t rv, const server_rec *s,`
`128`	`128`	`const conn_rec c, const request_rec r,`
`129`		`- apr_pool_t p, X509 cert, const char *format,`
	`129`	`+ apr_pool_t p, const X509 cert, const char *format,`
`130`	`130`	`va_list ap)`
`131`	`131`	`{`
`132`	`132`	`char buf[HUGE_STRING_LEN];`
`@@ -212,7 +212,7 @@ static void ssl_log_cert_error(const char *file, int line, int level,`
`212`	`212`	`* in the other cases we use the connection and request pool, respectively).`
`213`	`213`	`*/`
`214`	`214`	`void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv,`
`215`		`- apr_pool_t ptemp, server_rec s, X509 *cert,`
	`215`	`+ apr_pool_t ptemp, server_rec s, const X509 *cert,`
`216`	`216`	`const char *fmt, ...)`
`217`	`217`	`{`
`218`	`218`	`if (APLOG_IS_LEVEL(s,level)) {`
`@@ -225,7 +225,7 @@ void ssl_log_xerror(const char *file, int line, int level, apr_status_t rv,`
`225`	`225`	`}`
`226`	`226`
`227`	`227`	`void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv,`
`228`		`- conn_rec c, X509 cert, const char *fmt, ...)`
	`228`	`+ conn_rec c, const X509 cert, const char *fmt, ...)`
`229`	`229`	`{`
`230`	`230`	`if (APLOG_IS_LEVEL(mySrvFromConn(c),level)) {`
`231`	`231`	`va_list ap;`
`@@ -237,7 +237,7 @@ void ssl_log_cxerror(const char *file, int line, int level, apr_status_t rv,`
`237`	`237`	`}`
`238`	`238`
`239`	`239`	`void ssl_log_rxerror(const char *file, int line, int level, apr_status_t rv,`
`240`		`- request_rec r, X509 cert, const char *fmt, ...)`
	`240`	`+ request_rec r, const X509 cert, const char *fmt, ...)`
`241`	`241`	`{`
`242`	`242`	`if (APLOG_R_IS_LEVEL(r,level)) {`
`243`	`243`	`va_list ap;`