Constify various mostly X509-related parameter types in crypto/ and apps/

in particular X509_NAME*, X509_STORE{,_CTX}*, and ASN1_INTEGER *, also some result types of new functions, which does not break compatibility Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/10504)
2025-05-16 11:29:42 +00:00 · 2020-03-23 08:30:37 +01:00 · 2020-03-23 08:30:37 +01:00 · 8cc86b81ac
commit 8cc86b81ac
parent 7e06a6758b
71 changed files with 353 additions and 317 deletions
--- a/apps/ca.c
+++ b/apps/ca.c
@ -1430,7 +1430,8 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
                   CONF *lconf, unsigned long certopt, unsigned long nameopt,
                   int default_op, int ext_copy, int selfsign)
 {
-    X509_NAME *name = NULL, *CAname = NULL, *subject = NULL;
+    const X509_NAME *name = NULL;
    X509_NAME *CAname = NULL, *subject = NULL;
    const ASN1_TIME *tm;
    ASN1_STRING *str, *str2;
    ASN1_OBJECT *obj;
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@ -91,7 +91,7 @@ int wrap_password_callback(char *buf, int bufsiz, int verify, void *cb_data);
 int chopup_args(ARGS *arg, char *buf);
 int dump_cert_text(BIO *out, X509 *x);
-void print_name(BIO *out, const char *title, X509_NAME *nm,
+void print_name(BIO *out, const char *title, const X509_NAME *nm,
                unsigned long lflags);
 void print_bignum_var(BIO *, const BIGNUM *, const char*,
                      int, unsigned char *);
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@ -968,7 +968,7 @@ static int set_table_opts(unsigned long *flags, const char *arg,
    return 0;
 }
-void print_name(BIO *out, const char *title, X509_NAME *nm,
+void print_name(BIO *out, const char *title, const X509_NAME *nm,
                unsigned long lflags)
 {
    char *buf;
@ -1900,7 +1900,8 @@ static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
 * anything.
 */
-static STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
+static STACK_OF(X509_CRL) *crls_http_cb(const X509_STORE_CTX *ctx,
                                        const X509_NAME *nm)
 {
    X509 *x;
    STACK_OF(X509_CRL) *crls = NULL;
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@ -1081,7 +1081,7 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
                           STACK_OF(OCSP_CERTID) *ids)
 {
    OCSP_CERTID *id;
-    X509_NAME *iname;
+    const X509_NAME *iname;
    ASN1_BIT_STRING *ikey;
    ASN1_INTEGER *sno;
--- a/apps/rehash.c
+++ b/apps/rehash.c
@ -233,7 +233,7 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h)
 {
    STACK_OF (X509_INFO) *inf = NULL;
    X509_INFO *x;
-    X509_NAME *name = NULL;
+    const X509_NAME *name = NULL;
    BIO *b;
    const char *ext;
    unsigned char digest[EVP_MAX_MD_SIZE];
--- a/apps/req.c
+++ b/apps/req.c
@ -1107,8 +1107,7 @@ static int prompt_info(X509_REQ *req,
    char *type, *value;
    const char *def;
    CONF_VALUE *v;
-    X509_NAME *subj;
+    X509_NAME *subj = X509_REQ_get_subject_name(req);
    subj = X509_REQ_get_subject_name(req);
    if (!batch) {
        BIO_printf(bio_err,
@ -1193,8 +1192,7 @@ static int prompt_info(X509_REQ *req,
                return 0;
        }
        if (X509_NAME_entry_count(subj) == 0) {
-            BIO_printf(bio_err,
+            BIO_printf(bio_err, "error, no objects specified in config file\n");
                       "error, no objects specified in config file\n");
            return 0;
        }
--- a/crypto/bio/bio_lib.c
+++ b/crypto/bio/bio_lib.c
@ -750,7 +750,7 @@ int BIO_set_ex_data(BIO *bio, int idx, void *data)
    return CRYPTO_set_ex_data(&(bio->ex_data), idx, data);
 }
-void *BIO_get_ex_data(BIO *bio, int idx)
+void *BIO_get_ex_data(const BIO *bio, int idx)
 {
    return CRYPTO_get_ex_data(&(bio->ex_data), idx);
 }
--- a/crypto/cmp/cmp_hdr.c
+++ b/crypto/cmp/cmp_hdr.c
@ -266,8 +266,8 @@ int ossl_cmp_hdr_has_implicitConfirm(const OSSL_CMP_PKIHEADER *hdr)
 /* fill in all fields of the hdr according to the info given in ctx */
 int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr)
 {
-    X509_NAME *sender;
+    const X509_NAME *sender;
-    X509_NAME *rcp = NULL;
+    const X509_NAME *rcp = NULL;
    if (!ossl_assert(ctx != NULL && hdr != NULL))
        return 0;
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@ -56,7 +56,7 @@ struct ossl_cmp_ctx_st {
    int unprotectedErrors;
    X509 *srvCert; /* certificate used to identify the server */
    X509 *validatedSrvCert; /* caches any already validated server cert */
-    X509_NAME *expected_sender; /* expected sender in pkiheader of response */
+    X509_NAME *expected_sender; /* expected sender in header of response */
    X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */
    STACK_OF(X509) *untrusted_certs; /* untrusted (intermediate) certs */
    int ignore_keyusage; /* ignore key usage entry when validating certs */
@ -95,7 +95,7 @@ struct ossl_cmp_ctx_st {
    int newPkey_priv; /* flag indicating if newPkey contains private key */
    X509_NAME *issuer; /* issuer name to used in cert template */
    int days; /* Number of days new certificates are asked to be valid for */
-    X509_NAME *subjectName; /* subject name to be used in the cert template */
+    X509_NAME *subjectName; /* subject name to be used in cert template */
    STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */
    int SubjectAltName_nodefault;
    int setSubjectAltNameCritical;
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@ -185,7 +185,7 @@ OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
    (sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
         || OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
-static X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, X509 *refcert,
+static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, X509 *refcert,
                                       int bodytype)
 {
    if (ctx->subjectName != NULL)
@ -212,7 +212,7 @@ static OSSL_CRMF_MSG *crm_new(OSSL_CMP_CTX *ctx, int bodytype, int rid)
    /* refcert defaults to current client cert */
    EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
    STACK_OF(GENERAL_NAME) *default_sans = NULL;
-    X509_NAME *subject = determine_subj(ctx, refcert, bodytype);
+    const X509_NAME *subject = determine_subj(ctx, refcert, bodytype);
    int crit = ctx->setSubjectAltNameCritical || subject == NULL;
    /* RFC5280: subjectAltName MUST be critical if subject is null */
    X509_EXTENSIONS *exts = NULL;
--- a/crypto/cmp/cmp_server.c
+++ b/crypto/cmp/cmp_server.c
@ -249,7 +249,7 @@ static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
    OSSL_CMP_REVDETAILS *details;
    OSSL_CRMF_CERTID *certId;
    OSSL_CRMF_CERTTEMPLATE *tmpl;
-    X509_NAME *issuer;
+    const X509_NAME *issuer;
    ASN1_INTEGER *serial;
    OSSL_CMP_PKISI *si;
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@ -567,14 +567,14 @@ ASN1_INTEGER
 }
 /* retrieves the issuer name of the given cert template or NULL on error */
-X509_NAME
+const X509_NAME
    *OSSL_CRMF_CERTTEMPLATE_get0_issuer(const OSSL_CRMF_CERTTEMPLATE *tmpl)
 {
    return tmpl != NULL ? tmpl->issuer : NULL;
 }
 /* retrieves the issuer name of the given CertId or NULL on error */
-X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid)
+const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid)
 {
    return cid != NULL && cid->issuer->type == GEN_DIRNAME ?
