From a41a6120cdcb7e883481bc1bed55e7157c9255c4 Mon Sep 17 00:00:00 2001 From: Patrick Schlangen Date: Wed, 10 Jan 2018 12:06:35 -0500 Subject: [PATCH] Make data argument const in SSL_dane_tlsa_add The data argument of SSL_dane_tlsa_add is used read-only, so it should be const. Reviewed-by: Viktor Dukhovni Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5056) --- doc/man3/SSL_CTX_dane_enable.pod | 4 +++- include/openssl/ssl.h | 2 +- ssl/ssl_lib.c | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/doc/man3/SSL_CTX_dane_enable.pod b/doc/man3/SSL_CTX_dane_enable.pod index 9415065b2d..1efe60763c 100644 --- a/doc/man3/SSL_CTX_dane_enable.pod +++ b/doc/man3/SSL_CTX_dane_enable.pod @@ -18,7 +18,7 @@ TLS client uint8_t mtype, uint8_t ord); int SSL_dane_enable(SSL *s, const char *basedomain); int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, - uint8_t mtype, unsigned char *data, size_t dlen); + uint8_t mtype, unsigned const char *data, size_t dlen); int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki); int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, uint8_t *mtype, unsigned const char **data, @@ -76,6 +76,8 @@ TLSA records that apply to the remote TLS peer. The arguments specify the fields of the TLSA record. The B field is provided in binary (wire RDATA) form, not the hexadecimal ASCII presentation form, with an explicit length passed via B. +The library takes a copy of the B buffer contents and the caller may +free the original B buffer when convenient. A return value of 0 indicates that "unusable" TLSA records (with invalid or unsupported parameters) were provided. A negative return value indicates an internal error in processing the record. diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index eda76df39f..05a07eb98d 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1667,7 +1667,7 @@ __owur int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, uint8_t mtype, uint8_t ord); __owur int SSL_dane_enable(SSL *s, const char *basedomain); __owur int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, - uint8_t mtype, unsigned char *data, size_t dlen); + uint8_t mtype, unsigned const char *data, size_t dlen); __owur int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki); __owur int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, uint8_t *mtype, unsigned const char **data, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index e7867cd5c8..da2e8df2c9 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -290,7 +290,7 @@ static const EVP_MD *tlsa_md_get(SSL_DANE *dane, uint8_t mtype) static int dane_tlsa_add(SSL_DANE *dane, uint8_t usage, uint8_t selector, - uint8_t mtype, unsigned char *data, size_t dlen) + uint8_t mtype, unsigned const char *data, size_t dlen) { danetls_record *t; const EVP_MD *md = NULL; @@ -1089,7 +1089,7 @@ SSL_DANE *SSL_get0_dane(SSL *s) } int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, - uint8_t mtype, unsigned char *data, size_t dlen) + uint8_t mtype, unsigned const char *data, size_t dlen) { return dane_tlsa_add(&s->dane, usage, selector, mtype, data, dlen); } -- 2.25.1