From 5fb443360603069396e081d36330fcd44d3945a0 Mon Sep 17 00:00:00 2001
From: Hugo Landau <hlandau@openssl.org>
Date: Mon, 27 Nov 2023 07:51:33 +0000
Subject: Make ssl_cert_info read-only

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/22828)
---
 ssl/ssl_cert.c       | 6 +++---
 ssl/ssl_cert_table.h | 2 +-
 ssl/ssl_ciph.c       | 2 +-
 ssl/ssl_local.h      | 8 ++++----
 4 files changed, 9 insertions(+), 9 deletions(-)

(limited to 'ssl')

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 126be668fd..f11eb75827 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1240,13 +1240,13 @@ int ssl_cert_lookup_by_nid(int nid, size_t *pidx, SSL_CTX *ctx)
     return 0;
 }
 
-SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx, SSL_CTX *ctx)
+const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx, SSL_CTX *ctx)
 {
     size_t i;
 
     /* check classic pk types */
     for (i = 0; i < OSSL_NELEM(ssl_cert_info); i++) {
-        SSL_CERT_LOOKUP *tmp_lu = &ssl_cert_info[i];
+        const SSL_CERT_LOOKUP *tmp_lu = &ssl_cert_info[i];
 
         if (EVP_PKEY_is_a(pk, OBJ_nid2sn(tmp_lu->nid))
             || EVP_PKEY_is_a(pk, OBJ_nid2ln(tmp_lu->nid))) {
@@ -1270,7 +1270,7 @@ SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx, SSL_C
     return NULL;
 }
 
-SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx, SSL_CTX *ctx)
+const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx, SSL_CTX *ctx)
 {
     if (idx >= (OSSL_NELEM(ssl_cert_info) + ctx->sigalg_list_len))
         return NULL;
diff --git a/ssl/ssl_cert_table.h b/ssl/ssl_cert_table.h
index 28918b9767..e4dc8063b1 100644
--- a/ssl/ssl_cert_table.h
+++ b/ssl/ssl_cert_table.h
@@ -10,7 +10,7 @@
 /*
  * Certificate table information. NB: table entries must match SSL_PKEY indices
  */
-static SSL_CERT_LOOKUP ssl_cert_info [] = {
+static const SSL_CERT_LOOKUP ssl_cert_info [] = {
     {EVP_PKEY_RSA, SSL_aRSA}, /* SSL_PKEY_RSA */
     {EVP_PKEY_RSA_PSS, SSL_aRSA}, /* SSL_PKEY_RSA_PSS_SIGN */
     {EVP_PKEY_DSA, SSL_aDSS}, /* SSL_PKEY_DSA_SIGN */
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 8360991ce4..31c0d5af1d 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -2234,7 +2234,7 @@ int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
 
 int ssl_cert_is_disabled(SSL_CTX *ctx, size_t idx)
 {
-    SSL_CERT_LOOKUP *cl;
+    const SSL_CERT_LOOKUP *cl;
 
     /* A provider-loaded key type is always enabled */
     if (idx >= SSL_PKEY_NUM)
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index d1ef358932..ed9f54b06f 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2531,10 +2531,10 @@ __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
 int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp);
 
 __owur int ssl_cert_lookup_by_nid(int nid, size_t *pidx, SSL_CTX *ctx);
-__owur SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk,
-                                                size_t *pidx,
-                                                SSL_CTX *ctx);
-__owur SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx, SSL_CTX *ctx);
+__owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk,
+                                                      size_t *pidx,
+                                                      SSL_CTX *ctx);
+__owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx, SSL_CTX *ctx);
 
 int ssl_undefined_function(SSL *s);
 __owur int ssl_undefined_void_function(void);
-- 
cgit v1.2.3