        cid->issuer->d.directoryName : NULL;
@ -600,9 +600,9 @@ int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
        CRMFerr(CRMF_F_OSSL_CRMF_CERTTEMPLATE_FILL, CRMF_R_NULL_ARGUMENT);
        return 0;
    }
-    if (subject != NULL && !X509_NAME_set(&tmpl->subject, subject))
+    if (subject != NULL && !X509_NAME_set((X509_NAME **)&tmpl->subject, subject))
        return 0;
-    if (issuer != NULL && !X509_NAME_set(&tmpl->issuer, issuer))
+    if (issuer != NULL && !X509_NAME_set((X509_NAME **)&tmpl->issuer, issuer))
        return 0;
    if (serial != NULL) {
        ASN1_INTEGER_free(tmpl->serialNumber);
--- a/crypto/crmf/crmf_local.h
+++ b/crypto/crmf/crmf_local.h
@ -315,9 +315,9 @@ struct ossl_crmf_certtemplate_st {
    /* This field is assigned by the CA during certificate creation */
    X509_ALGOR *signingAlg; /* signingAlg MUST be omitted */
    /* This field is assigned by the CA during certificate creation */
-    X509_NAME *issuer;
+    const X509_NAME *issuer;
    OSSL_CRMF_OPTIONALVALIDITY *validity;
-    X509_NAME *subject;
+    const X509_NAME *subject;
    X509_PUBKEY *publicKey;
    ASN1_BIT_STRING *issuerUID; /* deprecated in version 2 */
    /* According to rfc 3280: UniqueIdentifier ::= BIT STRING */
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@ -171,7 +171,7 @@ int DH_set_ex_data(DH *d, int idx, void *arg)
    return CRYPTO_set_ex_data(&d->ex_data, idx, arg);
 }
-void *DH_get_ex_data(DH *d, int idx)
+void *DH_get_ex_data(const DH *d, int idx)
 {
    return CRYPTO_get_ex_data(&d->ex_data, idx);
 }
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@ -32,7 +32,7 @@ int DSA_set_ex_data(DSA *d, int idx, void *arg)
    return CRYPTO_set_ex_data(&d->ex_data, idx, arg);
 }
-void *DSA_get_ex_data(DSA *d, int idx)
+void *DSA_get_ex_data(const DSA *d, int idx)
 {
    return CRYPTO_get_ex_data(&d->ex_data, idx);
 }
--- a/crypto/evp/pkey_mac.c
+++ b/crypto/evp/pkey_mac.c
@ -310,8 +310,7 @@ static int pkey_mac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
                if (ctx->pkey == NULL)
                    return 0;
-                new_mac_ctx = EVP_MAC_CTX_dup((EVP_MAC_CTX *)ctx->pkey
+                new_mac_ctx = EVP_MAC_CTX_dup(ctx->pkey->pkey.ptr);
                                              ->pkey.ptr);
                if (new_mac_ctx == NULL)
                    return 0;
                EVP_MAC_CTX_free(hctx->ctx);
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@ -48,7 +48,7 @@ OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
 /* Set requestorName from an X509_NAME structure */
-int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
+int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm)
 {
    GENERAL_NAME *gen;
--- a/crypto/ocsp/ocsp_ext.c
+++ b/crypto/ocsp/ocsp_ext.c
@ -430,7 +430,7 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char *tim)
 * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value.  This method
 * forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
 */
-X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, const char **urls)
+X509_EXTENSION *OCSP_url_svcloc_new(const X509_NAME *issuer, const char **urls)
 {
    X509_EXTENSION *x = NULL;
    ASN1_IA5STRING *ia5 = NULL;
--- a/crypto/ocsp/ocsp_lib.c
+++ b/crypto/ocsp/ocsp_lib.c
@ -22,7 +22,7 @@
 OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject,
                             const X509 *issuer)
 {
-    X509_NAME *iname;
+    const X509_NAME *iname;
    const ASN1_INTEGER *serial;
    ASN1_BIT_STRING *ikey;
    if (!dgst)
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@ -22,7 +22,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
                               STACK_OF(OCSP_SINGLERESP) *sresp);
 static int ocsp_check_delegated(X509 *x);
 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
-                                X509_NAME *nm, STACK_OF(X509) *certs,
+                                const X509_NAME *nm, STACK_OF(X509) *certs,
                                unsigned long flags);
 /* Verify a basic response message */
@ -279,7 +279,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
    /* If only one ID to match then do it */
    if (cid) {
        const EVP_MD *dgst;
-        X509_NAME *iname;
+        const X509_NAME *iname;
        int mdlen;
        unsigned char md[EVP_MAX_MD_SIZE];
        if ((dgst = EVP_get_digestbyobj(cid->hashAlgorithm.algorithm))
@ -340,7 +340,7 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
                        X509_STORE *store, unsigned long flags)
 {
    X509 *signer;
-    X509_NAME *nm;
+    const X509_NAME *nm;
    GENERAL_NAME *gen;
    int ret = 0;
    X509_STORE_CTX *ctx = X509_STORE_CTX_new();
@ -414,7 +414,7 @@ end:
 }
 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
-                                X509_NAME *nm, STACK_OF(X509) *certs,
+                                const X509_NAME *nm, STACK_OF(X509) *certs,
                                unsigned long flags)
 {
    X509 *signer;
--- a/crypto/store/store_local.h
+++ b/crypto/store/store_local.h
@ -73,7 +73,7 @@ struct ossl_store_search_st {
     * Used by OSSL_STORE_SEARCH_BY_NAME and
     * OSSL_STORE_SEARCH_BY_ISSUER_SERIAL
     */
-    X509_NAME *name;
+    X509_NAME *name; /* TODO constify this; leads to API incompatibility */
    /* Used by OSSL_STORE_SEARCH_BY_ISSUER_SERIAL */
    const ASN1_INTEGER *serial;
--- a/crypto/ui/ui_lib.c
+++ b/crypto/ui/ui_lib.c
@ -578,7 +578,7 @@ int UI_set_ex_data(UI *r, int idx, void *arg)
    return CRYPTO_set_ex_data(&r->ex_data, idx, arg);
 }
-void *UI_get_ex_data(UI *r, int idx)
+void *UI_get_ex_data(const UI *r, int idx)
 {
    return CRYPTO_get_ex_data(&r->ex_data, idx);
 }
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@ -45,7 +45,7 @@ static int new_dir(X509_LOOKUP *lu);
 static void free_dir(X509_LOOKUP *lu);
 static int add_cert_dir(BY_DIR *ctx, const char *dir, int type);
 static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
-                               X509_NAME *name, X509_OBJECT *ret);
+                               const X509_NAME *name, X509_OBJECT *ret);
 static X509_LOOKUP_METHOD x509_dir_lookup = {
    "Load certs from files in a directory",
    new_dir,                    /* new_item */
@ -209,7 +209,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
 }
 static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
-                               X509_NAME *name, X509_OBJECT *ret)
+                               const X509_NAME *name, X509_OBJECT *ret)
 {
    BY_DIR *ctx;
    union {
@ -228,11 +228,11 @@ static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
    stmp.type = type;
    if (type == X509_LU_X509) {
-        data.st_x509.cert_info.subject = name;
+        data.st_x509.cert_info.subject = (X509_NAME *)name; /* won't modify it */
        stmp.data.x509 = &data.st_x509;
        postfix = "";
    } else if (type == X509_LU_CRL) {
-        data.crl.crl.issuer = name;
+        data.crl.crl.issuer = (X509_NAME *)name; /* won't modify it */
        stmp.data.crl = &data.crl;
        postfix = "r";
    } else {
--- a/crypto/x509/by_store.c
+++ b/crypto/x509/by_store.c
@ -151,9 +151,10 @@ static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
 }
 static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                            X509_NAME *name, X509_OBJECT *ret)
+                            const X509_NAME *name, X509_OBJECT *ret)
 {
-    OSSL_STORE_SEARCH *criterion = OSSL_STORE_SEARCH_by_name(name);
+    OSSL_STORE_SEARCH *criterion =
        OSSL_STORE_SEARCH_by_name((X509_NAME *)name); /* won't modify it */
    int ok = by_store(ctx, type, criterion, ret);
    STACK_OF(X509_OBJECT) *store_objects =
        X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
--- a/crypto/x509/pcy_lib.c
+++ b/crypto/x509/pcy_lib.c
@ -69,7 +69,7 @@ int X509_policy_level_node_count(X509_POLICY_LEVEL *level)
    return n;
 }
-X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i)
+X509_POLICY_NODE *X509_policy_level_get0_node(const X509_POLICY_LEVEL *level, int i)
 {
    if (!level)
        return NULL;
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@ -227,7 +227,7 @@ int X509_ocspid_print(BIO *bp, X509 *x)
    int i;
    unsigned char SHA1md[SHA_DIGEST_LENGTH];
    ASN1_BIT_STRING *keybstr;
-    X509_NAME *subj;
+    const X509_NAME *subj;
    /*
     * display the hash of the subject as it would appear in OCSP requests
--- a/crypto/x509/v3_crld.c
+++ b/crypto/x509/v3_crld.c
@ -479,7 +479,7 @@ static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
    return 1;
 }
-int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
+int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, const X509_NAME *iname)
 {
    int i;
    STACK_OF(X509_NAME_ENTRY) *frag;
--- a/crypto/x509/v3_ncons.c
+++ b/crypto/x509/v3_ncons.c
@ -31,7 +31,7 @@ static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
 static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
 static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
-static int nc_dn(X509_NAME *sub, X509_NAME *nm);
+static int nc_dn(const X509_NAME *sub, const X509_NAME *nm);
 static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
 static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
 static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
@ -400,7 +400,7 @@ static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
 int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
 {
    int r, i;
-    X509_NAME *nm = X509_get_subject_name(x);
+    const X509_NAME *nm = X509_get_subject_name(x);
    ASN1_STRING stmp;
    GENERAL_NAME gntmp;
@ -543,7 +543,7 @@ static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
 * subset of the name.
 */
-static int nc_dn(X509_NAME *nm, X509_NAME *base)
+static int nc_dn(const X509_NAME *nm, const X509_NAME *base)
 {
    /* Ensure canonical encodings are up to date.  */
    if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@ -304,7 +304,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
 static int setup_dp(X509 *x, DIST_POINT *dp)
 {
-    X509_NAME *iname = NULL;
+    const X509_NAME *iname = NULL;
    int i;
    if (dp->reasons) {
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@ -22,7 +22,7 @@
 static char *strip_spaces(char *name);
 static int sk_strcmp(const char *const *a, const char *const *b);
-static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
+static STACK_OF(OPENSSL_STRING) *get_email(const X509_NAME *name,
                                           GENERAL_NAMES *gens);
 static void str_free(OPENSSL_STRING str);
 static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email);
@ -463,7 +463,7 @@ STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
    return ret;
 }
-static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
+static STACK_OF(OPENSSL_STRING) *get_email(const X509_NAME *name,
                                           GENERAL_NAMES *gens)
 {
    STACK_OF(OPENSSL_STRING) *ret = NULL;
@ -819,7 +819,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
                         unsigned int flags, int check_type, char **peername)
 {
    GENERAL_NAMES *gens = NULL;
-    X509_NAME *name = NULL;
+    const X509_NAME *name = NULL;
    int i;
    int cnid = NID_undef;
    int alt_type;
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@ -184,7 +184,7 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
 }
-unsigned long X509_NAME_hash(X509_NAME *x)
+unsigned long X509_NAME_hash(const X509_NAME *x)
 {
    unsigned long ret = 0;
    unsigned char md[SHA_DIGEST_LENGTH];
@ -207,7 +207,7 @@ unsigned long X509_NAME_hash(X509_NAME *x)
 * this is reasonably efficient.
