Constify OSSL_FUNC_keymgmt_validate()

The keydata argument of OSSL_FUNC_keymgmt_validate() should be read-only.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13201)

2 files changed, 12 insertions, 4 deletions

diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index ce8c6f7185..8fa9a43637 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -281,7 +281,7 @@ err:
  * FFC pairwise check from SP800-56A R3.
  *    Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency
  */
-int dh_check_pairwise(DH *dh)
+int dh_check_pairwise(const DH *dh)
 {
     int ret = 0;
     BN_CTX *ctx = NULL;
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 8d9c72d65c..90802633a6 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -182,7 +182,7 @@ int DH_generate_key(DH *dh)
 #endif
 }
 
-int dh_generate_public_key(BN_CTX *ctx, DH *dh, const BIGNUM *priv_key,
+int dh_generate_public_key(BN_CTX *ctx, const DH *dh, const BIGNUM *priv_key,
                            BIGNUM *pub_key)
 {
     int ret = 0;
@@ -193,8 +193,16 @@ int dh_generate_public_key(BN_CTX *ctx, DH *dh, const BIGNUM *priv_key,
         return 0;
 
     if (dh->flags & DH_FLAG_CACHE_MONT_P) {
-        mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
-                                      dh->lock, dh->params.p, ctx);
+        /*
+         * We take the input DH as const, but we lie, because in some cases we
+         * want to get a hold of its Montgomery context.
+         *
+         * We cast to remove the const qualifier in this case, it should be
+         * fine...
+         */
+        BN_MONT_CTX **pmont = (BN_MONT_CTX **)&dh->method_mont_p;
+
+        mont = BN_MONT_CTX_set_locked(pmont, dh->lock, dh->params.p, ctx);
         if (mont == NULL)
             goto err;
     }