Here's a few X509_* functions with added const. This was part of a bulk by sthen with no fallout. One minor difference: the diff I sent to Stuart contained a mistake in X509_signature_print().
Most of these are straightforward. X509_ALGOR_get0() required a bit of churn in *{pub,priv}_decode* functions. Among those, gost stands out with an ugly cast, but I'd rather not touch these more than necessary. Index: asn1/t_x509.c =================================================================== RCS file: /cvs/src/lib/libcrypto/asn1/t_x509.c,v retrieving revision 1.29 diff -u -p -r1.29 t_x509.c --- asn1/t_x509.c 25 Apr 2018 19:58:53 -0000 1.29 +++ asn1/t_x509.c 1 May 2018 16:18:46 -0000 @@ -321,7 +321,7 @@ X509_signature_dump(BIO *bp, const ASN1_ } int -X509_signature_print(BIO *bp, X509_ALGOR *sigalg, ASN1_STRING *sig) +X509_signature_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig) { int sig_nid; if (BIO_puts(bp, " Signature Algorithm: ") <= 0) Index: asn1/x_algor.c =================================================================== RCS file: /cvs/src/lib/libcrypto/asn1/x_algor.c,v retrieving revision 1.21 diff -u -p -r1.21 x_algor.c --- asn1/x_algor.c 24 Jul 2015 15:09:52 -0000 1.21 +++ asn1/x_algor.c 1 May 2018 16:18:46 -0000 @@ -176,8 +176,8 @@ X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OB } void -X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval, - X509_ALGOR *algor) +X509_ALGOR_get0(const ASN1_OBJECT **paobj, int *pptype, const void **ppval, + const X509_ALGOR *algor) { if (paobj) *paobj = algor->algorithm; Index: asn1/x_x509a.c =================================================================== RCS file: /cvs/src/lib/libcrypto/asn1/x_x509a.c,v retrieving revision 1.14 diff -u -p -r1.14 x_x509a.c --- asn1/x_x509a.c 14 Feb 2015 15:28:39 -0000 1.14 +++ asn1/x_x509a.c 1 May 2018 16:18:46 -0000 @@ -154,7 +154,7 @@ aux_get(X509 *x) } int -X509_alias_set1(X509 *x, unsigned char *name, int len) +X509_alias_set1(X509 *x, const unsigned char *name, int len) { X509_CERT_AUX *aux; if (!name) { @@ -172,7 +172,7 @@ X509_alias_set1(X509 *x, unsigned char * } int -X509_keyid_set1(X509 *x, unsigned char *id, int len) +X509_keyid_set1(X509 *x, const unsigned char *id, int len) { X509_CERT_AUX *aux; if (!id) { @@ -210,7 +210,7 @@ X509_keyid_get0(X509 *x, int *len) } int -X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj) +X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj) { X509_CERT_AUX *aux; ASN1_OBJECT *objtmp; @@ -232,7 +232,7 @@ err: } int -X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj) +X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj) { X509_CERT_AUX *aux; ASN1_OBJECT *objtmp; Index: dh/dh_ameth.c =================================================================== RCS file: /cvs/src/lib/libcrypto/dh/dh_ameth.c,v retrieving revision 1.14 diff -u -p -r1.14 dh_ameth.c --- dh/dh_ameth.c 29 Jan 2017 17:49:22 -0000 1.14 +++ dh/dh_ameth.c 1 May 2018 16:18:46 -0000 @@ -78,8 +78,8 @@ dh_pub_decode(EVP_PKEY *pkey, X509_PUBKE const unsigned char *p, *pm; int pklen, pmlen; int ptype; - void *pval; - ASN1_STRING *pstr; + const void *pval; + const ASN1_STRING *pstr; X509_ALGOR *palg; ASN1_INTEGER *public_key = NULL; DH *dh = NULL; @@ -185,8 +185,8 @@ dh_priv_decode(EVP_PKEY *pkey, PKCS8_PRI const unsigned char *p, *pm; int pklen, pmlen; int ptype; - void *pval; - ASN1_STRING *pstr; + const void *pval; + const ASN1_STRING *pstr; X509_ALGOR *palg; ASN1_INTEGER *privkey = NULL; DH *dh = NULL; Index: dsa/dsa_ameth.c =================================================================== RCS file: /cvs/src/lib/libcrypto/dsa/dsa_ameth.c,v