 */
-unsigned long X509_NAME_hash_old(X509_NAME *x)
+unsigned long X509_NAME_hash_old(const X509_NAME *x)
 {
    EVP_MD *md5 = EVP_MD_fetch(NULL, OSSL_DIGEST_NAME_MD5, "-fips");
    EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
@ -235,8 +235,8 @@ unsigned long X509_NAME_hash_old(X509_NAME *x)
 #endif
 /* Search a stack of X509 for a match */
-X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
+X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, const X509_NAME *name,
-                                     ASN1_INTEGER *serial)
+                                     const ASN1_INTEGER *serial)
 {
    int i;
    X509 x, *x509 = NULL;
@ -245,7 +245,7 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
        return NULL;
    x.cert_info.serialNumber = *serial;
-    x.cert_info.issuer = name;
+    x.cert_info.issuer = (X509_NAME *)name; /* won't modify it */
    for (i = 0; i < sk_X509_num(sk); i++) {
        x509 = sk_X509_value(sk, i);
@ -255,7 +255,7 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
    return NULL;
 }
-X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name)
+X509 *X509_find_by_subject(STACK_OF(X509) *sk, const X509_NAME *name)
 {
    X509 *x509;
    int i;
--- a/crypto/x509/x509_local.h
+++ b/crypto/x509/x509_local.h
@ -64,7 +64,7 @@ struct x509_crl_method_st {
    int (*crl_init) (X509_CRL *crl);
    int (*crl_free) (X509_CRL *crl);
    int (*crl_lookup) (X509_CRL *crl, X509_REVOKED **ret,
-                       ASN1_INTEGER *ser, X509_NAME *issuer);
+                       const ASN1_INTEGER *ser, const X509_NAME *issuer);
    int (*crl_verify) (X509_CRL *crl, EVP_PKEY *pk);
 };
@ -77,9 +77,10 @@ struct x509_lookup_method_st {
    int (*ctrl) (X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
                 char **ret);
    int (*get_by_subject) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                           X509_NAME *name, X509_OBJECT *ret);
+                           const X509_NAME *name, X509_OBJECT *ret);
    int (*get_by_issuer_serial) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                                 X509_NAME *name, ASN1_INTEGER *serial,
+                                 const X509_NAME *name,
                                 const ASN1_INTEGER *serial,
                                 X509_OBJECT *ret);
    int (*get_by_fingerprint) (X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
                               const unsigned char *bytes, int len,
@ -128,8 +129,11 @@ struct x509_store_st {
    int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
    /* Check policy status of the chain */
    int (*check_policy) (X509_STORE_CTX *ctx);
-    STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, X509_NAME *nm);
+    STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx,
-    STACK_OF(X509_CRL) *(*lookup_crls) (X509_STORE_CTX *ctx, X509_NAME *nm);
+                                     const X509_NAME *nm);
    /* cannot constify 'ctx' param due to lookup_certs_sk() in x509_vfy.c */
    STACK_OF(X509_CRL) *(*lookup_crls) (const X509_STORE_CTX *ctx,
                                        const X509_NAME *nm);
    int (*cleanup) (X509_STORE_CTX *ctx);
    CRYPTO_EX_DATA ex_data;
    CRYPTO_REF_COUNT references;
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@ -83,7 +83,7 @@ int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
 }
 int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                           X509_NAME *name, X509_OBJECT *ret)
+                           const X509_NAME *name, X509_OBJECT *ret)
 {
    if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL))
        return 0;
@ -93,7 +93,8 @@ int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
 }
 int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                                 X509_NAME *name, ASN1_INTEGER *serial,
+                                 const X509_NAME *name,
                                 const ASN1_INTEGER *serial,
                                 X509_OBJECT *ret)
 {
    if ((ctx->method == NULL) || (ctx->method->get_by_issuer_serial == NULL))
@ -273,7 +274,7 @@ X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m)
 X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs,
                                               X509_LOOKUP_TYPE type,
-                                               X509_NAME *name)
+                                               const X509_NAME *name)
 {
    X509_OBJECT *ret = X509_OBJECT_new();
@ -286,8 +287,9 @@ X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs,
    return ret;
 }
-int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
+int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *vs,
-                                  X509_NAME *name, X509_OBJECT *ret)
+                                  X509_LOOKUP_TYPE type,
                                  const X509_NAME *name, X509_OBJECT *ret)
 {
    X509_STORE *store = vs->store;
    X509_LOOKUP *lu;
@ -403,7 +405,7 @@ X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a)
    return a->data.x509;
 }
-X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a)
+X509_CRL *X509_OBJECT_get0_X509_CRL(const X509_OBJECT *a)
 {
    if (a == NULL || a->type != X509_LU_CRL)
        return NULL;
@ -472,7 +474,7 @@ void X509_OBJECT_free(X509_OBJECT *a)
 }
 static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
-                               X509_NAME *name, int *pnmatch)
+                               const X509_NAME *name, int *pnmatch)
 {
    X509_OBJECT stmp;
    X509 x509_s;
@ -483,11 +485,11 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
    switch (type) {
    case X509_LU_X509:
        stmp.data.x509 = &x509_s;
-        x509_s.cert_info.subject = name;
+        x509_s.cert_info.subject = (X509_NAME *)name; /* won't modify it */
        break;
    case X509_LU_CRL:
        stmp.data.crl = &crl_s;
-        crl_s.crl.issuer = name;
+        crl_s.crl.issuer = (X509_NAME *)name; /* won't modify it */
        break;
    case X509_LU_NONE:
        /* abort(); */
@ -511,14 +513,14 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
 }
 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
-                               X509_NAME *name)
+                               const X509_NAME *name)
 {
    return x509_object_idx_cnt(h, type, name, NULL);
 }
 X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
                                             X509_LOOKUP_TYPE type,
-                                             X509_NAME *name)
+                                             const X509_NAME *name)
 {
    int idx;
    idx = X509_OBJECT_idx_by_subject(h, type, name);
@ -527,11 +529,12 @@ X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
    return sk_X509_OBJECT_value(h, idx);
 }
-STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v)
+STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *v)
 {
    return v->objs;
 }
 /* TODO param type could be constified as change to lock is intermittent */
 STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *store)
 {
    STACK_OF(X509) *sk;
@ -567,7 +570,8 @@ STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *store)
    return NULL;
 }
-STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
+STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx,
                                          const X509_NAME *nm)
 {
    int i, idx, cnt;
    STACK_OF(X509) *sk = NULL;
@ -624,7 +628,8 @@ STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
    return sk;
 }
-STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
+STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(const X509_STORE_CTX *ctx,
                                             const X509_NAME *nm)
 {
    int i, idx, cnt;
    STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null();
@ -711,7 +716,7 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,
 */
 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 {
-    X509_NAME *xn;
+    const X509_NAME *xn;
    X509_OBJECT *obj = X509_OBJECT_new(), *pobj = NULL;
    X509_STORE *store = ctx->store;
    int i, ok, idx, ret;
@ -800,12 +805,12 @@ int X509_STORE_set_trust(X509_STORE *ctx, int trust)
    return X509_VERIFY_PARAM_set_trust(ctx->param, trust);
 }
-int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param)
+int X509_STORE_set1_param(X509_STORE *ctx, const X509_VERIFY_PARAM *param)
 {
    return X509_VERIFY_PARAM_set1(ctx->param, param);
 }
-X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx)
+X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *ctx)
 {
    return ctx->param;
 }
@ -815,7 +820,7 @@ void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify)
    ctx->verify = verify;
 }
-X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx)
+X509_STORE_CTX_verify_fn X509_STORE_get_verify(const X509_STORE *ctx)
 {
    return ctx->verify;
 }
@ -826,7 +831,7 @@ void X509_STORE_set_verify_cb(X509_STORE *ctx,
    ctx->verify_cb = verify_cb;
 }
-X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *ctx)
+X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE *ctx)
 {
    return ctx->verify_cb;
 }
@ -837,7 +842,7 @@ void X509_STORE_set_get_issuer(X509_STORE *ctx,
    ctx->get_issuer = get_issuer;
 }
-X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *ctx)
+X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE *ctx)
 {
    return ctx->get_issuer;
 }
@ -848,7 +853,7 @@ void X509_STORE_set_check_issued(X509_STORE *ctx,
    ctx->check_issued = check_issued;
 }
-X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE *ctx)
+X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(const X509_STORE *ctx)
 {
    return ctx->check_issued;
 }
@ -859,7 +864,7 @@ void X509_STORE_set_check_revocation(X509_STORE *ctx,
    ctx->check_revocation = check_revocation;
 }
-X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(X509_STORE *ctx)
+X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(const X509_STORE *ctx)
 {
    return ctx->check_revocation;
 }
@ -870,7 +875,7 @@ void X509_STORE_set_get_crl(X509_STORE *ctx,
    ctx->get_crl = get_crl;
 }
-X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE *ctx)
+X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE *ctx)
 {
    return ctx->get_crl;
 }
@ -881,7 +886,7 @@ void X509_STORE_set_check_crl(X509_STORE *ctx,
    ctx->check_crl = check_crl;
 }
-X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE *ctx)
+X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(const X509_STORE *ctx)
 {
    return ctx->check_crl;
 }
@ -892,7 +897,7 @@ void X509_STORE_set_cert_crl(X509_STORE *ctx,
    ctx->cert_crl = cert_crl;
 }
-X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE *ctx)
+X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE *ctx)
 {
    return ctx->cert_crl;
 }
@ -903,7 +908,7 @@ void X509_STORE_set_check_policy(X509_STORE *ctx,
    ctx->check_policy = check_policy;
 }
-X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(X509_STORE *ctx)
+X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(const X509_STORE *ctx)
 {
    return ctx->check_policy;
 }
@ -914,7 +919,7 @@ void X509_STORE_set_lookup_certs(X509_STORE *ctx,
    ctx->lookup_certs = lookup_certs;
 }
