mod_ssl: constify X509_NAME_ENTRY and X509_EXTENSION pointers:

* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert_dn,
  extract_dn): Constify X509_NAME_ENTRY * variables, constify
  X509_NAME * parameter of extract_dn, drop unnecessary casts
  on X509_NAME_ENTRY_get_object() calls.
  (ssl_ext_list): Use MODSSL_X509_EXT_CONST for X509_EXTENSION *
  since X509_EXTENSION accessors are only constified in OpenSSL 4.
* modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h
  (modssl_X509_NAME_ENTRY_to_string): Constify X509_NAME_ENTRY *
  parameter.
* modules/ssl/ssl_private.h: Add MODSSL_X509_EXT_CONST, defined
  as const for OpenSSL 4+ and empty otherwise.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: notroj

modules/ssl/ssl_engine_vars.c

@@ -732,7 +732,7 @@ static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, const X509_NAME *xs
 {
     const char *ptr;
     const char *result;
-    X509_NAME_ENTRY *xsne;
+    const X509_NAME_ENTRY *xsne;
     int i, j, n, idx = 0, raw = 0;
     apr_size_t varlen;
 
@@ -759,7 +759,7 @@ static const char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, const X509_NAME *xs
             for (j = 0; j < X509_NAME_entry_count(xsname); j++) {
                 xsne = X509_NAME_get_entry(xsname, j);
 
-                n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
+                n = OBJ_obj2nid(X509_NAME_ENTRY_get_object(xsne));
 
                 if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) {
                     result = modssl_X509_NAME_ENTRY_to_string(p, xsne, raw);
@@ -1112,9 +1112,9 @@ static const char *ssl_var_lookup_ssl_version(const char *var)
 /* Add each RDN in 'xn' to the table 't' where the NID is present in
  * 'nids', using key prefix 'pfx'.  */
 static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
-                       X509_NAME *xn, apr_pool_t *p)
+                       const X509_NAME *xn, apr_pool_t *p)
 {
-    X509_NAME_ENTRY *xsne;
+    const X509_NAME_ENTRY *xsne;
     apr_hash_t *count;
     int i, nid;
 
@@ -1129,7 +1129,7 @@ static void extract_dn(apr_table_t *t, apr_hash_t *nids, const char *pfx,
 
          /* Retrieve the nid, and check whether this is one of the nids
           * which are to be extracted. */
-         nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
+         nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(xsne));
 
          tag = apr_hash_get(nids, &nid, sizeof nid);
          if (tag) {
@@ -1301,7 +1301,7 @@ apr_array_header_t *ssl_ext_list(apr_pool_t *p, conn_rec *c, int peer,
      */
     array = apr_array_make(p, count, sizeof(char *));
     for (j = 0; j < count; j++) {
-        X509_EXTENSION *ext = X509_get_ext(xs, j);
+        MODSSL_X509_EXT_CONST X509_EXTENSION *ext = X509_get_ext(xs, j);
 
         if (OBJ_cmp(X509_EXTENSION_get_object(ext), oid) == 0) {
             BIO *bio = BIO_new(BIO_s_mem());

modules/ssl/ssl_private.h

@@ -155,6 +155,12 @@
 #define MODSSL_SSL_METHOD_CONST
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+#define MODSSL_X509_EXT_CONST const
+#else
+#define MODSSL_X509_EXT_CONST
+#endif
+
 #if defined(LIBRESSL_VERSION_NUMBER)
 /* Missing from LibreSSL */
 #if LIBRESSL_VERSION_NUMBER < 0x2060000f

modules/ssl/ssl_util_ssl.c

@@ -224,7 +224,7 @@ static char *asn1_string_convert(apr_pool_t *p, ASN1_STRING *asn1str, int raw)
 #define asn1_string_to_utf8(p, a) asn1_string_convert(p, a, 0)
 
 /* convert a NAME_ENTRY to UTF8 string */
-char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne,
+char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, const X509_NAME_ENTRY *xsne,
                                        int raw)
 {
     char *result = asn1_string_convert(p, X509_NAME_ENTRY_get_data(xsne), raw);

modules/ssl/ssl_util_ssl.h

@@ -71,7 +71,7 @@ EVP_PKEY   *modssl_read_privatekey(const char *filename, pem_password_cb *cb, vo
 
 int         modssl_smart_shutdown(SSL *ssl);
 BOOL        modssl_X509_getBC(X509 *, int *, int *);
-char       *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne,
+char       *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, const X509_NAME_ENTRY *xsne,
                                              int raw);
 char       *modssl_X509_NAME_to_string(apr_pool_t *, const X509_NAME *, int);
 BOOL        modssl_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);