Do not parse certificates with invalid version in openssl plugin

author: Martin Willi <martin@revosec.ch> 2010-12-13 14:22:00 +0100
committer: Martin Willi <martin@revosec.ch> 2011-01-05 16:46:01 +0100
commit: a6850b8499ab6a535b86248b58261b719b47bb27 (patch)
tree: 588f7eeb457cd76545b0c84bb82e4a371be39b42 /src/libstrongswan/plugins/openssl/openssl_x509.c
parent: a2b340764fac2021ade280c4bdedb6c7c5f76ee3 (diff)
download: strongswan-a6850b8499ab6a535b86248b58261b719b47bb27.tar.bz2
strongswan-a6850b8499ab6a535b86248b58261b719b47bb27.tar.xz
1 files changed, 7 insertions, 0 deletions
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index b6a06d015..80639ddc0 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -899,6 +899,13 @@ static bool parse_certificate(private_openssl_x509_t *this)
 	{
 		return FALSE;
 	}
+	if (X509_get_version(this->x509) < 0 || X509_get_version(this->x509) > 2)
+	{
+		DBG1(DBG_LIB, "unsupported x509 version: %d",
+			 X509_get_version(this->x509) + 1);
+		return FALSE;
+	}
+
 	this->subject = openssl_x509_name2id(X509_get_subject_name(this->x509));
 	this->issuer = openssl_x509_name2id(X509_get_issuer_name(this->x509));
author	Martin Willi <martin@revosec.ch>	2010-12-13 14:22:00 +0100
committer	Martin Willi <martin@revosec.ch>	2011-01-05 16:46:01 +0100
commit	a6850b8499ab6a535b86248b58261b719b47bb27 (patch)
tree	588f7eeb457cd76545b0c84bb82e4a371be39b42 /src/libstrongswan/plugins/openssl/openssl_x509.c
parent	a2b340764fac2021ade280c4bdedb6c7c5f76ee3 (diff)
download	strongswan-a6850b8499ab6a535b86248b58261b719b47bb27.tar.bz2 strongswan-a6850b8499ab6a535b86248b58261b719b47bb27.tar.xz