-X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE *ctx)
+X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(const X509_STORE *ctx)
 {
    return ctx->lookup_certs;
 }
@ -925,7 +930,7 @@ void X509_STORE_set_lookup_crls(X509_STORE *ctx,
    ctx->lookup_crls = lookup_crls;
 }
-X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE *ctx)
+X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(const X509_STORE *ctx)
 {
    return ctx->lookup_crls;
 }
@ -936,7 +941,7 @@ void X509_STORE_set_cleanup(X509_STORE *ctx,
    ctx->cleanup = ctx_cleanup;
 }
-X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE *ctx)
+X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE *ctx)
 {
    return ctx->cleanup;
 }
@ -946,12 +951,12 @@ int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data)
    return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
 }
-void *X509_STORE_get_ex_data(X509_STORE *ctx, int idx)
+void *X509_STORE_get_ex_data(const X509_STORE *ctx, int idx)
 {
    return CRYPTO_get_ex_data(&ctx->ex_data, idx);
 }
-X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx)
+X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx)
 {
    return ctx->store;
 }
--- a/crypto/x509/x509_r2x.c
+++ b/crypto/x509/x509_r2x.c
@ -21,7 +21,7 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
 {
    X509 *ret = NULL;
    X509_CINF *xi = NULL;
-    X509_NAME *xn;
+    const X509_NAME *xn;
    EVP_PKEY *pubkey = NULL;
    if ((ret = X509_new()) == NULL) {
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@ -47,14 +47,14 @@ int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
    return 1;
 }
-int X509_set_issuer_name(X509 *x, X509_NAME *name)
+int X509_set_issuer_name(X509 *x, const X509_NAME *name)
 {
    if (x == NULL)
        return 0;
    return X509_NAME_set(&x->cert_info.issuer, name);
 }
-int X509_set_subject_name(X509 *x, X509_NAME *name)
+int X509_set_subject_name(X509 *x, const X509_NAME *name)
 {
    if (x == NULL)
        return 0;
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@ -357,7 +357,8 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
        return 0;
 }
-static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, X509_NAME *nm)
+static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx,
                                       const X509_NAME *nm)
 {
    STACK_OF(X509) *sk = NULL;
    X509 *x;
@ -1208,7 +1209,7 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
                           X509 **pissuer, int *pcrl_score)
 {
    X509 *crl_issuer = NULL;
-    X509_NAME *cnm = X509_CRL_get_issuer(crl);
+    const X509_NAME *cnm = X509_CRL_get_issuer(crl);
    int cidx = ctx->error_depth;
    int i;
@ -1384,7 +1385,7 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
 static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
 {
    int i;
-    X509_NAME *nm = X509_CRL_get_issuer(crl);
+    const X509_NAME *nm = X509_CRL_get_issuer(crl);
    /* If no CRLissuer return is successful iff don't need a match */
    if (!dp->CRLissuer)
        return ! !(crl_score & CRL_SCORE_ISSUER_NAME);
@ -1443,7 +1444,7 @@ static int get_crl_delta(X509_STORE_CTX *ctx,
    unsigned int reasons;
    X509_CRL *crl = NULL, *dcrl = NULL;
    STACK_OF(X509_CRL) *skcrl;
-    X509_NAME *nm = X509_get_issuer_name(x);
+    const X509_NAME *nm = X509_get_issuer_name(x);
    reasons = ctx->current_reasons;
    ok = get_crl_sk(ctx, &crl, &dcrl,
@ -2048,12 +2049,12 @@ int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
    return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
 }
-void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
+void *X509_STORE_CTX_get_ex_data(const X509_STORE_CTX *ctx, int idx)
 {
    return CRYPTO_get_ex_data(&ctx->ex_data, idx);
 }
-int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
+int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx)
 {
    return ctx->error;
 }
@ -2063,7 +2064,7 @@ void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
    ctx->error = err;
 }
-int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
+int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx)
 {
    return ctx->error_depth;
 }
@ -2073,7 +2074,7 @@ void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth)
    ctx->error_depth = depth;
 }
-X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
+X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx)
 {
    return ctx->current_cert;
 }
@ -2083,29 +2084,29 @@ void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x)
    ctx->current_cert = x;
 }
-STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
+STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx)
 {
    return ctx->chain;
 }
-STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
+STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx)
 {
    if (!ctx->chain)
        return NULL;
    return X509_chain_up_ref(ctx->chain);
 }
-X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
+X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx)
 {
    return ctx->current_issuer;
 }
-X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
+X509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx)
 {
    return ctx->current_crl;
 }
-X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
+X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx)
 {
    return ctx->parent;
 }
@ -2412,12 +2413,12 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
    X509_VERIFY_PARAM_set_time(ctx->param, t);
 }
-X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx)
 {
    return ctx->cert;
 }
-STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
+STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx)
 {
    return ctx->untrusted;
 }
@ -2439,7 +2440,7 @@ void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
    ctx->verify_cb = verify_cb;
 }
-X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx)
+X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(const X509_STORE_CTX *ctx)
 {
    return ctx->verify_cb;
 }
@ -2450,72 +2451,77 @@ void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx,
    ctx->verify = verify;
 }
-X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx)
+X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(const X509_STORE_CTX *ctx)
 {
    return ctx->verify;
 }
-X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx)
+X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(const X509_STORE_CTX *ctx)
 {
    return ctx->get_issuer;
 }
-X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx)
+X509_STORE_CTX_check_issued_fn
   X509_STORE_CTX_get_check_issued(const X509_STORE_CTX *ctx)
 {
    return ctx->check_issued;
 }
-X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx)
+X509_STORE_CTX_check_revocation_fn
    X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx)
 {
    return ctx->check_revocation;
 }
-X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx)
+X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(const X509_STORE_CTX *ctx)
 {
    return ctx->get_crl;
 }
-X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx)
+X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(const X509_STORE_CTX *ctx)
 {
    return ctx->check_crl;
 }
-X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx)
+X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(const X509_STORE_CTX *ctx)
 {
    return ctx->cert_crl;
 }
-X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx)
+X509_STORE_CTX_check_policy_fn
    X509_STORE_CTX_get_check_policy(const X509_STORE_CTX *ctx)
 {
    return ctx->check_policy;
 }
-X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx)
+X509_STORE_CTX_lookup_certs_fn
    X509_STORE_CTX_get_lookup_certs(const X509_STORE_CTX *ctx)
 {
    return ctx->lookup_certs;
 }
-X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx)
+X509_STORE_CTX_lookup_crls_fn
    X509_STORE_CTX_get_lookup_crls(const X509_STORE_CTX *ctx)
 {
    return ctx->lookup_crls;
 }
-X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx)
+X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(const X509_STORE_CTX *ctx)
 {
    return ctx->cleanup;
 }
-X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
+X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(const X509_STORE_CTX *ctx)
 {
    return ctx->tree;
 }
-int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
+int X509_STORE_CTX_get_explicit_policy(const X509_STORE_CTX *ctx)
 {
    return ctx->explicit_policy;
 }
-int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
+int X509_STORE_CTX_get_num_untrusted(const X509_STORE_CTX *ctx)
 {
    return ctx->num_untrusted;
 }
@ -2530,7 +2536,7 @@ int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
    return X509_VERIFY_PARAM_inherit(ctx->param, param);
 }
-X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
+X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(const X509_STORE_CTX *ctx)
 {
    return ctx->param;
 }
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@ -398,7 +398,7 @@ unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param)
    return param->hostflags;
 }
-char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
+char *X509_VERIFY_PARAM_get0_peername(const X509_VERIFY_PARAM *param)
 {
    return param->peername;
 }
--- a/crypto/x509/x509cset.c
+++ b/crypto/x509/x509cset.c
@ -27,7 +27,7 @@ int X509_CRL_set_version(X509_CRL *x, long version)
    return ASN1_INTEGER_set(x->crl.version, version);
 }
-int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
+int X509_CRL_set_issuer_name(X509_CRL *x, const X509_NAME *name)
 {
    if (x == NULL)
        return 0;
--- a/crypto/x509/x509name.c
+++ b/crypto/x509/x509name.c
@ -16,7 +16,8 @@
 #include <openssl/x509.h>
 #include "crypto/x509.h"
-int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len)
+int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid,
                              char *buf, int len)
 {
    ASN1_OBJECT *obj;
@ -26,7 +27,7 @@ int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len)
    return X509_NAME_get_text_by_OBJ(name, obj, buf, len);
 }
-int X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj,
+int X509_NAME_get_text_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj,
                              char *buf, int len)
 {
    int i;
@ -53,7 +54,7 @@ int X509_NAME_entry_count(const X509_NAME *name)
    return sk_X509_NAME_ENTRY_num(name->entries);
 }
-int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos)
+int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, int lastpos)
 {
    ASN1_OBJECT *obj;
@ -64,7 +65,8 @@ int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos)
 }
 /* NOTE: you should be passing -1, not 0 as lastpos */
-int X509_NAME_get_index_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int lastpos)
+int X509_NAME_get_index_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj,
                               int lastpos)
 {
    int n;
    X509_NAME_ENTRY *ne;
@ -216,11 +218,7 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc,
            set = sk_X509_NAME_ENTRY_value(sk, loc)->set;
    }
-    /*
+    if ((new_name = X509_NAME_ENTRY_dup(ne)) == NULL)
     * X509_NAME_ENTRY_dup is ASN1 generated code, that can't be easily
     * const'ified; harmless cast since dup() don't modify its input.
