Only print versions we know about

The version field of an X.509 Certificate is an enum

   Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

Printing the version as l + 1 only really makes sense with 0 <= l <= 2.
Otherwise print a naked l while also indicating that it is an unknown
version.

ok jsing

1 files changed, 10 insertions, 4 deletions

diff --git a/src/lib/libcrypto/asn1/t_x509.c b/src/lib/libcrypto/asn1/t_x509.c
index 563edac074..abcce54366 100644
--- a/src/lib/libcrypto/asn1/t_x509.c
+++ b/src/lib/libcrypto/asn1/t_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_x509.c,v 1.37 2021/12/25 13:17:48 jsing Exp $ */
+/* $OpenBSD: t_x509.c,v 1.38 2022/08/10 11:15:08 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -137,9 +137,15 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
         }
         if (!(cflag & X509_FLAG_NO_VERSION)) {
                 l = X509_get_version(x);
-                if (BIO_printf(bp, "%8sVersion: %lu (0x%lx)\n",
-                    "", l + 1, l) <= 0)
-                        goto err;
+                if (l >= 0 && l <= 2) {
+                        if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n",
+                            "", l + 1, l) <= 0)
+                                goto err;
+                } else {
+                        if (BIO_printf(bp, "%8sVersion: unknown (%ld)\n",
+                            "", l) <= 0)
+                                goto err;
+                }
         }
         if (!(cflag & X509_FLAG_NO_SERIAL)) {
                 if (BIO_write(bp, "        Serial Number:", 22) <= 0)