From f4f77cc4f76e643a050c99b0295facf1900335c4 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Fri, 31 Mar 2023 16:46:53 -0400
Subject: Reject invalid versions in X509Req.set_version (#1208)

* Reject invalid versions in X509Req.set_version

* Update CHANGELOG.rst

Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>

---------

Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
---
 CHANGELOG.rst         |  2 ++
 src/OpenSSL/crypto.py |  6 ++++++
 tests/test_crypto.py  | 12 +++---------
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index f219137..8a0957e 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -16,6 +16,8 @@ Deprecations:
 Changes:
 ^^^^^^^^
 
+- Invalid versions are now rejected in ``OpenSSL.crypto.X509Req.set_version``.
+
 23.1.1 (2023-03-28)
 -------------------
 
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index f5dd312..a3d9e9a 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1010,6 +1010,12 @@ class X509Req:
         :param int version: The version number.
         :return: ``None``
         """
+        if not isinstance(version, int):
+            raise TypeError("version must be an int")
+        if version != 0:
+            raise ValueError(
+                "Invalid version. The only valid version for X509Req is 0."
+            )
         set_result = _lib.X509_REQ_set_version(self._req, version)
         _openssl_assert(set_result == 1)
 
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index 3212fba..0f67d20 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -1601,20 +1601,12 @@ class TestX509Req(_PKeyInteractionTestsMixin):
         """
         `X509Req.set_version` sets the X.509 version of the certificate
         request. `X509Req.get_version` returns the X.509 version of the
-        certificate request. The only defined version is 0. Others may or
-        may not be supported depending on backend.
+        certificate request. The only defined version is 0.
         """
         request = X509Req()
         assert request.get_version() == 0
         request.set_version(0)
         assert request.get_version() == 0
-        try:
-            request.set_version(1)
-            assert request.get_version() == 1
-            request.set_version(3)
-            assert request.get_version() == 3
-        except Error:
-            pass
 
     def test_version_wrong_args(self):
         """
@@ -1624,6 +1616,8 @@ class TestX509Req(_PKeyInteractionTestsMixin):
         request = X509Req()
         with pytest.raises(TypeError):
             request.set_version("foo")
+        with pytest.raises(ValueError):
+            request.set_version(2)
 
     def test_get_subject(self):
         """
-- 
cgit v1.2.1