retrieving revision 1.23 diff -u -p -r1.23 dsa_ameth.c --- dsa/dsa_ameth.c 29 Jan 2017 17:49:22 -0000 1.23 +++ dsa/dsa_ameth.c 1 May 2018 16:18:46 -0000 @@ -75,8 +75,8 @@ dsa_pub_decode(EVP_PKEY *pkey, X509_PUBK const unsigned char *p, *pm; int pklen, pmlen; int ptype; - void *pval; - ASN1_STRING *pstr; + const void *pval; + const ASN1_STRING *pstr; X509_ALGOR *palg; ASN1_INTEGER *public_key = NULL; @@ -184,8 +184,8 @@ dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PR const unsigned char *p, *pm; int pklen, pmlen; int ptype; - void *pval; - ASN1_STRING *pstr; + const void *pval; + const ASN1_STRING *pstr; X509_ALGOR *palg; ASN1_INTEGER *privkey = NULL; BN_CTX *ctx = NULL; Index: ec/ec_ameth.c =================================================================== RCS file: /cvs/src/lib/libcrypto/ec/ec_ameth.c,v retrieving revision 1.19 diff -u -p -r1.19 ec_ameth.c --- ec/ec_ameth.c 12 Mar 2018 13:14:21 -0000 1.19 +++ ec/ec_ameth.c 1 May 2018 16:18:46 -0000 @@ -136,12 +136,12 @@ err: } static EC_KEY * -eckey_type2param(int ptype, void *pval) +eckey_type2param(int ptype, const void *pval) { EC_KEY *eckey = NULL; if (ptype == V_ASN1_SEQUENCE) { - ASN1_STRING *pstr = pval; + const ASN1_STRING *pstr = pval; const unsigned char *pm = NULL; int pmlen; @@ -152,7 +152,7 @@ eckey_type2param(int ptype, void *pval) goto ecerr; } } else if (ptype == V_ASN1_OBJECT) { - ASN1_OBJECT *poid = pval; + const ASN1_OBJECT *poid = pval; EC_GROUP *group; /* @@ -187,7 +187,7 @@ static int eckey_pub_decode(EVP_PKEY * pkey, X509_PUBKEY * pubkey) { const unsigned char *p = NULL; - void *pval; + const void *pval; int ptype, pklen; EC_KEY *eckey = NULL; X509_ALGOR *palg; @@ -235,7 +235,7 @@ static int eckey_priv_decode(EVP_PKEY * pkey, PKCS8_PRIV_KEY_INFO * p8) { const unsigned char *p = NULL; - void *pval; + const void *pval; int ptype, pklen; EC_KEY *eckey = NULL; X509_ALGOR *palg; Index: gost/gostr341001_ameth.c =================================================================== RCS file: /cvs/src/lib/libcrypto/gost/gostr341001_ameth.c,v retrieving revision 1.11 diff -u -p -r1.11 gostr341001_ameth.c --- gost/gostr341001_ameth.c 29 Jan 2017 17:49:23 -0000 1.11 +++ gost/gostr341001_ameth.c 1 May 2018 16:18:47 -0000 @@ -201,7 +201,7 @@ pub_decode_gost01(EVP_PKEY *pk, X509_PUB == 0) return 0; (void)EVP_PKEY_assign_GOST(pk, NULL); - X509_ALGOR_get0(NULL, &ptype, (void **)&pval, palg); + X509_ALGOR_get0(NULL, &ptype, (const void **)&pval, palg); if (ptype != V_ASN1_SEQUENCE) { GOSTerror(GOST_R_BAD_KEY_PARAMETERS_FORMAT); return 0; @@ -410,7 +410,7 @@ priv_decode_gost01(EVP_PKEY *pk, PKCS8_P if (PKCS8_pkey_get0(&palg_obj, &pkey_buf, &priv_len, &palg, p8inf) == 0) return 0; (void)EVP_PKEY_assign_GOST(pk, NULL); - X509_ALGOR_get0(NULL, &ptype, (void **)&pval, palg); + X509_ALGOR_get0(NULL, &ptype, (const void **)&pval, palg); if (ptype != V_ASN1_SEQUENCE) { GOSTerror(GOST_R_BAD_KEY_PARAMETERS_FORMAT); return 0; Index: x509/x509.h =================================================================== RCS file: /cvs/src/lib/libcrypto/x509/x509.h,v retrieving revision 1.45 diff -u -p -r1.45 x509.h --- x509/x509.h 1 May 2018 16:14:54 -0000 1.45 +++ x509/x509.h 1 May 2018 16:18:47 -0000 @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.h,v 1.45 2018/05/01 16:14:54 tb Exp $ */ +/* $OpenBSD: x509.h,v 1.44 2018/03/17 15:28:27 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (e...