From 2254ec89d3eead78a2ce8ce2ed06773906e0fe50 Mon Sep 17 00:00:00 2001
From: Anthony Hu
Date: Thu, 31 Oct 2024 17:08:42 -0400
Subject: [PATCH 1/4] Fix for setting wrong version in CSRs.

---
src/x509.c | 23 +++++++++++++++++++++--
wolfssl/openssl/ssl.h | 3 ++-
wolfssl/ssl.h | 2 ++
3 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/src/x509.c b/src/x509.c
index 18feff022..c19330f4a 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -7067,8 +7067,10 @@ int wolfSSL_X509_REQ_print(WOLFSSL_BIO* bio, WOLFSSL_X509* x509)
 return WOLFSSL_FAILURE;
 }
 
- /* print version of cert */
- if (X509PrintVersion(bio, wolfSSL_X509_version(x509), 8)
+ /* print version of cert. Note that we increment by 1 because for REQs,
+ * the value stored in x509->version is the actual value of the field; not
+ * the version. */
+ if (X509PrintVersion(bio, wolfSSL_X509_REQ_get_version(x509) + 1, 8)
 != WOLFSSL_SUCCESS) {
 return WOLFSSL_FAILURE;
 }
@@ -14840,6 +14842,23 @@ void wolfSSL_X509_REQ_free(WOLFSSL_X509* req)
 wolfSSL_X509_free(req);
 }
 
+int wolfSSL_X509_REQ_set_version(WOLFSSL_X509 *x, long version) {
+ WOLFSSL_ENTER("wolfSSL_X509_REQ_set_version");
+ if ((x == NULL) || (version < 0) || (version >= INT_MAX)) {
+ return WOLFSSL_FAILURE;
+ }
+ x->version = (int)version;
+ return WOLFSSL_SUCCESS;
+}
+
+long wolfSSL_X509_REQ_get_version(const WOLFSSL_X509 *req) {
+ WOLFSSL_ENTER("wolfSSL_X509_REQ_get_version");
+ if (req == NULL) {
+ return WOLFSSL_FAILURE;
+ }
+ return (long)req->version;
+}
+
 int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey,
 const WOLFSSL_EVP_MD *md)
 {
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index f6d29f0b7..5a4eaa55a 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
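Review bot: The new public functions wolfSSL_X509_REQ_set_version and wolfSSL_X509_REQ_get_version in the second hunk carry no documentation of what `version` means, which is exactly the ambiguity this series is fixing: for a CSR the stored value is the raw ASN.1 field value (0 for v1), not the 1-based number that wolfSSL_X509_set_version takes. Suggest a header comment on the setter such as `/* version is the raw CSR version field value (v1 == 0), unlike wolfSSL_X509_set_version; values >= INT_MAX are rejected, presumably so the +1 applied when printing cannot overflow an int */`, and a matching one on the getter stating that it returns that raw value. RFC 2986 defines only v1 (field value 0); the setter accepts any non-negative value below INT_MAX, so if emitting a non-standard CSR version is not intended, consider rejecting anything other than 0, or at least say in the comment that other values are passed through unchecked. The `version >= INT_MAX` bound (rather than `>`) reads as deliberate but is unexplained; the comment above would cover it.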
@@ -509,7 +509,8 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define X509_set1_notBefore wolfSSL_X509_set1_notBefore
 #define X509_set_serialNumber wolfSSL_X509_set_serialNumber
 #define X509_set_version wolfSSL_X509_set_version
-#define X509_REQ_set_version wolfSSL_X509_set_version
+#define X509_REQ_set_version wolfSSL_X509_REQ_set_version
+#define X509_REQ_get_version wolfSSL_X509_REQ_get_version
 #define X509_sign wolfSSL_X509_sign
 #define X509_sign_ctx wolfSSL_X509_sign_ctx
 #define X509_print wolfSSL_X509_print
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 4bbdf6565..245fd9cab 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -4815,6 +4815,8 @@ WOLFSSL_API int wolfSSL_PEM_write_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x);
 WOLFSSL_API int wolfSSL_i2d_X509_REQ(WOLFSSL_X509* req, unsigned char** out);
 WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_REQ_new(void);
 WOLFSSL_API void wolfSSL_X509_REQ_free(WOLFSSL_X509* req);
+WOLFSSL_API long wolfSSL_X509_REQ_get_version(const WOLFSSL_X509 *req);
+WOLFSSL_API int wolfSSL_X509_REQ_set_version(WOLFSSL_X509 *x, long version);
 WOLFSSL_API int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey,
 const WOLFSSL_EVP_MD *md);
 WOLFSSL_API int wolfSSL_X509_REQ_sign_ctx(WOLFSSL_X509 *req,

From d959d9de7f53fdf7bf43aa599dc31dc9c1c10570 Mon Sep 17 00:00:00 2001
From: Anthony Hu
Date: Fri, 1 Nov 2024 11:34:22 -0400
Subject: [PATCH 2/4] cast 1 to long

---
src/x509.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/x509.c b/src/x509.c
index c19330f4a..2b6c7e0d4 100644
--- a/src/x509.c
+++ b/src/x509.c
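Review bot: The two new prototypes in the wolfssl/ssl.h hunk name the request parameter differently — `req` in wolfSSL_X509_REQ_get_version but `x` in wolfSSL_X509_REQ_set_version — while the neighbouring wolfSSL_X509_REQ_* declarations all use `req`. `WOLFSSL_API int wolfSSL_X509_REQ_set_version(WOLFSSL_X509 *req, long version);` would keep the pair consistent, with the definition in src/x509.c renamed to match. The declarations are also listed get-before-set, the opposite of the definition order in src/x509.c; either order is fine but matching them makes the two easier to cross-check.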
@@ -7070,7 +7070,7 @@ int wolfSSL_X509_REQ_print(WOLFSSL_BIO* bio, WOLFSSL_X509* x509)
 /* print version of cert. Note that we increment by 1 because for REQs,
 * the value stored in x509->version is the actual value of the field; not
 * the version. */
- if (X509PrintVersion(bio, wolfSSL_X509_REQ_get_version(x509) + 1, 8)
+ if (X509PrintVersion(bio, wolfSSL_X509_REQ_get_version(x509) + (long)1, 8)
 != WOLFSSL_SUCCESS) {
 return WOLFSSL_FAILURE;
 }

From 0508151ddffb37802e9068a7bda34c5171f217a9 Mon Sep 17 00:00:00 2001
From: Anthony Hu
Date: Wed, 6 Nov 2024 16:07:18 -0500
Subject: [PATCH 3/4] Quick fix

---
src/x509.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/x509.c b/src/x509.c
index 2b6c7e0d4..308edf468 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -7070,7 +7070,7 @@ int wolfSSL_X509_REQ_print(WOLFSSL_BIO* bio, WOLFSSL_X509* x509)
 /* print version of cert. Note that we increment by 1 because for REQs,
 * the value stored in x509->version is the actual value of the field; not
 * the version. */
- if (X509PrintVersion(bio, wolfSSL_X509_REQ_get_version(x509) + (long)1, 8)
+ if (X509PrintVersion(bio, (int)wolfSSL_X509_REQ_get_version(x509) + 1, 8)
 != WOLFSSL_SUCCESS) {
 return WOLFSSL_FAILURE;
 }

From b1ccbbc7fa4298ae10f0c75d65f0fde498aa9868 Mon Sep 17 00:00:00 2001
From: Anthony Hu
Date: Tue, 12 Nov 2024 16:36:12 -0500
Subject: [PATCH 4/4] Addressing review comments from dgarske

---
src/x509.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/x509.c b/src/x509.c
index 308edf468..eddf979b3 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -14842,7 +14842,8 @@ void wolfSSL_X509_REQ_free(WOLFSSL_X509* req)
 wolfSSL_X509_free(req);
 }
 
-int wolfSSL_X509_REQ_set_version(WOLFSSL_X509 *x, long version) {
+int wolfSSL_X509_REQ_set_version(WOLFSSL_X509 *x, long version)
+{
 WOLFSSL_ENTER("wolfSSL_X509_REQ_set_version");
 if ((x == NULL) || (version < 0) || (version >= INT_MAX)) {
 return WOLFSSL_FAILURE;
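Review bot: In the PATCH 3/4 hunk, `(int)wolfSSL_X509_REQ_get_version(x509) + 1` moves the addition into int arithmetic, so if x509->version can ever hold INT_MAX the `+ 1` is signed overflow, which is undefined behaviour. The setter added in PATCH 1/4 rejects `version >= INT_MAX` and covers the programmatic path, but whether the CSR decoding path bounds the stored field the same way is not visible here, and the printer is reached with parsed, attacker-supplied CSRs. Either confirm that bound in the decoder or guard in place: `long v = wolfSSL_X509_REQ_get_version(x509); if (v >= INT_MAX) return WOLFSSL_FAILURE;` before the call, passing `(int)v + 1`. The cast itself is lossless since the setter stores an int. wolfSSL_X509_REQ_print's body begins and ends outside the hunk.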
@@ -14851,10 +14852,11 @@ int wolfSSL_X509_REQ_set_version(WOLFSSL_X509 *x, long version) {
 return WOLFSSL_SUCCESS;
 }
 
-long wolfSSL_X509_REQ_get_version(const WOLFSSL_X509 *req) {
+long wolfSSL_X509_REQ_get_version(const WOLFSSL_X509 *req)
+{
 WOLFSSL_ENTER("wolfSSL_X509_REQ_get_version");
 if (req == NULL) {
- return WOLFSSL_FAILURE;
+ return 0; /* invalid arg */
 }
 return (long)req->version;
 }
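Review bot: `return 0; /* invalid arg */` makes a NULL argument return the same value as a valid v1 request (field value 0), so callers cannot detect the error from the return value alone; the replaced WOLFSSL_FAILURE had the same problem if it is also 0, so this is a clarification rather than a regression, but the comment should say so. If the intent is to mirror OpenSSL's X509_REQ_get_version, which likewise has no error channel, state it: `return 0; /* invalid arg; indistinguishable from a v1 request, as in OpenSSL */`. The one visible caller, wolfSSL_X509_REQ_print, appears to reject a NULL x509 before reaching the call, which is what makes this acceptable; any new caller must do the same.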