Only print versions we know about

The version field of an X.509 Certificate is an enum

   Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

Printing the version as l + 1 only really makes sense with 0 <= l <= 2.
Otherwise print a naked l while also indicating that it is an unknown
version.

ok jsing

1 files changed, 10 insertions, 4 deletions

diff --git a/lib/libcrypto/asn1/t_x509.c b/lib/libcrypto/asn1/t_x509.c
index 563edac0743..abcce54366a 100644
--- a/lib/libcrypto/asn1/t_x509.c
+++ b/lib/libcrypto/asn1/t_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_x509.c,v 1.37 2021/12/25 13:17:48 jsing Exp $ */
+/* $OpenBSD: t_x509.c,v 1.38 2022/08/10 11:15:08 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -137,9 +137,15 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 	}
 	if (!(cflag & X509_FLAG_NO_VERSION)) {
 		l = X509_get_version(x);
-		if (BIO_printf(bp, "%8sVersion: %lu (0x%lx)\n",
-		    "", l + 1, l) <= 0)
-			goto err;
+		if (l >= 0 && l <= 2) {
+			if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n",
+			    "", l + 1, l) <= 0)
+				goto err;
+		} else {
+			if (BIO_printf(bp, "%8sVersion: unknown (%ld)\n",
+			    "", l) <= 0)
+				goto err;
+		}
 	}
 	if (!(cflag & X509_FLAG_NO_SERIAL)) {
 		if (BIO_write(bp, "        Serial Number:", 22) <= 0)