@cryptsoft.com) * All rights reserved. * @@ -654,7 +654,8 @@ int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SP int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki); int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent); -int X509_signature_print(BIO *bp, X509_ALGOR *alg, ASN1_STRING *sig); +int X509_signature_print(BIO *bp, const X509_ALGOR *alg, + const ASN1_STRING *sig); int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md); int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx); @@ -758,8 +759,8 @@ X509_CRL *X509_CRL_dup(X509_CRL *crl); X509_REQ *X509_REQ_dup(X509_REQ *req); X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn); int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval); -void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval, - X509_ALGOR *algor); +void X509_ALGOR_get0(const ASN1_OBJECT **paobj, int *pptype, const void **ppval, + const X509_ALGOR *algor); void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md); int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b); @@ -907,14 +908,14 @@ void X509_get0_signature(const ASN1_BIT_ const X509_ALGOR **palg, const X509 *x); int X509_get_signature_nid(const X509 *x); -int X509_alias_set1(X509 *x, unsigned char *name, int len); -int X509_keyid_set1(X509 *x, unsigned char *id, int len); +int X509_alias_set1(X509 *x, const unsigned char *name, int len); +int X509_keyid_set1(X509 *x, const unsigned char *id, int len); unsigned char *X509_alias_get0(X509 *x, int *len); unsigned char *X509_keyid_get0(X509 *x, int *len); int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int); int X509_TRUST_set(int *t, int trust); -int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); -int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj); +int X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj); +int X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj); void X509_trust_clear(X509 *x); void X509_reject_clear(X509 *x); @@ -999,7 +1000,7 @@ const ASN1_TIME *X509_get0_notAfter(cons ASN1_TIME *X509_getm_notAfter(const X509 *x); int X509_set_pubkey(X509 *x, EVP_PKEY *pkey); EVP_PKEY * X509_get_pubkey(X509 *x); -EVP_PKEY * X509_get0_pubkey(X509 *x); +EVP_PKEY * X509_get0_pubkey(const X509 *x); ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x); int X509_certificate_type(X509 *x,EVP_PKEY *pubkey /* optional */); @@ -1121,7 +1122,7 @@ int X509_NAME_ENTRY_set_object(X509_NA ASN1_OBJECT *obj); int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, const unsigned char *bytes, int len); -ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne); +ASN1_OBJECT * X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne); ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne); int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne); Index: x509/x509_cmp.c =================================================================== RCS file: /cvs/src/lib/libcrypto/x509/x509_cmp.c,v retrieving revision 1.30 diff -u -p -r1.30 x509_cmp.c --- x509/x509_cmp.c 17 Mar 2018 14:57:23 -0000 1.30 +++ x509/x509_cmp.c 1 May 2018 16:18:47 -0000 @@ -327,7 +327,7 @@ X509_get_pubkey(X509 *x) } EVP_PKEY * -X509_get0_pubkey(X509 *x) +X509_get0_pubkey(const X509 *x) { if (x == NULL || x->cert_info == NULL) return (NULL); Index: x509/x509name.c =================================================================== RCS file: /cvs/src/lib/libcrypto/x509/x509name.c,v retrieving revision 1.16 diff -u -p -r1.16 x509name.c --- x509/x509name.c 4 Apr 2018 11:59:26 -0000 1.16 +++ x509/x509name.c 1 May 2018 16:18:47 -0000 @@ -388,7 +388,7 @@ X509_NAME_ENTRY_set_data(X509_NAME_ENTRY } ASN1_OBJECT * -X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne) +X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne) { if (ne == NULL) return (NULL);