     */
    if ((new_name = X509_NAME_ENTRY_dup((X509_NAME_ENTRY *)ne)) == NULL)
        goto err;
    new_name->set = set;
    if (!sk_X509_NAME_ENTRY_insert(sk, new_name, loc)) {
--- a/crypto/x509/x509rset.c
+++ b/crypto/x509/x509rset.c
@ -23,7 +23,7 @@ int X509_REQ_set_version(X509_REQ *x, long version)
    return ASN1_INTEGER_set(x->req_info.version, version);
 }
-int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
+int X509_REQ_set_subject_name(X509_REQ *x, const X509_NAME *name)
 {
    if (x == NULL)
        return 0;
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@ -27,8 +27,8 @@ ASN1_SEQUENCE(X509_REVOKED) = {
 static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r);
 static int def_crl_lookup(X509_CRL *crl,
-                          X509_REVOKED **ret, ASN1_INTEGER *serial,
+                          X509_REVOKED **ret, const ASN1_INTEGER *serial,
-                          X509_NAME *issuer);
+                          const X509_NAME *issuer);
 static X509_CRL_METHOD int_crl_meth = {
    0,
@ -354,7 +354,7 @@ int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *r)
 }
 int X509_CRL_get0_by_serial(X509_CRL *crl,
-                            X509_REVOKED **ret, ASN1_INTEGER *serial)
+                            X509_REVOKED **ret, const ASN1_INTEGER *serial)
 {
    if (crl->meth->crl_lookup)
        return crl->meth->crl_lookup(crl, ret, serial, NULL);
@ -376,7 +376,7 @@ static int def_crl_verify(X509_CRL *crl, EVP_PKEY *r)
                             &crl->sig_alg, &crl->signature, &crl->crl, r));
 }
-static int crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm,
+static int crl_revoked_issuer_match(X509_CRL *crl, const X509_NAME *nm,
                                    X509_REVOKED *rev)
 {
    int i;
@ -404,8 +404,8 @@ static int crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm,
 }
 static int def_crl_lookup(X509_CRL *crl,
-                          X509_REVOKED **ret, ASN1_INTEGER *serial,
+                          X509_REVOKED **ret, const ASN1_INTEGER *serial,
-                          X509_NAME *issuer)
+                          const X509_NAME *issuer)
 {
    X509_REVOKED rtmp, *rev;
    int idx, num;
@ -454,8 +454,8 @@ X509_CRL_METHOD *X509_CRL_METHOD_new(int (*crl_init) (X509_CRL *crl),
                                     int (*crl_free) (X509_CRL *crl),
                                     int (*crl_lookup) (X509_CRL *crl,
                                                        X509_REVOKED **ret,
-                                                        ASN1_INTEGER *ser,
+                                                        const ASN1_INTEGER *ser,
-                                                        X509_NAME *issuer),
+                                                        const X509_NAME *issuer),
                                     int (*crl_verify) (X509_CRL *crl,
                                                        EVP_PKEY *pk))
 {
--- a/crypto/x509/x_name.c
+++ b/crypto/x509/x_name.c
@ -542,7 +542,7 @@ int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase)
    return 0;
 }
-int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
+int X509_NAME_get0_der(const X509_NAME *nm, const unsigned char **pder,
                       size_t *pderlen)
 {
    /* Make sure encoding is valid */
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@ -117,7 +117,7 @@ int X509_set_ex_data(X509 *r, int idx, void *arg)
    return CRYPTO_set_ex_data(&r->ex_data, idx, arg);
 }
-void *X509_get_ex_data(X509 *r, int idx)
+void *X509_get_ex_data(const X509 *r, int idx)
 {
    return CRYPTO_get_ex_data(&r->ex_data, idx);
 }
--- a/doc/man3/BIO_get_ex_new_index.pod
+++ b/doc/man3/BIO_get_ex_new_index.pod
@ -39,7 +39,7 @@ X509_get_ex_new_index, X509_set_ex_data, X509_get_ex_data
 int TYPE_set_ex_data(TYPE *d, int idx, void *arg);
- void *TYPE_get_ex_data(TYPE *d, int idx);
+ void *TYPE_get_ex_data(const TYPE *d, int idx);
 #define TYPE_set_app_data(TYPE *d, void *arg)
 #define TYPE_get_app_data(TYPE *d)
--- a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
+++ b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
@ -18,10 +18,11 @@ OSSL_CRMF_MSG_get_certReqId
 OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm);
 ASN1_INTEGER
     *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(OSSL_CRMF_CERTTEMPLATE *tmpl);
- X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl);
+ const X509_NAME
     *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl);
 ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
- X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
+ const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
 X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
                                             EVP_PKEY *pkey);
--- a/doc/man3/X509_CRL_get0_by_serial.pod
+++ b/doc/man3/X509_CRL_get0_by_serial.pod
@ -13,7 +13,7 @@ functions
 #include <openssl/x509.h>
 int X509_CRL_get0_by_serial(X509_CRL *crl,
-                             X509_REVOKED **ret, ASN1_INTEGER *serial);
+                             X509_REVOKED **ret, const ASN1_INTEGER *serial);
 int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
 STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
--- a/doc/man3/X509_LOOKUP.pod
+++ b/doc/man3/X509_LOOKUP.pod
@ -40,10 +40,10 @@ X509_LOOKUP_by_alias
 X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx);
 int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                            X509_NAME *name, X509_OBJECT *ret);
+                            const X509_NAME *name, X509_OBJECT *ret);
 int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                                  X509_NAME *name, ASN1_INTEGER *serial,
+                                  const X509_NAME *name,
-                                  X509_OBJECT *ret);
+                                  const ASN1_INTEGER *serial, X509_OBJECT *ret);
 int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
                                const unsigned char *bytes, int len,
                                X509_OBJECT *ret);
--- a/doc/man3/X509_LOOKUP_meth_new.pod
+++ b/doc/man3/X509_LOOKUP_meth_new.pod
@ -57,7 +57,7 @@ X509_OBJECT_set1_X509, X509_OBJECT_set1_X509_CRL
 typedef int (*X509_LOOKUP_get_by_subject_fn)(X509_LOOKUP *ctx,
                                              X509_LOOKUP_TYPE type,
-                                              X509_NAME *name,
+                                              const X509_NAME *name,
                                              X509_OBJECT *ret);
 int X509_LOOKUP_meth_set_get_by_subject(X509_LOOKUP_METHOD *method,
     X509_LOOKUP_get_by_subject_fn fn);
@ -66,8 +66,8 @@ X509_OBJECT_set1_X509, X509_OBJECT_set1_X509_CRL
 typedef int (*X509_LOOKUP_get_by_issuer_serial_fn)(X509_LOOKUP *ctx,
                                                    X509_LOOKUP_TYPE type,
-                                                    X509_NAME *name,
+                                                    const X509_NAME *name,
-                                                    ASN1_INTEGER *serial,
+                                                    const ASN1_INTEGER *serial,
                                                    X509_OBJECT *ret);
 int X509_LOOKUP_meth_set_get_by_issuer_serial(
     X509_LOOKUP_METHOD *method, X509_LOOKUP_get_by_issuer_serial_fn fn);
--- a/doc/man3/X509_NAME_get0_der.pod
+++ b/doc/man3/X509_NAME_get0_der.pod
@ -8,7 +8,7 @@ X509_NAME_get0_der - get X509_NAME DER encoding
 #include <openssl/x509.h>
- int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
+ int X509_NAME_get0_der(const X509_NAME *nm, const unsigned char **pder,
                        size_t *pderlen)
--- a/doc/man3/X509_NAME_get_index_by_NID.pod
+++ b/doc/man3/X509_NAME_get_index_by_NID.pod
@ -10,14 +10,17 @@ X509_NAME lookup and enumeration functions
 #include <openssl/x509.h>
- int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos);
+ int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, int lastpos);
- int X509_NAME_get_index_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int lastpos);
+ int X509_NAME_get_index_by_OBJ(const X509_NAME *name,
                                const ASN1_OBJECT *obj, int lastpos);
 int X509_NAME_entry_count(const X509_NAME *name);
 X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, int loc);
- int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len);
+ int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid,
- int X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf, int len);
+                               char *buf, int len);
 int X509_NAME_get_text_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj,
                               char *buf, int len);
 =head1 DESCRIPTION
--- a/doc/man3/X509_STORE_CTX_get_error.pod
+++ b/doc/man3/X509_STORE_CTX_get_error.pod
@ -13,15 +13,15 @@ information
 #include <openssl/x509.h>
- int   X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
+ int   X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx);
 void  X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
- int   X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
+ int   X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx);
 void  X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
- X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
+ X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx);
 void  X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
- X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx);
+ X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);
- STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
+ STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx);
 const char *X509_verify_cert_error_string(long n);
--- a/doc/man3/X509_STORE_CTX_new.pod
+++ b/doc/man3/X509_STORE_CTX_new.pod
@ -28,18 +28,18 @@ X509_STORE_CTX_verify_fn
 void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
 void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x);
- STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx);
+ STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *chain);
 void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);
- X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
+ X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
- STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx);
+ STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
- int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);
+ int X509_STORE_CTX_get_num_untrusted(const X509_STORE_CTX *ctx);
 typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
 void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify);
--- a/doc/man3/X509_STORE_get0_param.pod
+++ b/doc/man3/X509_STORE_get0_param.pod
@ -10,9 +10,9 @@ X509_STORE_get0_objects, X509_STORE_get1_all_certs
 #include <openssl/x509_vfy.h>
- X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx);
+ X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *ctx);
- int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *pm);
+ int X509_STORE_set1_param(X509_STORE *ctx, const X509_VERIFY_PARAM *pm);
- STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *ctx);
+ STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *ctx);
 STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *st);
 =head1 DESCRIPTION
--- a/doc/man3/X509_STORE_set_verify_cb_func.pod
+++ b/doc/man3/X509_STORE_set_verify_cb_func.pod
@ -51,57 +51,65 @@ X509_STORE_CTX_lookup_certs_fn, X509_STORE_CTX_lookup_crls_fn
                                           X509_CRL *crl, X509 *x);
 typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx);
 typedef STACK_OF(X509) *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx,
-                                                           X509_NAME *nm);
+                                                           const X509_NAME *nm);
- typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)(X509_STORE_CTX *ctx,
+ typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)(const
-                                                              X509_NAME *nm);
+                                                              X509_STORE_CTX *ctx,
                                                              const X509_NAME *nm);
 typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx);
 void X509_STORE_set_verify_cb(X509_STORE *ctx,
                               X509_STORE_CTX_verify_cb verify_cb);
- X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE_CTX *ctx);
+ X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE_CTX *ctx);
 void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify);
- X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx);
+ X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(const X509_STORE_CTX *ctx);
 void X509_STORE_set_get_issuer(X509_STORE *ctx,
                                X509_STORE_CTX_get_issuer_fn get_issuer);
- X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE_CTX *ctx);
+ X509_STORE_CTX_get_issuer_fn
     X509_STORE_get_get_issuer(const X509_STORE_CTX *ctx);
 void X509_STORE_set_check_issued(X509_STORE *ctx,
                                  X509_STORE_CTX_check_issued_fn check_issued);
- X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE_CTX *ctx);
+ X509_STORE_CTX_check_issued_fn
     X509_STORE_get_check_issued(const X509_STORE_CTX *ctx);
 void X509_STORE_set_check_revocation(X509_STORE *ctx,
                                      X509_STORE_CTX_check_revocation_fn check_revocation);
- X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(X509_STORE_CTX *ctx);
+ X509_STORE_CTX_check_revocation_fn
     X509_STORE_get_check_revocation(const X509_STORE_CTX *ctx);
 void X509_STORE_set_get_crl(X509_STORE *ctx,
                             X509_STORE_CTX_get_crl_fn get_crl);
- X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE_CTX *ctx);
+ X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE_CTX *ctx);
 void X509_STORE_set_check_crl(X509_STORE *ctx,
                               X509_STORE_CTX_check_crl_fn check_crl);
- X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE_CTX *ctx);
+ X509_STORE_CTX_check_crl_fn
     X509_STORE_get_check_crl(const X509_STORE_CTX *ctx);
 void X509_STORE_set_cert_crl(X509_STORE *ctx,
                              X509_STORE_CTX_cert_crl_fn cert_crl);
- X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE_CTX *ctx);
+ X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE_CTX *ctx);
 void X509_STORE_set_check_policy(X509_STORE *ctx,
                                  X509_STORE_CTX_check_policy_fn check_policy);
- X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(X509_STORE_CTX *ctx);
+ X509_STORE_CTX_check_policy_fn
     X509_STORE_get_check_policy(const X509_STORE_CTX *ctx);
 void X509_STORE_set_lookup_certs(X509_STORE *ctx,
                                  X509_STORE_CTX_lookup_certs_fn lookup_certs);
- X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE_CTX *ctx);
+ X509_STORE_CTX_lookup_certs_fn
     X509_STORE_get_lookup_certs(const X509_STORE_CTX *ctx);
 void X509_STORE_set_lookup_crls(X509_STORE *ctx,
                                 X509_STORE_CTX_lookup_crls_fn lookup_crls);
- X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE_CTX *ctx);
+ X509_STORE_CTX_lookup_crls_fn
     X509_STORE_get_lookup_crls(const X509_STORE_CTX *ctx);
 void X509_STORE_set_cleanup(X509_STORE *ctx,
                             X509_STORE_CTX_cleanup_fn cleanup);
- X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE_CTX *ctx);
+ X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE_CTX *ctx);
 /* Aliases */
 void X509_STORE_set_verify_cb_func(X509_STORE *st,
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@ -57,7 +57,7 @@ X509_VERIFY_PARAM_set1_ip_asc
 void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
                                      unsigned int flags);
 unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param);
- char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param);
+ char *X509_VERIFY_PARAM_get0_peername(const X509_VERIFY_PARAM *param);
 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
                                  const char *email, size_t emaillen);
 int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
--- a/doc/man3/X509_get_subject_name.pod
+++ b/doc/man3/X509_get_subject_name.pod
@ -12,16 +12,16 @@ subject names
 #include <openssl/x509.h>
 X509_NAME *X509_get_subject_name(const X509 *x);
- int X509_set_subject_name(X509 *x, X509_NAME *name);
+ int X509_set_subject_name(X509 *x, const X509_NAME *name);
 X509_NAME *X509_get_issuer_name(const X509 *x);
- int X509_set_issuer_name(X509 *x, X509_NAME *name);
+ int X509_set_issuer_name(X509 *x, const X509_NAME *name);
 X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
- int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
+ int X509_REQ_set_subject_name(X509_REQ *req, const X509_NAME *name);
 X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
- int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
+ int X509_CRL_set_issuer_name(X509_CRL *x, const X509_NAME *name);
 =head1 DESCRIPTION
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@ -227,8 +227,11 @@ struct x509_store_ctx_st {      /* X509_STORE_CTX */
    int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
    /* Check policy status of the chain */
    int (*check_policy) (X509_STORE_CTX *ctx);
-    STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, X509_NAME *nm);
+    STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx,
-    STACK_OF(X509_CRL) *(*lookup_crls) (X509_STORE_CTX *ctx, X509_NAME *nm);
+                                     const X509_NAME *nm);
    /* cannot constify 'ctx' param due to lookup_certs_sk() in x509_vfy.c */
    STACK_OF(X509_CRL) *(*lookup_crls) (const X509_STORE_CTX *ctx,
                                        const X509_NAME *nm);
    int (*cleanup) (X509_STORE_CTX *ctx);
    /* The following is built up */
    /* if 0, rebuild chain */
--- a/include/openssl/bio.h
+++ b/include/openssl/bio.h
@ -566,7 +566,7 @@ int BIO_ctrl_reset_read_request(BIO *b);
 #define BIO_get_ex_new_index(l, p, newf, dupf, freef) \
    CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_BIO, l, p, newf, dupf, freef)
 int BIO_set_ex_data(BIO *bio, int idx, void *data);
-void *BIO_get_ex_data(BIO *bio, int idx);
+void *BIO_get_ex_data(const BIO *bio, int idx);
 uint64_t BIO_number_read(BIO *bio);
 uint64_t BIO_number_written(BIO *bio);
--- a/include/openssl/crmf.h
+++ b/include/openssl/crmf.h
@ -122,9 +122,10 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
 OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm);
 ASN1_INTEGER
 *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(const OSSL_CRMF_CERTTEMPLATE *tmpl);
-X509_NAME
+const X509_NAME
 *OSSL_CRMF_CERTTEMPLATE_get0_issuer(const OSSL_CRMF_CERTTEMPLATE *tmpl);
-X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
+const X509_NAME
 *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
 ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
 int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
                                EVP_PKEY *pubkey,
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@ -155,7 +155,7 @@ DEPRECATEDIN_3_0(int DH_security_bits(const DH *dh))
        CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DH, l, p, newf, dupf, freef)
 #  endif
 DEPRECATEDIN_3_0(int DH_set_ex_data(DH *d, int idx, void *arg))
-DEPRECATEDIN_3_0(void *DH_get_ex_data(DH *d, int idx))
+DEPRECATEDIN_3_0(void *DH_get_ex_data(const DH *d, int idx))
 /* Deprecated version */
 DEPRECATEDIN_0_9_8(DH *DH_generate_parameters(int prime_len, int generator,
--- a/include/openssl/dsa.h
+++ b/include/openssl/dsa.h
@ -130,7 +130,7 @@ DEPRECATEDIN_3_0(int DSA_verify(int type, const unsigned char *dgst,
        CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DSA, l, p, newf, dupf, freef)
 #  endif
 DEPRECATEDIN_3_0(int DSA_set_ex_data(DSA *d, int idx, void *arg))
-DEPRECATEDIN_3_0(void *DSA_get_ex_data(DSA *d, int idx))
+DEPRECATEDIN_3_0(void *DSA_get_ex_data(const DSA *d, int idx))
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA, DSAPublicKey)
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA, DSAPrivateKey)
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@ -177,8 +177,8 @@ typedef struct ocsp_service_locator_st OCSP_SERVICELOC;
        ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
 #  define OCSP_CERTSTATUS_dup(cs)\
-                (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
+                (OCSP_CERTSTATUS*)ASN1_dup((i2d_of_void *)i2d_OCSP_CERTSTATUS,\
-                (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
+                (d2i_of_void *)d2i_OCSP_CERTSTATUS,(char *)(cs))
 DECLARE_ASN1_DUP_FUNCTION(OCSP_CERTID)
@ -205,7 +205,7 @@ int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
 int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
 int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
-int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
+int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm);
 int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
 int OCSP_request_sign(OCSP_REQUEST *req,
@ -286,7 +286,7 @@ X509_EXTENSION *OCSP_accept_responses_new(char **oids);
 X509_EXTENSION *OCSP_archive_cutoff_new(char *tim);
-X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, const char **urls);
+X509_EXTENSION *OCSP_url_svcloc_new(const X509_NAME *issuer, const char **urls);
 int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
 int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
--- a/include/openssl/ui.h
+++ b/include/openssl/ui.h
@ -214,7 +214,7 @@ int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f) (void));
 # define UI_get_ex_new_index(l, p, newf, dupf, freef) \
    CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_UI, l, p, newf, dupf, freef)
 int UI_set_ex_data(UI *r, int idx, void *arg);
-void *UI_get_ex_data(UI *r, int idx);
+void *UI_get_ex_data(const UI *r, int idx);
 /* Use specific methods instead of the built-in one */
 void UI_set_default_method(const UI_METHOD *meth);
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@ -342,7 +342,9 @@ X509_CRL_METHOD *X509_CRL_METHOD_new(int (*crl_init) (X509_CRL *crl),
                                     int (*crl_free) (X509_CRL *crl),
                                     int (*crl_lookup) (X509_CRL *crl,
                                                        X509_REVOKED **ret,
-                                                        ASN1_INTEGER *ser,
+                                                        const
                                                        ASN1_INTEGER *serial,
                                                        const
                                                        X509_NAME *issuer),
                                     int (*crl_verify) (X509_CRL *crl,
                                                        EVP_PKEY *pk));
@ -564,7 +566,7 @@ DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX)
 #define X509_get_ex_new_index(l, p, newf, dupf, freef) \
    CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509, l, p, newf, dupf, freef)
 int X509_set_ex_data(X509 *r, int idx, void *arg);
-void *X509_get_ex_data(X509 *r, int idx);
+void *X509_get_ex_data(const X509 *r, int idx);
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(X509,X509_AUX)
 int i2d_re_X509_tbs(X509 *x, unsigned char **pp);
@ -608,7 +610,7 @@ DECLARE_ASN1_FUNCTIONS(X509_CRL)
 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
 int X509_CRL_get0_by_serial(X509_CRL *crl,
-                            X509_REVOKED **ret, ASN1_INTEGER *serial);
+                            X509_REVOKED **ret, const ASN1_INTEGER *serial);
