From: Job Snijders <job@sobornost.net>
Date: Mon, 25 Mar 2024 10:49:12 +0000 (+0000)
Subject: Reject setting invalid CSR versions
X-Git-Tag: openssl-3.4.0-alpha1~792
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=397051a40db2d68433b842e7505e8cf3c9effb36;p=thirdparty%2Fopenssl.git

Reject setting invalid CSR versions

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23965)
---

diff --git a/crypto/x509/x509rset.c b/crypto/x509/x509rset.c
index 344993d4c78..0806b0c9000 100644
--- a/crypto/x509/x509rset.c
+++ b/crypto/x509/x509rset.c
@@ -17,8 +17,10 @@
 
 int X509_REQ_set_version(X509_REQ *x, long version)
 {
-    if (x == NULL)
+    if (x == NULL || version != X509_REQ_VERSION_1) {
+        ERR_raise(ERR_LIB_X509, ERR_R_PASSED_INVALID_ARGUMENT);
         return 0;
+    }
     x->req_info.enc.modified = 1;
     return ASN1_INTEGER_set(x->req_info.version, version);
 }