From: Martin Willi
Date: Mon, 13 Dec 2010 13:22:00 +0000 (+0100)
Subject: Do not parse certificates with invalid version in openssl plugin
X-Git-Tag: 4.5.1~195
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a6850b8499ab6a535b86248b58261b719b47bb27;p=thirdparty%2Fstrongswan.git

Do not parse certificates with invalid version in openssl plugin
---

diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index b6a06d0151..80639ddc0c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -899,6 +899,13 @@ static bool parse_certificate(private_openssl_x509_t *this)
 {
 return FALSE;
 }
+ if (X509_get_version(this->x509) < 0 || X509_get_version(this->x509) > 2)
+ {
+ DBG1(DBG_LIB, "unsupported x509 version: %d",
+ X509_get_version(this->x509) + 1);
+ return FALSE;
+ }
+
 this->subject = openssl_x509_name2id(X509_get_subject_name(this->x509));
 this->issuer = openssl_x509_name2id(X509_get_issuer_name(this->x509));
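Review bot: The new `DBG1` call formats the result of `X509_get_version()` with `%d`, but OpenSSL returns a `long` there, so the specifier and the argument type disagree on LP64 targets. Reading the version once into a local fixes that and avoids evaluating the accessor three times: `long version = X509_get_version(this->x509);`, then `if (version < 0 || version > 2)` and `DBG1(DBG_LIB, "unsupported x509 version: %ld", version + 1);`. Because the log prints `version + 1`, a negative value from the accessor is reported as version 0 or below, which may be confusing when triaging rejected certificates; logging the raw field value would be clearer. The body of `parse_certificate` starts and continues outside this hunk, so the declaration has to go wherever the function's other locals are declared.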