This is the needed patch:
This patch should not work either, you still need a skip_tag before the get_int.
tag = ber_skip_tag( ber,&len ); /* Context +
Constructed
(version) */
tag = ber_peek_tag( ber,&len ); /* Context +
Constructed
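Review bot: on the ber_peek_tag line, the call only reports the next tag and leaves the element in the buffer, and these lines do not show the returned tag being compared or the wrapper being consumed. Compare tag against the Context + Constructed (version) value, call ber_skip_tag on a match, and only then read the integer. A short comment that the version element is optional would make the no-match path for v1 certificates clearly intentional.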
I confirm this patch worked for me, at least it did on an amd64 I'm working on.
It worked both with openssl-generated v1 (no version tag present) and v3 certificates (version tag present).
I don't know if this is a CPU-architecture-dependent issue (I don't think so), nor do I know how the ber_* library works, but FWICU the Context + Constructed stuff is handled as a tag prefix by the ber_get_int(), which then discards it when found and fetches the encapsulated value.
Instead, ber_peek_tag() is probably more simple-minded in that it peeks the first word at the buffer pointer, which is the Context + Constructed prefix, not really the tag.
I can of course be wrong, but with this patch I got i==2 from v3 certificates, which is the correct value.
Giampaolo
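The optional version element discussed in this thread, as an added example that is not part of the original messages and does not use liblber: a constructed minimal DER reader that peeks for the [0] Context + Constructed wrapper (0xA0), consumes it only when present, and otherwise defaults to v1. The der_* helpers and parse_version are hypothetical names, and only short-form lengths are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal DER cursor; not liblber. Short-form lengths only. */
typedef struct { const uint8_t *p, *end; } der_t;

/* Return the next tag without consuming it, or -1 at end of input. */
static int der_peek_tag(const der_t *d) { return d->p < d->end ? *d->p : -1; }

/* Consume tag and length octets; return the tag, or -1 if malformed. */
static int der_skip_tag(der_t *d, size_t *len) {
    if (d->end - d->p < 2 || (d->p[1] & 0x80)) return -1;
    int tag = d->p[0];
    *len = d->p[1];
    d->p += 2;
    return (size_t)(d->end - d->p) >= *len ? tag : -1;
}

/* Read a small non-negative INTEGER (tag 0x02). */
static int der_get_int(der_t *d, long *out) {
    size_t len;
    if (der_peek_tag(d) != 0x02 || der_skip_tag(d, &len) < 0) return -1;
    if (len == 0 || len > 4 || (d->p[0] & 0x80)) return -1;
    for (*out = 0; len--; d->p++) *out = (*out << 8) | *d->p;
    return 0;
}

/* Parse the start of a TBSCertificate body: optional [0] version, then the
   serial number. Returns the raw version (0 = v1, 2 = v3), or -1 on error. */
long parse_version(const uint8_t *buf, size_t n, long *serial) {
    der_t d = { buf, buf + n };
    long version = 0;                       /* DEFAULT v1 when [0] is absent */
    size_t len;
    if (der_peek_tag(&d) == 0xA0) {         /* Context + Constructed [0] */
        if (der_skip_tag(&d, &len) < 0) return -1;  /* consume the wrapper */
        if (der_get_int(&d, &version) < 0) return -1;
    }
    return der_get_int(&d, serial) < 0 ? -1 : version;
}

int main(void) {
    /* Constructed sample inputs, not taken from real certificates. */
    const uint8_t v3[] = { 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x2A };
    const uint8_t v1[] = { 0x02, 0x01, 0x2A };
    long s;
    printf("v3 -> %ld\n", parse_version(v3, sizeof v3, &s));
    printf("v1 -> %ld\n", parse_version(v1, sizeof v1, &s));
    return 0;
}
```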