From a6850b8499ab6a535b86248b58261b719b47bb27 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Mon, 13 Dec 2010 14:22:00 +0100
Subject: [PATCH] Do not parse certificates with invalid version in openssl plugin
---
 src/libstrongswan/plugins/openssl/openssl_x509.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index b6a06d0151..80639ddc0c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -899,6 +899,13 @@ static bool parse_certificate(private_openssl_x509_t *this)
 {
 return FALSE;
 }
+ if (X509_get_version(this->x509) < 0 || X509_get_version(this->x509) > 2)
+ {
+ DBG1(DBG_LIB, "unsupported x509 version: %d",
+ X509_get_version(this->x509) + 1);
+ return FALSE;
+ }
+
 this->subject = openssl_x509_name2id(X509_get_subject_name(this->x509));
 this->issuer = openssl_x509_name2id(X509_get_issuer_name(this->x509));
 
--
2.47.3
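Review bot: The `%d` in the added `DBG1` call is paired with `X509_get_version(this->x509) + 1`, which is a `long` in OpenSSL's API, so the specifier and argument do not match and the version logged for a rejected certificate may be wrong on some ABIs. Reading the field once avoids both the mismatch and the three repeated calls: `long version = X509_get_version(this->x509);`, then `if (version < 0 || version > 2)` and `DBG1(DBG_LIB, "unsupported x509 version: %ld", version + 1);`. A short comment such as `/* version is encoded zero-based (0 = v1 .. 2 = v3); reject anything else before other fields are read */` would explain the `> 2` bound and the `+ 1` in the message. The declarations and the rest of parse_certificate lie outside the hunk, so where the local belongs and whether the caller releases `this->x509` after this early `return FALSE` cannot be confirmed from here.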