 int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
 X509_PKEY *X509_PKEY_new(void);
@ -655,10 +657,10 @@ int X509_set_version(X509 *x, long version);
 int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
 ASN1_INTEGER *X509_get_serialNumber(X509 *x);
 const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x);
-int X509_set_issuer_name(X509 *x, X509_NAME *name);
+int X509_set_issuer_name(X509 *x, const X509_NAME *name);
-X509_NAME *X509_get_issuer_name(const X509 *a);
+X509_NAME *X509_get_issuer_name(const X509 *a); /* TODO change to get0_ */
-int X509_set_subject_name(X509 *x, X509_NAME *name);
+int X509_set_subject_name(X509 *x, const X509_NAME *name);
-X509_NAME *X509_get_subject_name(const X509 *a);
+X509_NAME *X509_get_subject_name(const X509 *a); /* TODO change to get0_ */
 const ASN1_TIME * X509_get0_notBefore(const X509 *x);
 ASN1_TIME *X509_getm_notBefore(const X509 *x);
 int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
@ -694,8 +696,8 @@ int X509_certificate_type(const X509 *x, const EVP_PKEY *pubkey);
 long X509_REQ_get_version(const X509_REQ *req);
 int X509_REQ_set_version(X509_REQ *x, long version);
-X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
+X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req); /* TODO change to get0_ */
-int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
+int X509_REQ_set_subject_name(X509_REQ *req, const X509_NAME *name);
 void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
                             const X509_ALGOR **palg);
 int X509_REQ_get_signature_nid(const X509_REQ *req);
@ -729,7 +731,7 @@ int X509_REQ_add1_attr_by_txt(X509_REQ *req,
                              const unsigned char *bytes, int len);
 int X509_CRL_set_version(X509_CRL *x, long version);
-int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
+int X509_CRL_set_issuer_name(X509_CRL *x, const X509_NAME *name);
 int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
 int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
 int X509_CRL_sort(X509_CRL *crl);
@ -745,7 +747,7 @@ const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
 const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
 DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl))
 DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl))
-X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
+X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); /* TODO change to get0_ */
 const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
 STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
 void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
@ -788,8 +790,8 @@ unsigned long X509_subject_name_hash_old(X509 *x);
 int X509_cmp(const X509 *a, const X509 *b);
 int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
-unsigned long X509_NAME_hash(X509_NAME *x);
+unsigned long X509_NAME_hash(const X509_NAME *x);
-unsigned long X509_NAME_hash_old(X509_NAME *x);
+unsigned long X509_NAME_hash_old(const X509_NAME *x);
 int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
 int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
@ -818,16 +820,17 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag,
 int X509_REQ_print(BIO *bp, X509_REQ *req);
 int X509_NAME_entry_count(const X509_NAME *name);
-int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len);
+int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid,
-int X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj,
+                              char *buf, int len);
 int X509_NAME_get_text_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj,
                              char *buf, int len);
 /*
 * NOTE: you should be passing -1, not 0 as lastpos. The functions that use
 * lastpos, search after that position on.
 */
-int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos);
+int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, int lastpos);
-int X509_NAME_get_index_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj,
+int X509_NAME_get_index_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj,
                               int lastpos);
 X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, int loc);
 X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
@ -861,7 +864,7 @@ ASN1_OBJECT *X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne);
 ASN1_STRING * X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne);
 int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne);
-int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
+int X509_NAME_get0_der(const X509_NAME *nm, const unsigned char **pder,
                       size_t *pderlen);
 int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
@ -991,9 +994,9 @@ int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
 int X509_verify_cert(X509_STORE_CTX *ctx);
 /* lookup a cert from a X509 STACK */
-X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
+X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, const X509_NAME *name,
-                                     ASN1_INTEGER *serial);
+                                     const ASN1_INTEGER *serial);
-X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name);
+X509 *X509_find_by_subject(STACK_OF(X509) *sk, const X509_NAME *name);
 DECLARE_ASN1_FUNCTIONS(PBEPARAM)
 DECLARE_ASN1_FUNCTIONS(PBE2PARAM)
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@ -80,10 +80,12 @@ typedef int (*X509_STORE_CTX_check_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl);
 typedef int (*X509_STORE_CTX_cert_crl_fn)(X509_STORE_CTX *ctx,
                                          X509_CRL *crl, X509 *x);
 typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx);
-typedef STACK_OF(X509) *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx,
+typedef STACK_OF(X509)
-                                                          X509_NAME *nm);
+    *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx,
-typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)(X509_STORE_CTX *ctx,
+                                       const X509_NAME *nm);
-                                                             X509_NAME *nm);
+typedef STACK_OF(X509_CRL)
    *(*X509_STORE_CTX_lookup_crls_fn)(const X509_STORE_CTX *ctx,
                                      const X509_NAME *nm);
 typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx);
@ -269,10 +271,10 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
                                | X509_V_FLAG_INHIBIT_MAP)
 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
-                               X509_NAME *name);
+                               const X509_NAME *name);
 X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
                                             X509_LOOKUP_TYPE type,
-                                             X509_NAME *name);
+                                             const X509_NAME *name);
 X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,
                                        X509_OBJECT *x);
 int X509_OBJECT_up_ref_count(X509_OBJECT *a);
@ -281,72 +283,74 @@ void X509_OBJECT_free(X509_OBJECT *a);
 X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a);
 X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a);
 int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj);
-X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a);
+X509_CRL *X509_OBJECT_get0_X509_CRL(const X509_OBJECT *a);
 int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj);
 X509_STORE *X509_STORE_new(void);
 void X509_STORE_free(X509_STORE *v);
 int X509_STORE_lock(X509_STORE *ctx);
 int X509_STORE_unlock(X509_STORE *ctx);
 int X509_STORE_up_ref(X509_STORE *v);
-
+STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *v);
 STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v);
 STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *st);
-STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *st, X509_NAME *nm);
+STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *st,
-STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *st, X509_NAME *nm);
+                                          const X509_NAME *nm);
 STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(const X509_STORE_CTX *st,
                                             const X509_NAME *nm);
 int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
 int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
 int X509_STORE_set_trust(X509_STORE *ctx, int trust);
-int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *pm);
+int X509_STORE_set1_param(X509_STORE *ctx, const X509_VERIFY_PARAM *pm);
-X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx);
+X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *ctx);
 void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify);
 #define X509_STORE_set_verify_func(ctx, func) \
            X509_STORE_set_verify((ctx),(func))
 void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx,
                               X509_STORE_CTX_verify_fn verify);
-X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx);
+X509_STORE_CTX_verify_fn X509_STORE_get_verify(const X509_STORE *ctx);
 void X509_STORE_set_verify_cb(X509_STORE *ctx,
                              X509_STORE_CTX_verify_cb verify_cb);
 # define X509_STORE_set_verify_cb_func(ctx,func) \
            X509_STORE_set_verify_cb((ctx),(func))
-X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *ctx);
+X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE *ctx);
 void X509_STORE_set_get_issuer(X509_STORE *ctx,
                               X509_STORE_CTX_get_issuer_fn get_issuer);
-X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *ctx);
+X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE *ctx);
 void X509_STORE_set_check_issued(X509_STORE *ctx,
                                 X509_STORE_CTX_check_issued_fn check_issued);
-X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE *ctx);
+X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(const X509_STORE *ctx);
 void X509_STORE_set_check_revocation(X509_STORE *ctx,
                                     X509_STORE_CTX_check_revocation_fn check_revocation);
-X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(X509_STORE *ctx);
+X509_STORE_CTX_check_revocation_fn
    X509_STORE_get_check_revocation(const X509_STORE *ctx);
 void X509_STORE_set_get_crl(X509_STORE *ctx,
                            X509_STORE_CTX_get_crl_fn get_crl);
-X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE *ctx);
+X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE *ctx);
 void X509_STORE_set_check_crl(X509_STORE *ctx,
                              X509_STORE_CTX_check_crl_fn check_crl);
-X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE *ctx);
+X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(const X509_STORE *ctx);
 void X509_STORE_set_cert_crl(X509_STORE *ctx,
                             X509_STORE_CTX_cert_crl_fn cert_crl);
-X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE *ctx);
+X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE *ctx);
 void X509_STORE_set_check_policy(X509_STORE *ctx,
                                 X509_STORE_CTX_check_policy_fn check_policy);
-X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(X509_STORE *ctx);
+X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(const X509_STORE *ctx);
 void X509_STORE_set_lookup_certs(X509_STORE *ctx,
                                 X509_STORE_CTX_lookup_certs_fn lookup_certs);
-X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE *ctx);
+X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(const X509_STORE *ctx);
 void X509_STORE_set_lookup_crls(X509_STORE *ctx,
                                X509_STORE_CTX_lookup_crls_fn lookup_crls);
 #define X509_STORE_set_lookup_crls_cb(ctx, func) \
    X509_STORE_set_lookup_crls((ctx), (func))
