From 8ccacb7e1efd86c86fb623b399b30684b8f3f179 Mon Sep 17 00:00:00 2001
From: job <job@openbsd.org>
Date: Sun, 23 Apr 2023 21:46:07 +0000
Subject: [PATCH] In the case of V1 certs, the extension count should be
 exactly 0

OK tb@
---
 lib/libcrypto/x509/x509_purp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/libcrypto/x509/x509_purp.c b/lib/libcrypto/x509/x509_purp.c
index e0069313b93..610a6d8796d 100644
--- a/lib/libcrypto/x509/x509_purp.c
+++ b/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.23 2023/04/23 21:39:19 job Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.24 2023/04/23 21:46:07 job Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -459,7 +459,7 @@ x509v3_cache_extensions_internal(X509 *x)
 	/* V1 should mean no extensions ... */
 	if (X509_get_version(x) == 0) {
 		x->ex_flags |= EXFLAG_V1;
-		if (X509_get_ext_count(x) > 0)
+		if (X509v3_get_ext_count(x) != 0)
 			x->ex_flags |= EXFLAG_INVALID;
 	}
 
-- 
2.20.1