-X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE *ctx);
+X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(const X509_STORE *ctx);
 void X509_STORE_set_cleanup(X509_STORE *ctx,
                            X509_STORE_CTX_cleanup_fn cleanup);
-X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE *ctx);
+X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE *ctx);
 #define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \
    CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, l, p, newf, dupf, freef)
 int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data);
-void *X509_STORE_get_ex_data(X509_STORE *ctx, int idx);
+void *X509_STORE_get_ex_data(const X509_STORE *ctx, int idx);
 X509_STORE_CTX *X509_STORE_CTX_new(void);
@ -358,24 +362,24 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
 void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
-X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx);
+X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx);
-X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx);
+X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);
-STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx);
+STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
                                  X509_STORE_CTX_verify_cb verify);
-X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx);
+X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx);
+X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx);
+X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);
+X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx);
+X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx);
+X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx);
+X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx);
+X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx);
+X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx);
+X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx);
+X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx);
+X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(const X509_STORE_CTX *ctx);
 #ifndef OPENSSL_NO_DEPRECATED_1_1_0
 # define X509_STORE_CTX_get_chain X509_STORE_CTX_get0_chain
@ -399,12 +403,12 @@ typedef int (*X509_LOOKUP_ctrl_fn)(X509_LOOKUP *ctx, int cmd, const char *argc,
                                   long argl, char **ret);
 typedef int (*X509_LOOKUP_get_by_subject_fn)(X509_LOOKUP *ctx,
                                             X509_LOOKUP_TYPE type,
-                                             X509_NAME *name,
+                                             const X509_NAME *name,
                                             X509_OBJECT *ret);
 typedef int (*X509_LOOKUP_get_by_issuer_serial_fn)(X509_LOOKUP *ctx,
                                                   X509_LOOKUP_TYPE type,
-                                                   X509_NAME *name,
+                                                   const X509_NAME *name,
-                                                   ASN1_INTEGER *serial,
+                                                   const ASN1_INTEGER *serial,
                                                   X509_OBJECT *ret);
 typedef int (*X509_LOOKUP_get_by_fingerprint_fn)(X509_LOOKUP *ctx,
                                                 X509_LOOKUP_TYPE type,
@ -468,11 +472,12 @@ X509_LOOKUP_get_by_alias_fn X509_LOOKUP_meth_get_get_by_alias(
 int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
 int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
-int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
+int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *vs,
-                                  X509_NAME *name, X509_OBJECT *ret);
+                                  X509_LOOKUP_TYPE type,
                                  const X509_NAME *name, X509_OBJECT *ret);
 X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs,
                                               X509_LOOKUP_TYPE type,
-                                               X509_NAME *name);
+                                               const X509_NAME *name);
 int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
                     long argl, char **ret);
@ -485,9 +490,10 @@ X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method);
 void X509_LOOKUP_free(X509_LOOKUP *ctx);
 int X509_LOOKUP_init(X509_LOOKUP *ctx);
 int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                           X509_NAME *name, X509_OBJECT *ret);
+                           const X509_NAME *name, X509_OBJECT *ret);
 int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                                 X509_NAME *name, ASN1_INTEGER *serial,
+                                 const X509_NAME *name,
                                 const ASN1_INTEGER *serial,
                                 X509_OBJECT *ret);
 int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
                               const unsigned char *bytes, int len,
@ -502,25 +508,26 @@ int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
 int X509_STORE_load_file(X509_STORE *ctx, const char *file);
 int X509_STORE_load_path(X509_STORE *ctx, const char *path);
 int X509_STORE_load_store(X509_STORE *ctx, const char *store);
-DEPRECATEDIN_3_0(int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
+DEPRECATEDIN_3_0(int X509_STORE_load_locations(X509_STORE *ctx,
                                               const char *file,
                                               const char *dir))
 int X509_STORE_set_default_paths(X509_STORE *ctx);
 #define X509_STORE_CTX_get_ex_new_index(l, p, newf, dupf, freef) \
    CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, l, p, newf, dupf, freef)
 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data);
-void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx);
+void *X509_STORE_CTX_get_ex_data(const X509_STORE_CTX *ctx, int idx);
-int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
+int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
-int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
+int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
-X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
+X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
-X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx);
+X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx);
-X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx);
+X509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx);
-X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx);
+X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx);
-STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx);
+STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx);
-STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
+STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set_cert(X509_STORE_CTX *c, X509 *x);
 void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *c, STACK_OF(X509) *sk);
 void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c, STACK_OF(X509_CRL) *sk);
@ -532,11 +539,11 @@ void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);
 void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
                             time_t t);
-X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx);
+X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(const X509_STORE_CTX *ctx);
-int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
+int X509_STORE_CTX_get_explicit_policy(const X509_STORE_CTX *ctx);
-int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);
+int X509_STORE_CTX_get_num_untrusted(const X509_STORE_CTX *ctx);
-X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
+X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
 int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
@ -583,7 +590,7 @@ int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
 void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
                                     unsigned int flags);
 unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param);
-char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *);
+char *X509_VERIFY_PARAM_get0_peername(const X509_VERIFY_PARAM *param);
 void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *, X509_VERIFY_PARAM *);
 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
                                 const char *email, size_t emaillen);
@ -625,26 +632,23 @@ int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
 X509_POLICY_LEVEL *X509_policy_tree_get0_level(const X509_POLICY_TREE *tree,
                                               int i);
-STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies(const
+STACK_OF(X509_POLICY_NODE)
-                                                           X509_POLICY_TREE
+    *X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree);
                                                           *tree);
-STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies(const
+STACK_OF(X509_POLICY_NODE)
-                                                                X509_POLICY_TREE
+    *X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree);
                                                                *tree);
 int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
-X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level,
+X509_POLICY_NODE *X509_policy_level_get0_node(const X509_POLICY_LEVEL *level,
                                              int i);
 const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node);
-STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers(const
+STACK_OF(POLICYQUALINFO)
-                                                           X509_POLICY_NODE
+    *X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node);
-                                                           *node);
+const X509_POLICY_NODE
-const X509_POLICY_NODE *X509_policy_node_get0_parent(const X509_POLICY_NODE
+    *X509_policy_node_get0_parent(const X509_POLICY_NODE *node);
                                                     *node);
 #ifdef  __cplusplus
 }
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@ -530,7 +530,7 @@ DECLARE_ASN1_FUNCTIONS(DIST_POINT)
 DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
 DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
-int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
+int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, const X509_NAME *iname);
 int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
 int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc);
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@ -2240,7 +2240,7 @@ static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
 /* Check to see if a certificate issuer name matches list of CA names */
 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
 {
-    X509_NAME *nm;
+    const X509_NAME *nm;
    int i;
    nm = X509_get_issuer_name(x);
    for (i = 0; i < sk_X509_NAME_num(names); i++) {
--- a/test/cmp_ctx_test.c
+++ b/test/cmp_ctx_test.c
@ -520,7 +520,7 @@ static X509_STORE *X509_STORE_new_1(void)
 #define DEFINE_SET_TEST_DEFAULT(OSSL_CMP, CTX, N, DUP, FIELD, TYPE, DEFAULT) \
    static TYPE *OSSL_CMP_CTX_get0_##FIELD(const CMP_CTX *ctx) \
    { \
-        return ctx == NULL ? ERR(NULL) : ctx->FIELD; \
+        return ctx == NULL ? ERR(NULL) : (TYPE *)ctx->FIELD; \
    } \
    DEFINE_SET_GET_TEST_DEFAULT(OSSL_CMP, CTX, N, 0, DUP, FIELD, TYPE, DEFAULT)
 #define DEFINE_SET_TEST(OSSL_CMP, CTX, N, DUP, FIELD, TYPE) \
--- a/test/cmp_vfy_test.c
+++ b/test/cmp_vfy_test.c
@ -313,7 +313,7 @@ static int test_validate_msg_signature_sender_cert_absent(void)
 }
-static int test_validate_with_sender(X509_NAME *name, int expected)
+static int test_validate_with_sender(const X509_NAME *name, int expected)
 {
    SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
    fixture->expected = expected;